Hao Hao has posted comments on this change. Change subject: KUDU-1875: Refuse unauthenticated connections from publicly routable IP addrs ......................................................................
Patch Set 3: (3 comments) http://gerrit.cloudera.org:8080/#/c/6514/1/src/kudu/rpc/negotiation.cc File src/kudu/rpc/negotiation.cc: Line 68: DEFINE_bool(allow_unauthenticated_public_connections, false, > Figured we'd just use the configured netmask on the local interface. Unfort So looks like we all agree to enable it by default but give users a choice to config trusted subnet? Todd, what do you mean by 'configured netmask on the local interface'? Why is local interface? http://gerrit.cloudera.org:8080/#/c/6514/1/src/kudu/rpc/server_negotiation.cc File src/kudu/rpc/server_negotiation.cc: Line 149: negotiated_authn_ == AuthenticationType::INVALID)) { > The authentication type should never be INVALID at this point (that's just Yeah, initially I thought the same. But it turns out here negotiated_mech_ is not set yet, so we does not know if it is SaslMechanism::PLAIN or not. It appears to me negotiated_mech_ is only set at step 4? Line 685: if (!FLAGS_allow_unauthenticated_public_connections && > I don't think you need to check here, it should be handled correctly by the I am checking here because negotiated_mech_ is only set properly at line 679. Am I missing something? -- To view, visit http://gerrit.cloudera.org:8080/6514 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I6c3fbb5491785874c5701d6c9d866949cfac905e Gerrit-PatchSet: 3 Gerrit-Project: kudu Gerrit-Branch: master Gerrit-Owner: Hao Hao <hao....@cloudera.com> Gerrit-Reviewer: Dan Burkert <danburk...@apache.org> Gerrit-Reviewer: Hao Hao <hao....@cloudera.com> Gerrit-Reviewer: Harsh J <ha...@harshj.com> Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Todd Lipcon <t...@apache.org> Gerrit-HasComments: Yes