[ 
https://issues.apache.org/jira/browse/HBASE-23881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17049676#comment-17049676
 ] 

Josh Elser commented on HBASE-23881:
------------------------------------

Ok, I think I see what the issue is. Seems like this is something unique to the 
PLAIN mechanism.

[http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/beb15266ba1a/src/share/classes/com/sun/security/sasl/PlainClient.java#l100]

The client creates the response to the challenge from the server, which encodes 
the username/password into a challenge, to send it back to the RegionServer.

[https://github.com/apache/hbase/blob/04d789f1a7549f2ae3c25ad4d125601c6b99fdc6/hbase-client/src/main/java/org/apache/hadoop/hbase/security/NettyHBaseSaslRpcClientHandler.java#L114-L117]

Here, we are calling that method (to respond to the initial server challenge), 
immediately checking to see if the SaslClient thinks the handshake is complete.

[http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/beb15266ba1a/src/share/classes/com/sun/security/sasl/PlainClient.java#l138]

But the PlainClient (implements SaslClient) already thinks the handshake was 
successful.

I believe the problem is that the client moves ahead, thinking that the SASL 
handshake is done, but the server throws back an error saying "No, this has 
failed". This _doesn't_ happen for gssapi/krb5 because there's an extra 
challenge/response phase.

> TestShadeSaslAuthenticationProvider failures
> --------------------------------------------
>
>                 Key: HBASE-23881
>                 URL: https://issues.apache.org/jira/browse/HBASE-23881
>             Project: HBase
>          Issue Type: Bug
>          Components: test
>    Affects Versions: 3.0.0, 2.3.0
>            Reporter: Bharath Vissapragada
>            Assignee: Josh Elser
>            Priority: Major
>
> TestShadeSaslAuthenticationProvider now fails deterministically with the 
> following exception:
> {noformat}
> java.lang.Exception: Unexpected exception, 
> expected<org.apache.hadoop.hbase.DoNotRetryIOException> but 
> was<java.io.IOException>
>       at 
> org.apache.hadoop.hbase.security.provider.example.TestShadeSaslAuthenticationProvider.testNegativeAuthentication(TestShadeSaslAuthenticationProvider.java:233)
> {noformat}
> The test now fails in a different place than before merging HBASE-18095 because 
> the RPCs are also a part of connection setup. We might need to rewrite the 
> test.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
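
The behaviour described in the comment above can be reproduced with the JDK's own PLAIN `SaslClient`. This is an added example, not code from HBase or from the Jira thread; the user name, passwords, host name and the `serverVerify` stand-in for the server side are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;

public class PlainCompletesEarly {
    // Constructed stand-in for the server side: accepts only this password.
    static boolean serverVerify(byte[] plainMessage) {
        // RFC 4616 message layout: [authzid] NUL authcid NUL passwd
        String[] f = new String(plainMessage, StandardCharsets.UTF_8).split("\0", -1);
        return f.length == 3 && MessageDigest.isEqual(
            f[2].getBytes(StandardCharsets.UTF_8),
            "correct-password".getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed credentials; the password is deliberately the wrong one.
        CallbackHandler cbh = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName("user1");
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword("wrong-password".toCharArray());
                }
            }
        };
        SaslClient client = Sasl.createSaslClient(new String[] {"PLAIN"}, null,
            "hbase", "regionserver.example", null, cbh);
        if (client == null) {
            throw new IllegalStateException("no PLAIN SaslClient available");
        }

        // PLAIN has a single client message, so one call produces it.
        byte[] response = client.evaluateChallenge(new byte[0]);
        boolean clientDone = client.isComplete();   // set by the client alone
        boolean serverOk = serverVerify(response);  // the verdict arrives later

        System.out.println("client.isComplete() = " + clientDone);
        System.out.println("server accepted     = " + serverOk);
        if (clientDone && !serverOk) {
            System.out.println("isComplete() is not an authentication result; "
                + "wait for the server's outcome before sending RPCs");
        }
    }
}
```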
