[
https://issues.apache.org/jira/browse/DRILL-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15623245#comment-15623245
]
ASF GitHub Bot commented on DRILL-4280:
---------------------------------------
Github user laurentgo commented on a diff in the pull request:
https://github.com/apache/drill/pull/578#discussion_r85797062
--- Diff: contrib/native/client/src/clientlib/drillClientImpl.cpp ---
@@ -427,6 +511,121 @@ connectionStatus_t
DrillClientImpl::validateHandshake(DrillUserProperties* prope
getMessage(ERR_CONN_AUTHFAIL,
this->m_handshakeErrorId.c_str(),
this->m_handshakeErrorMsg.c_str()));
+ case exec::user::AUTH_REQUIRED: {
+ DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Server requires SASL
authentication." << std::endl;)
+ SaslAuthenticatorImpl saslAuthenticator(properties);
+ int saslResult = 0;
+ std::string chosenMech;
+ const char *out;
+ unsigned outlen;
+ saslResult = saslAuthenticator.init(m_mechanisms,
chosenMech, &out, &outlen);
+ if (saslResult != SASL_OK) {
+ DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Authenticator
init failed. Code: " << saslResult << std::endl;)
+ return handleConnError(CONN_AUTH_FAILED, "User
authentication init failed.");
+ }
+ if (NULL == out) {
+ out =
(&::google::protobuf::internal::kEmptyString)->c_str();
+ }
+ // send initial response
+ {
+ exec::user::SaslMessage response;
+ response.set_data(out, outlen);
+ response.set_mechanism(chosenMech[0]);
+
response.set_status(exec::user::SaslStatus::SASL_START);
+ {
+ boost::lock_guard<boost::mutex>
lock(this->m_dcMutex);
+ int32_t coordId = this->getNextCoordinationId();
+
+ OutBoundRpcMessage out_msg(exec::rpc::REQUEST,
exec::user::SASL_MESSAGE, coordId, &response);
+ sendSync(out_msg);
+ DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Sent SASL
init response, id: " << coordId
+ << " result: "
<< saslResult << std::endl;)
+ }
+ }
+
+ bool done = false;
+ while (saslResult == SASL_OK || saslResult ==
SASL_CONTINUE) {
+ if (done) {
+ break;
+ }
+ // receive challenge
+ InBoundRpcMessage inboundMessage;
+ readMessage(inboundMessage);
+ if (m_pError) {
+ DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Something
failed." << std::endl;)
+ return CONN_AUTH_FAILED;
+ }
+ exec::user::SaslMessage challenge;
+
challenge.ParseFromArray(inboundMessage.m_pbody.data(),
inboundMessage.m_pbody.size());
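Review bot: `out` and `outlen` are declared without initializers and then passed to `response.set_data(out, outlen)`, so the number of bytes copied into the SASL start message depends entirely on `saslAuthenticator.init()` having written both. In the `NULL == out` branch only the pointer is replaced; if `init()` leaves `outlen` untouched when the mechanism has no initial response (its body is not visible here), `set_data` would read that many bytes past an empty string. Declaring them as `const char *out = NULL;` and `unsigned outlen = 0;`, and using `out = ""; outlen = 0;` in the fallback, removes that dependency and also avoids reaching into `::google::protobuf::internal`. Separately, `response.set_mechanism(chosenMech[0])` appears to pass a single character of the `std::string` declared above rather than the mechanism name, which is worth confirming against the field type. `validateHandshake` begins before this hunk and the `while` loop continues past the end of the quoted diff.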
--- End diff --
You should check the return value for parsing errors.
> Kerberos Authentication
> -----------------------
>
> Key: DRILL-4280
> URL: https://issues.apache.org/jira/browse/DRILL-4280
> Project: Apache Drill
> Issue Type: Improvement
> Reporter: Keys Botzum
> Assignee: Chunhui Shi
> Labels: security
>
> Drill should support Kerberos-based authentication from clients. This means
> that both the ODBC and JDBC drivers as well as the web/REST interfaces should
> support inbound Kerberos. For Web this would most likely be SPNEGO while for
> ODBC and JDBC this will be more generic Kerberos.
> Since Hive and much of Hadoop support Kerberos, there is a potential for a
> lot of reuse of ideas if not implementation.
> Note that this is related to but not the same as
> https://issues.apache.org/jira/browse/DRILL-3584