[
https://issues.apache.org/jira/browse/KUDU-2121?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16154641#comment-16154641
]
Todd Lipcon commented on KUDU-2121:
-----------------------------------
hm, so I guess the fix is that we should call evaluateChallenge(new byte[0])
just after calling createSaslClient, so we can detect the issue before we
present GSSAPI as an option to the server?
> Java Client chooses GSSAPI SASL mechanism when Kerberos credentials are not
> present
> -----------------------------------------------------------------------------------
>
> Key: KUDU-2121
> URL: https://issues.apache.org/jira/browse/KUDU-2121
> Project: Kudu
> Issue Type: Bug
> Components: java, security
> Affects Versions: 1.4.0
> Reporter: Dan Burkert
>
> I've found an interesting difference in behavior between macos/Oracle JDK
> 8.0_144 and Centos 7/OpenJDK 8.0_121 in the [Sasl mechanism choosing
> code|https://github.com/apache/kudu/blob/2f78643e4979fc8a9499498aa04c7f4ffa0deb61/java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java#L358-L389].
> On macos, it will not choose GSSAPI if Kerberos credentials aren't present,
> because Sasl.createSaslClient will throw a SaslException. On Centos 7 with
> OpenJDK, GSSAPI _will_ be chosen, and the negotiation will fail during the
> first call to
> [saslClient.evaluateChallenge|https://github.com/apache/kudu/blob/2f78643e4979fc8a9499498aa04c7f4ffa0deb61/java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java#L680]
> (again, with a SaslException). I haven't gotten to the bottom of the
> difference in behavior, and whether the platform, JDK version, or both is
> involved.
> Practically, the only effect this has is that unauthenticated clients on the
> Linux/OpenJDK platform will be unable to connect to authentication-optional
> servers, since the server will present GSSAPI as an option, the client will
> choose it, and then fail during evaluateChallenge.
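
The probe suggested in the comment above, as an added example that is not part of the original thread and not Kudu's Negotiator code: each server-offered mechanism is created and, where it has an initial response, asked for its first token before being chosen, so a mechanism that cannot start is skipped. The class and method names, the "kudu"/"localhost" arguments and the PLAIN credentials are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

public class SaslMechanismProbe {
    /** A client that survived the probe, plus the token the probe already produced. */
    static final class Chosen {
        final SaslClient client;
        final byte[] initialResponse; // send this as the first token; do not re-run evaluateChallenge
        Chosen(SaslClient client, byte[] initialResponse) {
            this.client = client;
            this.initialResponse = initialResponse;
        }
    }

    /** Returns the first offered mechanism that can actually produce its first token, or null. */
    static Chosen choose(List<String> serverMechs, String protocol, String host, CallbackHandler cbh) {
        for (String mech : serverMechs) {
            SaslClient client = null;
            try {
                client = Sasl.createSaslClient(new String[] {mech}, null, protocol, host,
                        Collections.<String, Object>emptyMap(), cbh);
                if (client == null) continue; // no provider supports this mechanism
                // Missing credentials may only surface here, not in createSaslClient.
                byte[] initial = client.hasInitialResponse()
                        ? client.evaluateChallenge(new byte[0]) : null;
                return new Chosen(client, initial);
            } catch (SaslException e) {
                System.err.println("skipping " + mech + ": " + e.getMessage());
                if (client != null) {
                    try { client.dispose(); } catch (SaslException ignored) { }
                }
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed credentials, used only if the loop falls through to PLAIN.
        CallbackHandler cbh = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("demo-user");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("demo-pass".toCharArray());
            }
        };
        Chosen c = choose(Arrays.asList("GSSAPI", "PLAIN"), "kudu", "localhost", cbh);
        System.out.println(c == null ? "no usable mechanism" : "chose " + c.client.getMechanismName());
    }
}
```

Because evaluateChallenge advances the client's state, the token returned by the probe has to be kept and sent as the first message of the real negotiation.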