[HADOOP-10211] Enable RPC protocol to negotiate SASL-QOP values between clients and servers - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.2.0
Fix Version/s: 2.4.0
Component/s: security
Labels:
None

Target Version/s:

2.4.0
Hadoop Flags:

Reviewed
Release Note:

Hide
The hadoop.rpc.protection configuration property previously supported specifying a single value: one of authentication, integrity or privacy. An unrecognized value was silently assumed to mean authentication. This configuration property now accepts a comma-separated list of any of the 3 values, and unrecognized values are rejected with an error. Existing configurations containing an invalid value must be corrected. If the property is empty or not specified, authentication is assumed.

Show
The hadoop.rpc.protection configuration property previously supported specifying a single value: one of authentication, integrity or privacy. An unrecognized value was silently assumed to mean authentication. This configuration property now accepts a comma-separated list of any of the 3 values, and unrecognized values are rejected with an error. Existing configurations containing an invalid value must be corrected. If the property is empty or not specified, authentication is assumed.

Description

SASL allows different types of protection are referred to as the quality of protection (qop). It is negotiated between the client and server during the authentication phase of the SASL exchange. Currently hadoop allows specifying a single QOP value via hadoop.rpc.protection.
The enhancement enables a user to specify multiple QOP values - authentication, integrity, privacy as a comma separated list via hadoop.rpc.protection
The client and server can have different set of values for hadoop.rpc.protection and they will negotiate to determine the QOP to be used for communication.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-10211.patch
14/Feb/14 22:33
6 kB
Benoy Antony
HADOOP-10211.patch
14/Feb/14 20:00
6 kB
Benoy Antony
HADOOP-10221.sample
13/Feb/14 19:23
2 kB
Daryn Sharp
HADOOP-10211.patch
11/Feb/14 20:03
6 kB
Benoy Antony
HADOOP-10211.patch
08/Jan/14 00:41
6 kB
Benoy Antony
HADOOP-10211.patch
07/Jan/14 20:36
6 kB
Benoy Antony

Issue Links

breaks

HADOOP-10391 HADOOP-10211 change for comma-separated list of QOP values broke backwards-compatibility with existing configs.

Resolved

SPARK-5111 HiveContext and Thriftserver cannot work in secure cluster beyond hadoop2.5

Resolved

HIVE-6987 Metastore qop settings won't work with Hadoop-2.4

Closed

is depended upon by

HADOOP-10221 Add a plugin to specify SaslProperties for RPC protocol based on connection properties

Closed

is related to

HADOOP-10057 Add ability in Hadoop servers (Namenode, JobTracker, Datanode ) to support multiple QOP (Authentication , Privacy) simultaneously

Resolved

Activity

People

Assignee:: Benoy Antony

Reporter:: Benoy Antony

Votes:: 0 Vote for this issue

Watchers:: 12 Start watching this issue

Dates

Created:: 07/Jan/14 20:33

Updated:: 11/May/15 17:27

Resolved:: 05/Mar/14 22:34