HADOOP-8999. SASL negotiation is flawed (daryn)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1408837 13f79535-47bb-0310-9956-ffa450edef68
Daryn Sharp 2012-11-13 17:10:13 +00:00
parent 6db6e00649
commit fe8f635b78
3 changed files with 12 additions and 22 deletions


@ -424,6 +424,8 @@ Release 2.0.3-alpha - Unreleased
HADOOP-7115. Add a cache for getpwuid_r and getpwgid_r calls (tucu) HADOOP-7115. Add a cache for getpwuid_r and getpwgid_r calls (tucu)
HADOOP-8999. SASL negotiation is flawed (daryn)
Release 2.0.2-alpha - 2012-09-07 Release 2.0.2-alpha - 2012-09-07
INCOMPATIBLE CHANGES INCOMPATIBLE CHANGES


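--- a/PATH_NOT_ON_PAGE/Server.java
+++ b/PATH_NOT_ON_PAGE/Server.java
@@ -1220,6 +1220,10 @@ public abstract class Server {
 AUDITLOG.warn(AUTH_FAILED_FOR + clientIP + ":" + attemptingUser);
 throw e;
 }
+if (replyToken == null && authMethod == AuthMethod.PLAIN) {
+// client needs at least response to know if it should use SIMPLE
+replyToken = new byte[0];
+}
 if (replyToken != null) {
 if (LOG.isDebugEnabled())
 LOG.debug("Will send token of size " + replyToken.length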
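Review bot: The added guard keys the empty reply on `authMethod == AuthMethod.PLAIN` rather than on the SASL exchange having completed, and its comment does not say why a zero-length token must be written at all: the client changed in this same commit blocks on reading a length and treats `SaslRpcServer.SWITCH_TO_SIMPLE_AUTH` as fallback and `len == 0` with a complete context as success, so a null reply with nothing written would leave it waiting indefinitely. I would expand the comment to `// PLAIN can complete with no server response; send an empty token so the client, which blocks reading for either SWITCH_TO_SIMPLE_AUTH or a final token, learns the exchange is over`. If any other mechanism can likewise finish on the server side with a null token, the same stall would recur, so keying the guard on completion of the server-side SASL context rather than on the mechanism may be more robust; I cannot confirm from this hunk what is in scope. The enclosing method begins and ends outside the hunk.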


@ -145,15 +145,13 @@ public class SaslRpcClient {
byte[] saslToken = new byte[0]; byte[] saslToken = new byte[0];
if (saslClient.hasInitialResponse()) if (saslClient.hasInitialResponse())
saslToken = saslClient.evaluateChallenge(saslToken); saslToken = saslClient.evaluateChallenge(saslToken);
if (saslToken != null) { while (saslToken != null) {
outStream.writeInt(saslToken.length); outStream.writeInt(saslToken.length);
outStream.write(saslToken, 0, saslToken.length); outStream.write(saslToken, 0, saslToken.length);
outStream.flush(); outStream.flush();
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
LOG.debug("Have sent token of size " + saslToken.length LOG.debug("Have sent token of size " + saslToken.length
+ " from initSASLContext."); + " from initSASLContext.");
}
if (!saslClient.isComplete()) {
readStatus(inStream); readStatus(inStream);
int len = inStream.readInt(); int len = inStream.readInt();
if (len == SaslRpcServer.SWITCH_TO_SIMPLE_AUTH) { if (len == SaslRpcServer.SWITCH_TO_SIMPLE_AUTH) {
@ -161,32 +159,18 @@ public class SaslRpcClient {
LOG.debug("Server asks us to fall back to simple auth."); LOG.debug("Server asks us to fall back to simple auth.");
saslClient.dispose(); saslClient.dispose();
return false; return false;
} else if ((len == 0) && saslClient.isComplete()) {
break;
} }
saslToken = new byte[len]; saslToken = new byte[len];
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
LOG.debug("Will read input token of size " + saslToken.length LOG.debug("Will read input token of size " + saslToken.length
+ " for processing by initSASLContext"); + " for processing by initSASLContext");
inStream.readFully(saslToken); inStream.readFully(saslToken);
}
while (!saslClient.isComplete()) {
saslToken = saslClient.evaluateChallenge(saslToken); saslToken = saslClient.evaluateChallenge(saslToken);
if (saslToken != null) { }
if (LOG.isDebugEnabled()) if (!saslClient.isComplete()) { // shouldn't happen
LOG.debug("Will send token of size " + saslToken.length throw new SaslException("Internal negotiation error");
+ " from initSASLContext.");
outStream.writeInt(saslToken.length);
outStream.write(saslToken, 0, saslToken.length);
outStream.flush();
}
if (!saslClient.isComplete()) {
readStatus(inStream);
saslToken = new byte[inStream.readInt()];
if (LOG.isDebugEnabled())
LOG.debug("Will read input token of size " + saslToken.length
+ " for processing by initSASLContext");
inStream.readFully(saslToken);
}
} }
if (LOG.isDebugEnabled()) { if (LOG.isDebugEnabled()) {
LOG.debug("SASL client context established. Negotiated QoP: " LOG.debug("SASL client context established. Negotiated QoP: "