[ 
https://issues.apache.org/jira/browse/AVRO-641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12906142#action_12906142
 ] 

Aaron T. Myers commented on AVRO-641:
-------------------------------------

This implementation is not *quite* a valid SASL protocol. From 
http://www.ietf.org/rfc/rfc2222.txt, a valid SASL protocol must provide:

bq. A definition of the command to initiate the authentication protocol 
exchange.  This command must have as a parameter the mechanism name being 
selected by the client.

This is so that a single server providing SASL authentication may support 
multiple underlying security mechanisms. Whether or not you make a single Avro 
server support multiple mechanisms, it would probably be useful to send the 
mechanism name you intend to use, so this can be checked and rejected in the 
event of mismatch.

The SASL spec also requires that a SASL protocol define "how the server 
indicates completion or failure of the exchange". In the current Avro 
implementation, failure is indicated by disconnecting the socket. Completion 
isn't really indicated, except by proceeding to operate normally. It would 
probably be useful to define this precisely, especially when implementing Avro 
SASL support for other languages.

The protocol which I wrote for Thrift 
(https://issues.apache.org/jira/browse/THRIFT-876) does this, as well as adding 
a definition of how to send additional status data in the event of failure. 
It's modeled after the IMAP SASL protocol 
(http://www.ietf.org/rfc/rfc3501.txt). This spec would probably need a change 
to be useful in Avro, as I don't believe that it could support the anonymous 
protocol as-written without doing an additional round trip.

> add SASL to socket transport
> ----------------------------
>
>                 Key: AVRO-641
>                 URL: https://issues.apache.org/jira/browse/AVRO-641
>             Project: Avro
>          Issue Type: New Feature
>          Components: java
>            Reporter: Doug Cutting
>            Assignee: Doug Cutting
>             Fix For: 1.4.1
>
>         Attachments: AVRO-641.patch, AVRO-641.patch, AVRO-641.patch, 
> AVRO-641.patch, AVRO-641.patch
>
>
> Java's socket transport is non-standard (not in the Avro spec) but might 
> serve as a prototype of a future standard transport (AVRO-341).
> It would be useful to extend it to support SASL-based authentication and 
> encryption.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
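
The two requirements raised in the comment above (the client names its mechanism when it starts the exchange, and the server reports completion or failure explicitly instead of dropping the socket) are sketched below as an added example. It is not code from the AVRO-641 patch or from the Thrift protocol; the status bytes, the framing and all function names are assumptions, and RFC 4616 PLAIN stands in for whichever mechanism is negotiated.

```python
import hmac

# Status bytes and framing are assumptions made for this example.
START, COMPLETE, FAIL = 1, 2, 3
SUPPORTED = {b"PLAIN"}                     # mechanisms this server accepts
USERS = {b"alice": b"constructed-secret"}  # constructed sample credentials


def frame(status, *fields):
    """Encode a message: one status byte, then length-prefixed fields."""
    out = bytes([status])
    for f in fields:
        out += len(f).to_bytes(4, "big") + f
    return out


def parse(msg):
    """Decode a frame into (status, fields); ValueError if malformed."""
    if not msg:
        raise ValueError("empty frame")
    pos, fields = 1, []
    while pos < len(msg):
        n = int.from_bytes(msg[pos:pos + 4], "big")
        end = pos + 4 + n
        if pos + 4 > len(msg) or end > len(msg):
            raise ValueError("truncated frame")
        fields.append(msg[pos + 4:end])
        pos = end
    return msg[0], fields


def server_handle_start(msg):
    """Answer a client START with an explicit COMPLETE or FAIL frame."""
    try:
        status, fields = parse(msg)
    except ValueError as exc:
        return frame(FAIL, str(exc).encode())
    if status != START or len(fields) != 2:
        return frame(FAIL, b"expected START(mechanism, initial response)")
    if fields[0] not in SUPPORTED:  # mismatch is reported, not a silent disconnect
        return frame(FAIL, b"unsupported mechanism: " + fields[0])
    parts = fields[1].split(b"\0")  # RFC 4616 PLAIN: authzid NUL authcid NUL passwd
    if len(parts) != 3:
        return frame(FAIL, b"malformed PLAIN response")
    expected = USERS.get(parts[1])
    if expected is None or not hmac.compare_digest(expected, parts[2]):
        return frame(FAIL, b"authentication failed")
    return frame(COMPLETE)
```

Because every outcome is a frame with a status byte, a client in any language can tell a rejected mechanism from bad credentials from a network failure.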
