[ https://issues.apache.org/jira/browse/DRILL-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15623245#comment-15623245 ]
ASF GitHub Bot commented on DRILL-4280: --------------------------------------- Github user laurentgo commented on a diff in the pull request: https://github.com/apache/drill/pull/578#discussion_r85797062 --- Diff: contrib/native/client/src/clientlib/drillClientImpl.cpp --- 
@@ -427,6 +511,121 @@ connectionStatus_t DrillClientImpl::validateHandshake(DrillUserProperties* prope
 getMessage(ERR_CONN_AUTHFAIL, this->m_handshakeErrorId.c_str(), this->m_handshakeErrorMsg.c_str()));
+ case exec::user::AUTH_REQUIRED: {
+ DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Server requires SASL authentication." << std::endl;)
+ SaslAuthenticatorImpl saslAuthenticator(properties);
+ int saslResult = 0;
+ std::string chosenMech;
+ const char *out;
+ unsigned outlen;
+ saslResult = saslAuthenticator.init(m_mechanisms, chosenMech, &out, &outlen);
+ if (saslResult != SASL_OK) {
+ DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Authenticator init failed. Code: " << saslResult << std::endl;)
+ return handleConnError(CONN_AUTH_FAILED, "User authentication init failed.");
+ }
+ if (NULL == out) {
+ out = (&::google::protobuf::internal::kEmptyString)->c_str();
+ }
+ // send initial response
+ {
+ exec::user::SaslMessage response;
+ response.set_data(out, outlen);
+ response.set_mechanism(chosenMech[0]);
+ response.set_status(exec::user::SaslStatus::SASL_START);
+ {
+ boost::lock_guard<boost::mutex> lock(this->m_dcMutex);
+ int32_t coordId = this->getNextCoordinationId();
+
+ OutBoundRpcMessage out_msg(exec::rpc::REQUEST, exec::user::SASL_MESSAGE, coordId, &response);
+ sendSync(out_msg);
+ DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Sent SASL init response, id: " << coordId
+ << " result: " << saslResult << std::endl;)
+ }
+ }
+
+ bool done = false;
+ while (saslResult == SASL_OK || saslResult == SASL_CONTINUE) {
+ if (done) {
+ break;
+ }
+ // receive challenge
+ InBoundRpcMessage inboundMessage;
+ readMessage(inboundMessage);
+ if (m_pError) {
+ DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Something failed." << std::endl;)
+ return CONN_AUTH_FAILED;
+ }
+ exec::user::SaslMessage challenge;
+ challenge.ParseFromArray(inboundMessage.m_pbody.data(), inboundMessage.m_pbody.size());
--- End diff --
you should check the return value for parsing errors > Kerberos Authentication > ----------------------- > > Key: DRILL-4280 > URL: https://issues.apache.org/jira/browse/DRILL-4280 > Project: Apache Drill > Issue Type: Improvement > Reporter: Keys Botzum > Assignee: Chunhui Shi > Labels: security > > Drill should support Kerberos based authentication from clients. This means > that both the ODBC and JDBC drivers as well as the web/REST interfaces should > support inbound Kerberos. For Web this would most likely be SPNEGO while for > ODBC and JDBC this will be more generic Kerberos. > Since Hive and much of Hadoop supports Kerberos there is a potential for a > lot of reuse of ideas if not implementation. > Note that this is related to but not the same as > https://issues.apache.org/jira/browse/DRILL-3584 -- This message was sent by Atlassian JIRA (v6.3.4#6332)
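Review bot: `out` and `outlen` are declared uninitialized and then handed to `response.set_data(out, outlen)`; when `init()` returns SASL_OK without an initial response, the `NULL == out` branch substitutes an empty string but leaves `outlen` as it was, so `set_data` could read that many bytes past a zero-length buffer and send them to the server. Whether `init()` always writes both outputs is not visible in this hunk, so initialize them at the declaration (`const char *out = NULL; unsigned outlen = 0;`) and add `outlen = 0;` inside the NULL branch. Separately, `response.set_mechanism(chosenMech[0])` passes a single `char` of a `std::string`, which looks like a leftover from a list-typed variable; presumably `chosenMech` itself is intended. The `case` block and the `while` loop both continue past the end of the quoted hunk.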