[ 
https://issues.apache.org/jira/browse/HADOOP-9421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13693051#comment-13693051
 ] 

Daryn Sharp commented on HADOOP-9421:
-------------------------------------

I'm intending for the proto/serverid to be a general way for the client to 
determine if it has the required credentials to even initiate that particular 
auth type.  In the end, both the SASL client & server must use the exact same 
values for any mechanism or the SASL exchange will fail.

In the case of Kerberos, the GSSAPI mechanism uses the proto/serverid to 
communicate the service principal's user and host.

In the case of tokens, the proto/serverid could be used to communicate info 
to find the token.  Luke is right that the proto/serverid is used by DIGEST-MD5 
to form digest-uri which currently has no bearing on the authentication.  
However, this info may allow a token lookup independent of the current service 
lookup and the woes caused by use_ip.

With other auth methods, the provided info might form a hint as to how to 
obtain the needed credentials.  For instance, the serverid might be used to 
provide the trusted SSO server for SSO or identity tokens.

Again, it's a SASL requirement that the same proto/serverid must be used to 
instantiate the SASL client & start.  The GSSAPI mechanism uses that 
information to get a service ticket.  How we use those fields for other 
mechanisms like DIGEST-MD5 is up to us.
                
> Convert SASL to use ProtoBuf and provide negotiation capabilities
> -----------------------------------------------------------------
>
>                 Key: HADOOP-9421
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9421
>             Project: Hadoop Common
>          Issue Type: Sub-task
>    Affects Versions: 2.0.3-alpha
>            Reporter: Sanjay Radia
>            Assignee: Daryn Sharp
>            Priority: Blocker
>             Fix For: 3.0.0, 2.1.0-beta, 2.2.0
>
>         Attachments: HADOOP-9421.patch, HADOOP-9421.patch, HADOOP-9421.patch, 
> HADOOP-9421.patch, HADOOP-9421.patch, HADOOP-9421.patch, HADOOP-9421.patch, 
> HADOOP-9421.patch, HADOOP-9421.patch, HADOOP-9421-v2-demo.patch
>
>


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
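
The comment above says DIGEST-MD5 forms its digest-uri from the proto/serverid and that client and server must use the same values. As an added example (not code from the message or from Hadoop), this sketch computes the RFC 2831 response for qop=auth and shows a server rejecting a client that was instantiated with a different serverid. The function names, the `hdfs` protocol string, hostnames, address and secret are constructed for illustration; realm negotiation, authzid and rspauth are left out.

```python
import hashlib
import hmac


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_response(user, realm, password, nonce, cnonce, nc, proto, serverid):
    """RFC 2831 response-value for qop=auth with no authzid."""
    uri = f"{proto}/{serverid}"  # digest-uri = serv-type "/" host
    a1 = md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{uri}".encode()  # the digest-uri is hashed into A2
    kd = f"{md5(a1).hex()}:{nonce}:{nc}:{cnonce}:auth:{md5(a2).hex()}"
    return uri, md5(kd.encode()).hex()


def client_message(proto, serverid, user, realm, secret, nonce, cnonce):
    """Client side: build the digest-response fields from its own proto/serverid."""
    nc = "00000001"
    uri, resp = digest_response(user, realm, secret, nonce, cnonce, nc, proto, serverid)
    return {"username": user, "realm": realm, "nonce": nonce, "cnonce": cnonce,
            "nc": nc, "digest-uri": uri, "response": resp}


def server_accepts(server_proto, server_id, secret, msg):
    """Server side: recompute with the proto/serverid it was instantiated with."""
    uri, expected = digest_response(msg["username"], msg["realm"], secret,
                                    msg["nonce"], msg["cnonce"], msg["nc"],
                                    server_proto, server_id)
    return msg["digest-uri"] == uri and hmac.compare_digest(expected, msg["response"])


# Constructed sample values, not taken from the issue.
SECRET = "constructed-token-password"
SESSION = ("token-id-1", "default", SECRET, "c2VydmVyLW5vbmNl", "Y2xpZW50LW5vbmNl")


def demo():
    """Return (accepted with matching serverid, accepted with mismatched serverid)."""
    by_name = client_message("hdfs", "nn1.example.com", *SESSION)
    by_addr = client_message("hdfs", "192.0.2.10", *SESSION)  # same secret, other serverid
    return (server_accepts("hdfs", "nn1.example.com", SECRET, by_name),
            server_accepts("hdfs", "nn1.example.com", SECRET, by_addr))


if __name__ == "__main__":
    print(demo())
```

The second client holds the correct secret and still fails, because the serverid it used changes both the digest-uri field and the hash computed over it.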
