HBASE-24263 TestDelegationToken is broken (#1587)

This commit is contained in:
Duo Zhang 2020-04-26 11:43:51 +08:00 committed by GitHub
parent 8774614a8c
commit e96ad0ac1e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 21 deletions

View File

@ -89,23 +89,17 @@ public abstract class AbstractHBaseSaslRpcClient {
}
/**
* Computes the initial response a client sends to a server to begin the SASL
* challenge/response handshake. If the client's SASL mechanism does not require
* that an initial response is sent to begin the handshake, this method will return
* a null byte array, indicating no initial response needs to be sent by this client.
*
* It is unclear as to whether all SASL implementations will return a non-empty initial
* response, so this implementation is written such that this is allowed. All known
* SASL mechanism implementations in the JDK provide non-empty initial responses.
*
* @return The client's initial response to send the server (which may be empty), or null
* if this implementation does not require an initial response to be sent.
* Computes the initial response a client sends to a server to begin the SASL challenge/response
* handshake. If the client's SASL mechanism does not have an initial response, an empty token
* will be returned without querying the evaluateChallenge method, as an authentication processing
* must be started by client.
* @return The client's initial response to send the server (which may be empty).
*/
public byte[] getInitialResponse() throws SaslException {
if (saslClient.hasInitialResponse()) {
return saslClient.evaluateChallenge(EMPTY_TOKEN);
}
return null;
return EMPTY_TOKEN;
}
public boolean isComplete() {

View File

@ -119,21 +119,19 @@ public class NettyHBaseSaslRpcClientHandler extends SimpleChannelInboundHandler<
return saslRpcClient.getInitialResponse();
}
});
if (initialResponse != null) {
writeResponse(ctx, initialResponse);
} else {
LOG.trace("SASL initialResponse was null, not sending response to server.");
}
assert initialResponse != null;
writeResponse(ctx, initialResponse);
// HBASE-23881 We do not want to check if the SaslClient thinks the handshake is
// complete as, at this point, we've not heard a back from the server with it's reply
// to our first challenge response. We should wait for at least one reply
// from the server before calling negotiation complete.
//
// Each SASL mechanism has its own handshake. Some mechanisms calculate a single client buffer
// to be sent to the server while others have multiple exchanges to negotiate authentication. GSSAPI(Kerberos)
// and DIGEST-MD5 both are examples of mechanisms which have multiple steps. Mechanisms which have multiple steps
// will not return true on `SaslClient#isComplete()` until the handshake has fully completed. Mechanisms which
// only send a single buffer may return true on `isComplete()` after that initial response is calculated.
// to be sent to the server while others have multiple exchanges to negotiate authentication.
// GSSAPI(Kerberos) and DIGEST-MD5 both are examples of mechanisms which have multiple steps.
// Mechanisms which have multiple steps will not return true on `SaslClient#isComplete()`
// until the handshake has fully completed. Mechanisms which only send a single buffer may
// return true on `isComplete()` after that initial response is calculated.
} catch (Exception e) {
// the exception thrown by handlerAdded will not be passed to the exceptionCaught below
// because netty will remove a handler if handlerAdded throws an exception.