Fix problems with SASL and Kerberos #260
Conversation
|
Hi @jlisickigog, thanks for the report. This sheds some light on some of the issues people have encountered. What version of HDP are you running, out of curiosity? |
| @@ -49,6 +50,17 @@ func (d *SaslDialer) DialContext(ctx context.Context, network, addr string) (net | |||
| // then returns a wrapped connection or any error encountered. In the case of | |||
| // a protection setting of 'authentication', the bare connection is returned. | |||
| func (d *SaslDialer) wrapDatanodeConn(conn net.Conn) (net.Conn, error) { | |||
| if d.SkipSaslForRemotePrivilegedPort { | |||
There was a problem hiding this comment.
Rather than making this configurable, let's just match the behavior of the java code (however objectionable) and leave a long comment.
There was a problem hiding this comment.
Reproducing the behavior of the java client requires explicit separation for Hadoop dfs.encrypt.data.transfer and dfs.data.transfer.protection options in the client options. When dfs.encrypt.data.transfer is set the privileged port feature is disabled and dfs.data.transfer.protection setting is ignored. I can also imagine that the calculation of the Qop level could be delegated to a special strategy that calculates this on the fly taking into account the destination host address. This probably can also cover calculating HighestQopLevel. So in the end, the strategy will expose several methods for the different places where QOP level negotiation takes place.
| @@ -65,3 +65,16 @@ func ParseChallenge(challenge []byte) (*Challenge, error) { | |||
|
|
|||
| return &ch, nil | |||
| } | |||
|
|
|||
| // HighestQopLevel extracts most secure Qop level from the list provided as an argument. | |||
| func HighestQopLevel(qopList []string) string { | |||
There was a problem hiding this comment.
Instead of this function, maybe change the returned challenge to have sorted Qops?
There was a problem hiding this comment.
Hi! Thanks for this great implementation!
I am in exactly the same configuration (HDFS 3.1.1, HDP 3.1.4.0) but have to run on other clusters as well and would love to have this modification merged upstream.
Could you please explain how you would want this to be implemented? I'd happily try to contribute a patch.
BR
HDFS 3.1.1 |
Hello,
PR solves two problems we encountered when trying to use this tool to interact with our cluster. We have HortonWorks with Kerberos.
dfs.data.transfer.protectionparameter should be ignored when DataNode is listening on privileged port, which should cause the connection negotiation process to not send a SASL Handshake.Here is the link to a code which i believe is used by HDFS server.