[ https://issues.apache.org/jira/browse/DRILL-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15991395#comment-15991395 ]
ASF GitHub Bot commented on DRILL-4335: --------------------------------------- Github user sohami commented on a diff in the pull request: https://github.com/apache/drill/pull/773#discussion_r113804812 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/rpc/security/AuthenticationOutcomeListener.java --- @@ -243,4 +249,46 @@ public SaslMessage process(SaslChallengeContext context) throws Exception { } } } + + private static void handleSuccess(SaslChallengeContext context) throws SaslException { + final ClientConnection connection = context.connection; + final SaslClient saslClient = connection.getSaslClient(); + + try { + // Check if connection was marked for being secure then verify for negotiated QOP value for + // correctness. + final String negotiatedQOP = saslClient.getNegotiatedProperty(Sasl.QOP).toString(); + final String expectedQOP = connection.isEncryptionEnabled() + ? SaslProperties.QualityOfProtection.PRIVACY.getSaslQop() + : SaslProperties.QualityOfProtection.AUTHENTICATION.getSaslQop(); + + if (!(negotiatedQOP.equals(expectedQOP))) { + throw new SaslException(String.format("Mismatch in negotiated QOP value: %s and Expected QOP value: %s", + negotiatedQOP, expectedQOP)); + } + + // Update the rawWrapChunkSize with the negotiated buffer size since we cannot call encode with more than + // negotiated size of buffer. + if (connection.isEncryptionEnabled()) { + final int negotiatedRawSendSize = Integer.parseInt( + saslClient.getNegotiatedProperty(Sasl.RAW_SEND_SIZE).toString()); + if (negotiatedRawSendSize <= 0) { + throw new SaslException(String.format("Negotiated rawSendSize: %d is invalid. Please check the configured " + + "value of sasl.encryption.encodesize. It might be configured to a very small value.", + negotiatedRawSendSize)); + } + connection.setWrapSizeLimit(negotiatedRawSendSize); --- End diff -- Changed the name in SaslEncryptionHandler to wrapSizeLimit as well. Don't want to keep the name as maxSendBufferSize since i.e. very generic name and it is actually a rawSendSize from sasl perspective for wrap function. From Drill's perspective I think wrapSizeLimit makes more sense. > Apache Drill should support network encryption > ---------------------------------------------- > > Key: DRILL-4335 > URL: https://issues.apache.org/jira/browse/DRILL-4335 > Project: Apache Drill > Issue Type: New Feature > Reporter: Keys Botzum > Assignee: Sorabh Hamirwasia > Labels: security > Attachments: ApacheDrillEncryptionUsingSASLDesign.pdf > > > This is clearly related to Drill-291 but wanted to make explicit that this > needs to include network level encryption and not just authentication. This > is particularly important for the client connection to Drill which will often > be sending passwords in the clear until there is encryption. -- This message was sent by Atlassian JIRA (v6.3.15#6346)