From a79fb0469f23e5990f128a95c00bc1556a09a78c Mon Sep 17 00:00:00 2001
From: Istvan Toth
Date: Wed, 20 Nov 2024 12:44:51 +0100
Subject: [PATCH] HDFS-17669 Do not reqest SASL QOP when using CryptoInput/OutputStream
---
 .../datatransfer/sasl/DataTransferSaslUtil.java | 11 +++++------
 .../datatransfer/sasl/SaslDataTransferClient.java | 3 +--
 .../datatransfer/sasl/SaslDataTransferServer.java | 3 +--
 3 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java
index 9efefe48b27947..5a4d6872d84f6b 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java
@@ -112,7 +112,7 @@ public static void checkSaslComplete(SaslParticipant sasl,
 if (!requestedQop.contains(negotiatedQop)) {
 throw new IOException(String.format("SASL handshake completed, but " +
 "channel does not have acceptable quality of protection, " +
- "requested = %s, negotiated = %s", requestedQop, negotiatedQop));
+ "requested = %s, negotiated(effective) = %s", requestedQop, negotiatedQop));
 }
 }
@@ -135,12 +135,11 @@ public static boolean requestedQopContainsPrivacy(
 * @param encryptionAlgorithm to use for SASL negotation
 * @return properties of encrypted SASL negotiation
 */
- public static Map createSaslPropertiesForEncryption(
- String encryptionAlgorithm) {
- Map saslProps = Maps.newHashMapWithExpectedSize(3);
- saslProps.put(Sasl.QOP, QualityOfProtection.PRIVACY.getSaslQop());
+ public static Map createSaslPropertiesForEncryption() {
+ Map saslProps = Maps.newHashMapWithExpectedSize(1);
+ // This is equivalent to the default null, but the rest of Haddop expects this to be set
+ saslProps.put(Sasl.QOP, QualityOfProtection.AUTHENTICATION.getSaslQop());
 saslProps.put(Sasl.SERVER_AUTH, "true");
- saslProps.put("com.sun.security.sasl.digest.cipher", encryptionAlgorithm);
 return saslProps;
 }
diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient.java
index dd1da77af1efd6..401766fa9e16f4 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient.java
@@ -315,8 +315,7 @@ private IOStreamPair getEncryptedStreams(InetAddress addr,
 Token accessToken, SecretKey secretKey) throws IOException {
- Map saslProps = createSaslPropertiesForEncryption(
- encryptionKey.encryptionAlgorithm);
+ Map saslProps = createSaslPropertiesForEncryption();
 if (secretKey != null) {
 LOG.debug("DataNode overwriting downstream QOP" + saslProps.get(Sasl.QOP));
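Review bot: The Javadoc kept as context above `createSaslPropertiesForEncryption()` still carries `@param encryptionAlgorithm to use for SASL negotation`, but the new signature takes no parameter, so that `@param` line is stale (and "negotation" is misspelled); drop it and reword the summary, since the method no longer requests SASL privacy. With `Sasl.QOP` switched from PRIVACY to AUTHENTICATION, all that `checkSaslComplete` in the first hunk can still enforce is that the negotiated QOP is `auth`, so the contract that confidentiality comes from the CryptoInputStream/CryptoOutputStream wrapping (per the commit subject, done by callers outside this hunk) belongs in the method's Javadoc, not only in the commit message. I would replace the added inline comment with `// Request only "auth": the stream itself is encrypted by CryptoInput/OutputStream (HDFS-17669); the rest of Hadoop still expects Sasl.QOP to be set explicitly.`, which also fixes the "Haddop" typo. The matching call-site changes in SaslDataTransferClient and SaslDataTransferServer look consistent with this as far as the visible lines show.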
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferServer.java
index f6913c3425a9f1..ac34f590001332 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferServer.java
@@ -173,8 +173,7 @@ private IOStreamPair getEncryptedStreams(Peer peer,
 return new IOStreamPair(underlyingIn, underlyingOut);
 }
- Map saslProps = createSaslPropertiesForEncryption(
- dnConf.getEncryptionAlgorithm());
+ Map saslProps = createSaslPropertiesForEncryption();
 if (LOG.isDebugEnabled()) {
 LOG.debug("Server using encryption algorithm " +