hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kan Zhang (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-6419) Change RPC layer to support SASL/token based mutual authentication
Date Tue, 19 Jan 2010 05:12:54 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-6419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802097#action_12802097

Kan Zhang commented on HADOOP-6419:

> +1 for client side to start with.
I was trying to re-factor the client side code. However, I feel it might not worth it under
our current code structure. Firstly, since we obtain our sockets from socket channels, a custom
socket has to be instantiated by wrapping an existing socket, which leads to a lot of boilerplate
code. More importantly, we don't have a framework to plug in a security layer. One possibility
is to make NetUtils class security aware. However, NetUtils isn't a good place since it's
just a utility class consisting of all static methods. On the client side, SASL logic is already
well captured in a single method initSASLContext(). I don't think polluting NetUtils would
bring much benefit. The server side arguably needs more re-factoring. But NetUtils won't help
there since it's only used on the client side. Hence, I suggest we leave factoring out security
layer from Client and Server to a future date when there is a framework to work with.

Attaching a new patch that 1) added a header element to RPC that specifies the authentication
method to be used (or none). Part of existing header (ugi and protocol) will be sent after
authentication and in protected form. 2) re-factored Server code to be more readable. 

> Change RPC layer to support SASL/token based mutual authentication
> ------------------------------------------------------------------
>                 Key: HADOOP-6419
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6419
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: c6419-26.patch
> The authentication mechanism to use will be SASL DIGEST-MD5 (see RFC-2222 and RFC-2831).
Since J2SE 5, Sun provides a SASL implementation by default. Both our delegation token and
job token can be used as credentials for SASL DIGEST-MD5 authentication.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message