Return-Path: X-Original-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-hdfs-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 9565411DF0 for ; Fri, 19 Sep 2014 06:41:36 +0000 (UTC) Received: (qmail 11044 invoked by uid 500); 19 Sep 2014 06:41:36 -0000 Delivered-To: apmail-hadoop-hdfs-issues-archive@hadoop.apache.org Received: (qmail 10959 invoked by uid 500); 19 Sep 2014 06:41:36 -0000 Mailing-List: contact hdfs-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: hdfs-issues@hadoop.apache.org Delivered-To: mailing list hdfs-issues@hadoop.apache.org Received: (qmail 10850 invoked by uid 99); 19 Sep 2014 06:41:35 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 19 Sep 2014 06:41:35 +0000 Date: Fri, 19 Sep 2014 06:41:35 +0000 (UTC) From: "Chris Nauroth (JIRA)" To: hdfs-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (HDFS-7073) Allow falling back to a non-SASL connection on DataTransferProtocol in several edge cases. MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HDFS-7073?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Chris Nauroth updated HDFS-7073: -------------------------------- Status: Patch Available (was: Open) > Allow falling back to a non-SASL connection on DataTransferProtocol in several edge cases. > ------------------------------------------------------------------------------------------ > > Key: HDFS-7073 > URL: https://issues.apache.org/jira/browse/HDFS-7073 > Project: Hadoop HDFS > Issue Type: Bug > Components: datanode, hdfs-client, security > Reporter: Chris Nauroth > Assignee: Chris Nauroth > Attachments: HDFS-7073.1.patch, HDFS-7073.2.patch > > > HDFS-2856 implemented general SASL support on DataTransferProtocol. Part of that work also included a fallback mode in case the remote cluster is running under a different configuration without SASL. I've discovered a few edge case configurations that this did not support: > * Cluster is unsecured, but has block access tokens enabled. This is not something I've seen done in practice, but I've heard historically it has been allowed. The HDFS-2856 code relied on seeing an empty block access token to trigger fallback, and this doesn't work if the unsecured cluster actually is using block access tokens. > * The DataNode has an unpublicized testing configuration property that could be used to skip the privileged port check. However, the HDFS-2856 code is still enforcing requirement of SASL when the ports are not privileged, so this would force existing configurations to make changes to activate SASL. > This patch will restore the old behavior so that these edge case configurations will continue to work the same way. -- This message was sent by Atlassian JIRA (v6.3.4#6332)