From 7638b4727e702725bcbfeb4addf3fc80078924b8 Mon Sep 17 00:00:00 2001
From: Tsz-Wo Nicholas Sze
Date: Sat, 20 Jul 2024 15:16:01 +0800
Subject: [PATCH] HDFS-17575. SaslDataTransferClient should use SaslParticipant to create messages. (#6933)

---
 .../sasl/SaslDataTransferClient.java | 16 ++++++++++++----
 .../datatransfer/sasl/SaslParticipant.java | 10 ++++++++--
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient.java
index 043439130d5dc..960a5221dd1ae 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient.java
@@ -63,6 +63,7 @@
 import org.apache.hadoop.security.token.SecretManager;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.util.Lists;
+import org.apache.hadoop.util.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -84,6 +85,8 @@ public class SaslDataTransferClient {
   private static final Logger LOG = LoggerFactory.getLogger(
       SaslDataTransferClient.class);
 
+  private static final byte[] EMPTY_BYTE_ARRAY = {};
+
   private final Configuration conf;
   private final AtomicBoolean fallbackToSimpleAuth;
   private final SaslPropertiesResolver saslPropsResolver;
@@ -519,25 +522,29 @@ private IOStreamPair doSaslHandshake(InetAddress addr,
       // In which case there will be no encrypted secret sent from NN.
       BlockTokenIdentifier blockTokenIdentifier =
           accessToken.decodeIdentifier();
+      final byte[] first = sasl.evaluateChallengeOrResponse(EMPTY_BYTE_ARRAY);
+      if (LOG.isDebugEnabled()) {
+        LOG.info("first: {}", first == null ? null : first.length == 0 ? ""
+            : StringUtils.byteToHexString(first));
+      }
       if (blockTokenIdentifier != null) {
         byte[] handshakeSecret =
             accessToken.decodeIdentifier().getHandshakeMsg();
         if (handshakeSecret == null || handshakeSecret.length == 0) {
           LOG.debug("Handshake secret is null, " +
               "sending without handshake secret.");
-          sendSaslMessage(out, new byte[0]);
+          sendSaslMessage(out, first);
         } else {
           LOG.debug("Sending handshake secret.");
           BlockTokenIdentifier identifier = new BlockTokenIdentifier();
           identifier.readFields(new DataInputStream(
               new ByteArrayInputStream(accessToken.getIdentifier())));
           String bpid = identifier.getBlockPoolId();
-          sendSaslMessageHandshakeSecret(out, new byte[0],
-              handshakeSecret, bpid);
+          sendSaslMessageHandshakeSecret(out, first, handshakeSecret, bpid);
         }
       } else {
         LOG.debug("Block token id is null, sending without handshake secret.");
-        sendSaslMessage(out, new byte[0]);
+        sendSaslMessage(out, first);
       }
 
       // step 1
@@ -565,6 +572,7 @@ private IOStreamPair doSaslHandshake(InetAddress addr,
           cipherOptions.add(option);
         }
       }
+      LOG.debug("{}: cipherOptions={}", sasl, cipherOptions);
       sendSaslMessageAndNegotiationCipherOptions(out, localResponse,
           cipherOptions);
 
diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslParticipant.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslParticipant.java
index e32f76a8ebd7d..ee8760d688adb 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslParticipant.java
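Review bot: The new log block in the -519 hunk is guarded by `LOG.isDebugEnabled()` but emits at INFO, so the hex dump of the client's first SASL token is only produced when debug is on yet is tagged INFO in the log; make the level match the guard, `LOG.debug("first: {}", first == null ? null : first.length == 0 ? "" : StringUtils.byteToHexString(first));`, after which the guard can go because the parameterized call is cheap. Whether that first token can carry material that should not be written to logs depends on the SASL mechanism the SaslParticipant was built with, which is not visible in this hunk, so a one-line comment at the log line stating why the dump is safe would help the next reader. Separately, the log expression anticipates `first == null`, yet the three `sendSaslMessage`/`sendSaslMessageHandshakeSecret` calls now receive that value where they previously always got `new byte[0]`; unless those helpers (outside the hunk) accept a null payload, normalise once with `final byte[] response = sasl.evaluateChallengeOrResponse(EMPTY_BYTE_ARRAY);` and `final byte[] first = response != null ? response : EMPTY_BYTE_ARRAY;`, which preserves the pre-change wire behaviour for mechanisms that return no initial response. doSaslHandshake starts and ends outside the hunk.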
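Review bot: The added `LOG.debug("{}: cipherOptions={}", sasl, cipherOptions);` in the -565 hunk renders every CipherOption through its toString(), which is not visible here; if that rendering includes the key or IV fields of the option, a debug log would carry cipher key material. At this point the client appears to be proposing suites before any key has been negotiated (inferred from the surrounding code), but this should be confirmed against CipherOption, or the line should log only the suite of each option rather than the whole object. doSaslHandshake continues outside the hunk.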
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslParticipant.java
@@ -20,6 +20,7 @@
 import java.io.DataInputStream;
 import java.io.DataOutputStream;
 import java.util.Map;
+import java.util.Objects;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.sasl.Sasl;
 import javax.security.sasl.SaslClient;
@@ -110,7 +111,7 @@ public static SaslParticipant createClientSaslParticipant(String userName,
    * @param saslServer to wrap
    */
   private SaslParticipant(SaslServer saslServer) {
-    this.saslServer = saslServer;
+    this.saslServer = Objects.requireNonNull(saslServer, "saslServer == null");
     this.saslClient = null;
   }
 
@@ -121,7 +122,7 @@ private SaslParticipant(SaslServer saslServer) {
    */
   private SaslParticipant(SaslClient saslClient) {
     this.saslServer = null;
-    this.saslClient = saslClient;
+    this.saslClient = Objects.requireNonNull(saslClient, "saslClient == null");
   }
 
   /**
@@ -228,4 +229,9 @@ public IOStreamPair createStreamPair(DataOutputStream out,
         new SaslOutputStream(out, saslServer));
     }
   }
+
+  @Override
+  public String toString() {
+    return "Sasl" + (saslServer != null? "Server" : "Client");
+  }
 }
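Review bot: The Javadoc above the SaslServer constructor in the -110 hunk still reads only `* @param saslServer to wrap`, while the constructor now rejects null via `Objects.requireNonNull`; add `* @throws NullPointerException if {@code saslServer} is null` there, and the matching `@throws` for `saslClient` on the -121 hunk's constructor, so the new contract is documented where callers look for it. Both Javadoc blocks start outside the hunks.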
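Review bot: In the -228 hunk, `saslServer != null? "Server" : "Client"` is missing the space before `?` that the rest of the file's conditionals use. Since this toString() is what the new `"{}: cipherOptions={}"` debug line in SaslDataTransferClient prints for `sasl`, including the mechanism would make that log line actually identify the negotiation, for example `final String kind = saslServer != null ? "Server" : "Client";` then `final String mech = saslServer != null ? saslServer.getMechanismName() : saslClient.getMechanismName();` and `return "Sasl" + kind + "(" + mech + ")";`; the constructors guarantee exactly one of the two fields is non-null, so the lookup cannot NPE.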