[
https://issues.apache.org/jira/browse/DRILL-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15957900#comment-15957900
]
ASF GitHub Bot commented on DRILL-4335:
---------------------------------------
Github user sudheeshkatkam commented on a diff in the pull request:
https://github.com/apache/drill/pull/773#discussion_r109958662
--- Diff:
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserConnectionConfig.java
---
@@ -34,32 +39,81 @@
private final UserServerRequestHandler handler;
+ // Total number of external DrillClient connection's on this server.
+ private static final Counter secureUserConnections =
DrillMetrics.getRegistry()
+ .counter("drill.user.encrypted.connections");
+
+ private static final Counter insecureUserConnections =
DrillMetrics.getRegistry()
+ .counter("drill.user.unencrypted.connections");
+
UserConnectionConfig(BufferAllocator allocator, BootStrapContext
context, UserServerRequestHandler handler)
- throws DrillbitStartupException {
+ throws DrillbitStartupException {
super(allocator, context);
this.handler = handler;
- if
(context.getConfig().getBoolean(ExecConstants.USER_AUTHENTICATION_ENABLED)) {
- if (getAuthProvider().getAllFactoryNames().isEmpty()) {
+ final DrillConfig config = context.getConfig();
+ final AuthenticatorProvider authProvider = getAuthProvider();
+
+ if (config.getBoolean(ExecConstants.USER_AUTHENTICATION_ENABLED)) {
+ if (authProvider.getAllFactoryNames().isEmpty()) {
throw new DrillbitStartupException("Authentication enabled, but no
mechanisms found. Please check " +
- "authentication configuration.");
+ "authentication configuration.");
}
authEnabled = true;
- logger.info("Configured all user connections to require
authentication using: {}",
- getAuthProvider().getAllFactoryNames());
+
+ // Update encryption related parameters.
+
encryptionContext.setEncryption(config.getBoolean(ExecConstants.USER_SASL_ENCRYPTION_ENABLED));
+
+ int maxEncodeSize =
config.getInt(ExecConstants.USER_SASL_ENCRYPTION_ENCODESIZE);
+
+ if(maxEncodeSize > RpcConstants.MAX_WRAP_SIZE) {
+ logger.warn("Setting user.sasl.encryption.encodesize to maximum
allowed value of 16MB");
+ maxEncodeSize = RpcConstants.MAX_WRAP_SIZE;
+ }
+ encryptionContext.setWrappedChunkSize(maxEncodeSize);
+
+ if (encryptionContext.isEncryptionEnabled() &&
authProvider.isOnlyPlainConfigured()) {
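Review bot: The clamp on maxEncodeSize checks only the upper bound (`if(maxEncodeSize > RpcConstants.MAX_WRAP_SIZE)`), so a zero or negative user.sasl.encryption.encodesize is passed unchanged to `encryptionContext.setWrappedChunkSize(maxEncodeSize)`, unless that setter validates it, which these lines do not show. Suggest rejecting non-positive values here at startup, for example with a DrillbitStartupException as is done for the missing-mechanisms case. The warning text also hardcodes "16MB" rather than deriving it from RpcConstants.MAX_WRAP_SIZE and does not log the configured value, so the message can go stale if the constant changes and gives the operator less to act on.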
--- End diff --
There may be other mechanisms that do not support encryption, so this check
(`isOnlyPlainConfigured`) may not be sufficient.
> Apache Drill should support network encryption
> ----------------------------------------------
>
> Key: DRILL-4335
> URL: https://issues.apache.org/jira/browse/DRILL-4335
> Project: Apache Drill
> Issue Type: New Feature
> Reporter: Keys Botzum
> Assignee: Sorabh Hamirwasia
> Labels: security
> Attachments: ApacheDrillEncryptionUsingSASLDesign.pdf
>
>
> This is clearly related to Drill-291 but wanted to make explicit that this
> needs to include network level encryption and not just authentication. This
> is particularly important for the client connection to Drill which will often
> be sending passwords in the clear until there is encryption.