Sorabh Hamirwasia created DRILL-5485:
----------------------------------------
Summary: Remove WebServer dependency on DrillClient
Key: DRILL-5485
URL: https://issues.apache.org/jira/browse/DRILL-5485
Project: Apache Drill
Issue Type: Improvement
Components: Web Server
Reporter: Sorabh Hamirwasia
Fix For: 1.11.0
With encryption support using SASL, client's won't be able to authenticate
using PLAIN mechanism when encryption is enabled on the cluster. Today
WebServer which is embedded inside Drillbit creates a DrillClient instance for
each WebClient session. And the WebUser is authenticated as part of
authentication between DrillClient instance and Drillbit using PLAIN mechanism.
But with encryption enabled this will fail since encryption doesn't support
authentication using PLAN mechanism, hence no WebClient can connect to a
Drillbit. There are below issues as well with this approach:
1) Since DrillClient is used per WebUser session this is expensive as it has
heavyweight RPC layer for DrillClient and all it's dependencies.
2) If the Foreman for a WebUser is also selected to be a different node then
there will be extra hop of transferring data back to WebClient.
To resolve all the above issue it would be better to authenticate the WebUser
locally using the Drillbit on which WebServer is running without creating
DrillClient instance. We can use the local PAMAuthenticator to authenticate the
user. After authentication is successful the local Drillbit can also serve as
the Foreman for all the queries submitted by WebUser. This can be achieved by
submitting the query to the local Drillbit Foreman work queue. This will also
remove the requirement to encrypt the channel opened between WebServer
(DrillClient) and selected Drillbit since with this approach there won't be any
physical channel opened between them.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
