Chris Nauroth created HDFS-7073:
-----------------------------------

             Summary: Allow falling back to a non-SASL connection on DataTransferProtocol in several edge cases.
                 Key: HDFS-7073
                 URL: https://issues.apache.org/jira/browse/HDFS-7073
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: datanode, hdfs-client, security
            Reporter: Chris Nauroth
            Assignee: Chris Nauroth


HDFS-2856 implemented general SASL support on DataTransferProtocol.  Part of 
that work also included a fallback mode in case the remote cluster is running 
under a different configuration without SASL.  I've discovered a few edge case 
configurations that this did not support:

* Cluster is unsecured, but has block access tokens enabled.  This is not 
something I've seen done in practice, but I've heard historically it has been 
allowed.  The HDFS-2856 code relied on seeing an empty block access token to 
trigger fallback, and this doesn't work if the unsecured cluster actually is 
using block access tokens.
* The DataNode has an unpublicized testing configuration property that could be 
used to skip the privileged port check.  However, the HDFS-2856 code is still 
enforcing the requirement of SASL when the ports are not privileged, so this would 
force existing configurations to make changes to activate SASL.

This patch will restore the old behavior so that these edge case configurations 
will continue to work the same way.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)