[ https://issues.apache.org/jira/browse/HADOOP-6419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12828819#action_12828819 ]
Kan Zhang commented on HADOOP-6419:
-----------------------------------
Attached a new patch that incorporated Owen's comments.
bq. Did you intend to leave all of the logging levels at all in your
TestSaslRpc or was that for your own debugging?
I intend to leave the logging levels on for that test. It's helpful for
debugging.
bq. unless you are sure that disposing of it a second time is ignored.
Java SASL API says dispose() is idempotent.
bq. A quibble is that your regex for splitting principal names would be easier
to read as "[/@]" instead of "(/|@)". It should however, be pulled out into a
utility function, since you do it a couple of places in the code.
Done.
bq. Does it matter that we don't allow server principals like "[email protected]" and
insist on "a/[email protected]"? Does SASL insist on it? It is certainly the standard
practice, but we are forcing it as a requirement.
When I tried to call Java SASL API with serverName parameter set to null or "",
I got library exceptions. I think it's better we throw an exception with a
meaningful message, rather than letting the library throw
ArrayIndexOutOfBoundsException, etc. If we prefer to let the library deal with it,
let me know and I can remove the checking.
bq. Instead of throwing IOException with an authorization failure, please use
hadoop.security.AccessControlException.
Done.
> Change RPC layer to support SASL based mutual authentication
> ------------------------------------------------------------
>
> Key: HADOOP-6419
> URL: https://issues.apache.org/jira/browse/HADOOP-6419
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Kan Zhang
> Assignee: Kan Zhang
> Attachments: c6419-26.patch, c6419-39.patch, c6419-45.patch,
> c6419-66.patch, c6419-67.patch, c6419-69.patch, c6419-70.patch,
> c6419-72.patch, c6419-73.patch, c6419-75.patch
>
>
> The authentication mechanism to use will be SASL DIGEST-MD5 (see RFC-2222 and
> RFC-2831) or SASL GSSAPI/Kerberos. Since J2SE 5, Sun provides a SASL
> implementation by default. Both our delegation token and job token can be
> used as credentials for SASL DIGEST-MD5 authentication.
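An added example, not code from the HADOOP-6419 patch: one way a shared utility could split a server principal with the "[/@]" pattern discussed above and fail with a readable message instead of an index error. The class and method names are hypothetical, and the sample principals in main() are constructed.

```java
import java.util.regex.Pattern;

public class PrincipalNames {
    // Character class form suggested in the review: split on '/' or '@'.
    private static final Pattern SEPARATORS = Pattern.compile("[/@]");

    /**
     * Splits a server principal of the form service/host@REALM into
     * {service, host, realm}. Anything else is rejected up front so the
     * caller never indexes past the end of a short array.
     */
    static String[] splitServerPrincipal(String principal) {
        if (principal == null || principal.isEmpty()) {
            throw new IllegalArgumentException("Server principal is null or empty");
        }
        int slash = principal.indexOf('/');
        int at = principal.indexOf('@');
        // limit -1 keeps trailing empty strings, so "nn/host@" yields an
        // empty realm that is rejected below rather than silently dropped.
        String[] parts = SEPARATORS.split(principal, -1);
        boolean wellFormed = parts.length == 3
                && slash > 0 && at > slash   // '/' must come before '@'
                && !parts[1].isEmpty() && !parts[2].isEmpty();
        if (!wellFormed) {
            throw new IllegalArgumentException(
                "Expected service/host@REALM but got: " + principal);
        }
        return parts;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the issue.
        String[] samples = {
            "nn/host1.example.com@EXAMPLE.COM", // accepted
            "nn@EXAMPLE.COM",                   // no host component
            "nn@EXAMPLE.COM/host1",             // separators in the wrong order
            "nn/host1.example.com@",            // empty realm
            ""                                  // empty name
        };
        for (String s : samples) {
            try {
                String[] p = splitServerPrincipal(s);
                System.out.println("ok: service=" + p[0] + " host=" + p[1] + " realm=" + p[2]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```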