[ https://issues.apache.org/jira/browse/HBASE-28337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17812576#comment-17812576 ]
Andor Molnar edited comment on HBASE-28337 at 1/31/24 8:51 AM:
---------------------------------------------------------------

ping [~elserj] [~bharathv]

I'm trying to figure out what could be the right solution here. In my understanding the original concern was that PLAIN client proceeds right after sending credentials, because in case of a positive answer, the server should not send anything back. This is OK if auth was successful, but in case of a negative answer, the client is not reading the error and not able to report it properly.

So,
 * if we don't wait and tryComplete() immediately, we'll lose the error message on the client side and we only notice the failure from the connection closed by the server,
 * if we wait and tryComplete(), we get error message, but if auth was successful client will wait for server feedback endlessly.

I've also tried to change server to send "OK" back if auth was successful, but JDK's built in PLAIN client doesn't accept it since it's already completed.

I've created the patch to restore original behaviour, because it's less of a problem.

was (Author: andorm):
ping [~elserj] [~bharathv]

I'm trying to figure out what could be the right solution here. In my understanding the original concern was that PLAIN client proceeds right after sending credentials, because in case of a positive answer, the server should not send anything back. For a negative answer though, the client should wait for the error message from the server.

So,
 * if we don't wait and tryComplete() immediately, we'll lose the error message on the client side and we only notice the failure from the connection closed by the server,
 * if we wait and tryComplete(), we get error message, but if auth was successful client will wait for server feedback endlessly.

I've also tried to change server to send "OK" back if auth was successful, but JDK's built in PLAIN client doesn't accept it since it's already completed.

I've created the patch to restore original behaviour, because it's less of a problem.

> Positive connection test in TestShadeSaslAuthenticationProvider runs with Kerberos instead of Shade authentication
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-28337
>                 URL: https://issues.apache.org/jira/browse/HBASE-28337
>             Project: HBase
>          Issue Type: Test
>    Affects Versions: 2.6.0, 2.4.17, 3.0.0-beta-1, 2.5.7, 2.7.0
>            Reporter: Andor Molnar
>            Assignee: Andor Molnar
>            Priority: Major
>
> The positive test (testPositiveAuthentication) in
> TestShadeSaslAuthenticationProvider doesn't create a new user in
> user1.doAs(), so it will use the already Kerberos authenticated user instead
> of re-authenticating with the token.
> As a consequence it doesn't reveal a problem introduced with HBASE-23881
> which will cause clients to timeout if authenticated with a SASL mech which
> doesn't create a reply token in case of successful authentication.