| Bryan Duxbury | d483712 | 2010-09-08 00:06:35 +0000 | [diff] [blame] | 1 | A Thrift SASL message shall be a byte array of one of the following forms: |
| 2 | |
| 3 | | 1-byte START status code | 1-byte mechanism name length | variable length mechanism name | 4-byte payload length | variable-length payload | |
| 4 | | 1-byte status code | 4-byte payload length | variable-length payload | |
| 5 | |
| 6 | The length fields shall be interpreted as integers, with the high byte sent |
| 7 | first. This indicates the length of the field immediately following it, not |
| 8 | including the status code or the length bytes. |
| 9 | |
| 10 | The possible status codes are: |
| 11 | |
| 12 | 0x01 - START - Hello, let's go on a date. |
| 13 | 0x02 - OK - Everything's been going alright so far, let's see each other again. |
| 14 | 0x03 - BAD - I understand what you're saying. I really do. I just don't like it. We have to break up. |
| 15 | 0x04 - ERROR - We can't go on like this. It's like you're speaking another language. |
| 16 | 0x05 - COMPLETE - Will you marry me? |
| 17 | |
| 18 | The Thrift SASL communication will proceed as follows: |
| 19 | |
| 20 | 1. The client is configured at instantiation of the transport with a single |
| 21 | underlying SASL security mechanism that it supports. |
| 22 | |
| 23 | 2. The server is configured with a mapping of underlying security mechanism |
| 24 | name -> mechanism options. |
| 25 | |
| 26 | 3. At connection time, the client will initiate communication by sending the |
| 27 | server a START byte, followed by a 1-byte field indicating the length in bytes |
| 28 | of the underlying security mechanism name that the client would like to use. |
| 29 | This mechanism name shall be 1-20 characters in length, and follow the |
| 30 | specifications for SASL mechanism names specified in RFC 2222. This mechanism |
| 31 | name shall be followed by a 4-byte, potentially zero-value message length word, |
| 32 | followed by a potentially zero-length payload. The payload is determined by the |
| 33 | output byte array of the underlying actual security mechanism, and will be |
| 34 | empty except for those underlying security protocols which implement the |
| 35 | optional SASL initial response. |
| 36 | |
| 37 | 4. The server receives this message and, if the mechanism name provided is |
| 38 | among the set of mechanisms this server transport is configured to accept, |
| 39 | appropriate initialization of the underlying security mechanism may take place. |
| 40 | If the mechanism name is not one which the server is configured to support, the |
| 41 | server shall return the BAD byte, followed by a 4-byte, potentially zero-value |
| 42 | message length, followed by the potentially zero-length payload which may be a |
| 43 | status code or message indicating failure. No further communication may take |
| 44 | place via this transport. If the mechanism name is one which the server |
| 45 | supports, then proceed to step 5. |
| 46 | |
| 47 | 5. The server then provides the byte array of the payload received to its |
| 48 | underlying security mechanism. A challenge is generated by the underlying |
| 49 | security mechanism on the server, and this is used as the payload for a message |
| 50 | sent to the client. This message shall consist of an OK byte, followed by the |
| 51 | non-zero message length word, followed by the payload. |
| 52 | |
| 53 | 6. The client receives this message from the server and passes the payload to |
| 54 | its underlying security mechanism to generate a response. The client then sends |
| 55 | the server an OK byte, followed by the non-zero-value length of the response, |
| 56 | followed by the bytes of the response as the payload. |
| 57 | |
| 58 | 7. Steps 5 and 6 are repeated until both security mechanisms are satisfied with |
| 59 | the challenge/response exchange. When either side has completed its security |
| 60 | protocol, its next message shall be the COMPLETE byte, followed by a 4-byte |
| 61 | potentially zero-value length word, followed by a potentially zero-length |
| 62 | payload. This payload will be empty except for those underlying security |
| 63 | mechanisms which provide additional data with success. |
| 64 | |
| 65 | If at any point in time either side is able to interpret the challenge or |
| 66 | response sent by the other, but is dissatisfied with the contents thereof, this |
| 67 | side should send the other a BAD byte, followed by a 4-byte potentially |
| 68 | zero-value length word, followed by an optional, potentially zero-length |
| 69 | message encoded in UTF-8 indicating failure. This message should be passed to |
| 70 | the protocol above the thrift transport by whatever mechanism is appropriate |
| 71 | and idiomatic for the particular language these thrift bindings are for. |
| 72 | |
| 73 | If at any point in time either side fails to interpret the challenge or |
| 74 | response sent by the other, this side should send the other an ERROR byte, |
| 75 | followed by a 4-byte potentially zero-value length word, followed by an |
| 76 | optional, potentially zero-length message encoded in UTF-8. This message should |
| 77 | be passed to the protocol above the thrift transport by whatever mechanism is |
| 78 | appropriate and idiomatic for the particular language these thrift bindings are |
| 79 | for. |
| 80 | |
| 81 | If step 7 completes successfully, then the communication is considered |
| 82 | authenticated and subsequent communication may commence. |
| 83 | |
| 84 | If step 7 fails to complete successfully, then no further communication may |
| 85 | take place via this transport. |
| 86 | |
| 87 | 8. All writes to the underlying transport must be prefixed by the 4-byte length |
| 88 | of the payload data, followed by the payload. All reads from this transport |
| 89 | should read the 4-byte length word, then read the full quantity of bytes |
| 90 | specified by this length word. |
| 91 | |
| 92 | If no SASL QOP (quality of protection) is negotiated during steps 5 and 6, then |
| 93 | all subsequent writes to/reads from this transport are written/read unaltered, |
| 94 | save for the length prefix, to the underlying transport. |
| 95 | |
| 96 | If a SASL QOP is negotiated, then this must be used by the Thrift transport for |
| 97 | all subsequent communication. This is done by wrapping subsequent writes to the |
| 98 | transport using the underlying security mechanism, and unwrapping subsequent |
| 99 | reads from the underlying transport. Note that in this case, the length prefix |
| 100 | of the write to the underlying transport is the length of the data after it has |
| 101 | been wrapped by the underlying security mechanism. Note that the complete |
| 102 | message must be read before giving this data to the underlying security |
| 103 | mechanism for unwrapping. |
| 104 | |
| 105 | If at any point in time reading of a message fails either because of a |
| 106 | malformed length word or failure to unwrap by the underlying security |
| 107 | mechanism, then all further communication on this transport must cease. |