hadoop-common-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9698) RPCv9 client must honor server's SASL negotiate response
Date Mon, 22 Jul 2013 19:06:50 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9698?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13715543#comment-13715543 ]

Daryn Sharp commented on HADOOP-9698:
-------------------------------------

bq. I don't think this needs to be a blocker but it is a good one to get in.

It's a blocker to avoid another incompatibility.  The client currently hardcodes the SASL
proto/serverId tuple for token auth to empty-string/default.  I plan to use these fields for
server hints for token selection.  If the server and client don't use the exact same values,
negotiation will fail, and introduce an incompatibility with older clients.  In this patch,
the client doesn't actually do anything with the fields but it uses the field values as specified
by the server.

bq. Do you have an example of where ugi contains tokens but security is disabled?

Yarn is moving to tokens regardless of security.  For instance, container tokens are always
used to prevent AMs from launching containers with different resource values than requested
from the RM.
                
> RPCv9 client must honor server's SASL negotiate response
> --------------------------------------------------------
>
>                 Key: HADOOP-9698
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9698
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: ipc
>    Affects Versions: 3.0.0, 2.1.0-beta
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-9698.patch
>
>
> As of HADOOP-9421, an RPCv9 server will advertise its authentication methods.  This is
> meant to support features such as IP failover, better token selection, and interoperability
> in a heterogeneous security environment.
> Currently the client ignores the negotiate response and just blindly attempts to authenticate
> instead of choosing a mutually agreeable auth method.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
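
The behaviour discussed in this message, as an added example that is not part of the original message, the attached patch, or Hadoop's code: a small Python model of a client that picks the first advertised auth method it can satisfy and sends back the server's own proto/serverId values, compared with the hardcoded empty-string/default tuple. The `SaslAuth` field names, the method-to-mechanism mapping, the exact-match acceptance check and all sample values are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SaslAuth:
    # One entry of the server's negotiate response (field names assumed).
    method: str
    mechanism: str
    protocol: str
    server_id: str

class NoMutualAuth(Exception):
    """Raised when no advertised method matches what the client can do."""

# Mechanism the client implements for each method (assumed for this model).
SUPPORTED = {"TOKEN": "DIGEST-MD5", "KERBEROS": "GSSAPI", "SIMPLE": ""}

# The hardcoded tuple described in the comment: proto "" / serverId "default".
LEGACY_TOKEN = SaslAuth("TOKEN", "DIGEST-MD5", "", "default")

def select_auth(offers, credentials):
    """Return the first offer, in server order, that the client can satisfy.

    The offer is returned unchanged, so protocol and server_id are exactly
    the values the server advertised rather than client-side defaults.
    """
    for offer in offers:
        if offer.method not in credentials:
            continue  # no token / ticket / permission for this method
        if SUPPORTED.get(offer.method) != offer.mechanism:
            continue  # method matches but the mechanism is not implemented
        return offer
    # Fail closed: never fall back to a method the server did not advertise.
    raise NoMutualAuth("server offers: %s" % [o.method for o in offers])

def server_accepts(offers, chosen):
    # Model of the exact-match requirement: all four fields must match.
    return chosen in offers

# Constructed negotiate responses (illustrative values only).
SECURE = [SaslAuth("TOKEN", "DIGEST-MD5", "hint-proto", "hint-id"),
          SaslAuth("KERBEROS", "GSSAPI", "svc", "host.example")]
# Security disabled, but tokens still in use (the Yarn case in the comment).
INSECURE_WITH_TOKENS = [SaslAuth("TOKEN", "DIGEST-MD5", "", "default"),
                        SaslAuth("SIMPLE", "", "", "")]

if __name__ == "__main__":
    picked = select_auth(SECURE, {"TOKEN"})
    print("honoring server:", picked, server_accepts(SECURE, picked))
    print("hardcoded tuple accepted:", server_accepts(SECURE, LEGACY_TOKEN))
```

In this model the hardcoded tuple is rejected as soon as the server advertises non-default proto/serverId values, which is the incompatibility the comment wants to avoid.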
