[
https://issues.apache.org/jira/browse/HADOOP-9698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13718816#comment-13718816
]
Daryn Sharp commented on HADOOP-9698:
-------------------------------------
bq. It seems from the code that client always sends NEGOTIATE first for sasl
case. IMO, the client should initiate with its preferred auth type and server
should negotiate only if it doesn't support/allow the requested auth type
The negotiate/initiate issue was hashed out in HADOOP-9421. This jira's
headline is about having the client honor the negotiate. The capability for
the client to blindly INITIATE is there, but it's counter to the higher level
goals: IP failover where the client doesn't know the service principal,
improved token selection which may change the proto/serverId.
bq. It is not clear to me why client cannot figure out whether it has the token
for the service. The client should try sasl only if it has tokens for the
service in question
The server should be able to tell the client, or at least hint to it, what
token it wants via the proto/serverId fields instead of the client trying to
guess.
# The current guessing model doesn't work with the default use_ip=true because
multi-interface hosts, NATing, public/private networks, etc will fail to find a
token.
# The use_ip=false case fixes some of those issue, but it's fragile to ensure
client code manipulates the addr correctly. I want out of that janitorial job
- something at the rpc layer prevents user error.
# HA token selection with a failover proxy is convoluted and can be simplified.
bq. Do we always allow fallback if the client wants token with security
disabled but server says simple?
The question is a bit contradictory. It's not what the client wants, but
rather what the server wants. There's no way for the client to know it's
"expected" to use a token. So yes, if a server tells a simple client to do
simple, it will do simple.
> RPCv9 client must honor server's SASL negotiate response
> --------------------------------------------------------
>
> Key: HADOOP-9698
> URL: https://issues.apache.org/jira/browse/HADOOP-9698
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: ipc
> Affects Versions: 3.0.0, 2.1.0-beta
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Blocker
> Attachments: HADOOP-9698.patch
>
>
> As of HADOOP-9421, a RPCv9 server will advertise its authentication methods.
> This is meant to support features such as IP failover, better token
> selection, and interoperability in a heterogenous security environment.
> Currently the client ignores the negotiate response and just blindly attempts
> to authenticate instead of choosing a mutually agreeable auth method.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
