Josh Elser created HBASE-26666:
----------------------------------

Summary: Address bearer token being sent over wire before RPC encryption is enabled
Key: HBASE-26666
URL: https://issues.apache.org/jira/browse/HBASE-26666
Project: HBase
Issue Type: Sub-task
Reporter: Josh Elser
Fix For: HBASE-26553

Today, HBase must complete the SASL handshake (saslClient.complete()) prior to turning on any RPC encryption (hbase.rpc.protection=privacy, sasl.QOP=auth-conf). This is a problem because we have to transmit the bearer token to the server before we can complete the SASL handshake. This would mean that we would insecurely transmit the bearer token (which is equivalent to any other password), which is a bad smell.

Ideally, if we can solve this problem for the OAuth bearer mechanism, we could also apply it to our delegation token interface for DIGEST-MD5 (which, I believe, suffers the same problem).

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
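
The ordering described in the issue, as an added example that is not part of the original message or of HBase's code: a small audit that parses a client's first SASL message and flags a bearer token sent before the security layer is active. It assumes the RFC 7628 OAUTHBEARER message layout; the frame model (payload plus a `security_layer_active` flag), the function names and the sample token are constructed for illustration and do not reflect HBase's RPC framing.

```python
import hashlib

KVSEP = b"\x01"  # RFC 7628 key/value separator (Ctrl-A)

def build_initial_response(token, authzid=""):
    """Client initial response: gs2-header, then ^A-separated key=value pairs."""
    gs2 = "n," + (f"a={authzid}" if authzid else "") + ","
    return gs2.encode() + KVSEP + b"auth=Bearer " + token.encode() + KVSEP + KVSEP

def parse_initial_response(msg):
    """Return the key/value pairs of an OAUTHBEARER client message, else None."""
    if not msg.startswith(b"n,") or not msg.endswith(KVSEP + KVSEP):
        return None
    _header, _, body = msg.partition(KVSEP)
    fields = {}
    for pair in body[:-2].split(KVSEP):
        key, sep, value = pair.partition(b"=")
        if not sep:
            return None
        fields[key.decode(errors="replace")] = value.decode(errors="replace")
    return fields

def audit_handshake(frames):
    """frames: (payload, security_layer_active) tuples in send order (assumed model).
    Returns (frame index, token fingerprint) for each bearer token sent unwrapped."""
    findings = []
    for index, (payload, layer_active) in enumerate(frames):
        fields = None if layer_active else parse_initial_response(payload)
        auth = (fields or {}).get("auth", "")
        if auth.startswith("Bearer "):
            # Report a fingerprint so the audit log never stores the token itself.
            digest = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()[:12]
            findings.append((index, digest))
    return findings

# Constructed sample: the first frame precedes handshake completion, so no QOP applies.
SAMPLE_TOKEN = "constructed.sample.token=="
SAMPLE_FRAMES = [
    (build_initial_response(SAMPLE_TOKEN, "alice"), False),  # before completion
    (b"\x00\x10opaque-wrapped-rpc", True),                   # after auth-conf is on
]

if __name__ == "__main__":
    for index, digest in audit_handshake(SAMPLE_FRAMES):
        print(f"frame {index}: bearer token sent unwrapped (sha256 prefix {digest})")
```

The parser recovers the token byte for byte from the first frame, which is why the message treats it as equivalent to a password on the wire.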