You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@kudu.apache.org by al...@apache.org on 2019/11/12 05:56:57 UTC
[kudu] 02/02: KUDU-2989. Work around SASL bug when FQDN is >=64
characters
This is an automated email from the ASF dual-hosted git repository.
alexey pushed a commit to branch branch-1.11.x
in repository https://gitbox.apache.org/repos/asf/kudu.git
commit 3b84cf781aa5e0f7c2c8c4f60a21d82ad7fffb3e
Author: Todd Lipcon <to...@apache.org>
AuthorDate: Thu Oct 31 22:24:10 2019 -0700
KUDU-2989. Work around SASL bug when FQDN is >=64 characters
This adds a workaround for an upstream SASL bug which is triggered when
the FQDN has more than 64 characters. In this case, SASL would truncate
the FQDN and not be able to find the relevant keytab.
The workaround simply uses our own code to determine the FQDN.
Change-Id: I4898814f2f7ab87151798336414dde7078d28a4a
Reviewed-on: http://gerrit.cloudera.org:8080/14609
Reviewed-by: Anurag Mantripragada <an...@cloudera.com>
Reviewed-by: Adar Dembo <ad...@cloudera.com>
Tested-by: Kudu Jenkins
(cherry picked from commit 111b13775193820b3e3551368fe00a8f00387007)
Reviewed-on: http://gerrit.cloudera.org:8080/14687
Reviewed-by: Grant Henke <gr...@apache.org>
Tested-by: Alexey Serbin <as...@cloudera.com>
---
src/kudu/rpc/server_negotiation.cc | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/kudu/rpc/server_negotiation.cc b/src/kudu/rpc/server_negotiation.cc
index 04e08b1..d56282f 100644
--- a/src/kudu/rpc/server_negotiation.cc
+++ b/src/kudu/rpc/server_negotiation.cc
@@ -388,12 +388,25 @@ Status ServerNegotiation::InitSaslServer() {
unsigned secflags = 0;
sasl_conn_t* sasl_conn = nullptr;
+
+ const char* server_fqdn = helper_.server_fqdn();
+ // If not explicitly set, use the host's FQDN here.
+ // SASL handles this itself if we pass null, but in a buggy way[1] that fails
+ // if the FQDN is >64 characters.
+ //
+ // [1] https://github.com/cyrusimap/cyrus-sasl/issues/583
+ string default_server_fqdn;
+ if (!server_fqdn) {
+ RETURN_NOT_OK_PREPEND(GetFQDN(&default_server_fqdn), "could not determine own FQDN");
+ server_fqdn = default_server_fqdn.c_str();
+ }
+
RETURN_NOT_OK_PREPEND(WrapSaslCall(nullptr /* no conn */, [&]() {
return sasl_server_new(
// Registered name of the service using SASL. Required.
sasl_proto_name_.c_str(),
// The fully qualified domain name of this server.
- helper_.server_fqdn(),
+ server_fqdn,
// Permits multiple user realms on server. NULL == use default.
nullptr,
// Local and remote IP address strings. We don't use any mechanisms