wchevreuil commented on a change in pull request #884: HBASE-23347 Allowable custom authentication methods for RPCs URL: https://github.com/apache/hbase/pull/884#discussion_r354860462
########## File path: hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/ServerRpcConnection.java ########## @@ -762,18 +750,17 @@ protected final boolean processPreamble(ByteBuffer preambleBuffer) throws IOExce return false; } } - if (!this.rpcServer.isSecurityEnabled && authMethod != AuthMethod.SIMPLE) { - doRawSaslReply(SaslStatus.SUCCESS, new IntWritable(SaslUtil.SWITCH_TO_SIMPLE_AUTH), null, - null); - authMethod = AuthMethod.SIMPLE; - // client has already sent the initial Sasl message and we - // should ignore it. Both client and server should fall back - // to simple auth from now on. - skipInitialSaslHandshake = true; - } - if (authMethod != AuthMethod.SIMPLE) { - useSasl = true; - } + // TODO can we remove this fallback? Is this even a good idea? +// if (!this.rpcServer.isSecurityEnabled && authMethod != AuthMethod.SIMPLE) { +// doRawSaslReply(SaslStatus.SUCCESS, new IntWritable(SaslUtil.SWITCH_TO_SIMPLE_AUTH), null, +// null); +// authMethod = AuthMethod.SIMPLE; +// // client has already sent the initial Sasl message and we +// // should ignore it. Both client and server should fall back +// // to simple auth from now on. +// skipInitialSaslHandshake = true; +// }

Review comment: Ain't sure I got this block right. Is it _faking_ a Sasl `SUCCESS` reply to the RPC client? If so, and if we stop doing it, could it lead to problems when a secured client tries to RPC to a non-secured cluster? For example, if we have a secured cluster replicating to a non-secure one?
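
Review bot: The fallback in processPreamble is left commented out under a TODO ("can we remove this fallback? Is this even a good idea?") rather than kept or deleted, so the behaviour change is undecided in the code itself. With the block disabled, a server where isSecurityEnabled is false no longer sends SWITCH_TO_SIMPLE_AUTH when the preamble carries a non-SIMPLE authMethod, and the visible lines show nothing that takes its place; the removed comment says both client and server relied on that reply to fall back to simple auth. The assignment `useSasl = true` for non-SIMPLE methods is removed in the same hunk, so please confirm it is still set somewhere on this path. Resolve the TODO before merge: either restore the block, or delete it and handle that case explicitly with a logged rejection or fallback, plus a test covering a SASL client connecting to a server that has security disabled. If the block stays as a comment for now, indent the `//` lines to match the surrounding code.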