[https://issues.apache.org/jira/browse/HADOOP-9421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13689451#comment-13689451]
Luke Lu commented on HADOOP-9421:
---------------------------------
Specifically:
bq. Re-introduces the roundtrip I removed for tokens and usable by other auths
in the future
Not true. The initiate proto wrapped in rpc header is part of the connection
header packet even though they're logically separate messages.
bq. Appears to add yet another roundtrip for non-token auths
Not true. See above.
bq. Completely removes the ability for the client to chose the best or most
preferred auth
Not true. In fact the client initiate proto allows future auths without
introducing a new round-trip.
bq. Ruins pluggable auths because the client now requires specific logic to
"guess" if it can do the new auth
Not true. initiate "allows" but does not "require" client-specific logic, hence
more extensible.
bq. Prevents elimination of token use_ip
Not applicable to any known token mechs: Digest-MD5 or SCRAM, as the former is
always server initiated and the latter doesn't care.
bq. Prevents supporting tokens for multi-interface, multi-A record, or CNAMEs
Not true. Token auth doesn't care, see above. And the initiate proto is
extensible for all kinds of auth metadata.
bq. Breaks my ability to add IP failover support
Not true. IP failover works with tokens as is, and for Kerberos if the server
principal is shared among the servers for the same logical server. It can be
extended to support insane cross-server principal failover, while maintaining
minimum round-trips in normal cases.
bq. Allows clients to do complete DOS attacks by tying up the socket
indefinitely with initiates
Clients can already do the same by keeping RPC connections open indefinitely. DoS is
only significant if it requires fewer client resources to DoS a server, which is
not the case.
In summary, your patch changes the major flow of the current RPC with a new
negotiate round-trip, except for a round-trip reduction hack for Digest-MD5
tokens, since it disallows the client from sending any new auth metadata in the first
packet. My patch is actually a (conceptually) small change to extend the
capability to send arbitrary auth metadata in the first packet and allow the
server to intelligently respond with either a challenge or a negotiate, which
allows round-trip optimization for all future auths besides Digest-MD5 tokens.
> Convert SASL to use ProtoBuf and add lengths for non-blocking processing
> ------------------------------------------------------------------------
>
> Key: HADOOP-9421
> URL: https://issues.apache.org/jira/browse/HADOOP-9421
> Project: Hadoop Common
> Issue Type: Sub-task
> Affects Versions: 2.0.3-alpha
> Reporter: Sanjay Radia
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-9421.patch, HADOOP-9421.patch, HADOOP-9421.patch,
> HADOOP-9421.patch, HADOOP-9421.patch, HADOOP-9421.patch, HADOOP-9421.patch,
> HADOOP-9421.patch, HADOOP-9421-v2-demo.patch