[
https://issues.apache.org/jira/browse/DRILL-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15957867#comment-15957867
]
ASF GitHub Bot commented on DRILL-4335:
---------------------------------------
Github user sudheeshkatkam commented on a diff in the pull request:
https://github.com/apache/drill/pull/773#discussion_r109743453
--- Diff:
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/BitConnectionConfig.java
---
@@ -46,16 +47,40 @@ protected BitConnectionConfig(BufferAllocator
allocator, BootStrapContext contex
super(allocator, context);
final DrillConfig config = context.getConfig();
+ final AuthenticatorProvider authProvider = getAuthProvider();
+
if (config.getBoolean(ExecConstants.BIT_AUTHENTICATION_ENABLED)) {
this.authMechanismToUse =
config.getString(ExecConstants.BIT_AUTHENTICATION_MECHANISM);
try {
- getAuthProvider().getAuthenticatorFactory(authMechanismToUse);
+ authProvider.getAuthenticatorFactory(authMechanismToUse);
} catch (final SaslException e) {
throw new DrillbitStartupException(String.format(
"'%s' mechanism not found for bit-to-bit authentication.
Please check authentication configuration.",
authMechanismToUse));
}
- logger.info("Configured bit-to-bit connections to require
authentication using: {}", authMechanismToUse);
+
+ // Update encryption related configurations
+
encryptionContext.setEncryption(config.getBoolean(ExecConstants.BIT_SASL_ENCRYPTION_ENABLED));
+
+ int maxEncodeSize =
config.getInt(ExecConstants.BIT_SASL_ENCRYPTION_ENCODESIZE);
+
+ if(maxEncodeSize > RpcConstants.MAX_WRAP_SIZE) {
+ logger.warn("Setting bit.sasl.encryption.encodesize to maximum
allowed value of 16MB");
+ maxEncodeSize = RpcConstants.MAX_WRAP_SIZE;
+ }
+ encryptionContext.setWrappedChunkSize(maxEncodeSize);
+
+ if (encryptionContext.isEncryptionEnabled() &&
authProvider.isOnlyPlainConfigured()) {
+ throw new DrillbitStartupException("Encryption is enabled but only
PLAIN mechanism is configured." +
+ " Please check the security.bit configurations.");
+ }
+
+ logger.info("Configured bit-to-bit connections to require
authentication using: {} with encryption: {}",
+ authMechanismToUse, encryptionContext.getEncryptionString());
+
+ } else if
(config.getBoolean(ExecConstants.BIT_SASL_ENCRYPTION_ENABLED)) {
+ throw new DrillbitStartupException("Invalid security configuration.
Encryption is enabled with authentication " +
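Review bot: maxEncodeSize is only bounded from above, at `if(maxEncodeSize > RpcConstants.MAX_WRAP_SIZE)`, so a zero or negative bit.sasl.encryption.encodesize is passed to encryptionContext.setWrappedChunkSize() with no check in this hunk. Consider rejecting values below 1 with a DrillbitStartupException, the way the PLAIN-only case is rejected a few lines later. The clamp and its warning also run whenever authentication is enabled, even if BIT_SASL_ENCRYPTION_ENABLED is false, so guarding them with encryptionContext.isEncryptionEnabled() would avoid a warning about a setting that is not in use. The warning text hard-codes "16MB"; deriving it from RpcConstants.MAX_WRAP_SIZE would keep the message correct if the constant changes.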
--- End diff --
How about "... Encryption **using SASL** is enabled... "
> Apache Drill should support network encryption
> ----------------------------------------------
>
> Key: DRILL-4335
> URL: https://issues.apache.org/jira/browse/DRILL-4335
> Project: Apache Drill
> Issue Type: New Feature
> Reporter: Keys Botzum
> Assignee: Sorabh Hamirwasia
> Labels: security
> Attachments: ApacheDrillEncryptionUsingSASLDesign.pdf
>
>
> This is clearly related to Drill-291 but wanted to make explicit that this
> needs to include network level encryption and not just authentication. This
> is particularly important for the client connection to Drill which will often
> be sending passwords in the clear until there is encryption.