wchevreuil commented on a change in pull request #884: HBASE-23347 Allowable
custom authentication methods for RPCs
URL: https://github.com/apache/hbase/pull/884#discussion_r354860462
##########
File path:
hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/ServerRpcConnection.java
##########
@@ -762,18 +750,17 @@ protected final boolean processPreamble(ByteBuffer
preambleBuffer) throws IOExce
return false;
}
}
- if (!this.rpcServer.isSecurityEnabled && authMethod != AuthMethod.SIMPLE) {
- doRawSaslReply(SaslStatus.SUCCESS, new
IntWritable(SaslUtil.SWITCH_TO_SIMPLE_AUTH), null,
- null);
- authMethod = AuthMethod.SIMPLE;
- // client has already sent the initial Sasl message and we
- // should ignore it. Both client and server should fall back
- // to simple auth from now on.
- skipInitialSaslHandshake = true;
- }
- if (authMethod != AuthMethod.SIMPLE) {
- useSasl = true;
- }
+ // TODO can we remove this fallback? Is this even a good idea?
+// if (!this.rpcServer.isSecurityEnabled && authMethod !=
AuthMethod.SIMPLE) {
+// doRawSaslReply(SaslStatus.SUCCESS, new
IntWritable(SaslUtil.SWITCH_TO_SIMPLE_AUTH), null,
+// null);
+// authMethod = AuthMethod.SIMPLE;
+// // client has already sent the initial Sasl message and we
+// // should ignore it. Both client and server should fall back
+// // to simple auth from now on.
+// skipInitialSaslHandshake = true;
+// }
Review comment:
Ain't sure I got this block right. Is it _faking_ a Sasl `SUCCESS` reply to
the RPC client? If so, and if we stop doing it, could it lead to problems when
a secured client tries to RPC to an non secured cluster? For example, if we
have a secured cluster replicating to a non secure one?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
