Posted to commits@kudu.apache.org by al...@apache.org on 2019/11/12 05:56:57 UTC

[kudu] 02/02: KUDU-2989. Work around SASL bug when FQDN is >=64 characters

This is an automated email from the ASF dual-hosted git repository.

alexey pushed a commit to branch branch-1.11.x
in repository https://gitbox.apache.org/repos/asf/kudu.git

commit 3b84cf781aa5e0f7c2c8c4f60a21d82ad7fffb3e
Author: Todd Lipcon <to...@apache.org>
AuthorDate: Thu Oct 31 22:24:10 2019 -0700

    KUDU-2989. Work around SASL bug when FQDN is >=64 characters
    
    This adds a workaround for an upstream SASL bug which is triggered when
    the FQDN has more than 64 characters. In this case, SASL would truncate
    the FQDN and not be able to find the relevant keytab.
    
    The workaround simply uses our own code to determine the FQDN.
    
    Change-Id: I4898814f2f7ab87151798336414dde7078d28a4a
    Reviewed-on: http://gerrit.cloudera.org:8080/14609
    Reviewed-by: Anurag Mantripragada <an...@cloudera.com>
    Reviewed-by: Adar Dembo <ad...@cloudera.com>
    Tested-by: Kudu Jenkins
    (cherry picked from commit 111b13775193820b3e3551368fe00a8f00387007)
    Reviewed-on: http://gerrit.cloudera.org:8080/14687
    Reviewed-by: Grant Henke <gr...@apache.org>
    Tested-by: Alexey Serbin <as...@cloudera.com>
---
 src/kudu/rpc/server_negotiation.cc | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/kudu/rpc/server_negotiation.cc b/src/kudu/rpc/server_negotiation.cc
index 04e08b1..d56282f 100644
--- a/src/kudu/rpc/server_negotiation.cc
+++ b/src/kudu/rpc/server_negotiation.cc
@@ -388,12 +388,25 @@ Status ServerNegotiation::InitSaslServer() {
   unsigned secflags = 0;
 
   sasl_conn_t* sasl_conn = nullptr;
+
+  const char* server_fqdn = helper_.server_fqdn();
+  // If not explicitly set, use the host's FQDN here.
+  // SASL handles this itself if we pass null, but in a buggy way[1] that fails
+  // if the FQDN is >64 characters.
+  //
+  // [1] https://github.com/cyrusimap/cyrus-sasl/issues/583
+  string default_server_fqdn;
+  if (!server_fqdn) {
+    RETURN_NOT_OK_PREPEND(GetFQDN(&default_server_fqdn), "could not determine own FQDN");
+    server_fqdn = default_server_fqdn.c_str();
+  }
+
   RETURN_NOT_OK_PREPEND(WrapSaslCall(nullptr /* no conn */, [&]() {
       return sasl_server_new(
           // Registered name of the service using SASL. Required.
           sasl_proto_name_.c_str(),
           // The fully qualified domain name of this server.
-          helper_.server_fqdn(),
+          server_fqdn,
           // Permits multiple user realms on server. NULL == use default.
           nullptr,
           // Local and remote IP address strings. We don't use any mechanisms
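
Review bot: the new comment above `string default_server_fqdn;` says the upstream bug fails when the FQDN is ">64 characters", but the commit subject says ">=64 characters". The comment should state the same threshold as the subject, since the exact-64 boundary is what someone debugging a keytab lookup failure will check first. It would also help to note in that comment that `default_server_fqdn` is declared outside the lambda on purpose, so the pointer taken with `c_str()` stays valid for the duration of the `sasl_server_new` call. The diffstat lists only server_negotiation.cc, so nothing here exercises the fallback path; a test that leaves the server FQDN unset and checks the value passed through would guard against the workaround being dropped later.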