wchevreuil commented on a change in pull request #884: HBASE-23347 Allowable 
custom authentication methods for RPCs
URL: https://github.com/apache/hbase/pull/884#discussion_r355398083
 
 

 ##########
 File path: 
hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/ServerRpcConnection.java
 ##########
 @@ -762,18 +750,17 @@ protected final boolean processPreamble(ByteBuffer 
preambleBuffer) throws IOExce
         return false;
       }
     }
-    if (!this.rpcServer.isSecurityEnabled && authMethod != AuthMethod.SIMPLE) {
-      doRawSaslReply(SaslStatus.SUCCESS, new 
IntWritable(SaslUtil.SWITCH_TO_SIMPLE_AUTH), null,
-        null);
-      authMethod = AuthMethod.SIMPLE;
-      // client has already sent the initial Sasl message and we
-      // should ignore it. Both client and server should fall back
-      // to simple auth from now on.
-      skipInitialSaslHandshake = true;
-    }
-    if (authMethod != AuthMethod.SIMPLE) {
-      useSasl = true;
-    }
+    // TODO can we remove this fallback? Is this even a good idea?
+//    if (!this.rpcServer.isSecurityEnabled && authMethod != 
AuthMethod.SIMPLE) {
+//      doRawSaslReply(SaslStatus.SUCCESS, new 
IntWritable(SaslUtil.SWITCH_TO_SIMPLE_AUTH), null,
+//        null);
+//      authMethod = AuthMethod.SIMPLE;
+//      // client has already sent the initial Sasl message and we
+//      // should ignore it. Both client and server should fall back
+//      // to simple auth from now on.
+//      skipInitialSaslHandshake = true;
+//    }
 
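Review bot: The fallback to simple auth is left in the file as a commented-out block under `// TODO can we remove this fallback? Is this even a good idea?`, so the patch leaves undecided what the server does when a client sends a non-SIMPLE auth method and `isSecurityEnabled` is false. Before this change that case got a `SWITCH_TO_SIMPLE_AUTH` reply; in the visible lines it now has no handling at all. Either keep the branch as it was, or delete it outright and state the intended server response for that case (for example, an explicit rejection) in the code and the PR description, rather than merging commented-out code with an open question. The removed `if (authMethod != AuthMethod.SIMPLE) { useSasl = true; }` also has no replacement in the visible lines, so please point to where `useSasl` is set now.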
 Review comment:
   Maybe we should keep the current fallback approach and re-think it on a 
separate jira? There are a few other scenarios where we might want to connect to 
an unsecure cluster from a secured environment. Some of the inter-cluster tools 
such as CopyTable, ExportSnapshot, HashTable/SyncTable, when dealing with a 
secure/unsecure pair, wouldn't be able to have "simple" as the authentication 
config value.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
