This is an automated email from the ASF dual-hosted git repository.

alexey pushed a commit to branch branch-1.13.x
in repository https://gitbox.apache.org/repos/asf/kudu.git


The following commit(s) were added to refs/heads/branch-1.13.x by this push:
     new 19b51ef  KUDU-3297 fix RPC negotiations with cyrus-sasl-gssapi-2.1.27-5 and newer
19b51ef is described below

commit 19b51efda3ee179bbad184be801fc79db58f7f82
Author: Alexey Serbin <ale...@apache.org>
AuthorDate: Tue Jun 22 08:48:50 2021 -0700

    KUDU-3297 fix RPC negotiations with cyrus-sasl-gssapi-2.1.27-5 and newer
    
    It turns out that setting SASL security properties such as the minimum
    Security Strength Factor (SSF) once sasl_client_start() has already
    been called isn't working as expected anymore once patch [1] is applied
    for the cyrus-sasl-gssapi plugin.
    
    This patch addresses the issue, moving the call to
    sasl_setprop(..., SASL_SEC_PROPS, ...) prior to the corresponding call
    to sasl_client_start() in the client-side negotiation logic for C++ Kudu
    components.
    
    Prior to this patch, GSSAPI-involved scenarios of the negotiation-test
    and security-itest would fail when running against the GSSAPI plugin
    with patch [1] applied.
    
    With this patch, all scenarios in the negotiation-test and the
    security-itest pass.
    
    I didn't add any extra test scenarios since the already existing test
    coverage was enough to spot the issue, as it can be seen from above.
    
    [1] https://github.com/cyrusimap/cyrus-sasl/pull/603
    
    Change-Id: Ia655356798c753d5a223933cc09a0731018e10af
    Reviewed-on: http://gerrit.cloudera.org:8080/17619
    Reviewed-by: Grant Henke <granthe...@apache.org>
    Reviewed-by: Greg Solovyev <gsolov...@cloudera.com>
    Tested-by: Kudu Jenkins
    (cherry picked from commit fff48ea4e5eadd365a85a05a82f66b3eb76d0b0b)
    Reviewed-on: http://gerrit.cloudera.org:8080/17633
    Tested-by: Alexey Serbin <aser...@cloudera.com>
    Reviewed-by: Alexey Serbin <aser...@cloudera.com>
---
 src/kudu/rpc/client_negotiation.cc | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/kudu/rpc/client_negotiation.cc 
b/src/kudu/rpc/client_negotiation.cc
index f0edb07..0554b8b 100644
--- a/src/kudu/rpc/client_negotiation.cc
+++ b/src/kudu/rpc/client_negotiation.cc
@@ -573,6 +573,13 @@ Status ClientNegotiation::SendSaslInitiate() {
   unsigned init_msg_len = 0;
   const char* negotiated_mech = nullptr;
 
+  // If the negotiated mechanism is GSSAPI (Kerberos), configure SASL to use
+  // integrity protection so that the channel bindings and nonce can be
+  // verified.
+  if (negotiated_mech_ == SaslMechanism::GSSAPI) {
+    RETURN_NOT_OK(EnableProtection(sasl_conn_.get(), 
SaslProtection::kIntegrity));
+  }
+
   /* select a mechanism for a connection
    *  mechlist      -- mechanisms server has available (punctuation ignored)
    * output:
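Review bot: The comment on the added block explains why integrity protection is wanted, but not why the block has to sit above the mechanism-selection call that follows it, so a later cleanup could move it back next to the DCHECK_EQ and reintroduce the failure described in the commit message. Suggest adding a line to the comment stating that SASL_SEC_PROPS must be set before sasl_client_start() and citing KUDU-3297. Also worth stating there that the condition relies on the member negotiated_mech_ having been set before SendSaslInitiate() runs, since the local negotiated_mech is still nullptr at this point.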
@@ -605,13 +612,6 @@ Status ClientNegotiation::SendSaslInitiate() {
   // Check that the SASL library is using the mechanism that we picked.
   DCHECK_EQ(SaslMechanism::value_of(negotiated_mech), negotiated_mech_);
 
-  // If the negotiated mechanism is GSSAPI (Kerberos), configure SASL to use
-  // integrity protection so that the channel bindings and nonce can be
-  // verified.
-  if (negotiated_mech_ == SaslMechanism::GSSAPI) {
-    RETURN_NOT_OK(EnableProtection(sasl_conn_.get(), 
SaslProtection::kIntegrity));
-  }
-
   NegotiatePB msg;
   msg.set_step(NegotiatePB::SASL_INITIATE);
   msg.mutable_token()->assign(init_msg, init_msg_len);
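Review bot: With the EnableProtection() call removed from this spot, the DCHECK_EQ kept at the top of the hunk is the only place that confirms the library selected the same mechanism as negotiated_mech_, and that confirmation now happens after the security properties were already set on the strength of negotiated_mech_. DCHECK_EQ is compiled out of release builds, so consider turning it into a runtime check that returns a non-OK Status on mismatch, so that a connection cannot continue with a mechanism other than the one the properties were configured for.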
