[kudu] branch master updated: [security] handle a few unexpected authn token conditions
This is an automated email from the ASF dual-hosted git repository. alexey pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/kudu.git The following commit(s) were added to refs/heads/master by this push: new 24f85ce [security] handle a few unexpected authn token conditions 24f85ce is described below commit 24f85cedcd47e585ea9c308c317da963c5ab8fa9 Author: Alexey Serbin AuthorDate: Wed Feb 23 21:22:23 2022 -0800 [security] handle a few unexpected authn token conditions This patch addresses a few unexpected error conditions in the server-side negotiation code when authenticating a client with its authn token. I didn't add any tests since there is no mock for the corresponding client side and implementing it from scratch just to verify these two simple cases looked like an overkill. Change-Id: Ic05ff6a9b289877d8440b94f00b2375da938c901 Reviewed-on: http://gerrit.cloudera.org:8080/18271 Tested-by: Alexey Serbin Reviewed-by: Attila Bukor Reviewed-by: Andrew Wong --- src/kudu/rpc/server_negotiation.cc | 22 ++ 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/src/kudu/rpc/server_negotiation.cc b/src/kudu/rpc/server_negotiation.cc index bcbebf6..025c36a 100644 --- a/src/kudu/rpc/server_negotiation.cc +++ b/src/kudu/rpc/server_negotiation.cc @@ -688,12 +688,17 @@ Status ServerNegotiation::AuthenticateByToken(faststring* recv_buf) { NegotiatePB pb; RETURN_NOT_OK(RecvNegotiatePB(&pb, recv_buf)); - if (pb.step() != NegotiatePB::TOKEN_EXCHANGE) { -Status s = Status::NotAuthorized("expected TOKEN_EXCHANGE step", - NegotiatePB::NegotiateStep_Name(pb.step())); + if (PREDICT_FALSE(pb.step() != NegotiatePB::TOKEN_EXCHANGE)) { +const auto s = Status::NotAuthorized("expected TOKEN_EXCHANGE step", + NegotiatePB::NegotiateStep_Name(pb.step())); +RETURN_NOT_OK(SendError(ErrorStatusPB::FATAL_UNAUTHORIZED, s)); +return s; } - if (!pb.has_authn_token()) { -Status s = Status::NotAuthorized("TOKEN_EXCHANGE message must include an authentication token"); + if (PREDICT_FALSE(!pb.has_authn_token())) { +const auto s = Status::NotAuthorized( +"TOKEN_EXCHANGE message must include an authentication token"); +RETURN_NOT_OK(SendError(ErrorStatusPB::FATAL_UNAUTHORIZED, s)); +return s; } // TODO(KUDU-1924): propagate the specific token verification failure back to the client, @@ -701,9 +706,10 @@ Status ServerNegotiation::AuthenticateByToken(faststring* recv_buf) { security::TokenPB token; auto verification_result = token_verifier_->VerifyTokenSignature(pb.authn_token(), &token); ErrorStatusPB::RpcErrorCodePB error; - Status s = ParseTokenVerificationResult(verification_result, - ErrorStatusPB::FATAL_INVALID_AUTHENTICATION_TOKEN, &error); - if (!s.ok()) { + if (const auto s = ParseTokenVerificationResult( +verification_result, +ErrorStatusPB::FATAL_INVALID_AUTHENTICATION_TOKEN, +&error); !s.ok()) { RETURN_NOT_OK(SendError(error, s)); return s; }
[kudu] branch master updated: Bump version to 1.17.0-SNAPSHOT
This is an automated email from the ASF dual-hosted git repository. abukor pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/kudu.git The following commit(s) were added to refs/heads/master by this push: new 2d070cd Bump version to 1.17.0-SNAPSHOT 2d070cd is described below commit 2d070cd1e11d1d9943f8ee20eb9fc17f61e4cb42 Author: Attila Bukor AuthorDate: Fri Feb 25 15:18:06 2022 +0100 Bump version to 1.17.0-SNAPSHOT Change-Id: If46162640b4351b16c8ce6687039974f43bf7569 Reviewed-on: http://gerrit.cloudera.org:8080/18276 Reviewed-by: Alexey Serbin Tested-by: Attila Bukor --- docs/release_notes.adoc | 56 - version.txt | 2 +- 2 files changed, 29 insertions(+), 29 deletions(-) diff --git a/docs/release_notes.adoc b/docs/release_notes.adoc index 39f8387..14655fa 100644 --- a/docs/release_notes.adoc +++ b/docs/release_notes.adoc @@ -16,7 +16,7 @@ // under the License. [[release_notes]] -= Apache Kudu 1.16.0 Release Notes += Apache Kudu 1.17.0 Release Notes :author: Kudu Team :imagesdir: ./images @@ -28,80 +28,80 @@ :sectlinks: :experimental: -[[rn_1.16.0_upgrade_notes]] +[[rn_1.17.0_upgrade_notes]] == Upgrade Notes -[[rn_1.16.0_obsoletions]] +[[rn_1.17.0_obsoletions]] == Obsoletions -[[rn_1.16.0_deprecations]] +[[rn_1.17.0_deprecations]] == Deprecations Support for Python 2.x and Python 3.4 and earlier is deprecated and may be removed in the next minor release. -[[rn_1.16.0_new_features]] +[[rn_1.17.0_new_features]] == New features -[[rn_1.16.0_improvements]] +[[rn_1.17.0_improvements]] == Optimizations and improvements -[[rn_1.16.0_fixed_issues]] +[[rn_1.17.0_fixed_issues]] == Fixed Issues -[[rn_1.16.0_wire_compatibility]] +[[rn_1.17.0_wire_compatibility]] == Wire Protocol compatibility -Kudu 1.16.0 is wire-compatible with previous versions of Kudu: +Kudu 1.17.0 is wire-compatible with previous versions of Kudu: -* Kudu 1.16 clients may connect to servers running Kudu 1.0 or later. If the client uses +* Kudu 1.17 clients may connect to servers running Kudu 1.0 or later. If the client uses features that are not available on the target server, an error will be returned. -* Rolling upgrade between Kudu 1.15 and Kudu 1.16 servers is believed to be possible +* Rolling upgrade between Kudu 1.16 and Kudu 1.17 servers is believed to be possible though has not been sufficiently tested. Users are encouraged to shut down all nodes in the cluster, upgrade the software, and then restart the daemons on the new version. -* Kudu 1.0 clients may connect to servers running Kudu 1.16 with the exception of the +* Kudu 1.0 clients may connect to servers running Kudu 1.17 with the exception of the below-mentioned restrictions regarding secure clusters. The authentication features introduced in Kudu 1.3 place the following limitations -on wire compatibility between Kudu 1.16 and versions earlier than 1.3: +on wire compatibility between Kudu 1.17 and versions earlier than 1.3: -* If a Kudu 1.16 cluster is configured with authentication or encryption set to "required", +* If a Kudu 1.17 cluster is configured with authentication or encryption set to "required", clients older than Kudu 1.3 will be unable to connect. -* If a Kudu 1.16 cluster is configured with authentication and encryption set to "optional" +* If a Kudu 1.17 cluster is configured with authentication and encryption set to "optional" or "disabled", older clients will still be able to connect. -[[rn_1.16.0_incompatible_changes]] -== Incompatible Changes in Kudu 1.16.0 +[[rn_1.17.0_incompatible_changes]] +== Incompatible Changes in Kudu 1.17.0 -[[rn_1.16.0_client_compatibility]] +[[rn_1.17.0_client_compatibility]] === Client Library Compatibility -* The Kudu 1.16 Java client library is API- and ABI-compatible with Kudu 1.15. Applications - written against Kudu 1.15 will compile and run against the Kudu 1.16 client library and +* The Kudu 1.17 Java client library is API- and ABI-compatible with Kudu 1.16. Applications + written against Kudu 1.16 will compile and run against the Kudu 1.17 client library and vice-versa. -* The Kudu 1.16 {cpp} client is API- and ABI-forward-compatible with Kudu 1.15. - Applications written and compiled against the Kudu 1.15 client library will run without - modification against the Kudu 1.16 client library. Applications written and compiled - against the Kudu 1.16 client library will run without modification against the Kudu 1.15 +* The Kudu 1.17 {cpp} client is API- and ABI-forward-compatible with Kudu 1.16. + Applications written and compiled against the Kudu 1.16 client library will run without + modification against the Kudu 1.17 client library. Applications written and compiled + against the Kudu 1.17 client library will run without modification against the Kudu 1.16 client library. -* Th