This is an automated email from the ASF dual-hosted git repository.

alexey pushed a commit to branch branch-1.13.x
in repository https://gitbox.apache.org/repos/asf/kudu.git

The following commit(s) were added to refs/heads/branch-1.13.x by this push:
     new 19b51ef  KUDU-3297 fix RPC negotiations with cyrus-sasl-gssapi-2.1.27-5 and newer
19b51ef is described below

commit 19b51efda3ee179bbad184be801fc79db58f7f82
Author: Alexey Serbin <ale...@apache.org>
AuthorDate: Tue Jun 22 08:48:50 2021 -0700

    KUDU-3297 fix RPC negotiations with cyrus-sasl-gssapi-2.1.27-5 and newer

    It turns out that setting SASL security properties such as the minimum
    Security Strength Factor (SSF) once sasl_client_start() has already been
    called isn't working as expected anymore once patch [1] is applied for
    the cyrus-sasl-gssapi plugin.

    This patch addresses the issue, moving the call to
    sasl_setprop(..., SASL_SEC_PROPS, ...) prior to the corresponding call
    to sasl_client_start() in the client-side negotiation logic for C++ Kudu
    components.

    Prior to this patch, GSSAPI-involved scenarios of the negotiation-test
    and security-itest would fail when running against the GSSAPI plugin
    with patch [1] applied. With this patch, all scenarios in the
    negotiation-test and the security-itest pass.

    I didn't add any extra test scenarios since the already existing
    test coverage was enough to spot the issue, as it can be seen from above.

    [1] https://github.com/cyrusimap/cyrus-sasl/pull/603

    Change-Id: Ia655356798c753d5a223933cc09a0731018e10af
    Reviewed-on: http://gerrit.cloudera.org:8080/17619
    Reviewed-by: Grant Henke <granthe...@apache.org>
    Reviewed-by: Greg Solovyev <gsolov...@cloudera.com>
    Tested-by: Kudu Jenkins
    (cherry picked from commit fff48ea4e5eadd365a85a05a82f66b3eb76d0b0b)
    Reviewed-on: http://gerrit.cloudera.org:8080/17633
    Tested-by: Alexey Serbin <aser...@cloudera.com>
    Reviewed-by: Alexey Serbin <aser...@cloudera.com>

--- src/kudu/rpc/client_negotiation.cc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/kudu/rpc/client_negotiation.cc b/src/kudu/rpc/client_negotiation.cc index f0edb07..0554b8b 100644 --- a/src/kudu/rpc/client_negotiation.cc 
+++ b/src/kudu/rpc/client_negotiation.cc @@ -573,6 +573,13 @@ Status ClientNegotiation::SendSaslInitiate() { unsigned init_msg_len = 0; const char* negotiated_mech = nullptr; + // If the negotiated mechanism is GSSAPI (Kerberos), configure SASL to use + // integrity protection so that the channel bindings and nonce can be + // verified. + if (negotiated_mech_ == SaslMechanism::GSSAPI) { + RETURN_NOT_OK(EnableProtection(sasl_conn_.get(), SaslProtection::kIntegrity)); + } + /* select a mechanism for a connection * mechlist -- mechanisms server has available (punctuation ignored) * output: @@ -605,13 +612,6 @@ Status ClientNegotiation::SendSaslInitiate() { // Check that the SASL library is using the mechanism that we picked. DCHECK_EQ(SaslMechanism::value_of(negotiated_mech), negotiated_mech_); - // If the negotiated mechanism is GSSAPI (Kerberos), configure SASL to use - // integrity protection so that the channel bindings and nonce can be - // verified. - if (negotiated_mech_ == SaslMechanism::GSSAPI) { - RETURN_NOT_OK(EnableProtection(sasl_conn_.get(), SaslProtection::kIntegrity)); - } - NegotiatePB msg; msg.set_step(NegotiatePB::SASL_INITIATE); msg.mutable_token()->assign(init_msg, init_msg_len);
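
Review bot: in the first hunk (@@ -573,6 +573,13 @@), the comment moved along with the `EnableProtection()` block still explains only why integrity protection is wanted for GSSAPI, not why the call has to sit before the mechanism-selection step in `SendSaslInitiate()`. The ordering is the entire fix: per the commit message, `sasl_setprop(..., SASL_SEC_PROPS, ...)` no longer takes effect once `sasl_client_start()` has run against the newer cyrus-sasl-gssapi plugin. Please add a sentence to the comment stating that the security properties must be set before `sasl_client_start()` is called, so that a later refactor does not move the block back below the `DCHECK_EQ` it was removed from in the second hunk. It would also help to note there that the condition now depends on `negotiated_mech_` having been chosen before this function runs, since the local `negotiated_mech` is still `nullptr` at this point.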