joshelser commented on a change in pull request #884: HBASE-23347 Allowable 
custom authentication methods for RPCs
URL: https://github.com/apache/hbase/pull/884#discussion_r354922419
 
 

 ##########
 File path: 
hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/ServerRpcConnection.java
 ##########
 @@ -762,18 +750,17 @@ protected final boolean processPreamble(ByteBuffer 
preambleBuffer) throws IOExce
         return false;
       }
     }
-    if (!this.rpcServer.isSecurityEnabled && authMethod != AuthMethod.SIMPLE) {
-      doRawSaslReply(SaslStatus.SUCCESS, new 
IntWritable(SaslUtil.SWITCH_TO_SIMPLE_AUTH), null,
-        null);
-      authMethod = AuthMethod.SIMPLE;
-      // client has already sent the initial Sasl message and we
-      // should ignore it. Both client and server should fall back
-      // to simple auth from now on.
-      skipInitialSaslHandshake = true;
-    }
-    if (authMethod != AuthMethod.SIMPLE) {
-      useSasl = true;
-    }
+    // TODO can we remove this fallback? Is this even a good idea?
+//    if (!this.rpcServer.isSecurityEnabled && authMethod != 
AuthMethod.SIMPLE) {
+//      doRawSaslReply(SaslStatus.SUCCESS, new 
IntWritable(SaslUtil.SWITCH_TO_SIMPLE_AUTH), null,
+//        null);
+//      authMethod = AuthMethod.SIMPLE;
+//      // client has already sent the initial Sasl message and we
+//      // should ignore it. Both client and server should fall back
+//      // to simple auth from now on.
+//      skipInitialSaslHandshake = true;
+//    }
 
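Review bot: The fallback block under the TODO (the `+//` lines) should not land as commented-out code; either delete it or keep it live, and settle the TODO's question before merge. With the block disabled, a server whose `isSecurityEnabled` is false no longer sends `SaslUtil.SWITCH_TO_SIMPLE_AUTH` to a client whose `authMethod` is not `AuthMethod.SIMPLE`, and nothing in this hunk shows what that client receives instead, so the new behaviour for that case should be explicit (for example a clear rejection) and documented. The hunk also removes the `if (authMethod != AuthMethod.SIMPLE) { useSasl = true; }` assignment with no replacement visible here; please confirm `useSasl` is still set for SASL connections elsewhere in the change.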
 Review comment:
   Yeah, I think that's what this is doing (but need to look more closely). The 
server replies back saying "I'm not using SASL", and the client uses that to 
switch back to SIMPLE, carrying on.
   
   Replication from a secure cluster to an unsecure cluster is one plausible 
use-case. My thinking for clients trying to use Kerberos is that the answer 
should just be "use the correct configs to talk to your hbase cluster". I'm not 
sure if replication is capable of doing that today.
   
   I think this is still an "open item". Need to think more.
