hadoop-common-issues mailing list archives

From "Robert Joseph Evans (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8999) SASL negotiation is flawed
Date Tue, 13 Nov 2012 16:00:13 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496277#comment-13496277 ]

Robert Joseph Evans commented on HADOOP-8999:

The change looks OK to me.  So the problem is that the wrapper protocol around SASL that we
have been using requires that the client not finish (aka isComplete() returns true) after
a single challenge, and if it does we need to unconditionally read the response to possibly
get the switch to SIMPLE message. Also that the server must reply at least once, again so
that all clients both old and new will possibly get the switch to SIMPLE message.

I don't like the special case you put into the server for PLAIN, but I don't see any other
way around it without also changing the protocol version like you said previously.

Daryn could you please file a separate JIRA to fix our SASL wrapper protocol so that we can
send the success/failure/switch to SIMPLE message so that we can then plug in any Java SASL
client/server pair without needing to worry about special cases for them. I know that it would
require a protocol version change but I think it is worth it.  Perhaps not for 2.0, but definitely
for a 3.0.

+1 feel free to check it in.
> SASL negotiation is flawed
> --------------------------
>                 Key: HADOOP-8999
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8999
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: ipc
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>         Attachments: HADOOP-8999.patch
>
> The RPC protocol used for SASL negotiation is flawed.  The server's RPC response contains
> the next SASL challenge token, but a SASL server can return null (I'm done) or a N-many byte
> challenge.  The server currently will not send a RPC success response to the client if the
> SASL server returns null, which causes the client to hang until it times out.
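
A small model of the hang described in the issue summary above, added here as an illustration; it is not Hadoop code and not part of the original message. The status names, the framing and `ToyMechanism` are assumptions made for the model, which compares a server that skips the reply when the mechanism returns null with one that always replies.

```python
import queue

# Status names and framing are assumptions for this model, not Hadoop's wire format.
CHALLENGE, SUCCESS = "CHALLENGE", "SUCCESS"

class ToyMechanism:
    """Server-side SASL stand-in: issues `rounds` challenges, then finishes."""
    def __init__(self, rounds, final_token):
        self.rounds, self.final_token, self.complete = rounds, final_token, False

    def evaluate_response(self, client_token):
        if self.rounds > 0:
            self.rounds -= 1
            return b"challenge"
        self.complete = True
        return self.final_token      # None means "I'm done, nothing more to say"

def server_reply(mech, client_token, always_reply):
    """Frames the server writes in answer to one client token."""
    token = mech.evaluate_response(client_token)
    if token is None and not always_reply:
        return []                    # the flaw: no RPC response when SASL returns null
    return [(SUCCESS if mech.complete else CHALLENGE, token or b"")]

def negotiate(mech, always_reply, timeout=0.1):
    """Client loop: send a token, then block on the server's reply."""
    wire = queue.Queue()             # in-memory stand-in for the connection
    for _ in range(10):              # bound the loop for the model
        for frame in server_reply(mech, b"client-token", always_reply):
            wire.put(frame)
        try:
            status, _ = wire.get(timeout=timeout)
        except queue.Empty:
            return "TIMEOUT"         # client hung waiting for a response
        if status == SUCCESS:
            return SUCCESS
    return "TOO_MANY_ROUNDS"

if __name__ == "__main__":
    # Constructed cases: mechanism ending with a final token vs. ending with null.
    for final in (b"final", None):
        for always in (False, True):
            print(final, always, negotiate(ToyMechanism(1, final), always))
```

In this model a mechanism whose last step returns a token completes against either server, while one whose last step returns null only completes when the server replies unconditionally.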
