[ 
https://issues.apache.org/jira/browse/HBASE-25051?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17805190#comment-17805190
 ] 

Duo Zhang commented on HBASE-25051:
-----------------------------------

As we support different types of ConnectionRegistry, it should be created 
before we have any HBase connections, and when creating any HBase 
connections, as well as the RpcClient, we need to get the cluster id from 
ConnectionRegistry.

So here, I think the design is that the ConnectionRegistry should have 
different ways for authentication, otherwise, it will have cyclic dependency, 
as the description said.

Moving the logic for getting cluster id to rpc connection setup step completely 
changes the architecture, so I do not think it is easy to do.

Maybe a simpler way is to change the way we get cluster id in 
RpcConnectionRegistry, without relying on the normal rpc method call.

Will try to implement a POC soon.

Thanks.

> DIGEST based auth broken for MasterRegistry
> -------------------------------------------
>
>                 Key: HBASE-25051
>                 URL: https://issues.apache.org/jira/browse/HBASE-25051
>             Project: HBase
>          Issue Type: Sub-task
>          Components: Client, security
>    Affects Versions: 3.0.0-alpha-1, 2.3.0, 1.7.0
>            Reporter: Bharath Vissapragada
>            Priority: Minor
>
> DIGEST-MD5 based sasl auth depends on cluster-ID to obtain tokens. With 
> master registry, we have a circular dependency here because master registry 
> needs an rpcClient to talk to masters (and to get cluster ID) and rpc-Client 
> needs a clusterId if DIGEST based auth is configured. Earlier, there was a ZK 
> client that has its own authentication mechanism to fetch the cluster ID.
> HBASE-23330, I think, doesn't fully fix the problem. It depends on an active 
> connection to fetch delegation tokens for the MR job and that inherently 
> assumes that the active connection does not use a DIGEST auth.
> It is not clear to me how common it is to use DIGEST based auth in 
> connections.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
