HDFS-17668 Treat null SASL negotiated QOP as auth in DataTransferSasl… (

apache#7171)
fuchaohong · Dec 3, 2024 · 464d7d9 · 464d7d9
1 parent 964e089
commit 464d7d9
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/...src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java b/...src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java
@@ -104,10 +104,15 @@ public static void checkSaslComplete(SaslParticipant sasl,
     String negotiatedQop = sasl.getNegotiatedQop();
     LOG.debug("{}: Verifying QOP: requested = {}, negotiated = {}",
         sasl, requestedQop, negotiatedQop);
-    if (negotiatedQop != null && !requestedQop.contains(negotiatedQop)) {
+    // Treat null negotiated QOP as "auth" for the purpose of verification
+    // Code elsewhere does the same implicitly
+    if(negotiatedQop == null) {
+      negotiatedQop = "auth";
+    }
+    if (!requestedQop.contains(negotiatedQop)) {
       throw new IOException(String.format("SASL handshake completed, but " +
           "channel does not have acceptable quality of protection, " +
-          "requested = %s, negotiated = %s", requestedQop, negotiatedQop));
+          "requested = %s, negotiated(effective) = %s", requestedQop, negotiatedQop));
     }
   }