[ https://issues.apache.org/jira/browse/DRILL-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15970779#comment-15970779 ]

ASF GitHub Bot commented on DRILL-4335:
---------------------------------------

Github user sohami commented on a diff in the pull request:

    https://github.com/apache/drill/pull/773#discussion_r111646250
  
    --- Diff: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/BitConnectionConfig.java 
---
    @@ -46,16 +47,40 @@ protected BitConnectionConfig(BufferAllocator 
allocator, BootStrapContext contex
         super(allocator, context);
     
         final DrillConfig config = context.getConfig();
    +    final AuthenticatorProvider authProvider = getAuthProvider();
    +
         if (config.getBoolean(ExecConstants.BIT_AUTHENTICATION_ENABLED)) {
           this.authMechanismToUse = 
config.getString(ExecConstants.BIT_AUTHENTICATION_MECHANISM);
           try {
    -        getAuthProvider().getAuthenticatorFactory(authMechanismToUse);
    +        authProvider.getAuthenticatorFactory(authMechanismToUse);
           } catch (final SaslException e) {
             throw new DrillbitStartupException(String.format(
                 "'%s' mechanism not found for bit-to-bit authentication. 
Please check authentication configuration.",
                 authMechanismToUse));
           }
    -      logger.info("Configured bit-to-bit connections to require 
authentication using: {}", authMechanismToUse);
    +
    +      // Update encryption related configurations
    +      
encryptionContext.setEncryption(config.getBoolean(ExecConstants.BIT_SASL_ENCRYPTION_ENABLED));
    +
    +      int maxEncodeSize = 
config.getInt(ExecConstants.BIT_SASL_ENCRYPTION_ENCODESIZE);
    +
    +      if(maxEncodeSize > RpcConstants.MAX_WRAP_SIZE) {
    +        logger.warn("Setting bit.sasl.encryption.encodesize to maximum 
allowed value of 16MB");
    +        maxEncodeSize = RpcConstants.MAX_WRAP_SIZE;
    +      }
    +      encryptionContext.setWrappedChunkSize(maxEncodeSize);
    +
    +      if (encryptionContext.isEncryptionEnabled() && 
authProvider.isOnlyPlainConfigured()) {
    +        throw new DrillbitStartupException("Encryption is enabled but only 
PLAIN mechanism is configured." +
    +          " Please check the security.bit configurations.");
    +      }
    +
    +      logger.info("Configured bit-to-bit connections to require 
authentication using: {} with encryption: {}",
    +        authMechanismToUse, encryptionContext.getEncryptionString());
    +
    +    } else if 
(config.getBoolean(ExecConstants.BIT_SASL_ENCRYPTION_ENABLED)) {
    +      throw new DrillbitStartupException("Invalid security configuration. 
Encryption is enabled with authentication " +
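
Review bot: maxEncodeSize is only bounded from above, in the `if(maxEncodeSize > RpcConstants.MAX_WRAP_SIZE)` block, so a zero or negative value read from ExecConstants.BIT_SASL_ENCRYPTION_ENCODESIZE is passed unchanged to encryptionContext.setWrappedChunkSize(). Consider rejecting non-positive values with a DrillbitStartupException, next to the other startup checks in this branch. The warning text also hard-codes "16MB" and does not report the value that was configured; building the message from RpcConstants.MAX_WRAP_SIZE and including the rejected value would keep the log accurate if the constant changes. Finally, the PLAIN-only check could run before the encryption context is modified, so that an invalid configuration fails before any state is set.
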
    --- End diff --
    
    Fixed


> Apache Drill should support network encryption
> ----------------------------------------------
>
>                 Key: DRILL-4335
>                 URL: https://issues.apache.org/jira/browse/DRILL-4335
>             Project: Apache Drill
>          Issue Type: New Feature
>            Reporter: Keys Botzum
>            Assignee: Sorabh Hamirwasia
>              Labels: security
>         Attachments: ApacheDrillEncryptionUsingSASLDesign.pdf
>
>
> This is clearly related to Drill-291 but wanted to make explicit that this 
> needs to include network level encryption and not just authentication. This 
> is particularly important for the client connection to Drill which will often 
> be sending passwords in the clear until there is encryption.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
