[ https://issues.apache.org/jira/browse/HADOOP-9698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13718693#comment-13718693 ]

Jitendra Nath Pandey commented on HADOOP-9698:
----------------------------------------------

- It seems from the code that the client always sends NEGOTIATE first for the sasl 
case. IMO, the client should initiate with its preferred auth type and the server 
should negotiate only if it doesn't support/allow the requested auth type, 
otherwise negotiation would happen unnecessarily for the most common case where 
both support the same auth type.
- It is not clear to me why client cannot figure out whether it has the token 
for the service. The client should try sasl only if it has tokens for the 
service in question. It may be possible that the ugi has tokens for one service 
and not for others but security is disabled.
-  Do we always allow fallback if the client wants token with security disabled 
but server says simple?
{code}
+            } else if (UserGroupInformation.isSecurityEnabled() &&
+                       !fallbackAllowed) {
  {code}
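Review bot: in the `else if` condition, `!fallbackAllowed` is only evaluated when `UserGroupInformation.isSecurityEnabled()` is true, so on this branch a client with security disabled never consults the fallback setting. If that is intended, a comment on the branch saying so would help; if not, the `!fallbackAllowed` check should not be gated on the security flag.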
- I would recommend to avoid passing configuration object to SaslRpcClient and 
storing it there.

                
> RPCv9 client must honor server's SASL negotiate response
> --------------------------------------------------------
>
>                 Key: HADOOP-9698
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9698
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: ipc
>    Affects Versions: 3.0.0, 2.1.0-beta
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-9698.patch
>
>
> As of HADOOP-9421, a RPCv9 server will advertise its authentication methods.  
> This is meant to support features such as IP failover, better token 
> selection, and interoperability in a heterogenous security environment.
> Currently the client ignores the negotiate response and just blindly attempts 
> to authenticate instead of choosing a mutually agreeable auth method.
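
An added illustration of the selection the issue asks for, not code from the HADOOP-9698 patch or from Hadoop: the client walks the server's advertised methods, picks the first one it holds credentials for, and refuses a downgrade to SIMPLE under the condition quoted in the comment. All class, enum and parameter names are hypothetical, and treating the advertised order as the server's preference is an assumption.

```java
import java.util.Arrays;
import java.util.List;

// Hypothetical sketch; names are illustrative and are not Hadoop's SaslRpcClient API.
public class AuthSelect {
    enum Auth { TOKEN, KERBEROS, SIMPLE }

    /** Returns the first server-advertised method the client can satisfy. */
    static Auth select(List<Auth> advertised, boolean hasTokenForService,
                       boolean hasKerberosCreds, boolean securityEnabled,
                       boolean fallbackAllowed) {
        for (Auth a : advertised) {   // assumption: list order is server preference
            switch (a) {
                case TOKEN:
                    // Only usable when a token exists for this specific service.
                    if (hasTokenForService) return a;
                    break;
                case KERBEROS:
                    if (hasKerberosCreds) return a;
                    break;
                case SIMPLE:
                    // Same condition as the quoted snippet: a security-enabled
                    // client rejects SIMPLE unless fallback is explicitly allowed.
                    if (securityEnabled && !fallbackAllowed) {
                        throw new SecurityException(
                            "would downgrade to SIMPLE; fallback not allowed");
                    }
                    return a;
            }
        }
        throw new SecurityException("no mutually supported auth method in " + advertised);
    }

    public static void main(String[] args) {
        // Constructed negotiate responses, not captured traffic.
        List<Auth> secure = Arrays.asList(Auth.TOKEN, Auth.KERBEROS);
        List<Auth> insecure = Arrays.asList(Auth.SIMPLE);
        System.out.println(select(secure, false, true, true, false));
        System.out.println(select(secure, true, true, true, false));
        // Security disabled, token held, server says SIMPLE: fallback is taken.
        System.out.println(select(insecure, true, false, false, false));
        try {
            select(insecure, true, true, true, false);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```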
