Comments (3)
I tried very hard to make everything working, but for the moment I am declaring defeated after many unsuccessful tries. The main issue is that the encrypt/decrypt part of python-sasl (and hence cyrus sasl) seems not working for the DIGEST-MD5 encryption. This is an example of what snakebite receives after a successful sasl handshake:
payload: "rspauth=d6141c413171a5eb119aedbbeb8db387"
cipherOption {
suite: AES_CTR_NOPADDING
inKey: "\343;p\214\224V\326\026L\367\371d\177\222x\271tf\241N\345\236\206\321F~\000\001\000\000\000\000"
inIv: "\370l&\317\246\304x.\177\307\336\236C\336\332\225"
outKey: "\307\214\314\'\355\276A\'\302\360N\261uw\177\347\323T\303\322\342-As\372$\000\001\000\000\000\001"
outIv: "#\326N\260\237\337s\232N\027N\255L\3265F"
}
The various Iv and Key fields are encrypted, by the Datanode, using the DIGEST-MD5 session keys negotiated via SASL just before (when using auth-conf
). I planned to use PyCryptodome for AES encryption but I wasn't able to get to test it.
The first issue was the error described in cyrusimap/cyrus-sasl#614. I found a workaround, namely patching python-sasl
, but then I just ended up in a more generic error with more specific hints about what to change/patch.
from snakebite-py3.
Updating this issue with some info about testing done. The sasl
library was forked to sasl3
(updating bindings etc..) but I wasn't still able to make any RPC to the Namenode to work. The bug that I was getting reported the following error in the Namenode's logs:
INFO org.apache.hadoop.ipc.Server: Socket Reader #1 for port 8020: readAndProcess from client 10.64.5.32 threw exception [javax.security.sasl.SaslException: Problems unwrapping SASL buffer [Caused by GSSException: Defective token detected (Mechanism level: Kerberos GSS-API Mechanism Token:Defective Token ID!)]]
javax.security.sasl.SaslException: Problems unwrapping SASL buffer [Caused by GSSException: Defective token detected (Mechanism level: Kerberos GSS-API Mechanism Token:Defective Token ID!)]
After a lot of tests and debugging comparing the code running pure-sasl
(working) vs the one usingsasl3
(ending up in the above failure) I noticed that the encoded token sent to the Namenode (to wrap the RPC) was always 4 bytes longer, and the diff was at the front (so the first four bytes were different for some reason, dumping binary was a joy). Google then helped and I found:
https://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2017-March/003002.html
So the extra 4 bytes in front are the length of the payload, added by GSS-API. Cyrus Sasl follows a RFC, Java another one. The trick to make everything to work is to:
- remove the first 4 bytes after encoding with sasl.encode(), and then send to the Namenode.
- add 4 bytes with the len of the token received from the Namenode (something like
struct.pack('!I', len(response.token)) + response.token
is sufficient).
All the above was to make cyrus sasl to work with RPCs between Client and Namenode, that use GSS-API/kerberos in my case. This makes snakebite to work with calls like ls
, but it doesn't when we want to get the content of a file for example, because the code to encrypt the RPC between client and Datanode is still missing. The RPC in fact doesn't use GSS-API, but Digest-MD5, and it follows a different protocol (Datanode protocol).
So next step is to implement the missing code and see if it works. If so, we'll be able to switch snakebite back to cyrus sasl and finally use it in Hadoop clusters with Kerberos and RPC encryption.
from snakebite-py3.
As reference https://issues.apache.org/jira/browse/HDFS-6606
from snakebite-py3.
Related Issues (8)
- HAClient doesn't fail over to alt Namenode HOT 2
- Unit tests fail with errors
- Kerberos support for Python3 HOT 7
- Deprecation warning due to invalid escape sequences in Python 3.8
- sasl.process() fails HOT 2
- StopIteration Error Raised at Runtime with Python 3.7 Version HOT 1
- Regular expression in minicluster _get_namenode_port has invalid escape sequence in python >= 3.8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from snakebite-py3.