[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17041884#comment-17041884
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

asfgit commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977
 
 
   
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Assignee: Dobes Vandermeer
>Priority: Major
>  Labels: ready-to-commit
> Fix For: 1.18.0
>
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17037129#comment-17037129
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

cgivre commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-586386461
 
 
   @vvysotskyi No worries mate..  When you have time, please take a look as all 
the PRs are running into the same issue.  
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Assignee: Dobes Vandermeer
>Priority: Major
> Fix For: 1.18.0
>
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17037101#comment-17037101
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

vvysotskyi commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-586363671
 
 
   @cgivre, sorry, currently I'm running out of time with other tasks, so I 
can't resolve this issue now.
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Assignee: Dobes Vandermeer
>Priority: Major
> Fix For: 1.18.0
>
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036606#comment-17036606
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

cgivre commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-586039797
 
 
   I'm working on a PR and encountered the same problem. @vvysotskyi could you 
take a look?
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Assignee: Dobes Vandermeer
>Priority: Major
> Fix For: 1.18.0
>
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036576#comment-17036576
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-586023050
 
 
   Seems like the failure is in another component now:
   
   ```
   [ERROR] Tests run: 30, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 
77.4 s <<< FAILURE! - in org.apache.drill.exec.udf.dynamic.TestDynamicUDFSupport
   [ERROR] 
org.apache.drill.exec.udf.dynamic.TestDynamicUDFSupport.testDropFunction  Time 
elapsed: 1.878 s  <<< ERROR!
   org.apache.drill.common.exceptions.UserRemoteException: 
   FUNCTION ERROR: Failure reading Function class.
   
   Function Class org.apache.drill.udf.dynamic.CustomLowerFunction
   Fragment 0:0
   
   [Error Id: 9834cc92-5ec4-4a1a-83e0-deee12f02447 on fv-az89:31064]
   Caused by: java.io.IOException: Failure trying to locate source code for 
class org.apache.drill.udf.dynamic.CustomLowerFunction, tried to read on 
classpath location /org/apache/drill/udf/dynamic/CustomLowerFunction.java
   ```
   
   Was something related to this merged into master recently?
   
   
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Assignee: Dobes Vandermeer
>Priority: Major
> Fix For: 1.18.0
>
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036411#comment-17036411
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r379038275
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,145 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ * 
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ * 
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ * 
+ * By default this loads the passwords from 
/opt/drill/conf/htpasswd.  Users can change the path by
+ * putting the absolute file path as 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ * 
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final Logger logger = 
LoggerFactory.getLogger(HtpasswdFileUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  private String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  private long lastModified;
+  private Map userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+  /**
+   * Check password against hash read from the file
+   *
+   * @param password User provided password
+   * @param hash Hash stored in the htpasswd file
+   * @return true if the password matched the hash
+   */
+  public static boolean isPasswordValid(String password, String hash) {
+if (hash.startsWith("$apr1$")) {
+  return hash.equals(Md5Crypt.apr1Crypt(password, hash));
+} else if (hash.startsWith("$1$")) {
+  return hash.equals(Md5Crypt.md5Crypt(password.getBytes(Charsets.UTF_8), 
hash));
+} else if (hash.startsWith("{SHA}")) {
+  return 
hash.substring(5).equals(Base64.getEncoder().encodeToString(DigestUtils.sha1(password)));
+} else if (hash.startsWith("$2y$")) {
+  // bcrypt not supported currently
+  return false;
+} else {
+  return hash.equals(password);
+}
+  }
+
+  /**
+   * Validate the given username and password against the password file
+   *
+   * @param username Username provided
+   * @param password Password provided
+   * @throws UserAuthenticationException If the username and password could 
not be validated
+   */
+  @Override
+  public void authenticate(String username, String password) throws 
UserAuthenticationException {
+read();
+String hash = this.userToPassword.get(username);
+boolean credentialsAccepted = (hash != null && isPasswordValid(password, 
hash));
+if (!credentialsAccepted) {
+  throw new UserAuthenticationException(String.format("htpasswd auth 
failed for user '%s'",
+username));
+}
+  }
+
+  /**
+   * Read the password file 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036409#comment-17036409
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r379036610
 
 

 ##
 File path: 
exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestHtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,157 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.drill.common.config.DrillProperties;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.test.ClientFixture;
+import org.apache.drill.test.ClusterFixture;
+import org.apache.drill.test.ClusterTest;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.util.Arrays;
+import java.util.List;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class TestHtpasswdFileUserAuthenticator extends ClusterTest {
+  private File tempPasswdFile;
+
+
+  private void setupCluster(String passwdContent) throws IOException {
+tempPasswdFile = new File(dirTestWatcher.getTmpDir(), "htpasswd." + 
System.currentTimeMillis());
+Files.write(tempPasswdFile.toPath(), passwdContent.getBytes());
+
+cluster = ClusterFixture.bareBuilder(dirTestWatcher)
+  .clusterSize(3)
+  .configProperty(ExecConstants.ALLOW_LOOPBACK_ADDRESS_BINDING, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATION_ENABLED, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATOR_IMPL, "htpasswd")
+  .configProperty(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH, 
tempPasswdFile.toString())
+  .build();
+  }
+
+
+  @Test
+  public void passwordChecksGiveCorrectResults() throws Exception {
+String passwdContent = "alice:pass1\n" +
+  "bob:buzzkill\n" +
+  "jane:$apr1$PrwDfXy9$ajkhotQW6RFnoVQtPKoW4/\n" +
+  "john:$apr1$UxZgBU8k$K4UzdubNa741TnWAZY2QV0\n";
+setupCluster(passwdContent);
+
+
+assertTrue(true);
+
+tryCredentials("alice", "pass1", cluster, true);
+tryCredentials("bob", "buzzkill", cluster, true);
+tryCredentials("notalice", "pass1", cluster, false);
+tryCredentials("notbob", "buzzkill", cluster, false);
+tryCredentials("alice", "wrong", cluster, false);
+tryCredentials("bob", "incorrect", cluster, false);
+tryCredentials("jane", "pass", cluster, true);
+tryCredentials("john", "foobar", cluster, true);
+tryCredentials("jane", "wrong", cluster, false);
+tryCredentials("john", "incorrect1", cluster, false);
+  }
+
+  @Test
+  public void rejectsLoginsWhenHtpasswdFileMissing() throws Exception {
+cluster = ClusterFixture.bareBuilder(dirTestWatcher)
+  .clusterSize(3)
+  .configProperty(ExecConstants.ALLOW_LOOPBACK_ADDRESS_BINDING, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATION_ENABLED, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATOR_IMPL, "htpasswd")
+  .configProperty(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH, 
"/nonexistant-file")
+  .build();
+tryCredentials("bob", "bob", cluster, false);
+  }
+
+  @Test
+  public void detectsChanges() throws Exception {
+String passwdContent = "alice:pass1\nbob:buzzkill\n";
+setupCluster(passwdContent);
+
+tryCredentials("alice", "pass1", cluster, true);
+tryCredentials("alice", "pass2", cluster, false);
+tryCredentials("bob", "buzzkill", cluster, true);
+tryCredentials("bob", "yolo", cluster, false);
+
+// Wait a second between changes on older VMs that lack subsecond 
precision file modification time
+if(System.getProperty("java.version").startsWith("1.")) 
Thread.sleep(1000); 
 
 Review comment:
   I've changed it to detect file size changes in addition to mod time, so that 
should catch the change here even though mtime doesn't update.
 

This is an automated message from the Apache Git Service.
To respond to the 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036406#comment-17036406
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-585899798
 
 
   FWIW a 1 second delay is required because that version of the JVM only 
offers 1-second resolution on file timestamps.
   
   I've changed it to detect changes based on file size and mod time.  That 
should work when changes are made rapidly in systems where the modification 
time is rounded to the nearest second.
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Assignee: Dobes Vandermeer
>Priority: Major
> Fix For: 1.18.0
>
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036397#comment-17036397
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

vvysotskyi commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-585897289
 
 
   @paul-rogers, thanks for explanation. I think we cannot specify a shorter 
delay due to [JDK-8177809](https://bugs.openjdk.java.net/browse/JDK-8177809). 
Let's leave it as it is (but with passing unit tests).
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Assignee: Dobes Vandermeer
>Priority: Major
> Fix For: 1.18.0
>
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036385#comment-17036385
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-585890405
 
 
   @vvysotskyi, in this case the sleep is necessary. As I read it, this code 
uses the file system for synchronization. We write a file, then make a request 
that will check the file timestamp. If that request is too fast, the code will 
not detect the change.
   
   Maybe 1 second is too long; maybe 100ms is plenty.
   
   But, without the delay, we need some other mechanism for synchronization, 
which then defeats the purpose of the code and test.
   
   You propose changing the file modification timestamp. This can be done, but 
will not accurately reproduce the use case that we want to test.
   
   Are you OK with a shorter delay?
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Assignee: Dobes Vandermeer
>Priority: Major
> Fix For: 1.18.0
>
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17035997#comment-17035997
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

vvysotskyi commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r378696629
 
 

 ##
 File path: 
exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestHtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,157 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.drill.common.config.DrillProperties;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.test.ClientFixture;
+import org.apache.drill.test.ClusterFixture;
+import org.apache.drill.test.ClusterTest;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.util.Arrays;
+import java.util.List;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class TestHtpasswdFileUserAuthenticator extends ClusterTest {
+  private File tempPasswdFile;
+
+
+  private void setupCluster(String passwdContent) throws IOException {
+tempPasswdFile = new File(dirTestWatcher.getTmpDir(), "htpasswd." + 
System.currentTimeMillis());
+Files.write(tempPasswdFile.toPath(), passwdContent.getBytes());
+
+cluster = ClusterFixture.bareBuilder(dirTestWatcher)
+  .clusterSize(3)
+  .configProperty(ExecConstants.ALLOW_LOOPBACK_ADDRESS_BINDING, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATION_ENABLED, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATOR_IMPL, "htpasswd")
+  .configProperty(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH, 
tempPasswdFile.toString())
+  .build();
+  }
+
+
+  @Test
+  public void passwordChecksGiveCorrectResults() throws Exception {
+String passwdContent = "alice:pass1\n" +
+  "bob:buzzkill\n" +
+  "jane:$apr1$PrwDfXy9$ajkhotQW6RFnoVQtPKoW4/\n" +
+  "john:$apr1$UxZgBU8k$K4UzdubNa741TnWAZY2QV0\n";
+setupCluster(passwdContent);
+
+
+assertTrue(true);
+
+tryCredentials("alice", "pass1", cluster, true);
+tryCredentials("bob", "buzzkill", cluster, true);
+tryCredentials("notalice", "pass1", cluster, false);
+tryCredentials("notbob", "buzzkill", cluster, false);
+tryCredentials("alice", "wrong", cluster, false);
+tryCredentials("bob", "incorrect", cluster, false);
+tryCredentials("jane", "pass", cluster, true);
+tryCredentials("john", "foobar", cluster, true);
+tryCredentials("jane", "wrong", cluster, false);
+tryCredentials("john", "incorrect1", cluster, false);
+  }
+
+  @Test
+  public void rejectsLoginsWhenHtpasswdFileMissing() throws Exception {
+cluster = ClusterFixture.bareBuilder(dirTestWatcher)
+  .clusterSize(3)
+  .configProperty(ExecConstants.ALLOW_LOOPBACK_ADDRESS_BINDING, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATION_ENABLED, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATOR_IMPL, "htpasswd")
+  .configProperty(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH, 
"/nonexistant-file")
+  .build();
+tryCredentials("bob", "bob", cluster, false);
+  }
+
+  @Test
+  public void detectsChanges() throws Exception {
+String passwdContent = "alice:pass1\nbob:buzzkill\n";
+setupCluster(passwdContent);
+
+tryCredentials("alice", "pass1", cluster, true);
+tryCredentials("alice", "pass2", cluster, false);
+tryCredentials("bob", "buzzkill", cluster, true);
+tryCredentials("bob", "yolo", cluster, false);
+
+// Wait a second between changes on older VMs that lack subsecond 
precision file modification time
+if(System.getProperty("java.version").startsWith("1.")) 
Thread.sleep(1000); 
 
 Review comment:
   I disagree with this change. Please avoid adding `Thread.sleep` in unit 
tests. If it is required, the file modification time may be changed from the 
code.
 

This is an automated message from the Apache Git Service.
To 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17035963#comment-17035963
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-585577476
 
 
   Excellent! There is also one minor race condition to fix.
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Assignee: Dobes Vandermeer
>Priority: Major
> Fix For: 1.18.0
>
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17035962#comment-17035962
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r378676465
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,145 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileReader;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ * 
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ * 
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ * 
+ * By default this loads the passwords from 
/opt/drill/conf/htpasswd.  Users can change the path by
+ * putting the absolute file path as 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ * 
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final Logger logger = 
LoggerFactory.getLogger(HtpasswdFileUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  private String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  private long lastModified;
+  private Map userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+  /**
+   * Check password against hash read from the file
+   *
+   * @param password User provided password
+   * @param hash Hash stored in the htpasswd file
+   * @return true if the password matched the hash
+   */
+  public static boolean isPasswordValid(String password, String hash) {
+if (hash.startsWith("$apr1$")) {
+  return hash.equals(Md5Crypt.apr1Crypt(password, hash));
+} else if (hash.startsWith("$1$")) {
+  return hash.equals(Md5Crypt.md5Crypt(password.getBytes(Charsets.UTF_8), 
hash));
+} else if (hash.startsWith("{SHA}")) {
+  return 
hash.substring(5).equals(Base64.getEncoder().encodeToString(DigestUtils.sha1(password)));
+} else if (hash.startsWith("$2y$")) {
+  // bcrypt not supported currently
+  return false;
+} else {
+  return hash.equals(password);
+}
+  }
+
+  /**
+   * Validate the given username and password against the password file
+   *
+   * @param username Username provided
+   * @param password Password provided
+   * @throws UserAuthenticationException If the username and password could 
not be validated
+   */
+  @Override
+  public void authenticate(String username, String password) throws 
UserAuthenticationException {
+read();
+String hash = this.userToPassword.get(username);
+boolean credentialsAccepted = (hash != null && isPasswordValid(password, 
hash));
+if (!credentialsAccepted) {
+  throw new UserAuthenticationException(String.format("htpasswd auth 
failed for user '%s'",
+username));
+}
+  }
+
+  /**
+   * Read the password 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17035961#comment-17035961
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r378675855
 
 

 ##
 File path: 
exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestHtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,154 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.drill.common.config.DrillProperties;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.test.ClientFixture;
+import org.apache.drill.test.ClusterFixture;
+import org.apache.drill.test.ClusterTest;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.util.Arrays;
+import java.util.List;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class TestHtpasswdFileUserAuthenticator extends ClusterTest {
+  private File tempPasswdFile;
+
+
+  private void setupCluster(String passwdContent) throws IOException {
+tempPasswdFile = new File(dirTestWatcher.getTmpDir(), "htpasswd." + 
System.currentTimeMillis());
+Files.write(tempPasswdFile.toPath(), passwdContent.getBytes());
+
+cluster = ClusterFixture.bareBuilder(dirTestWatcher)
+  .clusterSize(3)
+  .configProperty(ExecConstants.ALLOW_LOOPBACK_ADDRESS_BINDING, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATION_ENABLED, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATOR_IMPL, "htpasswd")
+  .configProperty(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH, 
tempPasswdFile.toString())
+  .build();
+  }
+
+
+  @Test
+  public void passwordChecksGiveCorrectResults() throws Exception {
+String passwdContent = "alice:pass1\n" +
+  "bob:buzzkill\n" +
+  "jane:$apr1$PrwDfXy9$ajkhotQW6RFnoVQtPKoW4/\n" +
+  "john:$apr1$UxZgBU8k$K4UzdubNa741TnWAZY2QV0\n";
+setupCluster(passwdContent);
+
+
+assertTrue(true);
+
+tryCredentials("alice", "pass1", cluster, true);
+tryCredentials("bob", "buzzkill", cluster, true);
+tryCredentials("notalice", "pass1", cluster, false);
+tryCredentials("notbob", "buzzkill", cluster, false);
+tryCredentials("alice", "wrong", cluster, false);
+tryCredentials("bob", "incorrect", cluster, false);
+tryCredentials("jane", "pass", cluster, true);
+tryCredentials("john", "foobar", cluster, true);
+tryCredentials("jane", "wrong", cluster, false);
+tryCredentials("john", "incorrect1", cluster, false);
+  }
+
+  @Test
+  public void rejectsLoginsWhenHtpasswdFileMissing() throws Exception {
+cluster = ClusterFixture.bareBuilder(dirTestWatcher)
+  .clusterSize(3)
+  .configProperty(ExecConstants.ALLOW_LOOPBACK_ADDRESS_BINDING, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATION_ENABLED, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATOR_IMPL, "htpasswd")
+  .configProperty(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH, 
"/nonexistant-file")
+  .build();
+tryCredentials("bob", "bob", cluster, false);
+  }
+
+  @Test
+  public void detectsChanges() throws Exception {
+String passwdContent = "alice:pass1\nbob:buzzkill\n";
+setupCluster(passwdContent);
+
+tryCredentials("alice", "pass1", cluster, true);
+tryCredentials("alice", "pass2", cluster, false);
+tryCredentials("bob", "buzzkill", cluster, true);
+tryCredentials("bob", "yolo", cluster, false);
+
+String passwdContent2 = "alice:pass2\nbob:yolo\n";
+Files.write(tempPasswdFile.toPath(), passwdContent2.getBytes());
+Thread.sleep(10);
+
+tryCredentials("alice", "pass1", cluster, false);
+tryCredentials("alice", "pass2", cluster, true);
+tryCredentials("bob", "buzzkill", cluster, false);
+tryCredentials("bob", "yolo", cluster, true);
+
+// Invalid file is treated as empty
+String passwdContent3 = "invalid file";
+Files.write(tempPasswdFile.toPath(), 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17035955#comment-17035955
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r378673576
 
 

 ##
 File path: 
exec/java-exec/src/test/java/org/apache/drill/exec/rpc/user/security/TestHtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,154 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.drill.common.config.DrillProperties;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.test.ClientFixture;
+import org.apache.drill.test.ClusterFixture;
+import org.apache.drill.test.ClusterTest;
+import org.junit.Test;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.util.Arrays;
+import java.util.List;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class TestHtpasswdFileUserAuthenticator extends ClusterTest {
+  private File tempPasswdFile;
+
+
+  private void setupCluster(String passwdContent) throws IOException {
+tempPasswdFile = new File(dirTestWatcher.getTmpDir(), "htpasswd." + 
System.currentTimeMillis());
+Files.write(tempPasswdFile.toPath(), passwdContent.getBytes());
+
+cluster = ClusterFixture.bareBuilder(dirTestWatcher)
+  .clusterSize(3)
+  .configProperty(ExecConstants.ALLOW_LOOPBACK_ADDRESS_BINDING, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATION_ENABLED, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATOR_IMPL, "htpasswd")
+  .configProperty(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH, 
tempPasswdFile.toString())
+  .build();
+  }
+
+
+  @Test
+  public void passwordChecksGiveCorrectResults() throws Exception {
+String passwdContent = "alice:pass1\n" +
+  "bob:buzzkill\n" +
+  "jane:$apr1$PrwDfXy9$ajkhotQW6RFnoVQtPKoW4/\n" +
+  "john:$apr1$UxZgBU8k$K4UzdubNa741TnWAZY2QV0\n";
+setupCluster(passwdContent);
+
+
+assertTrue(true);
+
+tryCredentials("alice", "pass1", cluster, true);
+tryCredentials("bob", "buzzkill", cluster, true);
+tryCredentials("notalice", "pass1", cluster, false);
+tryCredentials("notbob", "buzzkill", cluster, false);
+tryCredentials("alice", "wrong", cluster, false);
+tryCredentials("bob", "incorrect", cluster, false);
+tryCredentials("jane", "pass", cluster, true);
+tryCredentials("john", "foobar", cluster, true);
+tryCredentials("jane", "wrong", cluster, false);
+tryCredentials("john", "incorrect1", cluster, false);
+  }
+
+  @Test
+  public void rejectsLoginsWhenHtpasswdFileMissing() throws Exception {
+cluster = ClusterFixture.bareBuilder(dirTestWatcher)
+  .clusterSize(3)
+  .configProperty(ExecConstants.ALLOW_LOOPBACK_ADDRESS_BINDING, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATION_ENABLED, true)
+  .configProperty(ExecConstants.USER_AUTHENTICATOR_IMPL, "htpasswd")
+  .configProperty(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH, 
"/nonexistant-file")
+  .build();
+tryCredentials("bob", "bob", cluster, false);
+  }
+
+  @Test
+  public void detectsChanges() throws Exception {
+String passwdContent = "alice:pass1\nbob:buzzkill\n";
+setupCluster(passwdContent);
+
+tryCredentials("alice", "pass1", cluster, true);
+tryCredentials("alice", "pass2", cluster, false);
+tryCredentials("bob", "buzzkill", cluster, true);
+tryCredentials("bob", "yolo", cluster, false);
+
+String passwdContent2 = "alice:pass2\nbob:yolo\n";
+Files.write(tempPasswdFile.toPath(), passwdContent2.getBytes());
+Thread.sleep(10);
+
+tryCredentials("alice", "pass1", cluster, false);
+tryCredentials("alice", "pass2", cluster, true);
+tryCredentials("bob", "buzzkill", cluster, false);
+tryCredentials("bob", "yolo", cluster, true);
+
+// Invalid file is treated as empty
+String passwdContent3 = "invalid file";
+Files.write(tempPasswdFile.toPath(), 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17035952#comment-17035952
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-585572887
 
 
   If I'm interpreting the checks correctly, the code works in Java 11 & 12, 
but not 1.8?  Very strange, I wonder why that would be.
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Assignee: Dobes Vandermeer
>Priority: Major
> Fix For: 1.18.0
>
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17035948#comment-17035948
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-585572094
 
 
   @dobesv, thanks for the updates. I agree with limiting the scope of the 
tests.

   Looks like the failure above is due to something in this PR. If you can take 
a look at the issue, we'll be good to go from my perspective.
   
   ```
   [ERROR] Failures: 
   [ERROR]   
TestHtpasswdFileUserAuthenticator.detectsChanges:114->tryCredentials:145 
Expected connect to fail because of incorrect username / password combination, 
but it succeeded
   ```
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Assignee: Dobes Vandermeer
>Priority: Major
> Fix For: 1.18.0
>
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034942#comment-17034942
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-584926786
 
 
   @paul-rogers 
   
   I added some tests and cleaned up the logic slightly.
   
   I didn't add tests for the REST API, since the password logic is shared 
between both systems I don't think this requires separate testing.
   
   I couldn't figure out a sane way to test the stuff related to the default 
path and I didn't do anything related to loading the file from the classpath. I 
think that might be more than I am capable of with the time budget I have for 
this task right now.  I don't think the "default path" is particularly import 
nor is it particularly prone to regressions.
   
   I didn't attempt tests related to logging, it just doesn't seem worth it.  
I'm not so familiar with the project that I can make a test like that in a 
reasonable amount of time.  Perhaps someone core to the team can add that if it 
seems important.
   
   
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034940#comment-17034940
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-584926786
 
 
   @paul-rogers I added some tests and cleaned up the logic slightly.  I didn't 
add tests for the REST API, since the password logic is shared between both 
systems I don't think this requires separate testing.  I couldn't figure out a 
sane way to test the stuff related to the default file and I didn't do anything 
related to loading the file from the classpath, I think that might be more than 
I am capable of with the time budget I have for this task right now.  I welcome 
edits to the PR to implement that, but it didn't seem to be easy enough for me 
to justify spending hours on it when it's not really a very useful or important 
feature - I doubt anyone will use the default path in a real life situation, I 
just threw that in there as a minor convenience for testing purposes.
   
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034928#comment-17034928
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377959634
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  long lastModified;
+  HashMap userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+
+  /**
+   * Check password against hash read from the file
+   *
+   * @param password User provided password
+   * @param hash Hash stored in the htpasswd file
+   * @return true if the password matched the hash
+   */
+  public static boolean checkPassword(String password, String hash) {
+if (hash.startsWith("$apr1$")) {
+  return hash.equals(Md5Crypt.apr1Crypt(password, hash));
+} else if (hash.startsWith("$1$")) {
+  return hash.equals(Md5Crypt.md5Crypt(password.getBytes(Charsets.UTF_8), 
hash));
+} else if (hash.startsWith("{SHA}")) {
+  return 
hash.substring(5).equals(Base64.getEncoder().encodeToString(DigestUtils.sha1(password)));
+} else if (hash.startsWith("$2y$")) {
+  // bcrypt not supported currently
+  return false;
+} else {
+  return hash.equals(password);
+}
+  }
+
+  /**
+   * Validate the given username and password against the password file
+   *
+   * @param username Username provided
+   * @param password Password provided
+   * @throws UserAuthenticationException If the username and password could 
not be validated
+   */
+  @Override
+  public void authenticate(String username, String password) throws 
UserAuthenticationException {
+read();
+String hash = this.userToPassword.get(username);
+logger.error("Testing " + hash + " against password " + password);
+boolean credentialsAccepted = (hash != null && 
this.checkPassword(password, hash));
+if (!credentialsAccepted) {
+  throw new UserAuthenticationException(String.format("htpasswd auth 
failed for user '%s'",
+username));
+}
+  }
+
+  /**
+   * Read the password file into the 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034785#comment-17034785
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377865139
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  long lastModified;
+  HashMap userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+
+  /**
+   * Check password against hash read from the file
+   *
+   * @param password User provided password
+   * @param hash Hash stored in the htpasswd file
+   * @return true if the password matched the hash
+   */
+  public static boolean checkPassword(String password, String hash) {
+if (hash.startsWith("$apr1$")) {
+  return hash.equals(Md5Crypt.apr1Crypt(password, hash));
+} else if (hash.startsWith("$1$")) {
+  return hash.equals(Md5Crypt.md5Crypt(password.getBytes(Charsets.UTF_8), 
hash));
+} else if (hash.startsWith("{SHA}")) {
+  return 
hash.substring(5).equals(Base64.getEncoder().encodeToString(DigestUtils.sha1(password)));
+} else if (hash.startsWith("$2y$")) {
+  // bcrypt not supported currently
+  return false;
+} else {
+  return hash.equals(password);
+}
+  }
+
+  /**
+   * Validate the given username and password against the password file
+   *
+   * @param username Username provided
+   * @param password Password provided
+   * @throws UserAuthenticationException If the username and password could 
not be validated
+   */
+  @Override
+  public void authenticate(String username, String password) throws 
UserAuthenticationException {
+read();
+String hash = this.userToPassword.get(username);
+logger.error("Testing " + hash + " against password " + password);
+boolean credentialsAccepted = (hash != null && 
this.checkPassword(password, hash));
+if (!credentialsAccepted) {
+  throw new UserAuthenticationException(String.format("htpasswd auth 
failed for user '%s'",
+username));
+}
+  }
+
+  /**
+   * Read the password file into 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034771#comment-17034771
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-584816302
 
 
   @dobesv, the key failures to check for are any checkstyle errors. If 
anything else fails, it is probably due to problems with the (new) builds or 
master; we'll have to check.
   
   This PR includes no tests. It would be great to add some. Some example test 
cases:
   
   * htpasswd enabled, but no file path or default file found.
   * Enabled, and valid file in default location.
   * Enabled, and valid file in custom location.
   * File contents change to become invalid.
   * File contents change and are valid.
   
   To test you'll need to first set up the server to enable the web server, 
which is turned off by default in tests. For testing, we use something called 
the `ClusterFixture`. Most tests are based off of `ClusterTest` which set up 
the server once per test file. For your tests, you may want to start the server 
in each test case, each with a different configuration. `StatusResourcesTest` 
is a good example.
   
   The config you need is probably something like:
   
   ```
   ClusterFixtureBuilder builder = ClusterFixture.builder(dirTestWatcher).
 configProperty(ExecConstants.HTTP_ENABLE, true).
 configProperty(ExecConstants.HTTP_PORT_HUNT, true).
 configProperty(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH, "whatever");
   ```
   
   Next you'll need a way to talk to the REST server. There is a 
`RestClientFixture` class which looks promising, though I've not used it myself.
   
   You will need a place to create and update the file. The 
`BaseDirTestWatcher` class does this, often provided in tests as 
`dirTestWatcher`. See `TestDotDrillUtil` for an example of getting a 
test-specific temp directory and writing a file to that location. You can then 
use the temp directory as your custom auth file location when configuring the 
Drillbit.
   
   With this, you can test the "happy path":
   
   * Enabled, and valid file in custom location.
   * File contents change and are valid.
   
   A bit more work is needed for the other cases. To test this one:
   
   * Enabled, and valid file in default location.
   
   You can put the htpasswd in `src/test/resources` which will be on the 
classpath when running tests. The challenge is that the file is static; if we 
have the file, there is no way to test errors if the file *does not* exist. 
Sigh.
   
   Finally, checking the error cases is a nice-to-have, but is rather tricky. 
The errors don't kill the server, they only leave a trace in the log file. So, 
you can use two other tricks. One is `LogFixture` which lets you temporarily 
turn on logging. You won't need that because your code logs errors at the 
`error` level which is always enabled.
   
   To capture log messages, you can try something like `TestOperatorDump`: 
create an in-memory log appender. Yes, it would be nice if this capability were 
part of `LogFixture`; a nice little project when someone has the time.
   
   My recommendation is to at least test the "happy path"; add the others only 
if you feel so inclined.
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034770#comment-17034770
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377856620
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  long lastModified;
+  HashMap userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+
+  /**
+   * Check password against hash read from the file
+   *
+   * @param password User provided password
+   * @param hash Hash stored in the htpasswd file
+   * @return true if the password matched the hash
+   */
+  public static boolean checkPassword(String password, String hash) {
+if (hash.startsWith("$apr1$")) {
+  return hash.equals(Md5Crypt.apr1Crypt(password, hash));
+} else if (hash.startsWith("$1$")) {
+  return hash.equals(Md5Crypt.md5Crypt(password.getBytes(Charsets.UTF_8), 
hash));
+} else if (hash.startsWith("{SHA}")) {
+  return 
hash.substring(5).equals(Base64.getEncoder().encodeToString(DigestUtils.sha1(password)));
+} else if (hash.startsWith("$2y$")) {
+  // bcrypt not supported currently
+  return false;
+} else {
+  return hash.equals(password);
+}
+  }
+
+  /**
+   * Validate the given username and password against the password file
+   *
+   * @param username Username provided
+   * @param password Password provided
+   * @throws UserAuthenticationException If the username and password could 
not be validated
+   */
+  @Override
+  public void authenticate(String username, String password) throws 
UserAuthenticationException {
+read();
+String hash = this.userToPassword.get(username);
+logger.error("Testing " + hash + " against password " + password);
+boolean credentialsAccepted = (hash != null && 
this.checkPassword(password, hash));
+if (!credentialsAccepted) {
+  throw new UserAuthenticationException(String.format("htpasswd auth 
failed for user '%s'",
+username));
+}
+  }
+
+  /**
+   * Read the password file into the 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034768#comment-17034768
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-584812830
 
 
   Good catch on the file/path issue in the doc
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034761#comment-17034761
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377848831
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  long lastModified;
+  HashMap userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+
+  /**
+   * Check password against hash read from the file
+   *
+   * @param password User provided password
+   * @param hash Hash stored in the htpasswd file
+   * @return true if the password matched the hash
+   */
+  public static boolean checkPassword(String password, String hash) {
+if (hash.startsWith("$apr1$")) {
+  return hash.equals(Md5Crypt.apr1Crypt(password, hash));
+} else if (hash.startsWith("$1$")) {
+  return hash.equals(Md5Crypt.md5Crypt(password.getBytes(Charsets.UTF_8), 
hash));
+} else if (hash.startsWith("{SHA}")) {
+  return 
hash.substring(5).equals(Base64.getEncoder().encodeToString(DigestUtils.sha1(password)));
+} else if (hash.startsWith("$2y$")) {
+  // bcrypt not supported currently
+  return false;
+} else {
+  return hash.equals(password);
+}
+  }
+
+  /**
+   * Validate the given username and password against the password file
+   *
+   * @param username Username provided
+   * @param password Password provided
+   * @throws UserAuthenticationException If the username and password could 
not be validated
+   */
+  @Override
+  public void authenticate(String username, String password) throws 
UserAuthenticationException {
+read();
+String hash = this.userToPassword.get(username);
+logger.error("Testing " + hash + " against password " + password);
+boolean credentialsAccepted = (hash != null && 
this.checkPassword(password, hash));
+if (!credentialsAccepted) {
+  throw new UserAuthenticationException(String.format("htpasswd auth 
failed for user '%s'",
+username));
+}
+  }
+
+  /**
+   * Read the password file into the 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034760#comment-17034760
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-584807952
 
 
   Thanks for the detailed usage description. In the config file shown in the 
description consistent with the implementation?
   
   Description:
   
   ```
  impl: "htpasswd",
  htpasswd: { file: "/path/to/htpasswd" }
   ```
   
   Implementation:
   
   ```
 public static final String HTPASSWD_AUTHENTICATOR_PATH = 
"drill.exec.security.user.auth.htpasswd.path";
   ```
   
   Notice the `file` vs `path` difference.
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034759#comment-17034759
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377847858
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  long lastModified;
+  HashMap userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+
+  /**
+   * Check password against hash read from the file
+   *
+   * @param password User provided password
+   * @param hash Hash stored in the htpasswd file
+   * @return true if the password matched the hash
+   */
+  public static boolean checkPassword(String password, String hash) {
+if (hash.startsWith("$apr1$")) {
+  return hash.equals(Md5Crypt.apr1Crypt(password, hash));
+} else if (hash.startsWith("$1$")) {
+  return hash.equals(Md5Crypt.md5Crypt(password.getBytes(Charsets.UTF_8), 
hash));
+} else if (hash.startsWith("{SHA}")) {
+  return 
hash.substring(5).equals(Base64.getEncoder().encodeToString(DigestUtils.sha1(password)));
+} else if (hash.startsWith("$2y$")) {
+  // bcrypt not supported currently
+  return false;
+} else {
+  return hash.equals(password);
+}
+  }
+
+  /**
+   * Validate the given username and password against the password file
+   *
+   * @param username Username provided
+   * @param password Password provided
+   * @throws UserAuthenticationException If the username and password could 
not be validated
+   */
+  @Override
+  public void authenticate(String username, String password) throws 
UserAuthenticationException {
+read();
+String hash = this.userToPassword.get(username);
+logger.error("Testing " + hash + " against password " + password);
+boolean credentialsAccepted = (hash != null && 
this.checkPassword(password, hash));
+if (!credentialsAccepted) {
+  throw new UserAuthenticationException(String.format("htpasswd auth 
failed for user '%s'",
+username));
+}
+  }
+
+  /**
+   * Read the password file into the 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034737#comment-17034737
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377826743
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  long lastModified;
+  HashMap userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+
+  /**
+   * Check password against hash read from the file
+   *
+   * @param password User provided password
+   * @param hash Hash stored in the htpasswd file
+   * @return true if the password matched the hash
+   */
+  public static boolean checkPassword(String password, String hash) {
+if (hash.startsWith("$apr1$")) {
+  return hash.equals(Md5Crypt.apr1Crypt(password, hash));
+} else if (hash.startsWith("$1$")) {
+  return hash.equals(Md5Crypt.md5Crypt(password.getBytes(Charsets.UTF_8), 
hash));
+} else if (hash.startsWith("{SHA}")) {
+  return 
hash.substring(5).equals(Base64.getEncoder().encodeToString(DigestUtils.sha1(password)));
+} else if (hash.startsWith("$2y$")) {
+  // bcrypt not supported currently
+  return false;
+} else {
+  return hash.equals(password);
+}
+  }
+
+  /**
+   * Validate the given username and password against the password file
+   *
+   * @param username Username provided
+   * @param password Password provided
+   * @throws UserAuthenticationException If the username and password could 
not be validated
+   */
+  @Override
+  public void authenticate(String username, String password) throws 
UserAuthenticationException {
+read();
+String hash = this.userToPassword.get(username);
+logger.error("Testing " + hash + " against password " + password);
+boolean credentialsAccepted = (hash != null && 
this.checkPassword(password, hash));
+if (!credentialsAccepted) {
+  throw new UserAuthenticationException(String.format("htpasswd auth 
failed for user '%s'",
+username));
+}
+  }
+
+  /**
+   * Read the password file into 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034728#comment-17034728
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377820014
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
 
 Review comment:
   Would a better default be `${DRILL_HOME}/conf`? This allows easier setup on 
an informal install where Drill is dropped into a home folder. It would be more 
consistent with our other config files. Of course, if Drill is installed in 
`/opt/drill`, then the result is the same.
   
   `${DRILL_HOME}/conf` is on the class path, so you can load the file as a 
resource by default. If the config value is set, then load it from the local 
file system as in the present code.
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034727#comment-17034727
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377821192
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
 
 Review comment:
   Please use modifiers, `private` preferred.
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034729#comment-17034729
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377821647
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  long lastModified;
+  HashMap userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+
 
 Review comment:
   Nit: one blank like between methods. These open-source coding standards are 
a hassle, but necessary to keep us all pointed in the same direction.
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034736#comment-17034736
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377825385
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  long lastModified;
+  HashMap userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+
+  /**
+   * Check password against hash read from the file
+   *
+   * @param password User provided password
+   * @param hash Hash stored in the htpasswd file
+   * @return true if the password matched the hash
+   */
+  public static boolean checkPassword(String password, String hash) {
+if (hash.startsWith("$apr1$")) {
+  return hash.equals(Md5Crypt.apr1Crypt(password, hash));
+} else if (hash.startsWith("$1$")) {
+  return hash.equals(Md5Crypt.md5Crypt(password.getBytes(Charsets.UTF_8), 
hash));
+} else if (hash.startsWith("{SHA}")) {
+  return 
hash.substring(5).equals(Base64.getEncoder().encodeToString(DigestUtils.sha1(password)));
+} else if (hash.startsWith("$2y$")) {
+  // bcrypt not supported currently
+  return false;
+} else {
+  return hash.equals(password);
+}
+  }
+
+  /**
+   * Validate the given username and password against the password file
+   *
+   * @param username Username provided
+   * @param password Password provided
+   * @throws UserAuthenticationException If the username and password could 
not be validated
+   */
+  @Override
+  public void authenticate(String username, String password) throws 
UserAuthenticationException {
+read();
+String hash = this.userToPassword.get(username);
+logger.error("Testing " + hash + " against password " + password);
+boolean credentialsAccepted = (hash != null && 
this.checkPassword(password, hash));
+if (!credentialsAccepted) {
+  throw new UserAuthenticationException(String.format("htpasswd auth 
failed for user '%s'",
+username));
+}
+  }
+
+  /**
+   * Read the password file into 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034726#comment-17034726
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377810184
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
 
 Review comment:
   Nit: Javadoc needs an HTML `` to separate paragraphs.
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034730#comment-17034730
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377822446
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  long lastModified;
+  HashMap userToPassword;
 
 Review comment:
   A good general rule is to declare variables with the base type, `Map`, but 
allocate the implementation you want, here `HashMap`.
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034733#comment-17034733
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377823342
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  long lastModified;
+  HashMap userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+
+  /**
+   * Check password against hash read from the file
+   *
+   * @param password User provided password
+   * @param hash Hash stored in the htpasswd file
+   * @return true if the password matched the hash
+   */
+  public static boolean checkPassword(String password, String hash) {
 
 Review comment:
   Nit: best to use a name that flows in an if-statement. Maybe 
`isPasswordValid`. So:
   
   ```
   if (isPasswordValid(...)) {
 // Welcome!
   } else {
 // You're outta here!
   }
   ```
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034735#comment-17034735
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377831915
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  long lastModified;
+  HashMap userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+
+  /**
+   * Check password against hash read from the file
+   *
+   * @param password User provided password
+   * @param hash Hash stored in the htpasswd file
+   * @return true if the password matched the hash
+   */
+  public static boolean checkPassword(String password, String hash) {
+if (hash.startsWith("$apr1$")) {
+  return hash.equals(Md5Crypt.apr1Crypt(password, hash));
+} else if (hash.startsWith("$1$")) {
+  return hash.equals(Md5Crypt.md5Crypt(password.getBytes(Charsets.UTF_8), 
hash));
+} else if (hash.startsWith("{SHA}")) {
+  return 
hash.substring(5).equals(Base64.getEncoder().encodeToString(DigestUtils.sha1(password)));
+} else if (hash.startsWith("$2y$")) {
+  // bcrypt not supported currently
+  return false;
+} else {
+  return hash.equals(password);
+}
+  }
+
+  /**
+   * Validate the given username and password against the password file
+   *
+   * @param username Username provided
+   * @param password Password provided
+   * @throws UserAuthenticationException If the username and password could 
not be validated
+   */
+  @Override
+  public void authenticate(String username, String password) throws 
UserAuthenticationException {
+read();
+String hash = this.userToPassword.get(username);
+logger.error("Testing " + hash + " against password " + password);
+boolean credentialsAccepted = (hash != null && 
this.checkPassword(password, hash));
+if (!credentialsAccepted) {
+  throw new UserAuthenticationException(String.format("htpasswd auth 
failed for user '%s'",
+username));
+}
+  }
+
+  /**
+   * Read the password file into 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034732#comment-17034732
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377820859
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
 
 Review comment:
   Please use just `Logger` and `LoggerFactory` and import the needed sflj 
classes. (We have lots of mechanically-edited code we're trying to clean up.) 
Also, please use your own class for the logger, 
`HtpasswdFileUserAuthenticator`. That way we know where to look in the code to 
match up log messages.
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034734#comment-17034734
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377827396
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  long lastModified;
+  HashMap userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+
+  /**
+   * Check password against hash read from the file
+   *
+   * @param password User provided password
+   * @param hash Hash stored in the htpasswd file
+   * @return true if the password matched the hash
+   */
+  public static boolean checkPassword(String password, String hash) {
+if (hash.startsWith("$apr1$")) {
+  return hash.equals(Md5Crypt.apr1Crypt(password, hash));
+} else if (hash.startsWith("$1$")) {
+  return hash.equals(Md5Crypt.md5Crypt(password.getBytes(Charsets.UTF_8), 
hash));
+} else if (hash.startsWith("{SHA}")) {
+  return 
hash.substring(5).equals(Base64.getEncoder().encodeToString(DigestUtils.sha1(password)));
+} else if (hash.startsWith("$2y$")) {
+  // bcrypt not supported currently
+  return false;
+} else {
+  return hash.equals(password);
+}
+  }
+
+  /**
+   * Validate the given username and password against the password file
+   *
+   * @param username Username provided
+   * @param password Password provided
+   * @throws UserAuthenticationException If the username and password could 
not be validated
+   */
+  @Override
+  public void authenticate(String username, String password) throws 
UserAuthenticationException {
+read();
+String hash = this.userToPassword.get(username);
+logger.error("Testing " + hash + " against password " + password);
+boolean credentialsAccepted = (hash != null && 
this.checkPassword(password, hash));
+if (!credentialsAccepted) {
+  throw new UserAuthenticationException(String.format("htpasswd auth 
failed for user '%s'",
+username));
+}
+  }
+
+  /**
+   * Read the password file into 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034731#comment-17034731
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

paul-rogers commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#discussion_r377824623
 
 

 ##
 File path: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/HtpasswdFileUserAuthenticator.java
 ##
 @@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.rpc.user.security;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.commons.codec.digest.Md5Crypt;
+import org.apache.commons.io.Charsets;
+import org.apache.drill.common.config.DrillConfig;
+import org.apache.drill.exec.ExecConstants;
+import org.apache.drill.exec.exception.DrillbitStartupException;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.text.MessageFormat;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Scanner;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Implementation of UserAuthenticator that reads passwords from an htpasswd
+ * formatted file.
+ *
+ * Currently supports MD5, SHA-1, and plaintext passwords.
+ *
+ * Use the htpasswd command line tool to create and modify htpasswd files.
+ *
+ * By default this loads the passwords from the path 
/opt/drill/conf/htpasswd.  You
+ * can change the path by setting 
drill.exec.security.user.auth.htpasswd.path in
+ * drill-override.conf.
+ *
+ * This is intended for situations where the list of users is relatively 
static, and you are running
+ * drill in a container so using pam is not convenient.
+ */
+@UserAuthenticatorTemplate(type = "htpasswd")
+public class HtpasswdFileUserAuthenticator implements UserAuthenticator {
+  private static final org.slf4j.Logger logger = 
org.slf4j.LoggerFactory.getLogger(Pam4jUserAuthenticator.class);
+  public static final String DEFAULT_HTPASSWD_AUTHENTICATOR_PATH = 
"/opt/drill/conf/htpasswd";
+
+  String path = DEFAULT_HTPASSWD_AUTHENTICATOR_PATH;
+  long lastModified;
+  HashMap userToPassword;
+
+  @Override
+  public void setup(DrillConfig drillConfig) throws DrillbitStartupException {
+if (drillConfig.hasPath(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH)) {
+  path = drillConfig.getString(ExecConstants.HTPASSWD_AUTHENTICATOR_PATH);
+}
+  }
+
+
+  /**
+   * Check password against hash read from the file
+   *
+   * @param password User provided password
+   * @param hash Hash stored in the htpasswd file
+   * @return true if the password matched the hash
+   */
+  public static boolean checkPassword(String password, String hash) {
+if (hash.startsWith("$apr1$")) {
+  return hash.equals(Md5Crypt.apr1Crypt(password, hash));
+} else if (hash.startsWith("$1$")) {
+  return hash.equals(Md5Crypt.md5Crypt(password.getBytes(Charsets.UTF_8), 
hash));
+} else if (hash.startsWith("{SHA}")) {
+  return 
hash.substring(5).equals(Base64.getEncoder().encodeToString(DigestUtils.sha1(password)));
+} else if (hash.startsWith("$2y$")) {
+  // bcrypt not supported currently
+  return false;
+} else {
+  return hash.equals(password);
+}
+  }
+
+  /**
+   * Validate the given username and password against the password file
+   *
+   * @param username Username provided
+   * @param password Password provided
+   * @throws UserAuthenticationException If the username and password could 
not be validated
+   */
+  @Override
+  public void authenticate(String username, String password) throws 
UserAuthenticationException {
+read();
+String hash = this.userToPassword.get(username);
+logger.error("Testing " + hash + " against password " + password);
+boolean credentialsAccepted = (hash != null && 
this.checkPassword(password, hash));
+if (!credentialsAccepted) {
+  throw new UserAuthenticationException(String.format("htpasswd auth 
failed for user '%s'",
+username));
+}
+  }
+
+  /**
+   * Read the password file into 

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034692#comment-17034692
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on issue #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977#issuecomment-584778663
 
 
   I'm not sure if there's anything I can do about that build failure:
   
   https://github.com/apache/drill/pull/1977/checks#step:6:1748
   
   
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

[ASF GitHub Bot (Jira)]

[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034153#comment-17034153
 ] 

ASF GitHub Bot commented on DRILL-7573:
---

dobesv commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977
 
 
   # [DRILL-7573](https://issues.apache.org/jira/browse/DRILL-7573): Support 
htpasswd based authentication
   
   ## Description
   
   This allows you to specify `htpasswd` as your authentication implementation. 
 In this case, users will be authenticated using usernames and password taken 
from a text file in `htpasswd` format.
   
   This gives some more flexibility compared to the PAM authenticator.  For 
example, in docker / kubernetes you can mount a folder with an htpasswd file 
and update that file when you want to add/remove users, without any concern 
about interfering with the contents of /etc/passwd and /etc/shadow.
   
   ## Documentation
   
   # Using a password file for authentication
   
   Apache Drill allows you to store valid usernames and passwords in a text 
file in the popular "htpasswd" format.
   
   This can be more convenient than using PAM in containerized environments, 
because you do not have to modify any system files like `passwd`, `shadow`, or 
files in `pam.d`.  Instead you can mount a volume with the `htpasswd` file in 
it and tell drill to use that file for authentication.
   
   To configure this feature:
   
   1. Create an htpasswd file and copy/mount it to/on the drillbit 
machines/containers:
   
   $ htpasswd /path/to/htpasswd $USER
   
   2. Add the following configuration to the `drill.exec` block in the 
`/conf/drill-override.conf` file:  
 
 drill.exec: {
   security.auth.mechanisms : ["PLAIN"],
   security.user.auth: {
 enabled: true,
 packages += "org.apache.drill.exec.rpc.user.security",
 impl: "htpasswd",
 htpasswd: { file: "/path/to/htpasswd" }
   }
 }
   
   3. Restart the drillbit(s)
   4. Now you must use a username/password from the `htpasswd` file when 
logging into Drill
   
   Note: Currently the `crypt` and `bcrypt` algorithms are not supported, you 
should probably use the  MD5 hashing algorithm used by default by the 
`htpasswd` command.
   
   ## Testing
   
   I created an `htpasswd` file using `htpasswd`, configured the auth mechanism 
as shown above, and testing logging in with both valid and invalid passwords 
with MD5, SHA-1, and plantext password hashes in the `htpasswd` files.
   
   No automated tests so far, but I'm open to advice on how/where to add them.  
Still very new to the code base.
   
   
 

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Support text file for user authentication instead of using PAM
> --
>
> Key: DRILL-7573
> URL: https://issues.apache.org/jira/browse/DRILL-7573
> Project: Apache Drill
>  Issue Type: Improvement
>  Components:  Server, Web Server
>Affects Versions: 1.17.0
>Reporter: Dobes Vandermeer
>Priority: Major
>
> Currently plain login using PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy to way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and password from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)