Return-Path: Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Received: (qmail 4402 invoked from network); 15 Jan 2010 20:33:15 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 15 Jan 2010 20:33:15 -0000 Received: (qmail 68410 invoked by uid 500); 15 Jan 2010 20:33:15 -0000 Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org Received: (qmail 68364 invoked by uid 500); 15 Jan 2010 20:33:15 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-issues@hadoop.apache.org Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 68354 invoked by uid 99); 15 Jan 2010 20:33:15 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 15 Jan 2010 20:33:15 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.140] (HELO brutus.apache.org) (140.211.11.140) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 15 Jan 2010 20:33:14 +0000 Received: from brutus.apache.org (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id 8D783234C4BB for ; Fri, 15 Jan 2010 12:32:54 -0800 (PST) Message-ID: <2116527355.273941263587574578.JavaMail.jira@brutus.apache.org> Date: Fri, 15 Jan 2010 20:32:54 +0000 (UTC) From: "Raghu Angadi (JIRA)" To: common-issues@hadoop.apache.org Subject: [jira] Commented: (HADOOP-6419) Change RPC layer to support SASL/token based mutual authentication In-Reply-To: <1162452186.1260301038197.JavaMail.jira@brutus> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HADOOP-6419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12800898#action_12800898 ] Raghu Angadi commented on HADOOP-6419: -------------------------------------- +1 for client side to start with. It is fairly straight fwd to extend a java.net.Socket through a SocketFactory. But to achieve the same for nio channels transparently requires "SocketChannelFactory" (and "ServerSocketChannelFactory", etc). I don't know of any working examples of such factories that create a custom socket channel that works transparently. I suspect, the reason is that the whole channel interface and implementation in Java is pretty complicated involves multiple classes interacting together. We might have to implement not just our own SocketChannel, but SelectorProvider, Select etc. Many frameworks handle these issues by providing their own i/o api and by adding support for pluggable protocols in a 'chain of control' pattern *above* the socket io layer. In our context, short term we could start with a simple i/o interface (connect, read, write, getChannelForSelect()) that would support pluggable protocol for client and server sides of RPC.. Ideally we would move to NIO framework like netty, but that would much larger effort. In summary, I don't think we can easily implement SocketChannel factories or is the recommended direction to proceed. > Change RPC layer to support SASL/token based mutual authentication > ------------------------------------------------------------------ > > Key: HADOOP-6419 > URL: https://issues.apache.org/jira/browse/HADOOP-6419 > Project: Hadoop Common > Issue Type: New Feature > Components: security > Reporter: Kan Zhang > Assignee: Kan Zhang > Attachments: c6419-26.patch > > > The authentication mechanism to use will be SASL DIGEST-MD5 (see RFC-2222 and RFC-2831). Since J2SE 5, Sun provides a SASL implementation by default. Both our delegation token and job token can be used as credentials for SASL DIGEST-MD5 authentication. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.