Dan Burkert has posted comments on this change. ( http://gerrit.cloudera.org:8080/8755 )
Change subject: KUDU-2121: fix SASL PLAIN fallback with rpc-authentication=optional ...................................................................... Patch Set 6: (7 comments) http://gerrit.cloudera.org:8080/#/c/8755/5/src/kudu/integration-tests/security-itest.cc File src/kudu/integration-tests/security-itest.cc: http://gerrit.cloudera.org:8080/#/c/8755/5/src/kudu/integration-tests/security-itest.cc@a185 PS5, Line 185: > nit: maybe, it's worth keeping this line of the description for this test? woops, good call. http://gerrit.cloudera.org:8080/#/c/8755/4/src/kudu/rpc/client_negotiation.cc File src/kudu/rpc/client_negotiation.cc: http://gerrit.cloudera.org:8080/#/c/8755/4/src/kudu/rpc/client_negotiation.cc@809 PS4, Line 809: gss_error_description(minor, GSS_C_MECH_CODE)); > warning: do not use 'else' after 'return' [readability-else-after-return] Done http://gerrit.cloudera.org:8080/#/c/8755/5/src/kudu/rpc/client_negotiation.cc File src/kudu/rpc/client_negotiation.cc: http://gerrit.cloudera.org:8080/#/c/8755/5/src/kudu/rpc/client_negotiation.cc@432 PS5, Line 432: ials are > nit: Should this be "enabled", since GSSAPI is available but just not used? I've tightened up this message to read 'Kerberos credentials are not available', which I think is the clearest way of expressing the error. I also fixed up the other places where this error is created in order to make it more consistent across clients. http://gerrit.cloudera.org:8080/#/c/8755/5/src/kudu/rpc/client_negotiation.cc@789 PS5, Line 789: OM_uint32 messa > nit: maybe, move this under the 'do {} while()' scope below? Done http://gerrit.cloudera.org:8080/#/c/8755/5/src/kudu/rpc/client_negotiation.cc@790 PS5, Line 790: > ditto Done http://gerrit.cloudera.org:8080/#/c/8755/5/src/kudu/rpc/client_negotiation.cc@829 PS5, Line 829: nullptr); > Are we leaking 'cred' if we return here? I don't think so, since we aren't getting an msan memory leak about this, and we do have a test that triggers this early return. That being said, I've reorganized the control flow here just in case there's some corner case not covered by our unit tests. It's a bit less linear, but does now always call release. http://gerrit.cloudera.org:8080/#/c/8755/5/src/kudu/rpc/client_negotiation.cc@834 PS5, Line 834: as to be > nit: remaining_life ? I want to keep it as 'lifetime', because that's what the param is named in the gss_inquire_cred declaration. I have added a comment sentence explaining it's meaning, though. -- To view, visit http://gerrit.cloudera.org:8080/8755 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I3f42f4b7a8ac767ccae439feb1dcd49080827276 Gerrit-Change-Number: 8755 Gerrit-PatchSet: 6 Gerrit-Owner: Dan Burkert <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Dan Burkert <[email protected]> Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Michael Ho <[email protected]> Gerrit-Reviewer: Sailesh Mukil <[email protected]> Gerrit-Reviewer: Tidy Bot Gerrit-Comment-Date: Thu, 07 Dec 2017 19:51:45 +0000 Gerrit-HasComments: Yes
