[ https://issues.apache.org/jira/browse/HBASE-28337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17812576#comment-17812576 ]

Andor Molnar edited comment on HBASE-28337 at 1/31/24 8:51 AM:
---------------------------------------------------------------

ping [~elserj] [~bharathv] 

I'm trying to figure out what could be the right solution here. In my 
understanding the original concern was that PLAIN client proceeds right after 
sending credentials, because in case of a positive answer, the server should 
not send anything back. This is OK if auth was successful, but in case of a 
negative answer, the client is not reading the error and not able to report it 
properly.

So,
 * if we don't wait and tryComplete() immediately, we'll lose the error message 
on the client side and we only notice the failure from the connection closed by 
the server,
 * if we wait and tryComplete(), we get error message, but if auth was 
successful client will wait for server feedback endlessly.

I've also tried to change server to send "OK" back if auth was successful, but 
JDK's built-in PLAIN client doesn't accept it since it's already completed.

I've created the patch to restore original behaviour, because it's less of a 
problem.


was (Author: andorm):
ping [~elserj] [~bharathv] 

I'm trying to figure out what could be the right solution here. In my 
understanding the original concern was that PLAIN client proceeds right after 
sending credentials, because in case of a positive answer, the server should 
not send anything back. For a negative answer though, the client should wait 
for the error message from the server.

So,
 * if we don't wait and tryComplete() immediately, we'll lose the error message 
on the client side and we only notice the failure from the connection closed by 
the server,
 * if we wait and tryComplete(), we get error message, but if auth was 
successful client will wait for server feedback endlessly.

I've also tried to change server to send "OK" back if auth was successful, but 
JDK's built-in PLAIN client doesn't accept it since it's already completed.

I've created the patch to restore original behaviour, because it's less of a 
problem.

> Positive connection test in TestShadeSaslAuthenticationProvider runs with 
> Kerberos instead of Shade authentication
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-28337
>                 URL: https://issues.apache.org/jira/browse/HBASE-28337
>             Project: HBase
>          Issue Type: Test
>    Affects Versions: 2.6.0, 2.4.17, 3.0.0-beta-1, 2.5.7, 2.7.0
>            Reporter: Andor Molnar
>            Assignee: Andor Molnar
>            Priority: Major
>
> The positive test (testPositiveAuthentication) in 
> TestShadeSaslAuthenticationProvider doesn't create a new user in 
> user1.doAs(), so it will use the already Kerberos authenticated user instead 
> of re-authenticating with the token. 
> As a consequence it doesn't reveal a problem introduced with HBASE-23881 
> which will cause clients to timeout if authenticated with a SASL mech which 
> doesn't create a reply token in case of successful authentication.
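
The client-side state discussed in the comment above can be observed directly with the JDK's PLAIN `SaslClient`. This is an added example, not code from the HBase patch or test; the user name, password, protocol ("hbase") and server name ("localhost") are constructed values.

```java
import java.nio.charset.StandardCharsets;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

public class PlainCompletionDemo {
  public static void main(String[] args) throws Exception {
    // Constructed credentials, used only to instantiate the client.
    CallbackHandler handler = callbacks -> {
      for (Callback cb : callbacks) {
        if (cb instanceof NameCallback) {
          ((NameCallback) cb).setName("user1");
        } else if (cb instanceof PasswordCallback) {
          ((PasswordCallback) cb).setPassword("constructed-secret".toCharArray());
        }
      }
    };

    // Protocol and server name are placeholders for this demonstration.
    SaslClient client = Sasl.createSaslClient(
        new String[] {"PLAIN"}, null, "hbase", "localhost", null, handler);
    if (client == null) {
      throw new IllegalStateException("no PLAIN SaslClient provider available");
    }

    // PLAIN is client-first: its single message is the initial response.
    byte[] initial = client.evaluateChallenge(new byte[0]);
    System.out.println("initial response length: " + initial.length);

    // The mechanism reports completion before any server reply has been read,
    // so a caller that blocks here waiting for a success token never gets one.
    System.out.println("isComplete after initial response: " + client.isComplete());

    // A server-side "OK" sent after success reaches a client that is already complete.
    try {
      client.evaluateChallenge("OK".getBytes(StandardCharsets.UTF_8));
      System.out.println("client accepted the extra token");
    } catch (IllegalStateException | SaslException e) {
      System.out.println("extra token rejected: " + e);
    } finally {
      client.dispose();
    }
  }
}
```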


