[ https://issues.apache.org/jira/browse/HADOOP-9698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daryn Sharp updated HADOOP-9698:
--------------------------------

    Attachment: HADOOP-9698.patch

Patch was delayed due to complications handling switch to simple in a clean way.

This is the patch for trunk.  I will do more extensive testing of the patch 
before posting the branch-2 version (which is expected to be nearly if not 
identical sans maybe the clientId).

The changes look bigger than they are, but should be straightforward.

Summary of changes:

*Client*
Determines authProtocol (SASL or NONE) based on whether security is enabled or 
has tokens.  Since the client may not know the required token until after 
connect, it will use SASL if it has any tokens at all. 

Fallback to SIMPLE from SASL is optimized to not require a SUCCESS ack from the 
server before sending connection header.

Removed servicePrincipal from ConnectionId because it may not be known 
beforehand.  Esp. after IP failover is added in a later jira.

*Server*
If SIMPLE is enabled, will advertise it if client uses SASL.  If the client 
initiates with SIMPLE, no response is sent from the server, and the client is 
expected to immediately send the connection context.

Switch to simple is more cleanly implemented as a response to the client's 
initial NEGOTIATE/INITIATE, instead of response to connection header with funky 
logic to ignore the first SASL message.  The connection header and 
NEGOTIATE/INITIATE are sent as a pair, so it's not expensive.

*SaslRpcClient*
The bulk of the changes.  The client delays instantiation of the SaslClient 
until processing of the NEGOTIATE response.  The client checks if it supports 
each auth, and if it has the credentials (ex. token) - if not, tries the next.
                
> RPCv9 client must honor server's SASL negotiate response
> --------------------------------------------------------
>
>                 Key: HADOOP-9698
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9698
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: ipc
>    Affects Versions: 3.0.0, 2.1.0-beta
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-9698.patch
>
>
> As of HADOOP-9421, a RPCv9 server will advertise its authentication methods.  
> This is meant to support features such as IP failover, better token 
> selection, and interoperability in a heterogeneous security environment.
> Currently the client ignores the negotiate response and just blindly attempts 
> to authenticate instead of choosing a mutually agreeable auth method.
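The negotiation described in the comment above (client picks SASL or NONE from its own state, server advertises the methods it accepts, client walks that list and takes the first one it both supports and holds credentials for, and SIMPLE is only a fallback when the server advertises it), as an added Python model that is not part of the Hadoop patch; the method names, the fixed server ordering and the single required token kind are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Auth(Enum):
    SIMPLE = "SIMPLE"
    TOKEN = "TOKEN"
    KERBEROS = "KERBEROS"


@dataclass
class Server:
    """Constructed server model: what it advertises in reply to NEGOTIATE."""
    security_enabled: bool
    allow_simple_fallback: bool = False  # "If SIMPLE is enabled, will advertise it"

    def advertised_auths(self):
        # Assumed ordering: SASL mechanisms first, SIMPLE last as the fallback.
        auths = [Auth.TOKEN, Auth.KERBEROS] if self.security_enabled else []
        if not self.security_enabled or self.allow_simple_fallback:
            auths.append(Auth.SIMPLE)
        return auths


@dataclass
class Client:
    """Constructed client model: credentials it holds before connecting."""
    security_enabled: bool
    tokens: set = field(default_factory=set)  # token kinds held, e.g. {"HDFS_DELEGATION_TOKEN"}
    has_kerberos_ticket: bool = False

    def auth_protocol(self):
        # SASL if security is on or the client holds any token at all (it may not
        # know which token the server wants until after connect).
        return "SASL" if (self.security_enabled or self.tokens) else "NONE"

    def has_credentials(self, auth, required_token_kind):
        checks = {
            Auth.SIMPLE: True,
            Auth.TOKEN: required_token_kind in self.tokens,
            Auth.KERBEROS: self.has_kerberos_ticket,
        }
        return checks.get(auth, False)


def negotiate(client, server, required_token_kind="HDFS_DELEGATION_TOKEN"):
    """Return the Auth actually used, or None when nothing mutually agreeable exists."""
    if client.auth_protocol() == "NONE":
        # Client initiates SIMPLE: no server response, it just sends the connection
        # context; assumed here that a server without SIMPLE rejects the connection.
        return Auth.SIMPLE if Auth.SIMPLE in server.advertised_auths() else None
    # Client sent NEGOTIATE; it now walks the advertised list in server order and
    # skips any method it lacks credentials for ("if not, tries the next").
    for auth in server.advertised_auths():
        if client.has_credentials(auth, required_token_kind):
            return auth
    return None
```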

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
