Dan Burkert has posted comments on this change. Change subject: KUDU-1875: Refuse unauthenticated connections from publicly routable IP addrs ......................................................................
Patch Set 1: (2 comments) http://gerrit.cloudera.org:8080/#/c/6514/1/src/kudu/rpc/server_negotiation.cc File src/kudu/rpc/server_negotiation.cc: Line 149: negotiated_authn_ == AuthenticationType::INVALID)) { > Yeah, initially I thought the same. But it turns out here negotiated_mech_ Hmm, good point. We really only need to be checking when SASL PLAIN is being used, so perhaps the check is only necessary below, and not here? You are right that we don't know whether we're using SASL GSSAPI or SASL PLAIN until below. Line 685: if (!FLAGS_allow_unauthenticated_public_connections && > I am checking here because negotiated_mech_ is only set properly at line 67 argh, good point. I forgot that negotiated_mech_ isn't set till later. The mech should still not be INVALID here, though. -- To view, visit http://gerrit.cloudera.org:8080/6514 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I6c3fbb5491785874c5701d6c9d866949cfac905e Gerrit-PatchSet: 1 Gerrit-Project: kudu Gerrit-Branch: master Gerrit-Owner: Hao Hao <hao....@cloudera.com> Gerrit-Reviewer: Dan Burkert <danburk...@apache.org> Gerrit-Reviewer: Hao Hao <hao....@cloudera.com> Gerrit-Reviewer: Harsh J <ha...@harshj.com> Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Todd Lipcon <t...@apache.org> Gerrit-HasComments: Yes