Posted to common-issues@hadoop.apache.org by "Daryn Sharp (JIRA)" <ji...@apache.org> on 2012/10/31 18:28:13 UTC

[jira] [Created] (HADOOP-8999) SASL negotiation is flawed

Daryn Sharp created HADOOP-8999:
-----------------------------------

             Summary: SASL negotiation is flawed
                 Key: HADOOP-8999
                 URL: https://issues.apache.org/jira/browse/HADOOP-8999
             Project: Hadoop Common
          Issue Type: Sub-task
          Components: ipc
            Reporter: Daryn Sharp
            Assignee: Daryn Sharp


The RPC protocol used for SASL negotiation is flawed.  The server's RPC response contains the next SASL challenge token, but a SASL server can return null (I'm done) or an N-many byte challenge.  The server currently will not send an RPC success response to the client if the SASL server returns null, which causes the client to hang until it times out.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (HADOOP-8999) SASL negotiation is flawed

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13497088#comment-13497088 ] 

Hudson commented on HADOOP-8999:
--------------------------------

Integrated in Hadoop-Mapreduce-trunk #1257 (See [https://builds.apache.org/job/Hadoop-Mapreduce-trunk/1257/])
    HADOOP-8999. SASL negotiation is flawed (daryn) (Revision 1408837)

     Result = FAILURE
daryn : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1408837
Files : 
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java

                

[jira] [Updated] (HADOOP-8999) SASL negotiation is flawed

Posted by "Daryn Sharp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daryn Sharp updated HADOOP-8999:
--------------------------------

    Status: Patch Available  (was: Open)
    

[jira] [Commented] (HADOOP-8999) SASL negotiation is flawed

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13497068#comment-13497068 ] 

Hudson commented on HADOOP-8999:
--------------------------------

Integrated in Hadoop-Hdfs-trunk #1226 (See [https://builds.apache.org/job/Hadoop-Hdfs-trunk/1226/])
    HADOOP-8999. SASL negotiation is flawed (daryn) (Revision 1408837)

     Result = FAILURE
daryn : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1408837
Files : 
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java

                

[jira] [Commented] (HADOOP-8999) SASL negotiation is flawed

Posted by "Robert Joseph Evans (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496277#comment-13496277 ] 

Robert Joseph Evans commented on HADOOP-8999:
---------------------------------------------

The change looks OK to me.  So the problem is that the wrapper protocol around SASL that we have been using requires that the client not finish (aka isComplete() returns true) after a single challenge, and if it does we need to unconditionally read the response to possibly get the switch to SIMPLE message. Also that the server must reply at least once, again so that all clients both old and new will possibly get the switch to SIMPLE message.

I don't like the special case you put into the server for PLAIN, but I don't see any other way around it without also changing the protocol version like you said previously.

Daryn, could you please file a separate JIRA to fix our SASL wrapper protocol so that we can send the success/failure/switch to SIMPLE message so that we can then plug in any java SASL client/server pair without needing to worry about special cases for them. I know that it would require a protocol version change but I think it is worth it.  Perhaps not for 2.0, but definitely for a 3.0.

+1 feel free to check it in.
                

[jira] [Commented] (HADOOP-8999) SASL negotiation is flawed

Posted by "Daryn Sharp (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496232#comment-13496232 ] 

Daryn Sharp commented on HADOOP-8999:
-------------------------------------

I forgot to mention that tests are not included because the current ones are sufficient to prove this change does not break anything.  When the PLAIN client is activated it will show that the change works.
                

[jira] [Updated] (HADOOP-8999) SASL negotiation is flawed

Posted by "Daryn Sharp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daryn Sharp updated HADOOP-8999:
--------------------------------

    Attachment: HADOOP-8999.patch

Fixing this issue "correctly" by always ending the SASL handshake with a success/failure introduces an rpc incompatibility.  Purely for short-term compatibility, the rpc server will send a final success response to the client if and only if the SASL method is PLAIN.  The client code is also changed to ensure that at least one rpc response is always read.

The reason why the currently supported KERBEROS and DIGEST methods work is they exchange multiple challenge/responses.  This guarantees an exception response or a switch-to-simple message will be read since they will tend to occur on the first exchange.

The PLAIN method however involves a single exchange.  The client sends an initial response and considers itself done - which means no rpc response will be read.  The server handles the response and also considers itself done.  However, the server may have responded with an exception or a switch to simple message.  But the client won't read it until the next proxy call where it will generate a protobuf exception.

Hence why this patch forces the server to send a success response for PLAIN, and to require the client to read at least one rpc so it can read the success or error message from the server.

In the long term, the server should always send a final success response for authentication.  Ideally there should also be an intermediate RPC state for SASL to disambiguate if negotiation is occurring or has completed.
                
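The desync described in the comment above, as an added example that is not part of the original thread and is not Hadoop code: a small in-memory model of a single-exchange (PLAIN-like) mechanism behind an RPC wrapper. All names, the message tuples and the two flags (always_read_one for the client change, send_final_success for the server change) are hypothetical, and the constructed token is sample data.

```python
from collections import deque

SUCCESS, ERROR, SWITCH_TO_SIMPLE = "SUCCESS", "ERROR", "SWITCH_TO_SIMPLE"


class Wire:
    """In-memory stand-in for the socket: server responses queue until read."""

    def __init__(self):
        self.to_client = deque()

    def read(self):
        if not self.to_client:
            # Models the client hanging until its timeout fires.
            raise TimeoutError("client blocked waiting for an RPC response")
        return self.to_client.popleft()


class SingleExchangeServerMech:
    """Models a SASL server whose evaluate_response returns None when done,
    i.e. authentication succeeded and there is no more challenge data."""

    def __init__(self, accept):
        self.accept = accept
        self.complete = False

    def evaluate_response(self, token):
        if not self.accept:
            raise PermissionError("bad credentials")
        self.complete = True
        return None


def server_handle(wire, mech, token, send_final_success, insecure):
    """RPC wrapper on the server side of the negotiation."""
    if insecure:  # server is not doing SASL and tells the client so
        wire.to_client.append((SWITCH_TO_SIMPLE, None))
        return
    try:
        challenge = mech.evaluate_response(token)
    except PermissionError as exc:
        wire.to_client.append((ERROR, str(exc)))
        return
    if challenge is not None:
        wire.to_client.append((SUCCESS, challenge))
    elif send_final_success:
        wire.to_client.append((SUCCESS, b""))  # explicit final success
    # Otherwise: nothing is sent when the mechanism returns None.


def client_negotiate(wire, send, always_read_one):
    """The client sends its initial response and is complete at once."""
    send(b"\0user\0password")  # constructed sample token
    if not always_read_one:
        return "assumed-ok"  # the server's response is never read
    status, payload = wire.read()
    if status == ERROR:
        raise PermissionError(payload)
    return "simple" if status == SWITCH_TO_SIMPLE else "authenticated"


def run(accept, insecure, always_read_one, send_final_success):
    """Returns (client outcome, number of responses left unread on the wire).
    A leftover response is what the next proxy call would misparse."""
    wire = Wire()
    mech = SingleExchangeServerMech(accept)

    def send(token):
        server_handle(wire, mech, token, send_final_success, insecure)

    try:
        outcome = client_negotiate(wire, send, always_read_one)
    except (PermissionError, TimeoutError) as exc:
        outcome = type(exc).__name__
    return outcome, len(wire.to_client)


if __name__ == "__main__":
    cases = [
        ("unread failure", (False, False, False, False)),
        ("unread switch-to-simple", (True, True, False, False)),
        ("client fixed, server silent", (True, False, True, False)),
        ("both fixed", (True, False, True, True)),
    ]
    for label, args in cases:
        print(f"{label:30s} -> {run(*args)}")
```
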

[jira] [Commented] (HADOOP-8999) SASL negotiation is flawed

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13497016#comment-13497016 ] 

Hudson commented on HADOOP-8999:
--------------------------------

Integrated in Hadoop-Yarn-trunk #36 (See [https://builds.apache.org/job/Hadoop-Yarn-trunk/36/])
    HADOOP-8999. SASL negotiation is flawed (daryn) (Revision 1408837)

     Result = SUCCESS
daryn : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1408837
Files : 
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java

                

[jira] [Commented] (HADOOP-8999) SASL negotiation is flawed

Posted by "Daryn Sharp (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13488691#comment-13488691 ] 

Daryn Sharp commented on HADOOP-8999:
-------------------------------------

No, this problem is not related to the other changes.

If the SASL client (the PLAIN client does this) immediately claims it's done, the client code doesn't bother to read the server's RPC response.  For one, this precludes the client interpreting a failure response.  It also prevents a client from interpreting a "switch to simple" response from the server.

So you fix the client and then find the server doesn't send success if the SASL server returns null when it's done instead of a final byte sequence.  The client blocks till it times out.

When either the client or server gets out of sync, a confusing incomplete protobuf exception is thrown.  I'll post a simple (no pun intended!) patch after I finish testing on a secure cluster.
                

[jira] [Commented] (HADOOP-8999) SASL negotiation is flawed

Posted by "Hadoop QA (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13495799#comment-13495799 ] 

Hadoop QA commented on HADOOP-8999:
-----------------------------------

-1 overall.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12553229/HADOOP-8999.patch
  against trunk revision .

    +1 @author.  The patch does not contain any @author tags.

    -1 tests included.  The patch doesn't appear to include any new or modified tests.
                        Please justify why no new tests are needed for this patch.
                        Also please list what manual steps were performed to verify this patch.

    +1 javac.  The applied patch does not increase the total number of javac compiler warnings.

    +1 javadoc.  The javadoc tool did not generate any warning messages.

    +1 eclipse:eclipse.  The patch built with eclipse:eclipse.

    +1 findbugs.  The patch does not introduce any new Findbugs (version 1.3.9) warnings.

    +1 release audit.  The applied patch does not increase the total number of release audit warnings.

    +1 core tests.  The patch passed unit tests in hadoop-common-project/hadoop-common.

    +1 contrib tests.  The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-HADOOP-Build/1734//testReport/
Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/1734//console

This message is automatically generated.
                

[jira] [Commented] (HADOOP-8999) SASL negotiation is flawed

Posted by "Devaraj Das (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496386#comment-13496386 ] 

Devaraj Das commented on HADOOP-8999:
-------------------------------------

I haven't gone through the patch and what it solves but is this problem relevant to branch-1?
                

[jira] [Commented] (HADOOP-8999) SASL negotiation is flawed

Posted by "Daryn Sharp (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496438#comment-13496438 ] 

Daryn Sharp commented on HADOOP-8999:
-------------------------------------

The general problem is present in branch-1, but won't be exposed unless other SASL methods are added to branch-1.
                

[jira] [Commented] (HADOOP-8999) SASL negotiation is flawed

Posted by "Kan Zhang (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13488433#comment-13488433 ] 

Kan Zhang commented on HADOOP-8999:
-----------------------------------

I doubt the null needs to be returned to SaslClient. See the following javadoc for SaslServer. If you hit this problem on trunk, I'd check to see if your recent changes (HADOOP-8783 and HADOOP-8784) caused a mismatch between Client and Server, one is expecting to do SASL, while the other isn't. Just a thought.

{quote}
/**
 * Evaluates the response data and generates a challenge.
 *
 * If a response is received from the client during the authentication
 * process, this method is called to prepare an appropriate next
 * challenge to submit to the client. The challenge is null if the
 * authentication has succeeded and no more challenge data is to be sent
 * to the client. It is non-null if the authentication must be continued
 * by sending a challenge to the client, or if the authentication has
 * succeeded but challenge data needs to be processed by the client.
 * <tt>isComplete()</tt> should be called
 * after each call to <tt>evaluateResponse()</tt>,to determine if any further
 * response is needed from the client.
 *
 * @param response The non-null (but possibly empty) response sent
 * by the client.
 *
 * @return The possibly null challenge to send to the client.
 * It is null if the authentication has succeeded and there is
 * no more challenge data to be sent to the client.
 * @exception SaslException If an error occurred while processing
 * the response or generating a challenge.
 */
public abstract byte[] evaluateResponse(byte[] response)
    throws SaslException;
{quote}
                

[jira] [Commented] (HADOOP-8999) SASL negotiation is flawed

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496339#comment-13496339 ] 

Hudson commented on HADOOP-8999:
--------------------------------

Integrated in Hadoop-trunk-Commit #3010 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/3010/])
    HADOOP-8999. SASL negotiation is flawed (daryn) (Revision 1408837)

     Result = SUCCESS
daryn : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1408837
Files : 
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java
* /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java

                

[jira] [Updated] (HADOOP-8999) SASL negotiation is flawed

Posted by "Daryn Sharp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HADOOP-8999?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daryn Sharp updated HADOOP-8999:
--------------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.3-alpha
                   3.0.0
     Hadoop Flags: Reviewed
           Status: Resolved  (was: Patch Available)

Thanks for the review Bobby, I have committed to trunk and branch-2.
                