8 năm trước cách đây · 145d716a2b
--- a/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/conf/kms-env.sh
@@ -66,6 +66,19 @@
 
				 #
			
 
				 # export KMS_MAX_HTTP_HEADER_SIZE=65536
			
 
				 
			
 
				+# Set to 'true' if you want the SSL stack to require a valid certificate chain
			
 
				+# from the client before accepting a connection. Set to 'want' if you want the
			
 
				+# SSL stack to request a client Certificate, but not fail if one isn't
			
 
				+# presented. A 'false' value (which is the default) will not require a
			
 
				+# certificate chain unless the client requests a resource protected by a
			
 
				+# security constraint that uses CLIENT-CERT authentication.
			
 
				+#
			
 
				+# export KMS_SSL_CLIENT_AUTH=false
			
 
				+
			
 
				+# The comma separated list of SSL protocols to support
			
 
				+#
			
 
				+# export KMS_SSL_ENABLED_PROTOCOLS="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
			
 
				+
			
 
				 # The comma separated list of encryption ciphers for SSL
			
 
				 #
			
 
				 # export KMS_SSL_CIPHERS=
			
--- a/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/libexec/kms-config.sh
@@ -177,6 +177,20 @@ else
 
				   print "Using   KMS_MAX_HTTP_HEADER_SIZE:     ${KMS_MAX_HTTP_HEADER_SIZE}"
			
 
				 fi
			
 
				 
			
 
				+if [ "${KMS_SSL_CLIENT_AUTH}" = "" ]; then
			
 
				+  export KMS_SSL_CLIENT_AUTH="false"
			
 
				+  print "Setting KMS_SSL_CLIENT_AUTH:     ${KMS_SSL_CLIENT_AUTH}"
			
 
				+else
			
 
				+  print "Using   KMS_SSL_CLIENT_AUTH:     ${KMS_SSL_CLIENT_AUTH}"
			
 
				+fi
			
 
				+
			
 
				+if [ "${KMS_SSL_ENABLED_PROTOCOLS}" = "" ]; then
			
 
				+  export KMS_SSL_ENABLED_PROTOCOLS="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
			
 
				+  print "Setting KMS_SSL_ENABLED_PROTOCOLS:     ${KMS_SSL_ENABLED_PROTOCOLS}"
			
 
				+else
			
 
				+  print "Using   KMS_SSL_ENABLED_PROTOCOLS:     ${KMS_SSL_ENABLED_PROTOCOLS}"
			
 
				+fi
			
 
				+
			
 
				 if [ "${KMS_SSL_CIPHERS}" = "" ]; then
			
 
				   export KMS_SSL_CIPHERS="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
			
 
				   KMS_SSL_CIPHERS+=",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
			
--- a/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
+++ b/hadoop-common-project/hadoop-kms/src/main/sbin/kms.sh
@@ -87,6 +87,9 @@ if [[ "${1}" = "start" || "${1}" = "run" ]]; then
 
				     "${KMS_ACCEPTOR_THREAD_COUNT}"
			
 
				   catalina_set_property "kms.max.http.header.size" \
			
 
				     "${KMS_MAX_HTTP_HEADER_SIZE}"
			
 
				+  catalina_set_property "kms.ssl.client.auth" "${KMS_SSL_CLIENT_AUTH}"
			
 
				+  catalina_set_property "kms.ssl.enabled.protocols" \
			
 
				+    "${KMS_SSL_ENABLED_PROTOCOLS}"
			
 
				   catalina_set_property "kms.ssl.ciphers" "${KMS_SSL_CIPHERS}"
			
 
				   catalina_set_property "kms.ssl.keystore.file" "${KMS_SSL_KEYSTORE_FILE}"
			
 
				 
			
--- a/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
+++ b/hadoop-common-project/hadoop-kms/src/main/tomcat/ssl-server.xml
@@ -73,7 +73,8 @@
 
				                acceptCount="${kms.accept.count}"
			
 
				                acceptorThreadCount="${kms.acceptor.thread.count}"
			
 
				                maxHttpHeaderSize="${kms.max.http.header.size}"
			
 
				-               clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
			
 
				+               clientAuth="${kms.ssl.client.auth}"
			
 
				+               sslEnabledProtocols="${kms.ssl.enabled.protocols}"
			
 
				                ciphers="${kms.ssl.ciphers}"
			
 
				                truststorePass="${kms.ssl.truststore.pass}"
			
 
				                keystoreFile="${kms.ssl.keystore.file}"
			
--- a/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
+++ b/hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm
@@ -301,11 +301,20 @@ The answer to "What is your first and last name?" (i.e. "CN") must be the hostna
 
				 
			
 
				 NOTE: You need to restart the KMS for the configuration changes to take effect.
			
 
				 
			
 
				+
			
 
				+Set environment variable `KMS_SSL_CLIENT_AUTH` to change client
			
 
				+authentication. The default is `false`. See `clientAuth` in
			
 
				+[Tomcat 6.0 SSL Support](https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support).
			
 
				+
			
 
				+Set environment variable `KMS_SSL_ENABLED_PROTOCOLS` to specify a list of
			
 
				+enabled SSL protocols. The default list includes `TLSv1`, `TLSv1.1`,
			
 
				+`TLSv1.2`, and `SSLv2Hello`. See `sslEnabledProtocols` in
			
 
				+[Tomcat 6.0 SSL Support](https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support).
			
 
				+
			
 
				 In order to support some old SSL clients, the default encryption ciphers
			
 
				 include a few relatively weaker ciphers. Set environment variable
			
 
				-`KMS_SSL_CIPHERS` or property `kms.ssl.ciphers` to override. The value is a
			
 
				-comma separated list of ciphers documented in this
			
 
				-[Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
			
 
				+`KMS_SSL_CIPHERS` to override. The value is a comma separated list of ciphers
			
 
				+documented in [Tomcat Wiki](https://wiki.apache.org/tomcat/Security/Ciphers).
			
 
				 
			
 
				 $H4 ACLs (Access Control Lists)