[jira] [Updated] (HBASE-26666) Address bearer token being sent over wire before RPC encryption is enabled

Andor Molnar (Jira) Thu, 24 Feb 2022 06:52:05 -0800


     [ 
https://issues.apache.org/jira/browse/HBASE-26666?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Andor Molnar updated HBASE-26666:
---------------------------------
    Status: Patch Available  (was: Open)

https://github.com/apache/hbase/pull/4125

> Address bearer token being sent over wire before RPC encryption is enabled
> --------------------------------------------------------------------------
>
>                 Key: HBASE-26666
>                 URL: https://issues.apache.org/jira/browse/HBASE-26666
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Josh Elser
>            Assignee: Andor Molnar
>            Priority: Major
>             Fix For: HBASE-26553
>
>
> Today, HBase must complete the SASL handshake (saslClient.complete()) prior 
> to turning on any RPC encryption (hbase.rpc.protection=privacy, 
> sasl.QOP=auth-conf).
> This is a problem because we have to transmit the bearer token to the server 
> before we can complete the sasl handshake. This would mean that we would 
> insecurely transmit the bearer token (which is equivalent to any other 
> password) which is a bad smell.
> Ideally, if we can solve this problem for the oauth bearer mechanism, we 
> could also apply it to our delegation token interface for digest-md5 (which, 
> I believe, suffers the same problem).



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Updated] (HBASE-26666) Address bearer token being sent over wire before RPC encryption is enabled

Reply via email to