[
https://issues.apache.org/jira/browse/DRILL-5485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16021798#comment-16021798
]
ASF GitHub Bot commented on DRILL-5485:
---------------------------------------
Github user sudheeshkatkam commented on a diff in the pull request:
https://github.com/apache/drill/pull/829#discussion_r118035903
--- Diff:
exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/DrillRestServer.java
---
@@ -91,13 +102,140 @@ protected void configure() {
bind(new UserAuthEnabled(isAuthEnabled)).to(UserAuthEnabled.class);
if (isAuthEnabled) {
bindFactory(DrillUserPrincipalProvider.class).to(DrillUserPrincipal.class);
+
bindFactory(AuthWebUserConnectionProvider.class).to(WebUserConnection.class);
} else {
bindFactory(AnonDrillUserPrincipalProvider.class).to(DrillUserPrincipal.class);
+
bindFactory(AnonWebUserConnectionProvider.class).to(WebUserConnection.class);
}
}
});
}
+ public static class AuthWebUserConnectionProvider implements
Factory<WebUserConnection> {
+
+ @Inject
+ HttpServletRequest request;
+
+ @Inject
+ WorkManager workManager;
+
+ @Override
+ public WebUserConnection provide() {
+ final HttpSession session = request.getSession();
+ final Principal sessionUserPrincipal = request.getUserPrincipal();
+
+ // If there is no valid principal this means user is not logged in
yet.
+ if (sessionUserPrincipal == null) {
+ return null;
+ }
+
+ // User is logged in, let's check if we already have a valid
UserSession.
+ UserSession drillUserSession = (UserSession)
session.getAttribute(UserSession.class.getSimpleName());
+
+ // Get the close future and remote address. If user is logging in
first time then these will be null and set
+ // below. Otherwise these will be valid instances which is re-used
for the session lifetime.
+ ChannelPromise closeFuture = (ChannelPromise)
session.getAttribute(ChannelPromise.class.getSimpleName());
+ SocketAddress remoteAddress = (SocketAddress)
session.getAttribute(SocketAddress.class.getSimpleName());
+
+ // User is login in for the first time
+ if (drillUserSession == null) {
+ final DrillbitContext drillbitContext = workManager.getContext();
+ drillUserSession = UserSession.Builder.newBuilder()
+ .withCredentials(UserBitShared.UserCredentials.newBuilder()
+ .setUserName(sessionUserPrincipal.getName())
+ .build())
+ .withOptionManager(drillbitContext.getOptionManager())
+
.setSupportComplexTypes(drillbitContext.getConfig().getBoolean(ExecConstants.CLIENT_SUPPORT_COMPLEX_TYPES))
+ .build();
+
+ // Store this UserSession for all future request on this
HttpSession.
+ session.setAttribute(UserSession.class.getSimpleName(),
drillUserSession);
+
+ // Only try getting remote address in first login since it's a
costly operation.
+ try {
+ // This can be slow as the underlying library will try to
resolve the address
+ remoteAddress = new
InetSocketAddress(InetAddress.getByName(request.getRemoteAddr()),
request.getRemotePort());
+ session.setAttribute(SocketAddress.class.getSimpleName(),
remoteAddress);
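Review bot: In `AuthWebUserConnectionProvider.provide()`, `request.getSession()` is called before the `sessionUserPrincipal == null` check. `getSession()` with no argument creates a new `HttpSession` when none exists, so a request without a logged-in principal still allocates a server-side session before the method returns null. Consider doing the principal check first, or using `request.getSession(false)` and handling a null session. Returning `null` from `provide()` also means every resource that injects `WebUserConnection` has to tolerate a null value; a comment on the factory stating that contract would help.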
--- End diff --
Attribute names are too generic. Maybe use: "drill-user-session",
"drill-socket-address", ...?
> Remove WebServer dependency on DrillClient
> ------------------------------------------
>
> Key: DRILL-5485
> URL: https://issues.apache.org/jira/browse/DRILL-5485
> Project: Apache Drill
> Issue Type: Improvement
> Components: Web Server
> Reporter: Sorabh Hamirwasia
> Fix For: 1.11.0
>
>
> With encryption support using SASL, clients won't be able to authenticate
> using PLAIN mechanism when encryption is enabled on the cluster. Today
> WebServer which is embedded inside Drillbit creates a DrillClient instance
> for each WebClient session. And the WebUser is authenticated as part of
> authentication between DrillClient instance and Drillbit using PLAIN
> mechanism. But with encryption enabled this will fail since encryption
> doesn't support authentication using PLAIN mechanism, hence no WebClient can
> connect to a Drillbit. There are below issues as well with this approach:
> 1) Since DrillClient is used per WebUser session this is expensive as it has
> heavyweight RPC layer for DrillClient and all its dependencies.
> 2) If the Foreman for a WebUser is also selected to be a different node then
> there will be extra hop of transferring data back to WebClient.
> To resolve all the above issues it would be better to authenticate the WebUser
> locally using the Drillbit on which WebServer is running without creating
> DrillClient instance. We can use the local PAMAuthenticator to authenticate
> the user. After authentication is successful the local Drillbit can also
> serve as the Foreman for all the queries submitted by WebUser. This can be
> achieved by submitting the query to the local Drillbit Foreman work queue.
> This will also remove the requirement to encrypt the channel opened between
> WebServer (DrillClient) and selected Drillbit since with this approach there
> won't be any physical channel opened between them.