hadoop-common-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9698) RPCv9 client must honor server's SASL negotiate response
Date Wed, 24 Jul 2013 21:01:49 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13718816#comment-13718816 ]

Daryn Sharp commented on HADOOP-9698:
-------------------------------------

bq. It seems from the code that client always sends NEGOTIATE first for sasl case. IMO, the client should initiate with its preferred auth type and server should negotiate only if it doesn't support/allow the requested auth type

The negotiate/initiate issue was hashed out in HADOOP-9421.  This jira's headline is about having the client honor the negotiate.  The capability for the client to blindly INITIATE is there, but it's counter to the higher level goals: IP failover where the client doesn't know the service principal, improved token selection which may change the proto/serverId.

bq. It is not clear to me why client cannot figure out whether it has the token for the service. The client should try sasl only if it has tokens for the service in question

The server should be able to tell the client, or at least hint to it, what token it wants via the proto/serverId fields instead of the client trying to guess.
# The current guessing model doesn't work with the default use_ip=true because multi-interface hosts, NATing, public/private networks, etc will fail to find a token.
# The use_ip=false case fixes some of those issues, but it's fragile to ensure client code manipulates the addr correctly.  I want out of that janitorial job - something at the rpc layer prevents user error.
# HA token selection with a failover proxy is convoluted and can be simplified.

bq. Do we always allow fallback if the client wants token with security disabled but server says simple?

The question is a bit contradictory.  It's not what the client wants, but rather what the server wants.  There's no way for the client to know it's "expected" to use a token.  So yes, if a server tells a simple client to do simple, it will do simple.

> RPCv9 client must honor server's SASL negotiate response
> --------------------------------------------------------
>
>                 Key: HADOOP-9698
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9698
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: ipc
>    Affects Versions: 3.0.0, 2.1.0-beta
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-9698.patch
>
>
> As of HADOOP-9421, a RPCv9 server will advertise its authentication methods.  This is meant to support features such as IP failover, better token selection, and interoperability in a heterogeneous security environment.
> Currently the client ignores the negotiate response and just blindly attempts to authenticate instead of choosing a mutually agreeable auth method.
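The exchange the issue and the comment describe, as an added example that is not part of the original message and not Hadoop's own code: a small model in which the server advertises its auth methods in a NEGOTIATE message and the client picks a mutually agreeable one, selecting its token from the server's protocol/serverId hint instead of guessing from the address, and falling back to SIMPLE when that is all the server offers. The message and field names (NEGOTIATE/INITIATE, method, mechanism, protocol, serverId) follow the thread's vocabulary; the client's preference order, the hostnames, and the token kind are assumptions made for the example. A "blind INITIATE" path is included to show the pre-fix behaviour failing against a simple-auth server.

```python
# Added example, not Hadoop's code. Models the RPCv9 SASL negotiation
# discussed in HADOOP-9698: the client must honor the server's NEGOTIATE.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SaslAuth:
    """One entry in the server's NEGOTIATE list."""
    method: str           # SIMPLE, TOKEN or KERBEROS
    mechanism: str = ""   # SASL mechanism, e.g. DIGEST-MD5 or GSSAPI
    protocol: str = ""    # hint: which token kind the server wants
    server_id: str = ""   # hint: which service the token must be issued for


@dataclass(frozen=True)
class Token:
    kind: str      # matched against SaslAuth.protocol
    service: str   # matched against SaslAuth.server_id


class NoMutualAuth(Exception):
    """Client and server share no usable auth method."""


@dataclass
class Client:
    tokens: List[Token] = field(default_factory=list)
    has_kerberos_creds: bool = False
    # Preference among the methods the server offered (assumed for the example).
    preference: tuple = ("TOKEN", "KERBEROS", "SIMPLE")

    def find_token(self, auth: SaslAuth) -> Optional[Token]:
        # Use the server's protocol/serverId hint rather than guessing from the
        # socket address, which breaks with NAT, multi-homed hosts and HA failover.
        for t in self.tokens:
            if t.kind == auth.protocol and t.service == auth.server_id:
                return t
        return None

    def can_use(self, auth: SaslAuth) -> bool:
        if auth.method == "SIMPLE":
            return True
        if auth.method == "TOKEN":
            return self.find_token(auth) is not None
        if auth.method == "KERBEROS":
            return self.has_kerberos_creds
        return False

    def initiate(self, negotiate: Dict) -> Dict:
        """Honor NEGOTIATE: first usable method in preference order among those
        the server offered; answer with INITIATE."""
        offered = {a.method: a for a in negotiate["auths"]}
        for method in self.preference:
            auth = offered.get(method)
            if auth is not None and self.can_use(auth):
                return {"state": "INITIATE", "method": auth.method,
                        "mechanism": auth.mechanism}
        raise NoMutualAuth("server offers %s; client can use none" % sorted(offered))

    def initiate_blindly(self, preferred: str) -> Dict:
        """Pre-fix behaviour: ignore NEGOTIATE and push the client's own choice."""
        return {"state": "INITIATE", "method": preferred}


@dataclass
class Server:
    offers: List[SaslAuth]

    def negotiate(self) -> Dict:
        return {"state": "NEGOTIATE", "auths": list(self.offers)}

    def accept(self, initiate: Dict) -> str:
        """Return the agreed method, or reject an INITIATE the server never offered."""
        if initiate["method"] not in {a.method for a in self.offers}:
            raise NoMutualAuth("server does not accept " + initiate["method"])
        return initiate["method"]


def handshake(client: Client, server: Server) -> str:
    """Server NEGOTIATE -> client INITIATE -> server decision."""
    return server.accept(client.initiate(server.negotiate()))


# Constructed sample environment; hostnames and token kind are assumed.
NN1 = "nn1.example.com:8020"
SECURE_NN = Server([SaslAuth("TOKEN", "DIGEST-MD5", "HDFS_DELEGATION_TOKEN", NN1),
                    SaslAuth("KERBEROS", "GSSAPI")])
SIMPLE_NN = Server([SaslAuth("SIMPLE")])


def scenario_token_selected() -> str:
    c = Client(tokens=[Token("HDFS_DELEGATION_TOKEN", NN1)])
    return handshake(c, SECURE_NN)  # "TOKEN": hint matched a held token


def scenario_other_token_uses_kerberos() -> str:
    c = Client(tokens=[Token("HDFS_DELEGATION_TOKEN", "nn2.example.com:8020")],
               has_kerberos_creds=True)
    return handshake(c, SECURE_NN)  # "KERBEROS": token is for another service


def scenario_simple_server() -> str:
    c = Client(tokens=[Token("HDFS_DELEGATION_TOKEN", NN1)])
    return handshake(c, SIMPLE_NN)  # "SIMPLE": server says simple, client does simple


def scenario_blind_initiate_rejected() -> bool:
    c = Client(tokens=[Token("HDFS_DELEGATION_TOKEN", NN1)])
    try:
        SIMPLE_NN.accept(c.initiate_blindly("TOKEN"))
    except NoMutualAuth:
        return True  # ignoring NEGOTIATE fails against a simple-auth server
    return False
```

The scenarios map onto the three points in the thread: the token is chosen from the server's hint, a client with no matching token but Kerberos credentials still gets a mutually supported method, and a token-holding client talking to a simple-auth server does SIMPLE rather than failing.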

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
