From afdb20139352f2a23c4bc54f3ed42ff1b7a68590 Mon Sep 17 00:00:00 2001
From: Istvan Toth
Date: Thu, 14 Nov 2024 08:18:16 +0100
Subject: [PATCH 1/2] HDFS-17668 Treat null SASL negotiated QOP as auth in DataTransferSaslUtil#checkSaslComplete()

---
 .../protocol/datatransfer/sasl/DataTransferSaslUtil.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java
index e4ae936b4feaf..9efefe48b2794 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java
@@ -104,7 +104,12 @@ public static void checkSaslComplete(SaslParticipant sasl,
 String negotiatedQop = sasl.getNegotiatedQop();
 LOG.debug("{}: Verifying QOP: requested = {}, negotiated = {}", sasl,
 requestedQop, negotiatedQop);
- if (negotiatedQop != null && !requestedQop.contains(negotiatedQop)) {
+ // Treat null negotiated QOP as "auth" for the purpose of verification
+ // Code elsewhere does the same implicitly
+ if(negotiatedQop == null) {
+ negotiatedQop = "auth";
+ }
+ if (!requestedQop.contains(negotiatedQop)) {
 throw new IOException(String.format("SASL handshake completed, but " +
 "channel does not have acceptable quality of protection, " +
 "requested = %s, negotiated = %s", requestedQop, negotiatedQop));
From bde89d4045ac5f1244946cada2f157429d74b094 Mon Sep 17 00:00:00 2001
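Review bot: The added null branch hard-codes the literal `"auth"` although this same file spells that value as `QualityOfProtection.AUTHENTICATION.getSaslQop()` (see createSaslPropertiesForEncryption in the second patch); prefer `negotiatedQop = QualityOfProtection.AUTHENTICATION.getSaslQop();` so the substitute cannot drift from the enum. Style: `if(negotiatedQop == null)` lacks the space Hadoop's checkstyle expects, `if (negotiatedQop == null) {`. The substitution is also silent: the debug line just above still prints `negotiated = null` while the exception reports the substituted value, so a one-line `LOG.debug("{}: no QOP negotiated, treating it as auth", sasl);` inside the branch keeps the two consistent. Treating an absent QOP as bare authentication is the fail-closed choice when integrity or privacy was requested, which is what the rewritten check now enforces. checkSaslComplete's closing braces lie outside the hunk.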
From: Istvan Toth
Date: Wed, 20 Nov 2024 12:44:51 +0100
Subject: [PATCH 2/2] HDFS-17669 Do not reqest SASL QOP when using CryptoInput/OutputStream

---
 .../datatransfer/sasl/DataTransferSaslUtil.java | 11 +++++------
 .../datatransfer/sasl/SaslDataTransferClient.java | 3 +--
 .../datatransfer/sasl/SaslDataTransferServer.java | 3 +--
 3 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java
index 9efefe48b2794..d8717896ea24a 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.java
@@ -112,7 +112,7 @@ public static void checkSaslComplete(SaslParticipant sasl,
 if (!requestedQop.contains(negotiatedQop)) {
 throw new IOException(String.format("SASL handshake completed, but " +
 "channel does not have acceptable quality of protection, " +
- "requested = %s, negotiated = %s", requestedQop, negotiatedQop));
+ "requested = %s, negotiated(effective) = %s", requestedQop, negotiatedQop));
 }
 }

@@ -135,12 +135,11 @@ public static boolean requestedQopContainsPrivacy(
 * @param encryptionAlgorithm to use for SASL negotation
 * @return properties of encrypted SASL negotiation
 */
- public static Map createSaslPropertiesForEncryption(
- String encryptionAlgorithm) {
- Map saslProps = Maps.newHashMapWithExpectedSize(3);
- saslProps.put(Sasl.QOP, QualityOfProtection.PRIVACY.getSaslQop());
+ public static Map createSaslPropertiesForEncryption() {
+ Map saslProps = Maps.newHashMapWithExpectedSize(2);
+ // This is equivalent to not setting QOP, but the rest of Hadoop expects this to be set
+ saslProps.put(Sasl.QOP, QualityOfProtection.AUTHENTICATION.getSaslQop());
 saslProps.put(Sasl.SERVER_AUTH, "true");
- saslProps.put("com.sun.security.sasl.digest.cipher", encryptionAlgorithm);
 return saslProps;
 }

diff --git a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient.java b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient.java
index dd1da77af1efd..401766fa9e16f 100644
--- a/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient.java
+++ b/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient.java
@@ -315,8 +315,7 @@ private IOStreamPair getEncryptedStreams(InetAddress addr,
 Token accessToken, SecretKey secretKey) throws IOException {
- Map saslProps = createSaslPropertiesForEncryption(
- encryptionKey.encryptionAlgorithm);
+ Map saslProps = createSaslPropertiesForEncryption();
 if (secretKey != null) {
 LOG.debug("DataNode overwriting downstream QOP" +
 saslProps.get(Sasl.QOP));
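Review bot: The Javadoc kept as context above the new signature still says `* @param encryptionAlgorithm to use for SASL negotation`, but that parameter no longer exists, so the doc is now wrong (and keeps the `negotation` typo); drop that line and state the new contract instead, along the lines of "Builds the SASL properties for the encrypted data-transfer path: only authentication is requested from the SASL mechanism because confidentiality comes from the CryptoInputStream/CryptoOutputStream set up after the handshake, so the configured encryption algorithm is no longer passed to the mechanism." The security consequence of dropping `PRIVACY` and the `com.sun.security.sasl.digest.cipher` property is that the SASL layer itself no longer encrypts anything for callers of these properties, which is only safe if every such connection ends up on the Crypto streams and fails closed when no cipher option is negotiated; the fallback that would leave the connection on a plain SASL stream pair with QOP `auth` is not visible in this patch and should be confirmed or guarded with an explicit check. The in-code comment would carry its weight better if it named where confidentiality now comes from, e.g. `// Only "auth" is requested from SASL: the stream is encrypted by the Crypto streams negotiated after the handshake, not by the mechanism.`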
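Review bot: `encryptionKey.encryptionAlgorithm` is no longer consumed on this path, so the algorithm the NameNode hands out in the data encryption key (`dfs.encrypt.data.transfer.algorithm`) is now silently ignored by the client; a deployment that relied on it without configuring AES cipher suites would presumably no longer get SASL-level encryption, which deserves at least a warning log or a release note. A short comment at the call site would make the intent explicit, e.g. `// encryptionAlgorithm is intentionally unused: confidentiality comes from the Crypto streams, not from the SASL mechanism.` getEncryptedStreams continues past the hunk, and the cipher-option negotiation that decides whether the Crypto streams are actually used is not visible here.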
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferServer.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferServer.java
index f6913c3425a9f..ac34f59000133 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferServer.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferServer.java
@@ -173,8 +173,7 @@ private IOStreamPair getEncryptedStreams(Peer peer,
 return new IOStreamPair(underlyingIn, underlyingOut);
 }

- Map saslProps = createSaslPropertiesForEncryption(
- dnConf.getEncryptionAlgorithm());
+ Map saslProps = createSaslPropertiesForEncryption();
 if (LOG.isDebugEnabled()) {
 LOG.debug("Server using encryption algorithm " +