Posted to issues@hbase.apache.org by "Sébastien BARNOUD (JIRA)" <ji...@apache.org> on 2019/05/29 09:26:00 UTC

[jira] [Updated] (HBASE-22492) HBase server doesn't preserve SASL sequence number on the network

     [ https://issues.apache.org/jira/browse/HBASE-22492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sébastien BARNOUD updated HBASE-22492:
--------------------------------------
    Description: 
When auth-conf is enabled on RPC, the server encrypts the response in setResponse() using saslServer. The generated cryptogram includes a sequence number managed by saslServer. But then, when the response is sent over the network, the sequence number order is not preserved.

The client receives replies in the wrong order, leading to a log message from DigestMD5Base:
{code:java}
sasl:1481  - DIGEST41:Unmatched MACs

{code}
Then the message is discarded, leading the client to a timeout.

I propose a fix here: [https://github.com/sbarnoud/hbase-release/commit/ce9894ffe0e4039deecd1ed51fa135f64b311d41]

It seems that any HBase 1.x is affected.

This part of the code has been fully rewritten in HBase 2.x, and I haven't done the analysis on HBase 2.x, which may be affected.

  was:
When auth-conf is enabled on RPC, the server encrypts the response in setResponse() using saslServer. The generated cryptogram includes a sequence number managed by saslServer. But then, when the response is sent over the network, the sequence number order is not preserved.

The client receives replies in the wrong order, leading to a log message from DigestMD5Base:
{code:java}
sasl:1481  - DIGEST41:Unmatched MACs

{code}
Then the message is discarded, leading the client to a timeout.


> HBase server doesn't preserve SASL sequence number on the network
> -----------------------------------------------------------------
>
>                 Key: HBASE-22492
>                 URL: https://issues.apache.org/jira/browse/HBASE-22492
>             Project: HBase
>          Issue Type: Bug
>          Components: regionserver
>    Affects Versions: 1.1.2
>         Environment: HDP 2.6.5.108-1
>            Reporter: Sébastien BARNOUD
>            Priority: Major


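The failure described in this issue, as an added example that is not HBase code and not the linked fix: a simplified Python model of a DIGEST-MD5 style integrity check (RFC 2831 MAC over sequence number and message), showing what happens when responses are wrapped in one order and transmitted in another. The class and function names, the session key and the rule that the receiver advances its counter only on a successful check are assumptions of the model.

```python
import hashlib
import hmac
import struct


class IntegrityLayer:
    """One end of a simplified DIGEST-MD5 style integrity layer (model only)."""

    def __init__(self, key: bytes):
        self.key = key
        self.send_seq = 0  # consumed by every wrap()
        self.recv_seq = 0  # sequence number expected on the next unwrap()

    def _mac(self, seq: int, msg: bytes) -> bytes:
        # RFC 2831: first 10 bytes of HMAC-MD5 over (seqnum || msg)
        data = struct.pack(">I", seq) + msg
        return hmac.new(self.key, data, hashlib.md5).digest()[:10]

    def wrap(self, msg: bytes) -> bytes:
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        return msg + self._mac(seq, msg) + b"\x00\x01" + struct.pack(">I", seq)

    def unwrap(self, token: bytes):
        msg, mac = token[:-16], token[-16:-6]
        # The receiver computes the MAC with the number IT expects next.
        if not hmac.compare_digest(mac, self._mac(self.recv_seq, msg)):
            return None  # "Unmatched MACs": the message is discarded
        self.recv_seq += 1  # model assumption: advance only on success
        return msg


KEY = b"constructed-session-key"  # constructed sample value
RESPONSES = [b"response-%d" % i for i in range(3)]  # constructed sample data


def deliver(order):
    """Wrap when each response is built, then transmit in `order`."""
    server, client = IntegrityLayer(KEY), IntegrityLayer(KEY)
    wrapped = [server.wrap(r) for r in RESPONSES]
    return [client.unwrap(wrapped[i]) for i in order]


def deliver_wrapping_at_send(order):
    """Wrap at transmission time, so numbering follows the wire order."""
    server, client = IntegrityLayer(KEY), IntegrityLayer(KEY)
    return [client.unwrap(server.wrap(RESPONSES[i])) for i in order]


if __name__ == "__main__":
    print(deliver([0, 1, 2]))
    print(deliver([1, 0, 2]))
    print(deliver_wrapping_at_send([1, 0, 2]))
```

In the model, a single swap on the wire costs two of the three responses, which matches the client-side timeout reported above; wrapping at transmission time is one way to keep the numbering aligned with the wire order.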
