From 8af0310b62b86d2449a8cd910cbad6c8858cfd76 Mon Sep 17 00:00:00 2001 From: Istvan Toth Date: Fri, 8 Nov 2024 08:49:02 +0100 Subject: [PATCH 1/3] HBASE-28970 Get asyncfs working with custom SASL mechanisms --- .../FanOutOneBlockAsyncDFSOutputSaslHelper.java | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/hbase-asyncfs/src/main/java/org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java b/hbase-asyncfs/src/main/java/org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java index 4f5ae5b22a98..4ec544f29847 100644 --- a/hbase-asyncfs/src/main/java/org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java +++ b/hbase-asyncfs/src/main/java/org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java @@ -112,7 +112,7 @@ private FanOutOneBlockAsyncDFSOutputSaslHelper() { private static final String SERVER_NAME = "0"; private static final String PROTOCOL = "hdfs"; - private static final String MECHANISM = "DIGEST-MD5"; + private static final String MECHANISM = org.apache.hadoop.security.SaslRpcServer.AuthMethod.TOKEN.getMechanismName(); private static final int SASL_TRANSFER_MAGIC_NUMBER = 0xDEADBEEF; private static final String NAME_DELIMITER = " "; @@ -461,7 +461,11 @@ private void sendSaslMessage(ChannelHandlerContext ctx, byte[] payload, @Override public void handlerAdded(ChannelHandlerContext ctx) throws Exception { safeWrite(ctx, ctx.alloc().buffer(4).writeInt(SASL_TRANSFER_MAGIC_NUMBER)); - sendSaslMessage(ctx, new byte[0]); + byte[] firstMessage = new byte[0]; + if (saslClient.hasInitialResponse()) { + firstMessage = saslClient.evaluateChallenge(new byte[0]); + } + sendSaslMessage(ctx, firstMessage); ctx.flush(); step++; } @@ -502,12 +506,17 @@ private void checkSaslComplete() throws IOException { Set requestedQop = ImmutableSet.copyOf(Arrays.asList(saslProps.get(Sasl.QOP).split(","))); String negotiatedQop = getNegotiatedQop(); + // Treat null negotiated QOP as "auth" for the purpose of verification + // Code elsewhere does the same implicitly + if(negotiatedQop == null) { + negotiatedQop = "auth"; + } LOG.debug( "Verifying QOP, requested QOP = " + requestedQop + ", negotiated QOP = " + negotiatedQop); if (!requestedQop.contains(negotiatedQop)) { throw new IOException(String.format("SASL handshake completed, but " + "channel does not have acceptable quality of protection, " - + "requested = %s, negotiated = %s", requestedQop, negotiatedQop)); + + "requested = %s, negotiated(effective) = %s", requestedQop, negotiatedQop)); } } From 296951575d5320acef3d715bfabfe250701a9fe5 Mon Sep 17 00:00:00 2001 From: Istvan Toth Date: Tue, 3 Dec 2024 09:26:34 +0100 Subject: [PATCH 2/3] apply spotless --- .../io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hbase-asyncfs/src/main/java/org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java b/hbase-asyncfs/src/main/java/org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java index 4ec544f29847..23f96670d997 100644 --- a/hbase-asyncfs/src/main/java/org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java +++ b/hbase-asyncfs/src/main/java/org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java @@ -112,7 +112,8 @@ private FanOutOneBlockAsyncDFSOutputSaslHelper() { private static final String SERVER_NAME = "0"; private static final String PROTOCOL = "hdfs"; - private static final String MECHANISM = org.apache.hadoop.security.SaslRpcServer.AuthMethod.TOKEN.getMechanismName(); + private static final String MECHANISM = + org.apache.hadoop.security.SaslRpcServer.AuthMethod.TOKEN.getMechanismName(); private static final int SASL_TRANSFER_MAGIC_NUMBER = 0xDEADBEEF; private static final String NAME_DELIMITER = " "; @@ -508,7 +509,7 @@ private void checkSaslComplete() throws IOException { String negotiatedQop = getNegotiatedQop(); // Treat null negotiated QOP as "auth" for the purpose of verification // Code elsewhere does the same implicitly - if(negotiatedQop == null) { + if (negotiatedQop == null) { negotiatedQop = "auth"; } LOG.debug( From 56a7d835c89b7309d89e47c2919520dbefad15e3 Mon Sep 17 00:00:00 2001 From: Istvan Toth Date: Tue, 3 Dec 2024 09:36:41 +0100 Subject: [PATCH 3/3] minimal optimization --- .../io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hbase-asyncfs/src/main/java/org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java b/hbase-asyncfs/src/main/java/org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java index 23f96670d997..a39c4fba7919 100644 --- a/hbase-asyncfs/src/main/java/org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java +++ b/hbase-asyncfs/src/main/java/org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.java @@ -464,7 +464,7 @@ public void handlerAdded(ChannelHandlerContext ctx) throws Exception { safeWrite(ctx, ctx.alloc().buffer(4).writeInt(SASL_TRANSFER_MAGIC_NUMBER)); byte[] firstMessage = new byte[0]; if (saslClient.hasInitialResponse()) { - firstMessage = saslClient.evaluateChallenge(new byte[0]); + firstMessage = saslClient.evaluateChallenge(firstMessage); } sendSaslMessage(ctx, firstMessage); ctx.flush();