Closed Viguro79 closed 4 years ago
Yeah, I encountered this when trying to test with HDP3 in CI. Unfortunately, I don't have a Kerberized HDP cluster available to test with. I'd welcome contributions here from someone who has the env available to debug.
Hi
We encountered the same problem and after short debug found that the QoP
in token can be a list of levels ordered by the preference. For ex. auth-conf,auth
. Currently the code assumes that token has only one QoP
level. I'm pasting the patch below. The code simply selects the most secure level, thus ignoring the other side's preferences. I don't know the library, so i'm not sure that all the places where the Qop list can be spotted, are covered by this patch.
diff -u -r internal/rpc/kerberos.go internal-new/rpc/kerberos.go
--- internal/rpc/kerberos.go 2020-07-28 17:15:33.000000000 +0200
+++ internal-new/rpc/kerberos.go 2020-07-28 17:14:35.000000000 +0200
@@ -63,7 +63,8 @@
return err
}
- switch challenge.Qop {
+ qopLevel := sasl.HighestQopLevel(challenge.Qop)
+ switch qopLevel {
case sasl.QopPrivacy, sasl.QopIntegrity:
// Switch to SASL RPC handler
c.transport = &saslTransport{
@@ -71,7 +72,7 @@
clientID: c.ClientID,
},
sessionKey: sessionKey,
- privacy: challenge.Qop == sasl.QopPrivacy,
+ privacy: qopLevel == sasl.QopPrivacy,
}
case sasl.QopAuthentication:
// No special transport is required.
diff -u -r internal/sasl/challenge.go internal-new/sasl/challenge.go
--- internal/sasl/challenge.go 2020-07-28 17:15:33.000000000 +0200
+++ internal-new/sasl/challenge.go 2020-07-28 17:14:35.000000000 +0200
@@ -30,6 +30,21 @@
Algorithm string
}
+// HighestQopLevel extracts most secure Qop level from the list provided as an argument.
+func HighestQopLevel(qopListStr string) string {
+ // The qopList is a comma-separated list of qop values, the order of which specifies the preference order.
+ qopList := strings.Split(qopListStr, ",")
+ // Search provided list for most secure qop level.
+ for _, r := range []string{QopPrivacy, QopIntegrity, QopAuthentication} {
+ for _, qop := range qopList {
+ if qop == r {
+ return r
+ }
+ }
+ }
+ return qopListStr
+}
+
func ParseChallenge(challenge []byte) (*Challenge, error) {
ch := Challenge{}
I can't manage to test on HDP3 - probably because of the cloudera acquisition, the packages aren't easily installable anymore. But I pushed your fix in 9a6156e161288c956ce1d890cda9e6c97c67d065. Hopefully it helps!
When I try to use gohdfs on HDP3.1, it won't work.
hdfs dfs -ls /data
works. Butgohdfs ls /data
returns an error : Couldn't connect to namenode: no available namenodes: SASL handshake: unexpected QOP in challenge Cluster kerberized + H.A. It's working on HDP2.6 with the same configuration. Is this a known issue?