[ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496277#comment-13496277 ]

Robert Joseph Evans commented on HADOOP-8999:
---------------------------------------------

The change looks OK to me.  So the problem is that the wrapper protocol around 
SASL that we have been using requires that the client not finish (aka 
isComplete() returns true) after a single challenge, and if it does we need to 
unconditionally read the response to possibly get the switch to SIMPLE message. 
Also that the server must reply at least once, again so that all clients both 
old and new will possibly get the switch to SIMPLE message.

I don't like the special case you put into the server for PLAIN, but I don't 
see any other way around it without also changing the protocol version like you 
said previously.

Daryn, could you please file a separate JIRA to fix our SASL wrapper protocol so 
that we can send the success/failure/switch to SIMPLE message so that we can 
then plug in any Java SASL client/server pair without needing to worry about 
special cases for them. I know that it would require a protocol version change 
but I think it is worth it.  Perhaps not for 2.0, but definitely for a 3.0.

+1 feel free to check it in.
                
> SASL negotiation is flawed
> --------------------------
>
>                 Key: HADOOP-8999
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8999
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: ipc
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>         Attachments: HADOOP-8999.patch
>
>
> The RPC protocol used for SASL negotiation is flawed.  The server's RPC 
> response contains the next SASL challenge token, but a SASL server can return 
> null (I'm done) or a N-many byte challenge.  The server currently will not 
> send a RPC success response to the client if the SASL server returns null, 
> which causes the client to hang until it times out.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
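
The hang described in the issue, as an added simplified model that is not Hadoop code and not the attached patch. The class names, the `always_reply` switch and the in-memory `wire` are assumptions made for illustration; `always_reply=True` models the requirement that the server reply at least once.

```python
from collections import deque

class OneStepServer:
    """Constructed stand-in for a PLAIN-like mechanism: one client token, no challenge back."""
    def __init__(self):
        self.complete = False

    def evaluate_response(self, token):
        self.complete = True
        return None  # "I'm done": nothing more to send

class FinalTokenServer:
    """Constructed stand-in for a mechanism whose last step still carries data."""
    def __init__(self):
        self.complete = False
        self.step = 0

    def evaluate_response(self, token):
        self.step += 1
        if self.step == 1:
            return b"challenge-1"
        self.complete = True
        return b"final-proof"

def server_handle(sasl, token, wire, always_reply):
    """One server-side RPC turn: evaluate the token and possibly write a response."""
    challenge = sasl.evaluate_response(token)
    if challenge is not None:
        wire.append(("SUCCESS", challenge))  # response carries the next challenge
    elif always_reply:
        wire.append(("SUCCESS", b""))        # empty success lets the client stop reading
    # flawed path: null challenge, so nothing is written to the wire

def negotiate(sasl, client_tokens, always_reply):
    """Return what the client observes at the end of the negotiation."""
    wire = deque()
    for token in client_tokens:
        server_handle(sasl, token, wire, always_reply)
        if not wire:      # client blocks on a read that never arrives
            return "timeout"
        wire.popleft()    # client consumes the server's response
    return "authenticated" if sasl.complete else "incomplete"
```

A mechanism whose final step returns data completes under either setting, so only a mechanism that returns null on completion exposes the missing response.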
