[
https://issues.apache.org/jira/browse/HBASE-27204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17567308#comment-17567308
]
Szabolcs Bukros commented on HBASE-27204:
-----------------------------------------
[~zhangduo] We were experimenting with a custom rpc client based on the
blocking rpc client that would also support PLAIN auth when we encountered the
issue. Basically I have seen that the PLAIN client sets "completed = true"
at the getInitialResponse() call and, because of this, skips the rest of the
logic in the method. This means if the authentication or the connection fails,
the potential error msg is never read and the application just assumes
everything is all right. The SaslClientAuthenticationProvider is pluggable with
BlockingRpcConnection too, meaning this could happen there too, and I wanted to
provide a fix that would prevent this. Unfortunately I have not fully grasped
the issue and the consequences of my "fix".
> BlockingRpcClient will hang for 20 seconds when SASL is enabled after
> finishing negotiation
> -------------------------------------------------------------------------------------------
>
> Key: HBASE-27204
> URL: https://issues.apache.org/jira/browse/HBASE-27204
> Project: HBase
> Issue Type: Bug
> Components: rpc, sasl, security
> Reporter: Duo Zhang
> Priority: Critical
> Fix For: 2.5.0, 3.0.0-alpha-4, 2.4.14
>
>
> Found this when implementing HBASE-27185. When running TestSecureIPC, if
> BlockingRpcClient is used, the tests will spend much more time compared to
> NettyRpcClient.
> The problem is that, for the normal kerberos authentication, the last step is
> that the client sends a reply to the server, so after the server receives the
> last token, it will not write anything back but expects the client to send
> the connection header.
> In HBASE-24579, for reading the error message, we added a readReply after the
> SaslClient indicates that the negotiation is completed. But as said above,
> for normal cases, we will not write anything back from the server side, so the
> client will hang there and only throw an exception when the timeout is
> reached, which is 20 seconds.
> This nearly makes the BlockingRpcClient unusable when sasl is enabled, as it
> will hang for 20 seconds when connecting...
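The two behaviours discussed in this message, as an added example that is not HBase code and not part of the original comment or issue: the JDK's own `javax.security.sasl` PLAIN client reports completion right after its single initial response, and an unconditional read after completion blocks until the socket timeout when the server writes nothing back. The class name, credentials, loopback stand-in server and the 300 ms timeout (in place of the 20 second one) are assumptions, and no HBase wire framing is used.

```java
import javax.security.auth.callback.*;
import javax.security.sasl.*;
import java.net.*;

// Added demo; class name, credentials and the 300 ms timeout are assumptions.
public class SaslReadAfterComplete {
    public static void main(String[] args) throws Exception {
        // Constructed credentials, supplied to the JDK's PLAIN mechanism.
        CallbackHandler cbh = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName("demo-user");
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword("demo-pass".toCharArray());
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        SaslClient sasl = Sasl.createSaslClient(
            new String[] {"PLAIN"}, null, "demo", "localhost", null, cbh);
        byte[] token = sasl.evaluateChallenge(new byte[0]);
        // PLAIN is single-step: the client is "complete" before the server has answered.
        System.out.println("isComplete after initial response: " + sasl.isComplete());

        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            // Stand-in server: consumes the token, then waits for the next client
            // message without writing anything back (the success path in the report).
            Thread t = new Thread(() -> {
                try (Socket s = server.accept()) {
                    s.getInputStream().read(new byte[256]);
                    Thread.sleep(1000);
                } catch (Exception ignored) { }
            });
            t.setDaemon(true);
            t.start();
            try (Socket c = new Socket(server.getInetAddress(), server.getLocalPort())) {
                c.setSoTimeout(300); // stands in for the 20 second read timeout
                c.getOutputStream().write(token);
                long start = System.nanoTime();
                try {
                    c.getInputStream().read(); // unconditional read after completion
                    System.out.println("server replied");
                } catch (SocketTimeoutException e) {
                    long ms = (System.nanoTime() - start) / 1_000_000;
                    System.out.println("read after completion timed out after " + ms + " ms");
                }
            }
        }
    }
}
```

Skipping that read avoids the stall but leaves a server-side rejection unread when the mechanism completes on its first message, which is the tension between the comment and the issue description.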