[ https://issues.apache.org/jira/browse/HADOOP-9698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13715543#comment-13715543 ]

Daryn Sharp commented on HADOOP-9698:
-------------------------------------

bq. I don't think this needs to be a blocker but it is a good one to get in.

It's a blocker to avoid another incompatibility.  The client currently 
hardcodes the SASL proto/serverId tuple for token auth to empty-string/default. 
 I plan to use these fields for server hints for token selection.  If the 
server and client don't use the exact same values, negotiation will fail, and 
introduce an incompatibility with older clients.  In this patch, the client 
doesn't actually do anything with the fields but it uses the field values as 
specified by the server.

bq. Do you have an example of where ugi contains tokens but security is 
disabled?

Yarn is moving to tokens regardless of security.  For instance, container 
tokens are always used to prevent AMs from launching containers with different 
resource values than requested from the RM.
                
> RPCv9 client must honor server's SASL negotiate response
> --------------------------------------------------------
>
>                 Key: HADOOP-9698
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9698
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: ipc
>    Affects Versions: 3.0.0, 2.1.0-beta
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-9698.patch
>
>
> As of HADOOP-9421, a RPCv9 server will advertise its authentication methods.  
> This is meant to support features such as IP failover, better token 
> selection, and interoperability in a heterogeneous security environment.
> Currently the client ignores the negotiate response and just blindly attempts 
> to authenticate instead of choosing a mutually agreeable auth method.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
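
A minimal model of the behaviour discussed in this issue, added here as an illustration (it is not Hadoop code and not taken from HADOOP-9698.patch): the client picks a mutually supported method from the server's advertised list and reuses the server's proto/serverId values instead of the hardcoded empty-string/default tuple. All class and function names, the mechanism names, the `hdfs`/`nn1.example.com` values, and the choice to follow the server's ordering are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass(frozen=True)
class SaslAuth:
    """One entry of a server's negotiate response (hypothetical model)."""
    method: str      # e.g. "TOKEN", "KERBEROS"
    mechanism: str   # SASL mechanism name
    protocol: str    # the "proto" half of the tuple
    server_id: str   # the "serverId" half of the tuple


class NoCommonAuth(Exception):
    """Raised when client and server share no auth method."""


def select_auth(advertised: Sequence[SaslAuth],
                client_methods: Iterable[str]) -> SaslAuth:
    """Return the first advertised auth the client can perform.

    The returned entry is the server's own object, so protocol and
    server_id are exactly what the server specified.
    Assumption: the server lists methods in its preferred order.
    """
    usable = set(client_methods)
    for auth in advertised:
        if auth.method in usable:
            return auth
    raise NoCommonAuth(f"server offers {[a.method for a in advertised]}, "
                       f"client supports {sorted(usable)}")


def hardcoded_token_auth() -> SaslAuth:
    """The client behaviour described in the comment: token auth with the
    proto/serverId tuple fixed to empty-string/default."""
    return SaslAuth("TOKEN", "DIGEST-MD5", "", "default")


def server_accepts(advertised: Sequence[SaslAuth], chosen: SaslAuth) -> bool:
    """Model of the exact-match requirement: negotiation succeeds only if
    the client's values are identical to an advertised entry."""
    return chosen in advertised


# Constructed negotiate response from a server that uses the tuple fields.
ADVERTISED = [
    SaslAuth("TOKEN", "DIGEST-MD5", "hdfs", "nn1.example.com"),
    SaslAuth("KERBEROS", "GSSAPI", "hdfs", "nn1.example.com"),
]
```

In this model a client that echoes the server's entry keeps working if the server later starts populating the fields, while the hardcoded tuple fails the exact-match check.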
