[jira] [Commented] (GIRAPH-211) Add secure authentication to Netty IPC

[Eugene Koontz (JIRA)]

    [ 
https://issues.apache.org/jira/browse/GIRAPH-211?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13434295#comment-13434295
 ] 

Eugene Koontz commented on GIRAPH-211:
--------------------------------------

Thanks for your comments Avery! Replying to each below:

> Can't we block until the authentication is done?

Absolutely - we just need to choose the object to synchronize on and be careful 
that it's respected where it needs to be. Will include this in next patch, 
which will also avoid the race.

> Would probably be nice to try on a hadoop 1.0.x if you have a chance.

Will do.

> I think it's reasonable to allow short-circuiting since there isn't a 
> security issue here (this is the same process). 

Yes, I think it will be ok to trust the client in this case (specifically in 
GIRAPH-262 we are testing for):

{code}
(service.getWorkerInfo().getHostnamePort().equals(remoteServerAddress)) {
{code}

I just need to fix whatever bug I am masking by disabling short-curcuiting.

> As for channel pooling, can we simply authenticate once per channel?

Yes, I just need to figure out how to associate the sasl client with the 
channel when we are using channel-pooling. I use the Address => Channel map in 
my patch, but now with GIRAPH-262, we have Address => ChannelRotator. So this 
will require some changes on my patch.

 


                
> Add secure authentication to Netty IPC
> --------------------------------------
>
>                 Key: GIRAPH-211
>                 URL: https://issues.apache.org/jira/browse/GIRAPH-211
>             Project: Giraph
>          Issue Type: Improvement
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>             Fix For: 0.2.0
>
>         Attachments: GIRAPH-211.patch, GIRAPH-211-proposal.txt
>
>
> Gianmarco De Francisci Morales asked on the user list:
> bq. I am getting the exception in the subject when running my giraph program
> bq. on a cluster with Kerberos authentication.
> This leads to the idea of having Kerberos authentication supported within 
> GIRAPH. Hopefully it would use our fast GIRAPH-37 IPC, but could also 
> interoperate with Hadoop security.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira