hadoop-common-issues mailing list archives

From "Owen O'Malley (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-6419) Change RPC layer to support SASL based mutual authentication
Date Tue, 02 Feb 2010 16:48:18 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-6419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12828662#action_12828662 ]

Owen O'Malley commented on HADOOP-6419:
---------------------------------------

Did you intend to leave all of the logging levels at all in your TestSaslRpc or was that for
your own debugging?

I'd suggest that disposeSasl set the saslClient (or saslServer) to null after it has been
disposed, unless you are sure that disposing of it a second time is ignored.

A quibble is that your regex for splitting principal names would be easier to read as "[/@]"
instead of "(/|@)". It should, however, be pulled out into a utility function, since you do
it in a couple of places in the code.

Does it matter that we don't allow server principals like "a@B.ORG" and insist on "a/c@B.ORG"?
Does SASL insist on it? It is certainly the standard practice, but we are forcing it as a
requirement.

Instead of throwing IOException with an authorization failure, please use hadoop.security.AccessControlException.

> Change RPC layer to support SASL based mutual authentication
> ------------------------------------------------------------
>
>                 Key: HADOOP-6419
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6419
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: c6419-26.patch, c6419-39.patch, c6419-45.patch, c6419-66.patch, c6419-67.patch, c6419-69.patch, c6419-70.patch, c6419-72.patch, c6419-73.patch
>
>
> The authentication mechanism to use will be SASL DIGEST-MD5 (see RFC-2222 and RFC-2831) or SASL GSSAPI/Kerberos. Since J2SE 5, Sun provides a SASL implementation by default. Both our delegation token and job token can be used as credentials for SASL DIGEST-MD5 authentication.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
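
The review comment above asks for the principal-name split to use "[/@]" and to live in one utility function. The following is an added example of such a helper, not code from the HADOOP-6419 patches or from Hadoop; the class name `PrincipalNames` and its methods are hypothetical, and the sample names are constructed from the two forms quoted in the comment.

```java
import java.util.regex.Pattern;

/** Hypothetical helper (name and shape are assumptions, not Hadoop code). */
public final class PrincipalNames {
    // Character class instead of the alternation "(/|@)"; compiled once.
    private static final Pattern SEPARATORS = Pattern.compile("[/@]");

    private PrincipalNames() {}

    /**
     * Splits "primary/instance@REALM" or "primary@REALM" into its components.
     * Limit -1 keeps trailing empty strings, so "a/c@" is rejected instead of
     * silently becoming {"a", "c"}.
     */
    public static String[] split(String principal) {
        String[] parts = SEPARATORS.split(principal, -1);
        if (parts.length < 2 || parts.length > 3) {
            throw new IllegalArgumentException("Malformed principal: " + principal);
        }
        for (String p : parts) {
            if (p.isEmpty()) {
                throw new IllegalArgumentException("Empty component in: " + principal);
            }
        }
        // The regex accepts either separator in any position; rebuilding the
        // name rejects wrong orderings such as "a@B.ORG/c", "a/b/c" or "a/b".
        String rebuilt = parts.length == 3
                ? parts[0] + "/" + parts[1] + "@" + parts[2]
                : parts[0] + "@" + parts[1];
        if (!rebuilt.equals(principal)) {
            throw new IllegalArgumentException("Separators out of order: " + principal);
        }
        return parts;
    }

    /** True only for the three-part form "a/c@B.ORG". */
    public static boolean hasInstance(String principal) {
        return split(principal).length == 3;
    }

    public static void main(String[] args) {
        // Constructed sample names.
        for (String name : new String[] {"a/c@B.ORG", "a@B.ORG", "a/c@", "a@B.ORG/c"}) {
            try {
                System.out.println(name + " -> " + String.join(",", split(name)));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

A caller that requires the instance component can check `hasInstance` explicitly, which keeps that policy decision separate from the parsing.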

