Message-ID: <1236501305.328431263877974533.JavaMail.jira@brutus.apache.org>
Date: Tue, 19 Jan 2010 05:12:54 +0000 (UTC)
From: "Kan Zhang (JIRA)"
To: common-issues@hadoop.apache.org
Reply-To: common-issues@hadoop.apache.org
Subject: [jira] Commented: (HADOOP-6419) Change RPC layer to support SASL/token based mutual authentication
In-Reply-To: <1162452186.1260301038197.JavaMail.jira@brutus>
Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm

    [ https://issues.apache.org/jira/browse/HADOOP-6419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802097#action_12802097 ]

Kan Zhang commented on HADOOP-6419:
-----------------------------------

> +1 for client side to start with.

I was trying to re-factor the client side code. However, I feel it might not be worth it under our current code structure. Firstly, since we obtain our sockets from socket channels, a custom socket has to be instantiated by wrapping an existing socket, which leads to a lot of boilerplate code. More importantly, we don't have a framework to plug in a security layer. One possibility is to make the NetUtils class security aware. However, NetUtils isn't a good place since it's just a utility class consisting of all static methods. On the client side, SASL logic is already well captured in a single method, initSASLContext(). I don't think polluting NetUtils would bring much benefit. The server side arguably needs more re-factoring. But NetUtils won't help there since it's only used on the client side. Hence, I suggest we leave factoring out the security layer from Client and Server to a future date when there is a framework to work with.

Attaching a new patch that
1) added a header element to RPC that specifies the authentication method to be used (or none). Part of the existing header (ugi and protocol) will be sent after authentication and in protected form.
2) re-factored Server code to be more readable.

> Change RPC layer to support SASL/token based mutual authentication
> ------------------------------------------------------------------
>
>                 Key: HADOOP-6419
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6419
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: c6419-26.patch
>
>
> The authentication mechanism to use will be SASL DIGEST-MD5 (see RFC-2222 and RFC-2831). Since J2SE 5, Sun provides a SASL implementation by default. Both our delegation token and job token can be used as credentials for SASL DIGEST-MD5 authentication.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
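The exchange the issue and the comment describe, as an added example that is not part of this message or of the c6419-26.patch attachment: a self-contained Java program that uses the JDK's own javax.security.sasl DIGEST-MD5 implementation, with the client and server side run in one process. It shows a token (identifier plus secret) standing in for username and password, a cleartext header element announcing the authentication method before any SASL bytes, the mutual challenge/response handshake, and the remaining header fields sent afterwards in integrity-protected form. The token bytes, the preamble layout, the protocol and server names, the "ugi/protocol" header text and every class and method name are constructed for this example; Hadoop's real token and RPC header formats are not modelled.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.sasl.*;

/** Added example: a token used as the credential for SASL DIGEST-MD5 between an RPC client and server. */
public class TokenDigestMd5Demo {
    // Constructed sample token: the identifier is the DIGEST-MD5 username, the secret is the password.
    static final byte[] TOKEN_ID = "owner=alice,seq=42".getBytes(StandardCharsets.UTF_8);
    static final byte[] TOKEN_SECRET = "constructed-shared-secret".getBytes(StandardCharsets.UTF_8);
    static final String PROTOCOL = "rpc";        // assumed SASL protocol name
    static final String SERVER_NAME = "default"; // assumed server name; the JDK uses it as the realm too

    /** Hypothetical header element sent first, in the clear, naming the authentication method. */
    enum AuthMethod { SIMPLE, TOKEN }

    /** Constructed preamble layout: "rpc", version 1, method ordinal (0 or 1). Anything else is refused. */
    static AuthMethod parsePreamble(byte[] p) throws SaslException {
        if (p.length != 5 || p[0] != 'r' || p[1] != 'p' || p[2] != 'c' || p[3] != 1 || p[4] < 0 || p[4] > 1)
            throw new SaslException("malformed preamble");
        return AuthMethod.values()[p[4]];
    }

    // Base64 keeps arbitrary token bytes inside DIGEST-MD5's text-only username and password fields.
    static String userName() { return Base64.getEncoder().encodeToString(TOKEN_ID); }
    static char[] password() { return Base64.getEncoder().encodeToString(TOKEN_SECRET).toCharArray(); }

    /** Client side: answers the SASL library's callbacks with the token. */
    static final CallbackHandler CLIENT_HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(userName());
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password());
            else if (cb instanceof RealmCallback) ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
            else throw new UnsupportedCallbackException(cb);
        }
    };

    /** Server side: looks the presented identifier up and supplies the matching secret, if it has one. */
    static final CallbackHandler SERVER_HANDLER = callbacks -> {
        String presented = null;
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                presented = ((NameCallback) cb).getDefaultName();
                ((NameCallback) cb).setName(presented);
            } else if (cb instanceof PasswordCallback) {
                // An unknown identifier gets no password, and the library then fails the handshake.
                if (userName().equals(presented)) ((PasswordCallback) cb).setPassword(password());
            } else if (cb instanceof RealmCallback) {
                ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
            } else if (cb instanceof AuthorizeCallback) {
                AuthorizeCallback ac = (AuthorizeCallback) cb; // only act as the identity that authenticated
                ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
                if (ac.isAuthorized()) ac.setAuthorizedID(ac.getAuthorizationID());
            } else throw new UnsupportedCallbackException(cb);
        }
    };

    /** Preamble, mutual DIGEST-MD5 handshake, then the remaining header fields in protected form. */
    static String authenticateAndSendHeader() throws SaslException {
        byte[] preamble = {'r', 'p', 'c', 1, (byte) AuthMethod.TOKEN.ordinal()};
        if (parsePreamble(preamble) != AuthMethod.TOKEN) throw new SaslException("token auth required");

        Map<String, String> props = new HashMap<>();
        props.put(Sasl.QOP, "auth-int");      // integrity-protect everything sent after the handshake
        props.put(Sasl.SERVER_AUTH, "true");  // the client wants the server authenticated as well
        SaslClient client = Sasl.createSaslClient(new String[] {"DIGEST-MD5"}, null, PROTOCOL, SERVER_NAME, props, CLIENT_HANDLER);
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", PROTOCOL, SERVER_NAME, props, SERVER_HANDLER);

        // DIGEST-MD5 has no initial client response: the server sends the nonce challenge, the client answers
        // with a digest over the secret, and the server's final challenge (rspauth) lets the client check
        // that the server knows the secret too, which is what makes the authentication mutual.
        byte[] response = new byte[0];
        while (!server.isComplete()) {
            byte[] challenge = server.evaluateResponse(response);
            if (challenge != null && !client.isComplete()) response = client.evaluateChallenge(challenge);
        }
        if (!client.isComplete()) throw new SaslException("server never proved itself to the client");

        // The rest of the header (constructed "ugi + protocol" text) crosses the wire wrapped, so the
        // server can verify that it arrived unaltered.
        byte[] header = "ugi=alice;protocol=ClientProtocol".getBytes(StandardCharsets.UTF_8);
        byte[] onWire = client.wrap(header, 0, header.length);
        if (!Arrays.equals(server.unwrap(onWire, 0, onWire.length), header)) throw new SaslException("header altered");

        // A modified wrapped buffer must not unwrap to the header: on a MAC mismatch the JDK either
        // throws or returns an empty buffer, and both count as detection here.
        byte[] tampered = client.wrap(header, 0, header.length);
        tampered[0] ^= 0x01;
        boolean detected;
        try { detected = !Arrays.equals(server.unwrap(tampered, 0, tampered.length), header); }
        catch (SaslException e) { detected = true; }

        String summary = "id=" + server.getAuthorizationID() + " qop=" + server.getNegotiatedProperty(Sasl.QOP) + " tamperDetected=" + detected;
        client.dispose(); server.dispose();
        return summary;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(authenticateAndSendHeader()); // id is the base64 of TOKEN_ID, qop=auth-int, tamperDetected=true
    }
}
```

Compile with javac and run with no extra dependencies. Two points worth noticing: the secret itself never crosses the wire, only digests keyed by it, which is why the token secret must be distributed out of band and kept private on both ends; and DIGEST-MD5 has since been moved to Historic status by RFC 6331, so a design built on this pattern today would swap in a different mechanism behind the same announce-method, handshake, then protected-header structure.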