HBASE-24263 TestDelegationToken is broken (#1587)

hbase-client/src/main/java/org/apache/hadoop/hbase/security/AbstractHBaseSaslRpcClient.java

@@ -89,23 +89,17 @@ public abstract class AbstractHBaseSaslRpcClient {
   }
 
   /**
-   * Computes the initial response a client sends to a server to begin the SASL
-   * challenge/response handshake. If the client's SASL mechanism does not require
-   * that an initial response is sent to begin the handshake, this method will return
-   * a null byte array, indicating no initial response needs to be sent by this client.
-   *
-   * It is unclear as to whether all SASL implementations will return a non-empty initial
-   * response, so this implementation is written such that this is allowed. All known
-   * SASL mechanism implementations in the JDK provide non-empty initial responses.
-   *
-   * @return The client's initial response to send the server (which may be empty), or null
-   *    if this implementation does not require an initial response to be sent.
+   * Computes the initial response a client sends to a server to begin the SASL challenge/response
+   * handshake. If the client's SASL mechanism does not have an initial response, an empty token
+   * will be returned without querying the evaluateChallenge method, as an authentication processing
+   * must be started by client.
+   * @return The client's initial response to send the server (which may be empty).
    */
   public byte[] getInitialResponse() throws SaslException {
     if (saslClient.hasInitialResponse()) {
       return saslClient.evaluateChallenge(EMPTY_TOKEN);
     }
-    return null;
+    return EMPTY_TOKEN;
   }
 
   public boolean isComplete() {

hbase-client/src/main/java/org/apache/hadoop/hbase/security/NettyHBaseSaslRpcClientHandler.java

@@ -119,21 +119,19 @@ public class NettyHBaseSaslRpcClientHandler extends SimpleChannelInboundHandler<
           return saslRpcClient.getInitialResponse();
         }
       });
-      if (initialResponse != null) {
-        writeResponse(ctx, initialResponse);
-      } else {
-        LOG.trace("SASL initialResponse was null, not sending response to server.");
-      }
+      assert initialResponse != null;
+      writeResponse(ctx, initialResponse);
       // HBASE-23881 We do not want to check if the SaslClient thinks the handshake is
       // complete as, at this point, we've not heard a back from the server with it's reply
       // to our first challenge response. We should wait for at least one reply
       // from the server before calling negotiation complete.
       //
       // Each SASL mechanism has its own handshake. Some mechanisms calculate a single client buffer
-      // to be sent to the server while others have multiple exchanges to negotiate authentication. GSSAPI(Kerberos)
-      // and DIGEST-MD5 both are examples of mechanisms which have multiple steps. Mechanisms which have multiple steps
-      // will not return true on `SaslClient#isComplete()` until the handshake has fully completed. Mechanisms which
-      // only send a single buffer may return true on `isComplete()` after that initial response is calculated.
+      // to be sent to the server while others have multiple exchanges to negotiate authentication.
+      // GSSAPI(Kerberos) and DIGEST-MD5 both are examples of mechanisms which have multiple steps.
+      // Mechanisms which have multiple steps will not return true on `SaslClient#isComplete()`
+      // until the handshake has fully completed. Mechanisms which only send a single buffer may
+      // return true on `isComplete()` after that initial response is calculated.
     } catch (Exception e) {
       // the exception thrown by handlerAdded will not be passed to the exceptionCaught below
       // because netty will remove a handler if handlerAdded throws an exception.