HADOOP-13429. Dispose of unnecessary SASL servers. Contributed by Daryn Sharp.

This commit is contained in:
Kihwal Lee 2016-08-02 10:40:28 -05:00
parent 7fc70c6422
commit b3018e73cc
2 changed files with 20 additions and 5 deletions


@ -1598,7 +1598,10 @@ private void saslProcess(RpcSaslProto saslMessage)
String qop = (String) saslServer.getNegotiatedProperty(Sasl.QOP); String qop = (String) saslServer.getNegotiatedProperty(Sasl.QOP);
// SASL wrapping is only used if the connection has a QOP, and // SASL wrapping is only used if the connection has a QOP, and
// the value is not auth. ex. auth-int & auth-priv // the value is not auth. ex. auth-int & auth-priv
useWrap = (qop != null && !"auth".equalsIgnoreCase(qop)); useWrap = (qop != null && !"auth".equalsIgnoreCase(qop));
if (!useWrap) {
disposeSasl();
}
} }
} }
@ -1692,9 +1695,9 @@ private RpcSaslProto processSaslToken(RpcSaslProto saslMessage)
private void switchToSimple() { private void switchToSimple() {
// disable SASL and blank out any SASL server // disable SASL and blank out any SASL server
authProtocol = AuthProtocol.NONE; authProtocol = AuthProtocol.NONE;
saslServer = null; disposeSasl();
} }
private RpcSaslProto buildSaslResponse(SaslState state, byte[] replyToken) { private RpcSaslProto buildSaslResponse(SaslState state, byte[] replyToken) {
if (LOG.isDebugEnabled()) { if (LOG.isDebugEnabled()) {
LOG.debug("Will send " + state + " token of size " LOG.debug("Will send " + state + " token of size "
@ -1731,6 +1734,8 @@ private void disposeSasl() {
try { try {
saslServer.dispose(); saslServer.dispose();
} catch (SaslException ignored) { } catch (SaslException ignored) {
} finally {
saslServer = null;
} }
} }
} }
@ -1980,7 +1985,7 @@ private void processConnectionContext(DataInputStream dis)
.getProtocol() : null; .getProtocol() : null;
UserGroupInformation protocolUser = ProtoUtil.getUgi(connectionContext); UserGroupInformation protocolUser = ProtoUtil.getUgi(connectionContext);
if (saslServer == null) { if (authProtocol == AuthProtocol.NONE) {
user = protocolUser; user = protocolUser;
} else { } else {
// user is authenticated // user is authenticated
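Review bot: Calling `disposeSasl()` at the QOP check in the 1598 hunk leaves `saslServer` null on a fully authenticated connection whose QOP is auth, so every later read of that field must already have happened before this point; the 1985 hunk fixes one consumer by switching to `authProtocol`, but the visible hunks cannot show whether the authorization ID is copied into `user` above the dispose, or whether any other `saslServer != null` test remains in Connection — those should be checked, since a surviving one could now treat a SASL-authenticated connection as if it had not authenticated. A comment at the dispose site would keep that invariant explicit, e.g. `// QOP auth needs no wrap/unwrap, so the server is no longer needed; anything taken from saslServer must be read above this line`. The `finally { saslServer = null; }` in the 1734 hunk keeps the field consistent even when `dispose()` throws, and `switchToSimple` now goes through the same helper rather than nulling the field by hand. saslProcess and disposeSasl both start outside their hunks.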


@ -28,6 +28,7 @@
import org.apache.hadoop.fs.CommonConfigurationKeysPublic; import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.io.Text; import org.apache.hadoop.io.Text;
import org.apache.hadoop.ipc.Client.ConnectionId; import org.apache.hadoop.ipc.Client.ConnectionId;
import org.apache.hadoop.ipc.Server.Connection;
import org.apache.hadoop.net.NetUtils; import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.*; import org.apache.hadoop.security.*;
import org.apache.hadoop.security.SaslRpcServer.AuthMethod; import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
@ -270,7 +271,16 @@ private void doDigestRpc(Server server, TestTokenSecretManager sm)
assertEquals(TOKEN, authMethod); assertEquals(TOKEN, authMethod);
//QOP must be auth //QOP must be auth
assertEquals(expectedQop.saslQop, assertEquals(expectedQop.saslQop,
RPC.getConnectionIdForProxy(proxy).getSaslQop()); RPC.getConnectionIdForProxy(proxy).getSaslQop());
int n = 0;
for (Connection connection : server.getConnections()) {
// only qop auth should dispose of the sasl server
boolean hasServer = (connection.saslServer != null);
assertTrue("qop:" + expectedQop + " hasServer:" + hasServer,
(expectedQop == QualityOfProtection.AUTHENTICATION) ^ hasServer);
n++;
}
assertTrue(n > 0);
proxy.ping(null, newEmptyRequest()); proxy.ping(null, newEmptyRequest());
} finally { } finally {
stop(server, proxy); stop(server, proxy);
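Review bot: The XOR assertion on `expectedQop == QualityOfProtection.AUTHENTICATION` and `hasServer` in the 271 hunk is correct but hard to read, and on failure it only prints the hand-built message; an equality assertion states the expectation directly and reports both sides: `assertEquals("qop:" + expectedQop, expectedQop != QualityOfProtection.AUTHENTICATION, hasServer);`. The bare `assertTrue(n > 0)` also deserves a message, e.g. `assertTrue("no server connections found", n > 0)`, since it is the only guard against the loop running zero times and the disposal check never executing. The loop reads the package-private `connection.saslServer` field directly, which is what the new `Server.Connection` import in the 28 hunk is for; acceptable for a same-package test, but it ties the test to the field name rather than an accessor. doDigestRpc starts and ends outside the hunk.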