[
https://issues.apache.org/jira/browse/HBASE-14865?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Appy updated HBASE-14865:
-------------------------
Release Note:
With this patch, hbase.rpc.protection can now take multiple comma-separated QOP
values. Accepted QOP values remain unchanged and are 'authentication',
'integrity', and 'privacy'. Server or client can use this configuration to
specify their preference (in decreasing order) while negotiating QOP.
This feature can be used to upgrade or downgrade QOP in an online cluster
without compromising availability (i.e. taking the cluster offline). For example, to
change QOP from A to B, typical steps would be:
"A" --> "B,A" --> rolling restart --> "B" --> rolling restart
Sidenote: Based on experimentation, the server's choice is given higher preference
than the client's choice, i.e. if the server's choices are "A,B,C" and the client's
choices are "B,C,A", both A and B are acceptable, but A is chosen.
was:
With this patch, hbase.rpc.protection can now take multiple comma-separated QOP
values. Accepted QOP values remain unchanged and are 'authentication',
'integrity', and 'privacy'. While negotiating QOP, preference order used is
left-to-right.
This feature can be used to upgrade or downgrade QOP in an online cluster
without compromising availability (i.e. taking the cluster offline). For example, to
change QOP from A to B, typical steps would be:
"A" --> "B,A" --> rolling restart --> "B" --> rolling restart
> Support passing multiple QOPs to SaslClient/Server via hbase.rpc.protection
> ---------------------------------------------------------------------------
>
> Key: HBASE-14865
> URL: https://issues.apache.org/jira/browse/HBASE-14865
> Project: HBase
> Issue Type: Improvement
> Components: security
> Reporter: Appy
> Assignee: Appy
> Fix For: 2.0.0
>
> Attachments: 14865-master-v7.patch, HBASE-14865-branch-1.2.patch,
> HBASE-14865-branch-1.patch, HBASE-14865-branch-1.patch,
> HBASE-14865-master-v2.patch, HBASE-14865-master-v3.patch,
> HBASE-14865-master-v4.patch, HBASE-14865-master-v5.patch,
> HBASE-14865-master-v6.patch, HBASE-14865-master-v7.patch,
> HBASE-14865-master.patch
>
>
> Currently, we can set the value of hbase.rpc.protection to one of
> authentication/integrity/privacy. It is then used to set
> {{javax.security.sasl.qop}} in SaslUtil.java.
> The problem is, if a cluster wants to switch from one qop to another, it'll
> have to take a downtime. Rolling upgrade will create a situation where some
> nodes have the old value and some have the new, which'll prevent any communication
> between them. There will be a similar issue when clients try to connect.
> {{javax.security.sasl.qop}} can take in a list of QOPs in preference order.
> So a transition from qop1 to qop2 can be easily done like this
> "qop1" --> "qop2,qop1" --> rolling restart --> "qop2" --> rolling restart
> Need to change hbase.rpc.protection to accept a list too.
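The rollover sequence and the server-preference sidenote from the release note, modelled as an added Java example (not HBase code and not taken from the patch). The class and method names are hypothetical, and negotiation is simplified to "first server preference the peer also lists", which is the behaviour the release note reports from experimentation; `auth`, `auth-int` and `auth-conf` are the standard `javax.security.sasl.qop` tokens.

```java
import java.util.*;

// Added illustration: checks that each stage of a QOP rollover keeps old and new nodes compatible.
public class QopRolloverCheck {
    // hbase.rpc.protection value -> javax.security.sasl.qop token
    static final Map<String, String> SASL_QOP = Map.of(
        "authentication", "auth", "integrity", "auth-int", "privacy", "auth-conf");

    // Translate a comma-separated hbase.rpc.protection value into a SASL QOP list,
    // rejecting unknown entries instead of silently dropping them.
    static String toSaslQop(String rpcProtection) {
        List<String> out = new ArrayList<>();
        for (String v : rpcProtection.split(",")) {
            String q = SASL_QOP.get(v.trim().toLowerCase(Locale.ROOT));
            if (q == null) throw new IllegalArgumentException("unknown QOP: " + v);
            out.add(q);
        }
        return String.join(",", out);
    }

    // Simplified model (assumption): the first server preference that the client also lists wins.
    static Optional<String> negotiate(String serverCfg, String clientCfg) {
        Set<String> client = new HashSet<>(Arrays.asList(toSaslQop(clientCfg).split(",")));
        return Arrays.stream(toSaslQop(serverCfg).split(",")).filter(client::contains).findFirst();
    }

    // During a rolling restart any node may act as server or client towards any other,
    // so the old and new values must share a QOP in both directions.
    static boolean compatible(String oldCfg, String newCfg) {
        return negotiate(oldCfg, newCfg).isPresent() && negotiate(newCfg, oldCfg).isPresent();
    }

    public static void main(String[] args) {
        // Constructed plan: A = authentication, B = privacy ("A" --> "B,A" --> "B").
        String[] plan = {"authentication", "privacy,authentication", "privacy"};
        for (int i = 0; i + 1 < plan.length; i++)
            System.out.printf("%s -> %s : %s%n", plan[i], plan[i + 1],
                compatible(plan[i], plan[i + 1]) ? "mixed cluster can talk" : "no shared QOP");
        // Skipping the intermediate stage leaves old and new nodes with nothing in common.
        System.out.println("direct switch compatible: " + compatible("authentication", "privacy"));
        // Sidenote case: server "A,B,C", client "B,C,A" -> A (auth) is chosen.
        System.out.println(negotiate("authentication,integrity,privacy",
                                     "integrity,privacy,authentication").orElse("none"));
    }
}
```

While the intermediate "B,A" value is deployed, peers that still carry only the old value negotiate the old QOP, so the new protection level is not enforced on every connection until the final "B" stage has been rolled out.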