[
https://issues.apache.org/jira/browse/HBASE-26666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17509516#comment-17509516
]
Bryan Beaudreault edited comment on HBASE-26666 at 3/20/22, 8:23 PM:
---------------------------------------------------------------------
By the way, I see the fix version here is
[HBASE-26553|https://issues.apache.org/jira/issues/?jql=project+%3D+HBASE+AND+fixVersion+%3D+HBASE-26553].
I realize you're working on a larger feature here, but any chance this can go
to master/branch-2 instead. It's more generally useful for those who want to
work towards TLS/SSL vs SASL
was (Author: bbeaudreault):
By the way, I see the fix version here is
[HBASE-26553|https://issues.apache.org/jira/issues/?jql=project+%3D+HBASE+AND+fixVersion+%3D+HBASE-26553].
I realize you're working on a larger feature here, but any chance this can go
to branch-2 instead. It's more generally useful for those who want to work
towards TLS/SSL vs SASL
> Address bearer token being sent over wire before RPC encryption is enabled
> --------------------------------------------------------------------------
>
> Key: HBASE-26666
> URL: https://issues.apache.org/jira/browse/HBASE-26666
> Project: HBase
> Issue Type: Sub-task
> Reporter: Josh Elser
> Assignee: Andor Molnar
> Priority: Major
> Fix For: HBASE-26553
>
>
> Today, HBase must complete the SASL handshake (saslClient.complete()) prior
> to turning on any RPC encryption (hbase.rpc.protection=privacy,
> sasl.QOP=auth-conf).
> This is a problem because we have to transmit the bearer token to the server
> before we can complete the sasl handshake. This would mean that we would
> insecurely transmit the bearer token (which is equivalent to any other
> password) which is a bad smell.
> Ideally, if we can solve this problem for the oauth bearer mechanism, we
> could also apply it to our delegation token interface for digest-md5 (which,
> I believe, suffers the same problem).
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
