Posted to dev@hbase.apache.org by "Josh Elser (Jira)" <ji...@apache.org> on 2022/01/13 22:18:00 UTC

[jira] [Created] (HBASE-26666) Address bearer token being sent over wire before RPC encryption is enabled

Josh Elser created HBASE-26666:
----------------------------------

             Summary: Address bearer token being sent over wire before RPC encryption is enabled
                 Key: HBASE-26666
                 URL: https://issues.apache.org/jira/browse/HBASE-26666
             Project: HBase
          Issue Type: Sub-task
            Reporter: Josh Elser
             Fix For: HBASE-26553


Today, HBase must complete the SASL handshake (saslClient.complete()) prior to turning on any RPC encryption (hbase.rpc.protection=privacy, sasl.QOP=auth-conf).

This is a problem because we have to transmit the bearer token to the server before we can complete the SASL handshake. This would mean that we would insecurely transmit the bearer token (which is equivalent to any other password), which is a bad smell.

Ideally, if we can solve this problem for the OAuth bearer mechanism, we could also apply it to our delegation token interface for DIGEST-MD5 (which, I believe, suffers the same problem).



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
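
The ordering described in this issue can be expressed as a regression check over the frames a client sends. This is an added example, not part of the original message and not HBase code. It assumes the OAUTHBEARER client response layout from RFC 7628 and a hypothetical client-side recorder that yields (sasl_complete, wrapped, payload) tuples; the token and frames are constructed.

```python
import hashlib

KVSEP = b"\x01"  # RFC 7628 key/value separator

def oauthbearer_initial_response(token: str, authzid: str = "") -> bytes:
    """Build the RFC 7628 client response that carries the bearer token."""
    gs2 = b"n," + (b"a=" + authzid.encode() if authzid else b"") + b","
    return gs2 + KVSEP + b"auth=Bearer " + token.encode() + KVSEP + KVSEP

def bearer_token_in(payload: bytes):
    """Return the token bytes if payload parses as an OAUTHBEARER response."""
    head, sep, rest = payload.partition(KVSEP)
    if not sep or not head.startswith(b"n,") or not rest.endswith(KVSEP * 2):
        return None
    for kv in rest[:-2].split(KVSEP):
        key, _, value = kv.partition(b"=")
        if key == b"auth" and value[:7].lower() == b"bearer ":
            return value[7:].strip()
    return None

def audit_handshake(frames):
    """Flag credential frames sent without the SASL security layer.

    frames: ordered (sasl_complete, wrapped, payload) tuples from a
    hypothetical client-side recorder (an assumption, not an HBase API).
    """
    findings = []
    for index, (sasl_complete, wrapped, payload) in enumerate(frames):
        if wrapped:
            continue  # auth-conf applied: payload is ciphertext, nothing to parse
        token = bearer_token_in(payload)
        if token is not None:
            findings.append({
                "frame": index,
                "sasl_complete": sasl_complete,
                # report a fingerprint, never the credential itself
                "token_sha256_prefix": hashlib.sha256(token).hexdigest()[:12],
            })
    return findings

# Constructed sample: the token and both frames are made up for illustration.
SAMPLE_TOKEN = "constructed-example-token"
SAMPLE_FRAMES = [
    # Frame 0: initial response, sent before the handshake is complete, so
    # wrapping is not yet available.
    (False, False, oauthbearer_initial_response(SAMPLE_TOKEN)),
    # Frame 1: first RPC after completion, wrapped (placeholder ciphertext).
    (True, True, b"\x8f\x12\x00\x41"),
]
```

Running audit_handshake(SAMPLE_FRAMES) reports frame 0 only: the token-bearing response went out while sasl_complete was still false, which is the condition this sub-task asks to eliminate.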