hadoop-common-issues mailing list archives

From "Kan Zhang (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-6419) Change RPC layer to support SASL based mutual authentication
Date Tue, 02 Feb 2010 23:04:20 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-6419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12828819#action_12828819 ]

Kan Zhang commented on HADOOP-6419:
-----------------------------------

Attached a new patch that incorporated Owen's comments.

bq. Did you intend to leave all of the logging levels at all in your TestSaslRpc or was that
for your own debugging?

I intend to leave the logging levels on for that test. It's helpful for debugging.

bq. unless you are sure that disposing of it a second time is ignored.

Java SASL API says dispose() is idempotent.

bq. A quibble is that your regex for splitting principal names would be easier to read as
"[/@]" instead of "(/|@)". It should however, be pulled out into a utility function, since
you do it a couple of places in the code.

Done.

bq. Does it matter that we don't allow server principals like "a@B.ORG" and insist on "a/c@B.ORG"?
Does SASL insist on it? It is certainly the standard practice, but we are forcing it as a
requirement.

When I tried to call Java SASL API with serverName parameter set to null or "", I got library
exceptions. I think it's better we throw an exception with a meaningful message, rather than
letting the library throw ArrayIndexOutOfBoundsException, etc. If we prefer to let the library
deal with it, let me know and I can remove the checking.

bq. Instead of throwing IOException with an authorization failure, please use hadoop.security.AccessControlException.

Done.


> Change RPC layer to support SASL based mutual authentication
> ------------------------------------------------------------
>
>                 Key: HADOOP-6419
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6419
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: c6419-26.patch, c6419-39.patch, c6419-45.patch, c6419-66.patch,
> c6419-67.patch, c6419-69.patch, c6419-70.patch, c6419-72.patch, c6419-73.patch, c6419-75.patch
>
>
> The authentication mechanism to use will be SASL DIGEST-MD5 (see RFC-2222 and RFC-2831)
> or SASL GSSAPI/Kerberos. Since J2SE 5, Sun provides a SASL implementation by default. Both
> our delegation token and job token can be used as credentials for SASL DIGEST-MD5 authentication.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
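
The principal-name handling discussed in the comment above, as an added example that is not part of the original message and is not code from the HADOOP-6419 patch: a shared helper that splits on `[/@]` and rejects a server principal without a host component with a descriptive message before anything is passed to the SASL library. The class name, method names and the choice of IllegalArgumentException are assumptions made for illustration.

```java
import java.util.Arrays;

/** Added illustration; class and method names are hypothetical, not Hadoop's. */
public class PrincipalNames {

    /** Splits "service/host@REALM" on '/' and '@' using the "[/@]" character class. */
    static String[] splitPrincipal(String principal) {
        if (principal == null || principal.isEmpty()) {
            throw new IllegalArgumentException("Kerberos principal name is null or empty");
        }
        return principal.split("[/@]");
    }

    /**
     * Returns {protocol, serverName}, the two values a caller would hand to
     * javax.security.sasl.Sasl.createSaslClient(...) for the GSSAPI mechanism.
     * A name such as "a@B.ORG" has no host part, so it is rejected here with a
     * clear message instead of surfacing later as a library exception.
     */
    static String[] saslServerId(String principal) {
        String[] parts = splitPrincipal(principal);
        if (parts.length < 3 || parts[0].isEmpty() || parts[1].isEmpty()) {
            throw new IllegalArgumentException(
                "Server principal \"" + principal + "\" is not of the form service/host@REALM");
        }
        return new String[] { parts[0], parts[1] };
    }

    public static void main(String[] args) {
        // Constructed sample principals, including the two forms named in the comment.
        for (String p : new String[] { "a/c@B.ORG", "a@B.ORG", "a/@B.ORG", "" }) {
            try {
                System.out.println("'" + p + "' -> " + Arrays.toString(saslServerId(p)));
            } catch (IllegalArgumentException e) {
                System.out.println("'" + p + "' -> rejected: " + e.getMessage());
            }
        }
    }
}
```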

