[
https://issues.apache.org/jira/browse/HADOOP-6419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802097#action_12802097
]
Kan Zhang commented on HADOOP-6419:
-----------------------------------
> +1 for client side to start with.
I was trying to re-factor the client side code. However, I feel it might not
be worth it under our current code structure. Firstly, since we obtain our sockets
from socket channels, a custom socket has to be instantiated by wrapping an
existing socket, which leads to a lot of boilerplate code. More importantly, we
don't have a framework to plug in a security layer. One possibility is to make
NetUtils class security aware. However, NetUtils isn't a good place since it's
just a utility class consisting of all static methods. On the client side, SASL
logic is already well captured in a single method initSASLContext(). I don't
think polluting NetUtils would bring much benefit. The server side arguably
needs more re-factoring. But NetUtils won't help there since it's only used on
the client side. Hence, I suggest we leave factoring out the security layer from
Client and Server to a future date when there is a framework to work with.

Attaching a new patch that 1) added a header element to RPC that specifies the
authentication method to be used (or none). Part of the existing header (ugi and
protocol) will be sent after authentication and in protected form. 2)
re-factored Server code to be more readable.
> Change RPC layer to support SASL/token based mutual authentication
> ------------------------------------------------------------------
>
> Key: HADOOP-6419
> URL: https://issues.apache.org/jira/browse/HADOOP-6419
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Kan Zhang
> Assignee: Kan Zhang
> Attachments: c6419-26.patch
>
>
> The authentication mechanism to use will be SASL DIGEST-MD5 (see RFC-2222 and
> RFC-2831). Since J2SE 5, Sun provides a SASL implementation by default. Both
> our delegation token and job token can be used as credentials for SASL
> DIGEST-MD5 authentication.
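The flow outlined in the comment and the issue description (SASL DIGEST-MD5 with a token as the credential, then the ugi and protocol header fields sent under SASL protection), as an added example using the JDK's `javax.security.sasl` API; it is not code from the attached patch. The token values, the `rpc` and `server.example` names, the `auth-int` QOP and the header string are constructed assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

public class TokenDigestDemo {
    // Constructed sample token: the identifier is used as the SASL user name and
    // the secret as the password (an assumption of this example).
    static final String TOKEN_ID = "token-id-0001";
    static final char[] TOKEN_SECRET = "constructed-secret".toCharArray();

    // Client side supplies the token; server side returns the secret only for a
    // known identifier and authorizes only when authcid equals authzid.
    static CallbackHandler handler(boolean server) {
        return callbacks -> {
            String presented = TOKEN_ID;
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    NameCallback nc = (NameCallback) cb;
                    if (server) presented = nc.getDefaultName(); else nc.setName(TOKEN_ID);
                } else if (cb instanceof PasswordCallback) {
                    if (TOKEN_ID.equals(presented)) ((PasswordCallback) cb).setPassword(TOKEN_SECRET);
                } else if (cb instanceof RealmCallback) {
                    RealmCallback rc = (RealmCallback) cb;
                    rc.setText(rc.getDefaultText());
                } else if (cb instanceof AuthorizeCallback) {
                    AuthorizeCallback ac = (AuthorizeCallback) cb;
                    ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
                    if (ac.isAuthorized()) ac.setAuthorizedID(ac.getAuthorizationID());
                } else { throw new UnsupportedCallbackException(cb); }
            }
        };
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> props = Map.of(Sasl.QOP, "auth-int"); // integrity-protect post-auth data
        String[] mechs = {"DIGEST-MD5"};
        SaslServer srv = Sasl.createSaslServer(mechs[0], "rpc", "server.example", props, handler(true));
        SaslClient cli = Sasl.createSaslClient(mechs, null, "rpc", "server.example", props, handler(false));
        byte[] challenge = srv.evaluateResponse(new byte[0]); // server nonce, realm, qop
        byte[] response = cli.evaluateChallenge(challenge);   // digest keyed by the token secret
        byte[] rspauth = srv.evaluateResponse(response);      // server proves it knows the secret too
        cli.evaluateChallenge(rspauth);                       // client verifies it: mutual authentication
        // Constructed header fields, sent only now and wrapped with the session keys.
        byte[] header = "ugi=alice;protocol=ExampleProtocol".getBytes(StandardCharsets.UTF_8);
        byte[] wire = cli.wrap(header, 0, header.length);
        byte[] seen = srv.unwrap(wire, 0, wire.length);
        System.out.println(srv.getAuthorizationID() + " -> " + new String(seen, StandardCharsets.UTF_8));
    }
}
```

If the client presents a different secret, the second `srv.evaluateResponse` call throws a `SaslException` and no header is ever unwrapped.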