[ https://issues.apache.org/jira/browse/DRILL-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15856976#comment-15856976 ]
ASF GitHub Bot commented on DRILL-4280: --------------------------------------- Github user sudheeshkatkam commented on a diff in the pull request: https://github.com/apache/drill/pull/578#discussion_r99952254 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/rpc/control/ControlClient.java --- 
@@ -89,14 +90,48 @@ public MessageLite getResponseDefaultInstance(int rpcType) throws RpcException {
 }
 @Override
- protected Response handle(ControlConnection connection, int rpcType, ByteBuf pBody, ByteBuf dBody) throws RpcException {
- return handler.handle(connection, rpcType, pBody, dBody);
+ protected void handle(ControlConnection connection, int rpcType, ByteBuf pBody, ByteBuf dBody,
+ ResponseSender sender) throws RpcException {
+ connection.getCurrentHandler().handle(connection, rpcType, pBody, dBody, sender);
 }
 @Override
 protected void validateHandshake(BitControlHandshake handshake) throws RpcException {
 if (handshake.getRpcVersion() != ControlRpcConfig.RPC_VERSION) {
- throw new RpcException(String.format("Invalid rpc version. Expected %d, actual %d.", handshake.getRpcVersion(), ControlRpcConfig.RPC_VERSION));
+ throw new RpcException(String.format("Invalid rpc version. Expected %d, actual %d.",
+ handshake.getRpcVersion(), ControlRpcConfig.RPC_VERSION));
+ }
+
+ if (handshake.getAuthenticationMechanismsCount() != 0) { // remote requires authentication
+ if (config.getAuthProvider() == null) {
+ throw new RpcException(String.format("Drillbit (%s) requires auth, but auth is not configured.",
+ remoteEndpoint.getAddress()));
+ }
+ if (!handshake.getAuthenticationMechanismsList().contains(config.getAuthMechanismToUse())) {
+ throw new RpcException(String.format("Drillbit (%s) does not support %s", remoteEndpoint.getAddress(),
+ config.getAuthMechanismToUse()));
+ }
+
+ final SaslClient saslClient;
+ try {
+ saslClient = config.getAuthProvider()
+ .getAuthenticatorFactory(config.getAuthMechanismToUse())
+ .createSaslClient(UserGroupInformation.getLoginUser(),
+ config.getSaslClientProperties(remoteEndpoint));
+ } catch (final SaslException e) {
+ throw new RpcException("Failed to create SaslClient.", e);
+ } catch (final IOException e) {
+ throw new RpcException("Unexpected failure trying to login.", e);
+ }
+ if (saslClient == null) {
--- End diff -- Yes, 
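Review bot: In `validateHandshake`, SASL setup runs only when the remote handshake advertises mechanisms (`handshake.getAuthenticationMechanismsCount() != 0`), and the visible lines have no counterpart for a locally configured auth provider meeting a peer that advertises none. The method continues past the end of this quoted hunk, so an `else` may already cover it; if it does not, the control connection would proceed unauthenticated on the peer's word alone, which allows a silent downgrade by a misconfigured or impersonating drillbit. Failing closed would look like `} else if (config.getAuthProvider() != null) { throw new RpcException("Auth is configured locally, but the drillbit advertised no mechanisms."); }`. Separately, the re-wrapped version message still passes `handshake.getRpcVersion()` for `Expected %d` and `ControlRpcConfig.RPC_VERSION` for `actual %d`, so the two arguments should be swapped.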
per the [SaslClientFactory API](https://docs.oracle.com/javase/7/docs/api/javax/security/sasl/SaslClientFactory.html#createSaslClient(java.lang.String[],%20java.lang.String,%20java.lang.String,%20java.lang.String,%20java.util.Map,%20javax.security.auth.callback.CallbackHandler)). > Kerberos Authentication > ----------------------- > > Key: DRILL-4280 > URL: https://issues.apache.org/jira/browse/DRILL-4280 > Project: Apache Drill > Issue Type: Improvement > Reporter: Keys Botzum > Assignee: Sudheesh Katkam > Labels: security > > Drill should support Kerberos based authentication from clients. This means > that both the ODBC and JDBC drivers as well as the web/REST interfaces should > support inbound Kerberos. For Web this would most likely be SPNEGO while for > ODBC and JDBC this will be more generic Kerberos. > Since Hive and much of Hadoop supports Kerberos there is a potential for a > lot of reuse of ideas if not implementation. > Note that this is related to but not the same as > https://issues.apache.org/jira/browse/DRILL-3584 -- This message was sent by Atlassian JIRA (v6.3.15#6346)