HADOOP-13429. Dispose of unnecessary SASL servers. Contributed by Daryn Sharp.

This commit is contained in:
Kihwal Lee 2016-08-02 10:40:28 -05:00
parent 7fc70c6422
commit b3018e73cc
2 changed files with 20 additions and 5 deletions

View File

@ -1599,6 +1599,9 @@ private void saslProcess(RpcSaslProto saslMessage)
// SASL wrapping is only used if the connection has a QOP, and
// the value is not auth. ex. auth-int & auth-priv
useWrap = (qop != null && !"auth".equalsIgnoreCase(qop));
if (!useWrap) {
disposeSasl();
}
}
}
@ -1692,7 +1695,7 @@ private RpcSaslProto processSaslToken(RpcSaslProto saslMessage)
private void switchToSimple() {
// disable SASL and blank out any SASL server
authProtocol = AuthProtocol.NONE;
saslServer = null;
disposeSasl();
}
private RpcSaslProto buildSaslResponse(SaslState state, byte[] replyToken) {
@ -1731,6 +1734,8 @@ private void disposeSasl() {
try {
saslServer.dispose();
} catch (SaslException ignored) {
} finally {
saslServer = null;
}
}
}
@ -1980,7 +1985,7 @@ private void processConnectionContext(DataInputStream dis)
.getProtocol() : null;
UserGroupInformation protocolUser = ProtoUtil.getUgi(connectionContext);
if (saslServer == null) {
if (authProtocol == AuthProtocol.NONE) {
user = protocolUser;
} else {
// user is authenticated

View File

@ -28,6 +28,7 @@
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ipc.Client.ConnectionId;
import org.apache.hadoop.ipc.Server.Connection;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.*;
import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
@ -271,6 +272,15 @@ private void doDigestRpc(Server server, TestTokenSecretManager sm)
//QOP must be auth
assertEquals(expectedQop.saslQop,
RPC.getConnectionIdForProxy(proxy).getSaslQop());
int n = 0;
for (Connection connection : server.getConnections()) {
// only qop auth should dispose of the sasl server
boolean hasServer = (connection.saslServer != null);
assertTrue("qop:" + expectedQop + " hasServer:" + hasServer,
(expectedQop == QualityOfProtection.AUTHENTICATION) ^ hasServer);
n++;
}
assertTrue(n > 0);
proxy.ping(null, newEmptyRequest());
} finally {
stop(server, proxy);