hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jitendra Nath Pandey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-7073) Allow falling back to a non-SASL connection on DataTransferProtocol in several edge cases.
Date Wed, 17 Sep 2014 04:36:34 GMT

    [ https://issues.apache.org/jira/browse/HDFS-7073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14136766#comment-14136766

Jitendra Nath Pandey commented on HDFS-7073:

# We should be able to catch {{SaslDataTransferFallbackException}} instead of specifically
checking the instance type.
# In {{SaslDataTransferClient}} and {{SaslDataTransferServer}}, I think it would be more precise
if we specifically check for 'ignore.secure.ports.for.testing'. 

Overall, the patch looks good to me.

> Allow falling back to a non-SASL connection on DataTransferProtocol in several edge cases.
> ------------------------------------------------------------------------------------------
>                 Key: HDFS-7073
>                 URL: https://issues.apache.org/jira/browse/HDFS-7073
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, hdfs-client, security
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>         Attachments: HDFS-7073.1.patch
> HDFS-2856 implemented general SASL support on DataTransferProtocol.  Part of that work
also included a fallback mode in case the remote cluster is running under a different configuration
without SASL.  I've discovered a few edge case configurations that this did not support:
> * Cluster is unsecured, but has block access tokens enabled.  This is not something I've
seen done in practice, but I've heard historically it has been allowed.  The HDFS-2856 code
relied on seeing an empty block access token to trigger fallback, and this doesn't work if
the unsecured cluster actually is using block access tokens.
> * The DataNode has an unpublicized testing configuration property that could be used
to skip the privileged port check.  However, the HDFS-2856 code is still enforcing requirement
of SASL when the ports are not privileged, so this would force existing configurations to
make changes to activate SASL.
> This patch will restore the old behavior so that these edge case configurations will
continue to work the same way.

This message was sent by Atlassian JIRA

View raw message