[ https://issues.apache.org/jira/browse/DRILL-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15623270#comment-15623270 ]
ASF GitHub Bot commented on DRILL-4280: --------------------------------------- Github user laurentgo commented on a diff in the pull request: https://github.com/apache/drill/pull/578#discussion_r85823003 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java --- @@ -328,44 +304,73 @@ protected void consumeHandshake(ChannelHandlerContext ctx, UserToBitHandshake in public BitToUserHandshake getHandshakeResponse(UserToBitHandshake inbound) throws Exception { logger.trace("Handling handshake from user to bit. {}", inbound); - // if timeout is unsupported or is set to false, disable timeout. if (!inbound.hasSupportTimeout() || !inbound.getSupportTimeout()) { connection.disableReadTimeout(); logger.warn("Timeout Disabled as client doesn't support it.", connection.getName()); } - BitToUserHandshake.Builder respBuilder = BitToUserHandshake.newBuilder() + final BitToUserHandshake.Builder respBuilder = BitToUserHandshake.newBuilder() .setRpcVersion(UserRpcConfig.RPC_VERSION); try { - if (inbound.getRpcVersion() != UserRpcConfig.RPC_VERSION) { - final String errMsg = String.format("Invalid rpc version. Expected %d, actual %d.", - UserRpcConfig.RPC_VERSION, inbound.getRpcVersion()); + if (!SUPPORTED_RPC_VERSIONS.contains(inbound.getRpcVersion())) { + final String errMsg = String.format("Invalid rpc version. Expected %s, actual %d.", + SUPPORTED_RPC_VERSIONS, inbound.getRpcVersion()); return handleFailure(respBuilder, HandshakeStatus.RPC_VERSION_MISMATCH, errMsg, null); } - if (authenticator != null) { + connection.setHandshake(inbound); + + if (authFactory == null) { // authentication is disabled + connection.finalizeSession(inbound.getCredentials().getUserName()); + respBuilder.setStatus(HandshakeStatus.SUCCESS); + return respBuilder.build(); + } + + if (inbound.getRpcVersion() == NON_SASL_RPC_VERSION_SUPPORTED) { // for backward compatibility + final String userName = inbound.getCredentials().getUserName(); + if (logger.isTraceEnabled()) { + logger.trace("User {} on connection {} is using an older client (Drill version <= 1.8).", + userName, connection.getRemoteAddress()); + } try { String password = ""; final UserProperties props = inbound.getProperties(); for (int i = 0; i < props.getPropertiesCount(); i++) { Property prop = props.getProperties(i); - if (UserSession.PASSWORD.equalsIgnoreCase(prop.getKey())) { + if (ConnectionParameters.PASSWORD.equalsIgnoreCase(prop.getKey())) { password = prop.getValue(); break; } } - authenticator.authenticate(inbound.getCredentials().getUserName(), password); + final PlainMechanism plainMechanism = authFactory.getPlainMechanism(); + if (plainMechanism == null) { + throw new UserAuthenticationException("The server no longer supports username/password" + + " based authentication. Please talk to your system administrator."); + } + plainMechanism.getAuthenticator() + .authenticate(userName, password); + connection.changeHandlerTo(handler); + connection.finalizeSession(userName); + respBuilder.setStatus(HandshakeStatus.SUCCESS); --- End diff -- should the rpc version of the response be changed to `NON_SASL_RPC_VERSION_SUPPORTED` in that specific case? > Kerberos Authentication > ----------------------- > > Key: DRILL-4280 > URL: https://issues.apache.org/jira/browse/DRILL-4280 > Project: Apache Drill > Issue Type: Improvement > Reporter: Keys Botzum > Assignee: Chunhui Shi > Labels: security > > Drill should support Kerberos based authentication from clients. This means > that both the ODBC and JDBC drivers as well as the web/REST interfaces should > support inbound Kerberos. For Web this would most likely be SPNEGO while for > ODBC and JDBC this will be more generic Kerberos. > Since Hive and much of Hadoop supports Kerberos there is a potential for a > lot of reuse of ideas if not implementation. > Note that this is related to but not the same as > https://issues.apache.org/jira/browse/DRILL-3584 -- This message was sent by Atlassian JIRA (v6.3.4#6332)