[ https://issues.apache.org/jira/browse/HDFS-7073?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Chris Nauroth updated HDFS-7073: -------------------------------- Attachment: HDFS-7073.2.patch I'm attaching patch v2. This takes a different approach. We detect if the NameNode interaction falls back to simple auth. If so, then we know we need to skip SASL for DataTransferProtocol too. It's a bigger patch than v1, mostly due to mechanical method signature changes. I needed to plumb through the various RPC client and proxy layers to pull back out a flag indicating if fallback to simple auth occurred. In addition to the new tests and existing tests changed in the patch, I also manually tested file write and read from a client running secure configuration to a cluster running unsecure configuration. Jitendra and Yi, how does this look? > Allow falling back to a non-SASL connection on DataTransferProtocol in > several edge cases. > ------------------------------------------------------------------------------------------ > > Key: HDFS-7073 > URL: https://issues.apache.org/jira/browse/HDFS-7073 > Project: Hadoop HDFS > Issue Type: Bug > Components: datanode, hdfs-client, security > Reporter: Chris Nauroth > Assignee: Chris Nauroth > Attachments: HDFS-7073.1.patch, HDFS-7073.2.patch > > > HDFS-2856 implemented general SASL support on DataTransferProtocol. Part of > that work also included a fallback mode in case the remote cluster is running > under a different configuration without SASL. I've discovered a few edge > case configurations that this did not support: > * Cluster is unsecured, but has block access tokens enabled. This is not > something I've seen done in practice, but I've heard historically it has been > allowed. The HDFS-2856 code relied on seeing an empty block access token to > trigger fallback, and this doesn't work if the unsecured cluster actually is > using block access tokens. > * The DataNode has an unpublicized testing configuration property that could > be used to skip the privileged port check. However, the HDFS-2856 code is > still enforcing requirement of SASL when the ports are not privileged, so > this would force existing configurations to make changes to activate SASL. > This patch will restore the old behavior so that these edge case > configurations will continue to work the same way. -- This message was sent by Atlassian JIRA (v6.3.4#6332)