[
https://issues.apache.org/jira/browse/DRILL-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15877154#comment-15877154
]
ASF GitHub Bot commented on DRILL-4280:
---------------------------------------
Github user laurentgo commented on a diff in the pull request:
https://github.com/apache/drill/pull/578#discussion_r102307826
--- Diff:
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java ---
@@ -358,25 +291,59 @@ public BitToUserHandshake
getHandshakeResponse(UserToBitHandshake inbound) throw
return handleFailure(respBuilder,
HandshakeStatus.RPC_VERSION_MISMATCH, errMsg, null);
}
- if (authenticator != null) {
+ connection.setHandshake(inbound);
+
+ if (!config.isAuthEnabled()) {
+
connection.finalizeSession(inbound.getCredentials().getUserName());
+ respBuilder.setStatus(HandshakeStatus.SUCCESS);
+ return respBuilder.build();
+ }
+
+ final boolean clientSupportsSasl = inbound.hasSaslSupport() &&
+ (inbound.getSaslSupport().ordinal() >=
SaslSupport.SASL_AUTH.ordinal());
+ if (!clientSupportsSasl) { // for backward compatibility < 1.10
+ final String userName = inbound.getCredentials().getUserName();
+ if (logger.isTraceEnabled()) {
+ logger.trace("User {} on connection {} is likely using an
older client.",
+ userName, connection.getRemoteAddress());
+ }
try {
String password = "";
final UserProperties props = inbound.getProperties();
for (int i = 0; i < props.getPropertiesCount(); i++) {
Property prop = props.getProperties(i);
- if (UserSession.PASSWORD.equalsIgnoreCase(prop.getKey())) {
+ if
(DrillProperties.PASSWORD.equalsIgnoreCase(prop.getKey())) {
password = prop.getValue();
break;
}
}
-
authenticator.authenticate(inbound.getCredentials().getUserName(), password);
+ final PlainFactory plainFactory =
config.getAuthProvider().getPlainFactory();
--- End diff --
instead of keeping a deprecated methods, why not looking for `PLAIN` auth
mechanism, and instead of calling authenticate, do an internal sasl session?
> Kerberos Authentication
> -----------------------
>
> Key: DRILL-4280
> URL: https://issues.apache.org/jira/browse/DRILL-4280
> Project: Apache Drill
> Issue Type: Improvement
> Reporter: Keys Botzum
> Assignee: Sudheesh Katkam
> Labels: security
>
> Drill should support Kerberos based authentication from clients. This means
> that both the ODBC and JDBC drivers as well as the web/REST interfaces should
> support inbound Kerberos. For Web this would most likely be SPNEGO while for
> ODBC and JDBC this will be more generic Kerberos.
> Since Hive and much of Hadoop supports Kerberos there is a potential for a
> lot of reuse of ideas if not implementation.
> Note that this is related to but not the same as
> https://issues.apache.org/jira/browse/DRILL-3584
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
