[jira] [Commented] (DRILL-4280) Kerberos Authentication

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/DRILL-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15856472#comment-15856472
 ] 

ASF GitHub Bot commented on DRILL-4280:
---------------------------------------

Github user laurentgo commented on a diff in the pull request:

    https://github.com/apache/drill/pull/578#discussion_r99875648
  
    --- Diff: contrib/native/client/src/clientlib/drillClientImpl.cpp ---
    @@ -407,37 +422,155 @@ connectionStatus_t 
DrillClientImpl::validateHandshake(DrillUserProperties* prope
         if(ret!=CONN_SUCCESS){
             return ret;
         }
    -    if(this->m_handshakeStatus != exec::user::SUCCESS){
    -        switch(this->m_handshakeStatus){
    -            case exec::user::RPC_VERSION_MISMATCH:
    -                DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Invalid rpc version. 
 Expected "
    -                    << DRILL_RPC_VERSION << ", actual "<< 
m_handshakeVersion << "." << std::endl;)
    -                return handleConnError(CONN_BAD_RPC_VER,
    -                        getMessage(ERR_CONN_BAD_RPC_VER, DRILL_RPC_VERSION,
    -                            m_handshakeVersion,
    -                            this->m_handshakeErrorId.c_str(),
    -                            this->m_handshakeErrorMsg.c_str()));
    -            case exec::user::AUTH_FAILED:
    -                DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Authentication 
failed." << std::endl;)
    -                return handleConnError(CONN_AUTH_FAILED,
    -                        getMessage(ERR_CONN_AUTHFAIL,
    -                            this->m_handshakeErrorId.c_str(),
    -                            this->m_handshakeErrorMsg.c_str()));
    -            case exec::user::UNKNOWN_FAILURE:
    -                DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Unknown error during 
handshake." << std::endl;)
    -                return handleConnError(CONN_HANDSHAKE_FAILED,
    -                        getMessage(ERR_CONN_UNKNOWN_ERR,
    -                            this->m_handshakeErrorId.c_str(),
    -                            this->m_handshakeErrorMsg.c_str()));
    -            default:
    -                break;
    +
    +    switch(this->m_handshakeStatus) {
    +        case exec::user::SUCCESS:
    +            // reset io_service after handshake is validated before 
running queries
    +            m_io_service.reset();
    +            return CONN_SUCCESS;
    +        case exec::user::RPC_VERSION_MISMATCH:
    +            DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Invalid rpc version.  
Expected "
    +                << DRILL_RPC_VERSION << ", actual "<< m_handshakeVersion 
<< "." << std::endl;)
    +            return handleConnError(CONN_BAD_RPC_VER, 
getMessage(ERR_CONN_BAD_RPC_VER, DRILL_RPC_VERSION,
    +                                                                
m_handshakeVersion,
    +                                                                
this->m_handshakeErrorId.c_str(),
    +                                                                
this->m_handshakeErrorMsg.c_str()));
    +        case exec::user::AUTH_FAILED:
    +            DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Authentication failed." 
<< std::endl;)
    +            return handleConnError(CONN_AUTH_FAILED, 
getMessage(ERR_CONN_AUTHFAIL,
    +                                                                
this->m_handshakeErrorId.c_str(),
    +                                                                
this->m_handshakeErrorMsg.c_str()));
    +        case exec::user::UNKNOWN_FAILURE:
    +            DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Unknown error during 
handshake." << std::endl;)
    +            return handleConnError(CONN_HANDSHAKE_FAILED, 
getMessage(ERR_CONN_UNKNOWN_ERR,
    +                                                                     
this->m_handshakeErrorId.c_str(),
    +                                                                     
this->m_handshakeErrorMsg.c_str()));
    +        case exec::user::AUTH_REQUIRED:
    +            DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Server requires SASL 
authentication." << std::endl;)
    +            return authenticate(properties);
    +        default:
    +            DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Unknown return status." 
<< std::endl;)
    +            return handleConnError(CONN_HANDSHAKE_FAILED, 
getMessage(ERR_CONN_UNKNOWN_ERR,
    +                                                                     
this->m_handshakeErrorId.c_str(),
    +                                                                     
this->m_handshakeErrorMsg.c_str()));
    +    }
    +}
    +
    +connectionStatus_t DrillClientImpl::authenticate(const 
DrillUserProperties* userProperties) {
    +    try {
    +        m_saslAuthenticator = new SaslAuthenticatorImpl(userProperties);
    +    } catch (std::runtime_error& e) {
    --- End diff --
    
    exceptions in C++ are tricky, I'm not against personally, but I wonder if 
this is needed (especially since here, it's because static initialization 
failed...)


> Kerberos Authentication
> -----------------------
>
>                 Key: DRILL-4280
>                 URL: https://issues.apache.org/jira/browse/DRILL-4280
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: Keys Botzum
>            Assignee: Sudheesh Katkam
>              Labels: security
>
> Drill should support Kerberos based authentication from clients. This means 
> that both the ODBC and JDBC drivers as well as the web/REST interfaces should 
> support inbound Kerberos. For Web this would most likely be SPNEGO while for 
> ODBC and JDBC this will be more generic Kerberos.
> Since Hive and much of Hadoop supports Kerberos there is a potential for a 
> lot of reuse of ideas if not implementation.
> Note that this is related to but not the same as 
> https://issues.apache.org/jira/browse/DRILL-3584 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)