[jira] [Commented] (HBASE-14865) Support passing multiple QOPs to SaslClient/Server via hbase.rpc.protection

Fri, 25 Dec 2015 13:02:36 -0800 

    [ 
https://issues.apache.org/jira/browse/HBASE-14865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15071728#comment-15071728
 ] 

Ted Yu commented on HBASE-14865:
--------------------------------

Running tests locally using Java 1.7.0_60, I got several failures which were 
caused by the following:
{code}
testAsyncRpc(org.apache.hadoop.hbase.security.TestSecureRPC)  Time elapsed: 
0.051 sec  <<< ERROR!
java.io.IOException: Login failure for hbase/[email protected] from keytab 
/Users/tyu/trunk/hbase-server/target/test-data/a6b76e6d-77c3-43a0-81b3-39b514f7eb76/keytab:
 javax.security.auth.login.LoginException: Null realm name (601)
        at sun.security.krb5.Realm.parseRealm(Realm.java:174)
        at sun.security.krb5.Realm.<init>(Realm.java:59)
        at sun.security.krb5.PrincipalName.<init>(PrincipalName.java:375)
        at sun.security.krb5.KrbAsReq.<init>(KrbAsReq.java:118)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:268)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:318)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
        at 
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
        at 
com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
{code}
Appy:
Can you see if the above is reproducible on your computer ?

> Support passing multiple QOPs to SaslClient/Server via hbase.rpc.protection
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-14865
>                 URL: https://issues.apache.org/jira/browse/HBASE-14865
>             Project: HBase
>          Issue Type: Improvement
>          Components: security
>            Reporter: Appy
>            Assignee: Appy
>         Attachments: HBASE-14865-branch-1.2.patch, 
> HBASE-14865-branch-1.patch, HBASE-14865-branch-1.patch, 
> HBASE-14865-master-v2.patch, HBASE-14865-master-v3.patch, 
> HBASE-14865-master-v4.patch, HBASE-14865-master-v5.patch, 
> HBASE-14865-master-v6.patch, HBASE-14865-master-v7.patch, 
> HBASE-14865-master.patch
>
>
> Currently, we can set the value of hbase.rpc.protection to one of 
> authentication/integrity/privacy. It is the used to set 
> {{javax.security.sasl.qop}} in SaslUtil.java.
> The problem is, if a cluster wants to switch from one qop to another, it'll 
> have to take a downtime. Rolling upgrade will create a situation where some 
> nodes have old value and some have new, which'll prevent any communication 
> between them. There will be similar issue when clients will try to connect.
> {{javax.security.sasl.qop}} can take in a list of QOP in preferences order. 
> So a transition from qop1 to qop2 can be easily done like this
> "qop1" --> "qop2,qop1" --> rolling restart --> "qop2" --> rolling restart
> Need to change hbase.rpc.protection to accept a list too.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to