You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kudu.apache.org by al...@apache.org on 2021/12/10 22:30:19 UTC
[kudu] branch branch-1.14.x updated (2f842fc -> 206d269)
This is an automated email from the ASF dual-hosted git repository.
alexey pushed a change to branch branch-1.14.x
in repository https://gitbox.apache.org/repos/asf/kudu.git.
from 2f842fc KUDU-3297 fix RPC negotiations with cyrus-sasl-gssapi-2.1.27-5 and newer
new 837872f KUDU-3297 fix Thrift client used for HMS integration
new 206d269 [java] bump log4j up to 2.15.0 version
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
java/gradle/dependencies.gradle | 2 +-
src/kudu/rpc/client_negotiation.cc | 2 +-
src/kudu/thrift/sasl_client_transport.cc | 23 +++++++++++++----------
3 files changed, 15 insertions(+), 12 deletions(-)
[kudu] 01/02: KUDU-3297 fix Thrift client used for HMS integration
Posted by al...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
alexey pushed a commit to branch branch-1.14.x
in repository https://gitbox.apache.org/repos/asf/kudu.git
commit 837872f55b7b4b1355bf06c2cc82088ed4fd3b3d
Author: Alexey Serbin <al...@apache.org>
AuthorDate: Wed Oct 20 16:39:22 2021 -0700
KUDU-3297 fix Thrift client used for HMS integration
As it turns out, in the context of KUDU-3297, the SASL negotiation code
needs to be updated in one more place:
src/kudu/thrift/sasl_client_transport.cc
I also thought about unifying the code between the Thrift client
and the RPC code to have a single place to have the correct ordering
between the calls EnableProtection() and sasl_client_start(), but after
some consideration I realized it's not worth it.
As for the testing, I verified that before this patch the following
scenarios in hms_client-test were failing every time when running
on RedHat/CentOS 8.4:
* ProtectionTypes/HmsClientTest.TestHmsOperations/1
* ProtectionTypes/HmsClientTest.TestHmsOperations/3
* ProtectionTypes/HmsClientTest.TestLargeObjects/1
* ProtectionTypes/HmsClientTest.TestLargeObjects/3
The output of the failed test scenarios always contained the following:
Bad status: Runtime error: failed to open Hive Metastore connection: SASL(-15): mechanism too weak for this user:
With this patch, all scenarios of the hms_client-test pass when running
on RedHat/CentOS 8.4:
This is a follow-up to fff48ea4e5eadd365a85a05a82f66b3eb76d0b0b.
Change-Id: Ic6af12932647eda7092f9f42a57eb211fe31f062
Reviewed-on: http://gerrit.cloudera.org:8080/17958
Tested-by: Kudu Jenkins
Reviewed-by: Bankim Bhavsar <ba...@cloudera.com>
Reviewed-by: Abhishek Chennaka <ac...@cloudera.com>
Reviewed-by: Attila Bukor <ab...@apache.org>
(cherry picked from commit 0ade8c6f21f0887e90b261ae6b1a57f4a6d1eff1)
Reviewed-on: http://gerrit.cloudera.org:8080/18086
Reviewed-by: Alexey Serbin <as...@cloudera.com>
Tested-by: Alexey Serbin <as...@cloudera.com>
---
src/kudu/rpc/client_negotiation.cc | 2 +-
src/kudu/thrift/sasl_client_transport.cc | 23 +++++++++++++----------
2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/src/kudu/rpc/client_negotiation.cc b/src/kudu/rpc/client_negotiation.cc
index 74f8577..45b3ce3 100644
--- a/src/kudu/rpc/client_negotiation.cc
+++ b/src/kudu/rpc/client_negotiation.cc
@@ -611,7 +611,7 @@ Status ClientNegotiation::SendSaslInitiate() {
&negotiated_mech); // Filled in on success.
}, kDesc);
- if (PREDICT_FALSE(!s.IsIncomplete() && !s.ok())) {
+ if (PREDICT_FALSE(!s.ok() && !s.IsIncomplete())) {
return s;
}
diff --git a/src/kudu/thrift/sasl_client_transport.cc b/src/kudu/thrift/sasl_client_transport.cc
index f12045b..a1766c3 100644
--- a/src/kudu/thrift/sasl_client_transport.cc
+++ b/src/kudu/thrift/sasl_client_transport.cc
@@ -341,11 +341,18 @@ NegotiationStatus SaslClientTransport::ReceiveSaslMessage(faststring* payload) {
}
void SaslClientTransport::SendSaslStart() {
+ auto s = rpc::EnableProtection(sasl_conn_.get(),
+ rpc::SaslProtection::kAuthentication,
+ max_recv_buf_size_);
+ if (PREDICT_FALSE(!s.ok())) {
+ throw SaslException(std::move(s));
+ }
+
const char* init_msg = nullptr;
unsigned init_msg_len = 0;
const char* negotiated_mech = nullptr;
- Status s = WrapSaslCall(sasl_conn_.get(), [&] {
+ s = WrapSaslCall(sasl_conn_.get(), [&] {
return sasl_client_start(
sasl_conn_.get(), // The SASL connection context created by sasl_client_new()
SaslMechanism::name_of(SaslMechanism::GSSAPI), // The mechanism to use.
@@ -355,18 +362,12 @@ void SaslClientTransport::SendSaslStart() {
&negotiated_mech); // Filled in on success.
}, "calling sasl_client_start()");
- if (PREDICT_FALSE(!s.IsIncomplete() && !s.ok())) {
+ if (PREDICT_FALSE(!s.ok() && !s.IsIncomplete())) {
throw SaslException(std::move(s));
}
// Check that the SASL library is using the mechanism that we picked.
DCHECK_EQ(SaslMechanism::value_of(negotiated_mech), SaslMechanism::GSSAPI);
- s = rpc::EnableProtection(sasl_conn_.get(),
- rpc::SaslProtection::kAuthentication,
- max_recv_buf_size_);
- if (!s.ok()) {
- throw SaslException(s);
- }
// These two calls comprise a single message in the thrift-sasl protocol.
SendSaslMessage(TSASL_START, Slice(negotiated_mech));
@@ -374,8 +375,10 @@ void SaslClientTransport::SendSaslStart() {
transport_->flush();
}
-int SaslClientTransport::GetOptionCb(const char* plugin_name, const char* option,
- const char** result, unsigned* len) {
+int SaslClientTransport::GetOptionCb(const char* plugin_name,
+ const char* option,
+ const char** result,
+ unsigned* len) {
return sasl_helper_.GetOptionCb(plugin_name, option, result, len);
}
[kudu] 02/02: [java] bump log4j up to 2.15.0 version
Posted by al...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
alexey pushed a commit to branch branch-1.14.x
in repository https://gitbox.apache.org/repos/asf/kudu.git
commit 206d269387edcd1d34a3f31f4b90ed6620a6f1de
Author: Alexey Serbin <al...@apache.org>
AuthorDate: Fri Dec 10 11:59:32 2021 -0800
[java] bump log4j up to 2.15.0 version
Kudu doesn't use Java for the server-side components, but to keep
various security scanners happy regarding the recent security
vulnerabilities like [1], let's update the log4j package up to the
recently released 2.15.0 version (2021-12-06). Release notes for the
new version of the package is available at [2].
[1] https://logging.apache.org/log4j/2.x/security.html
[2] https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0
Change-Id: Ib7317447f24916795d8f00e3f6c418707c7fd4ff
Reviewed-on: http://gerrit.cloudera.org:8080/18084
Reviewed-by: Andrew Wong <aw...@cloudera.com>
Reviewed-by: Greg Solovyev <gs...@cloudera.com>
Tested-by: Kudu Jenkins
(cherry picked from commit 44e517519e1507eafe58bd9179940160e6934079)
Conflicts:
java/gradle/dependencies.gradle
Reviewed-on: http://gerrit.cloudera.org:8080/18087
Reviewed-by: Alexey Serbin <as...@cloudera.com>
Tested-by: Alexey Serbin <as...@cloudera.com>
---
java/gradle/dependencies.gradle | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/gradle/dependencies.gradle b/java/gradle/dependencies.gradle
index 10aef8b..09f9221 100755
--- a/java/gradle/dependencies.gradle
+++ b/java/gradle/dependencies.gradle
@@ -46,7 +46,7 @@ versions += [
jmh : "1.27",
jsr305 : "3.0.2",
junit : "4.13.1",
- log4j : "2.14.0",
+ log4j : "2.15.0",
micrometer : "1.6.2",
mockito : "3.6.28",
murmur : "1.0.0",