From 683448125e4107a42954eb9e4087a2915eb9f416 Mon Sep 17 00:00:00 2001 From: Aaron Myers Date: Wed, 19 Jun 2013 17:31:41 +0000 Subject: [PATCH] Clean up an IPC error message. Contributed by Aaron T. Myers. git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1494703 13f79535-47bb-0310-9956-ffa450edef68 --- .../apache/hadoop/fs/CommonConfigurationKeys.java | 3 +++ .../src/main/java/org/apache/hadoop/ipc/Client.java | 7 ++++++- .../org/apache/hadoop/security/SaslRpcClient.java | 10 +++++++++- .../src/main/resources/core-default.xml | 13 +++++++++++++ 4 files changed, 31 insertions(+), 2 deletions(-) diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java index daa57af2c9c..c5d86f140a5 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/CommonConfigurationKeys.java @@ -202,5 +202,8 @@ public class CommonConfigurationKeys extends CommonConfigurationKeysPublic { public static final long HADOOP_SECURITY_UID_NAME_CACHE_TIMEOUT_DEFAULT = 4*60*60; // 4 hours + + public static final String IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY = "ipc.client.fallback-to-simple-auth-allowed"; + public static final boolean IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT = false; } diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java index d5a41051872..19e309c93a9 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Client.java 
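Review bot: The two constants added in the `@@ -202,5 +202,8 @@` hunk of CommonConfigurationKeys.java carry no comment, although they decide whether a secure client may drop to SIMPLE (unsecure) authentication. I would put a Javadoc line above the key, e.g. `/** Whether a client configured for secure auth may accept a server's request to fall back to SIMPLE auth. */`, and a short comment on the default noting that `false` makes the client abort the connection instead. The class body starts outside the hunk.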
@@ -108,6 +108,8 @@ public class Client { private int refCount = 1; private final int connectionTimeout; + + private final boolean fallbackAllowed; final static int PING_CALL_ID = -1; @@ -454,7 +456,8 @@ public class Client { private synchronized boolean setupSaslConnection(final InputStream in2, final OutputStream out2) throws IOException { - saslRpcClient = new SaslRpcClient(authMethod, token, serverPrincipal); + saslRpcClient = new SaslRpcClient(authMethod, token, serverPrincipal, + fallbackAllowed); return saslRpcClient.saslConnect(in2, out2); } @@ -1076,6 +1079,8 @@ public class Client { this.socketFactory = factory; this.connectionTimeout = conf.getInt(CommonConfigurationKeys.IPC_CLIENT_CONNECT_TIMEOUT_KEY, CommonConfigurationKeys.IPC_CLIENT_CONNECT_TIMEOUT_DEFAULT); + this.fallbackAllowed = conf.getBoolean(CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY, + CommonConfigurationKeys.IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT); } /** diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java index c0e1a0b52d9..ef97eb528c3 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java @@ -59,6 +59,7 @@ public class SaslRpcClient { public static final Log LOG = LogFactory.getLog(SaslRpcClient.class); private final SaslClient saslClient; + private final boolean fallbackAllowed; /** * Create a SaslRpcClient for an authentication method 
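Review bot: `fallbackAllowed` is read once in the constructor (the `@@ -1076,6 +1079,8 @@` hunk) and then passed to every `SaslRpcClient` created in `setupSaslConnection`, so the switch applies per `Client` and not per remote server. Setting it to true in order to reach one insecure server therefore lets any server this `Client` connects to request the SIMPLE downgrade. If that scope is intended, I would state it at the field, e.g. `// Applies to every connection of this Client; true lets any server request fallback to SIMPLE auth.` The constructor and the callers of `setupSaslConnection` lie outside the hunks, so whether one `Client` is shared across differently configured callers cannot be judged from here.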
@@ -69,8 +70,10 @@ public class SaslRpcClient { * token to use if needed by the authentication method */ public SaslRpcClient(AuthMethod method, - Token token, String serverPrincipal) + Token token, String serverPrincipal, + boolean fallbackAllowed) throws IOException { + this.fallbackAllowed = fallbackAllowed; String saslUser = null; String saslProtocol = null; String saslServerName = null; @@ -155,6 +158,11 @@ public class SaslRpcClient { readStatus(inStream); int len = inStream.readInt(); if (len == SaslRpcServer.SWITCH_TO_SIMPLE_AUTH) { + if (!fallbackAllowed) { + throw new IOException("Server asks us to fall back to SIMPLE " + + "auth, but this client is configured to only allow secure " + + "connections."); + } if (LOG.isDebugEnabled()) LOG.debug("Server asks us to fall back to simple auth."); saslClient.dispose(); diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml index b13826572e4..f56e161d44b 100644 --- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml +++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml @@ -1189,4 +1189,17 @@ + + ipc.client.fallback-to-simple-auth-allowed + false + + When a client is configured to attempt a secure connection, but attempts to + connect to an insecure server, that server may instruct the client to + switch to SASL SIMPLE (unsecure) authentication. This setting controls + whether or not the client will accept this instruction from the server. + When false (the default), the client will not allow the fallback to SIMPLE + authentication, and will abort the connection. + + +
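Review bot: The constructor Javadoc that ends just above the signature in the `@@ -69,8 +70,10 @@` hunk is not updated for the new `fallbackAllowed` parameter. Only its last line is visible, so assuming it uses `@param` tags, I would add `@param fallbackAllowed whether to accept the server's request to switch to SIMPLE auth; when false, saslConnect throws an IOException instead`. The public constructor also changes signature without keeping a three-argument overload. Only the call in Client.java is updated in this patch, so any other caller would stop compiling.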
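Review bot: When `fallbackAllowed` is true, the downgrade in the `@@ -155,6 +158,11 @@` hunk is still recorded only by the existing `LOG.debug(...)` line, so a client configured for secure auth can drop to SIMPLE auth without any trace at default log levels. I would replace the guarded debug call with `LOG.warn("Server asks us to fall back to simple auth.");` so accepted fallbacks can be audited. The new IOException message would be easier to act on if it named the key `ipc.client.fallback-to-simple-auth-allowed`. The throw sits before `saslClient.dispose()` and the rest of the method is outside the hunk, so it should be confirmed that an enclosing handler disposes the client on this path.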
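Review bot: The description added in the core-default.xml hunk explains what `false` does but not what an operator accepts by setting the value to `true`. I would append a sentence such as `When true, any server the client connects to can instruct it to skip secure authentication, so enable this only for clients that must reach insecure clusters.` The property markup is not visible in this rendering of the hunk, so this concerns the description text only.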