[ 
https://issues.apache.org/jira/browse/DRILL-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15970801#comment-15970801
 ] 

ASF GitHub Bot commented on DRILL-4335:
---------------------------------------

Github user sohami commented on a diff in the pull request:

    https://github.com/apache/drill/pull/773#discussion_r111676760
  
    --- Diff: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java ---
    @@ -335,8 +350,27 @@ public BitToUserHandshake 
getHandshakeResponse(UserToBitHandshake inbound) throw
                 }
               }
     
    -          // mention server's authentication capabilities
    -          
respBuilder.addAllAuthenticationMechanisms(config.getAuthProvider().getAllFactoryNames());
    +          // We are checking in UserConnectionConfig that if SASL 
encryption is enabled then mechanisms other
    +          // than PLAIN are also configured otherwise throw exception
    +          final Set<String> configuredMech = 
config.getAuthProvider().getAllFactoryNames();
    +
    +          if (!config.isEncryptionEnabled()) {
    +
    +            respBuilder.addAllAuthenticationMechanisms(configuredMech);
    +          } else {
    +            final Set<String> saslEncryptMech = new HashSet<>();
    +
    +            for (String mechanism : configuredMech) {
    +              if 
(!mechanism.equals(PlainFactory.SIMPLE_NAME.toLowerCase())) {
    +                saslEncryptMech.add(mechanism);
    +              }
    +            }
    +            respBuilder.addAllAuthenticationMechanisms(saslEncryptMech);
    +          }
    +
    +          // set the encrypted flag in handshake message. For older 
clients this field is optional so will be ignored
    +          respBuilder.setEncrypted(connection.isEncrypted());
    --- End diff --
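Review bot: In the loop of the else branch, `mechanism.equals(PlainFactory.SIMPLE_NAME.toLowerCase())` is both case-sensitive and dependent on the JVM default locale, so the PLAIN filter only works if every name in `configuredMech` is already lower case and the default locale lower-cases the constant as expected. If the comparison misses, PLAIN stays in the list sent to the client even though `config.isEncryptionEnabled()` is true. Suggest `mechanism.equalsIgnoreCase(PlainFactory.SIMPLE_NAME)`, or `toLowerCase(Locale.ROOT)` applied to both sides. Separately, the mechanism list is filtered on `config.isEncryptionEnabled()` while the handshake flag is set from `connection.isEncrypted()`; a short comment on why the two always agree at this point would help. The new comment above `configuredMech` also relies on a check in UserConnectionConfig that is not visible here, and nothing in this hunk guards against sending an empty `saslEncryptMech`.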
    
    If the client is new and supports encryption, and encryption is disabled on the server side, then the server will set the `encrypted` flag to false so that the client knows not to negotiate for encryption, whereas the wrapChunkSize parameter will be ignored.


> Apache Drill should support network encryption
> ----------------------------------------------
>
>                 Key: DRILL-4335
>                 URL: https://issues.apache.org/jira/browse/DRILL-4335
>             Project: Apache Drill
>          Issue Type: New Feature
>            Reporter: Keys Botzum
>            Assignee: Sorabh Hamirwasia
>              Labels: security
>         Attachments: ApacheDrillEncryptionUsingSASLDesign.pdf
>
>
> This is clearly related to Drill-291 but wanted to make explicit that this 
> needs to include network level encryption and not just authentication. This 
> is particularly important for the client connection to Drill which will often 
> be sending passwords in the clear until there is encryption.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
