[
https://issues.apache.org/jira/browse/DRILL-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15991395#comment-15991395
]
ASF GitHub Bot commented on DRILL-4335:
---------------------------------------
Github user sohami commented on a diff in the pull request:
https://github.com/apache/drill/pull/773#discussion_r113804812
--- Diff:
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/security/AuthenticationOutcomeListener.java
---
@@ -243,4 +249,46 @@ public SaslMessage process(SaslChallengeContext
context) throws Exception {
}
}
}
+
+ private static void handleSuccess(SaslChallengeContext context) throws
SaslException {
+ final ClientConnection connection = context.connection;
+ final SaslClient saslClient = connection.getSaslClient();
+
+ try {
+ // Check if connection was marked for being secure then verify for
negotiated QOP value for
+ // correctness.
+ final String negotiatedQOP =
saslClient.getNegotiatedProperty(Sasl.QOP).toString();
+ final String expectedQOP = connection.isEncryptionEnabled()
+ ? SaslProperties.QualityOfProtection.PRIVACY.getSaslQop()
+ : SaslProperties.QualityOfProtection.AUTHENTICATION.getSaslQop();
+
+ if (!(negotiatedQOP.equals(expectedQOP))) {
+ throw new SaslException(String.format("Mismatch in negotiated QOP
value: %s and Expected QOP value: %s",
+ negotiatedQOP, expectedQOP));
+ }
+
+ // Update the rawWrapChunkSize with the negotiated buffer size since
we cannot call encode with more than
+ // negotiated size of buffer.
+ if (connection.isEncryptionEnabled()) {
+ final int negotiatedRawSendSize = Integer.parseInt(
+
saslClient.getNegotiatedProperty(Sasl.RAW_SEND_SIZE).toString());
+ if (negotiatedRawSendSize <= 0) {
+ throw new SaslException(String.format("Negotiated rawSendSize:
%d is invalid. Please check the configured " +
+ "value of sasl.encryption.encodesize. It might be configured
to a very small value.",
+ negotiatedRawSendSize));
+ }
+ connection.setWrapSizeLimit(negotiatedRawSendSize);
--- End diff --
Changed the name in SaslEncryptionHandler to wrapSizeLimit as well. Don't
want to keep the name as maxSendBufferSize since i.e. very generic name and it
is actually a rawSendSize from sasl perspective for wrap function. From Drill's
perspective I think wrapSizeLimit makes more sense.
> Apache Drill should support network encryption
> ----------------------------------------------
>
> Key: DRILL-4335
> URL: https://issues.apache.org/jira/browse/DRILL-4335
> Project: Apache Drill
> Issue Type: New Feature
> Reporter: Keys Botzum
> Assignee: Sorabh Hamirwasia
> Labels: security
> Attachments: ApacheDrillEncryptionUsingSASLDesign.pdf
>
>
> This is clearly related to Drill-291 but wanted to make explicit that this
> needs to include network level encryption and not just authentication. This
> is particularly important for the client connection to Drill which will often
> be sending passwords in the clear until there is encryption.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
