[ 
https://issues.apache.org/jira/browse/HADOOP-6907?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kan Zhang updated HADOOP-6907:
------------------------------

    Attachment: c6907-12.patch

This patch does the following.

1. It refactored a bunch of connection-related params from being global (stay 
the same for new connections) to become per-connection params and their values 
are obtained from the conf used when calling RPC.getProxy(). This allows new 
connections to be set up based on the conf used for that connection, which is 
more intuitive.

2. In particular, the server's Kerberos principal is now obtained from the 
per-connection conf.

3. The conf cached globally in Client is not removed since it provides a cache 
for Classes that ObjectWritable.NullInstance relies on to figure out the 
declaredClass. It seems to provide a useful function and the cache can be 
shared among connections. No per-connection params are obtained from this 
global conf.

> Rpc client doesn't use the per-connection conf to figure out server's 
> Kerberos principal
> ----------------------------------------------------------------------------------------
>
>                 Key: HADOOP-6907
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6907
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: ipc, security
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: c6907-12.patch
>
>
> Currently, RPC client caches the conf that was passed in to its constructor 
> and uses that same conf (or values obtained from it) for every connection it 
> sets up. This is not sufficient for security since each connection needs to 
> figure out server's Kerberos principal on a per-connection basis. It's not 
> reasonable to expect the first conf used by a user to contain all the 
> Kerberos principals that her future connections will ever need. Or worse, if 
> her first conf contains an incorrect principal name, it will prevent the user 
> from connecting to the server even if she later on passes in a correct conf 
> on retry (by calling RPC.getProxy()).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
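
The failure mode described in the issue, as an added illustration that is not Hadoop code and not part of the attached patch. A conf is modelled as a `Map` and Kerberos authentication as a comparison between the expected and the actual server principal; the class names, the conf key `example.server.principal` and the host names are hypothetical.

```java
import java.util.Map;

// Added illustration, not Hadoop code. A conf is modelled as a Map and
// Kerberos as a comparison between expected and actual server principal.
public class PerConnectionConfDemo {
    static final String KEY = "example.server.principal"; // hypothetical conf key
    // Constructed sample: the principal each server really runs as.
    static final Map<String, String> SERVERS = Map.of(
        "nn1:8020", "nn/nn1.example.com@EXAMPLE.COM",
        "nn2:8020", "nn/nn2.example.com@EXAMPLE.COM");

    interface Client { boolean connect(String addr, Map<String, String> conf); }

    static boolean authenticate(String addr, String expectedPrincipal) {
        return SERVERS.get(addr).equals(expectedPrincipal);
    }

    // Behaviour described in the issue: the conf from the constructor is reused.
    static class CachedConfClient implements Client {
        private final Map<String, String> cached;
        CachedConfClient(Map<String, String> first) { cached = first; }
        public boolean connect(String addr, Map<String, String> conf) {
            return authenticate(addr, cached.get(KEY)); // conf argument is ignored
        }
    }

    // Behaviour described for the patch: principal is read from this call's conf.
    static class PerConnectionClient implements Client {
        public boolean connect(String addr, Map<String, String> conf) {
            return authenticate(addr, conf.get(KEY));
        }
    }

    static void run(String label, Client c) {
        Map<String, String> typo = Map.of(KEY, "nn/nn1.exmaple.com@EXAMPLE.COM");
        Map<String, String> nn1 = Map.of(KEY, SERVERS.get("nn1:8020"));
        Map<String, String> nn2 = Map.of(KEY, SERVERS.get("nn2:8020"));
        System.out.println(label + " nn1 with typo conf:    " + c.connect("nn1:8020", typo));
        System.out.println(label + " nn1 retry, fixed conf: " + c.connect("nn1:8020", nn1));
        System.out.println(label + " nn2 with its own conf: " + c.connect("nn2:8020", nn2));
    }

    public static void main(String[] args) {
        run("cached  ", new CachedConfClient(
            Map.of(KEY, "nn/nn1.exmaple.com@EXAMPLE.COM")));
        run("per-conn", new PerConnectionClient());
    }
}
```

With the cached conf, the retry against nn1 and the connection to nn2 both fail even though the caller supplies a correct conf each time; with the per-connection lookup only the attempt that actually carries the wrong principal fails.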
