[
https://issues.apache.org/jira/browse/DRILL-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15623270#comment-15623270
]
ASF GitHub Bot commented on DRILL-4280:
---------------------------------------
Github user laurentgo commented on a diff in the pull request:
https://github.com/apache/drill/pull/578#discussion_r85823003
--- Diff:
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java ---
@@ -328,44 +304,73 @@ protected void consumeHandshake(ChannelHandlerContext
ctx, UserToBitHandshake in
public BitToUserHandshake getHandshakeResponse(UserToBitHandshake
inbound) throws Exception {
logger.trace("Handling handshake from user to bit. {}", inbound);
-
// if timeout is unsupported or is set to false, disable timeout.
if (!inbound.hasSupportTimeout() || !inbound.getSupportTimeout()) {
connection.disableReadTimeout();
logger.warn("Timeout Disabled as client doesn't support it.",
connection.getName());
}
- BitToUserHandshake.Builder respBuilder =
BitToUserHandshake.newBuilder()
+ final BitToUserHandshake.Builder respBuilder =
BitToUserHandshake.newBuilder()
.setRpcVersion(UserRpcConfig.RPC_VERSION);
try {
- if (inbound.getRpcVersion() != UserRpcConfig.RPC_VERSION) {
- final String errMsg = String.format("Invalid rpc version.
Expected %d, actual %d.",
- UserRpcConfig.RPC_VERSION, inbound.getRpcVersion());
+ if (!SUPPORTED_RPC_VERSIONS.contains(inbound.getRpcVersion())) {
+ final String errMsg = String.format("Invalid rpc version.
Expected %s, actual %d.",
+ SUPPORTED_RPC_VERSIONS, inbound.getRpcVersion());
return handleFailure(respBuilder,
HandshakeStatus.RPC_VERSION_MISMATCH, errMsg, null);
}
- if (authenticator != null) {
+ connection.setHandshake(inbound);
+
+ if (authFactory == null) { // authentication is disabled
+
connection.finalizeSession(inbound.getCredentials().getUserName());
+ respBuilder.setStatus(HandshakeStatus.SUCCESS);
+ return respBuilder.build();
+ }
+
+ if (inbound.getRpcVersion() == NON_SASL_RPC_VERSION_SUPPORTED) {
// for backward compatibility
+ final String userName = inbound.getCredentials().getUserName();
+ if (logger.isTraceEnabled()) {
+ logger.trace("User {} on connection {} is using an older
client (Drill version <= 1.8).",
+ userName, connection.getRemoteAddress());
+ }
try {
String password = "";
final UserProperties props = inbound.getProperties();
for (int i = 0; i < props.getPropertiesCount(); i++) {
Property prop = props.getProperties(i);
- if (UserSession.PASSWORD.equalsIgnoreCase(prop.getKey())) {
+ if
(ConnectionParameters.PASSWORD.equalsIgnoreCase(prop.getKey())) {
password = prop.getValue();
break;
}
}
-
authenticator.authenticate(inbound.getCredentials().getUserName(), password);
+ final PlainMechanism plainMechanism =
authFactory.getPlainMechanism();
+ if (plainMechanism == null) {
+ throw new UserAuthenticationException("The server no
longer supports username/password" +
+ " based authentication. Please talk to your system
administrator.");
+ }
+ plainMechanism.getAuthenticator()
+ .authenticate(userName, password);
+ connection.changeHandlerTo(handler);
+ connection.finalizeSession(userName);
+ respBuilder.setStatus(HandshakeStatus.SUCCESS);
--- End diff --
should the rpc version of the response be changed to
`NON_SASL_RPC_VERSION_SUPPORTED` in that specific case?
> Kerberos Authentication
> -----------------------
>
> Key: DRILL-4280
> URL: https://issues.apache.org/jira/browse/DRILL-4280
> Project: Apache Drill
> Issue Type: Improvement
> Reporter: Keys Botzum
> Assignee: Chunhui Shi
> Labels: security
>
> Drill should support Kerberos based authentication from clients. This means
> that both the ODBC and JDBC drivers as well as the web/REST interfaces should
> support inbound Kerberos. For Web this would most likely be SPNEGO while for
> ODBC and JDBC this will be more generic Kerberos.
> Since Hive and much of Hadoop supports Kerberos there is a potential for a
> lot of reuse of ideas if not implementation.
> Note that this is related to but not the same as
> https://issues.apache.org/jira/browse/DRILL-3584
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
