Posted to commits@kudu.apache.org by ab...@apache.org on 2021/11/16 20:45:46 UTC

[kudu] branch branch-1.15.x updated: KUDU-3297 fix Thrift client used for HMS integration

This is an automated email from the ASF dual-hosted git repository.

abukor pushed a commit to branch branch-1.15.x
in repository https://gitbox.apache.org/repos/asf/kudu.git


The following commit(s) were added to refs/heads/branch-1.15.x by this push:
     new e45135f  KUDU-3297 fix Thrift client used for HMS integration
e45135f is described below

commit e45135f3aa1f1fe47ebfe991d573bb0f5efbd261
Author: Alexey Serbin <al...@apache.org>
AuthorDate: Wed Oct 20 16:39:22 2021 -0700

    KUDU-3297 fix Thrift client used for HMS integration
    
    As it turns out, in the context of KUDU-3297, the SASL negotiation code
    needs to be updated in one more place:
      src/kudu/thrift/sasl_client_transport.cc
    
    I also thought about unifying the code between the Thrift client
    and the RPC code to have a single place to have the correct ordering
    between the calls EnableProtection() and sasl_client_start(), but after
    some consideration I realized it's not worth it.
    
    As for the testing, I verified that before this patch the following
    scenarios in hms_client-test were failing every time when running
    on RedHat/CentOS 8.4:
      * ProtectionTypes/HmsClientTest.TestHmsOperations/1
      * ProtectionTypes/HmsClientTest.TestHmsOperations/3
      * ProtectionTypes/HmsClientTest.TestLargeObjects/1
      * ProtectionTypes/HmsClientTest.TestLargeObjects/3
    The output of the failed test scenarios always contained the following:
      Bad status: Runtime error: failed to open Hive Metastore connection: SASL(-15): mechanism too weak for this user:
    
    With this patch, all scenarios of the hms_client-test pass when running
    on RedHat/CentOS 8.4.
    
    This is a follow-up to fff48ea4e5eadd365a85a05a82f66b3eb76d0b0b.
    
    Change-Id: Ic6af12932647eda7092f9f42a57eb211fe31f062
    Reviewed-on: http://gerrit.cloudera.org:8080/17958
    Tested-by: Kudu Jenkins
    Reviewed-by: Bankim Bhavsar <ba...@cloudera.com>
    Reviewed-by: Abhishek Chennaka <ac...@cloudera.com>
    Reviewed-by: Attila Bukor <ab...@apache.org>
    Reviewed-on: http://gerrit.cloudera.org:8080/18026
    Tested-by: Alexey Serbin <as...@cloudera.com>
---
 src/kudu/rpc/client_negotiation.cc       |  2 +-
 src/kudu/thrift/sasl_client_transport.cc | 23 +++++++++++++----------
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/src/kudu/rpc/client_negotiation.cc b/src/kudu/rpc/client_negotiation.cc
index 7c3992b..2154394 100644
--- a/src/kudu/rpc/client_negotiation.cc
+++ b/src/kudu/rpc/client_negotiation.cc
@@ -607,7 +607,7 @@ Status ClientNegotiation::SendSaslInitiate() {
           &negotiated_mech);                        // Filled in on success.
   }, kDesc);
 
-  if (PREDICT_FALSE(!s.IsIncomplete() && !s.ok())) {
+  if (PREDICT_FALSE(!s.ok() && !s.IsIncomplete())) {
     return s;
   }
 
diff --git a/src/kudu/thrift/sasl_client_transport.cc b/src/kudu/thrift/sasl_client_transport.cc
index f12045b..a1766c3 100644
--- a/src/kudu/thrift/sasl_client_transport.cc
+++ b/src/kudu/thrift/sasl_client_transport.cc
@@ -341,11 +341,18 @@ NegotiationStatus SaslClientTransport::ReceiveSaslMessage(faststring* payload) {
 }
 
 void SaslClientTransport::SendSaslStart() {
+  auto s = rpc::EnableProtection(sasl_conn_.get(),
+                                 rpc::SaslProtection::kAuthentication,
+                                 max_recv_buf_size_);
+  if (PREDICT_FALSE(!s.ok())) {
+    throw SaslException(std::move(s));
+  }
+
   const char* init_msg = nullptr;
   unsigned init_msg_len = 0;
   const char* negotiated_mech = nullptr;
 
-  Status s = WrapSaslCall(sasl_conn_.get(), [&] {
+  s = WrapSaslCall(sasl_conn_.get(), [&] {
       return sasl_client_start(
           sasl_conn_.get(),            // The SASL connection context created by sasl_client_new()
           SaslMechanism::name_of(SaslMechanism::GSSAPI), // The mechanism to use.
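Review bot: The EnableProtection() call added at the top of SendSaslStart() has no comment saying it must run before sasl_client_start(), so a later cleanup could move it back below the start call and bring back the `SASL(-15): mechanism too weak for this user` failure quoted in the commit message. I would add a comment above the call such as `// Security properties must be set before sasl_client_start(); see KUDU-3297.` Presumably the SASL library only takes the requested protection level into account if the properties are already set when the exchange starts, which would also decide whether the intended protection is actually negotiated; confirm that and say so in the comment. SendSaslStart() continues outside this hunk.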
@@ -355,18 +362,12 @@ void SaslClientTransport::SendSaslStart() {
           &negotiated_mech);                             // Filled in on success.
   }, "calling sasl_client_start()");
 
-  if (PREDICT_FALSE(!s.IsIncomplete() && !s.ok())) {
+  if (PREDICT_FALSE(!s.ok() && !s.IsIncomplete())) {
     throw SaslException(std::move(s));
   }
 
   // Check that the SASL library is using the mechanism that we picked.
   DCHECK_EQ(SaslMechanism::value_of(negotiated_mech), SaslMechanism::GSSAPI);
-  s = rpc::EnableProtection(sasl_conn_.get(),
-                            rpc::SaslProtection::kAuthentication,
-                            max_recv_buf_size_);
-  if (!s.ok()) {
-    throw SaslException(s);
-  }
 
   // These two calls comprise a single message in the thrift-sasl protocol.
   SendSaslMessage(TSASL_START, Slice(negotiated_mech));
@@ -374,8 +375,10 @@ void SaslClientTransport::SendSaslStart() {
   transport_->flush();
 }
 
-int SaslClientTransport::GetOptionCb(const char* plugin_name, const char* option,
-                                     const char** result, unsigned* len) {
+int SaslClientTransport::GetOptionCb(const char* plugin_name,
+                                     const char* option,
+                                     const char** result,
+                                     unsigned* len) {
   return sasl_helper_.GetOptionCb(plugin_name, option, result, len);
 }