[ https://issues.apache.org/jira/browse/DRILL-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15904070#comment-15904070 ]
Sorabh Hamirwasia commented on DRILL-4335:
------------------------------------------

[~laurentgo],
Yes, there are multiple copies (~3) involved here. Below is the summary of it. I am not sure if there is any way to avoid these unless we use heap array for Drill ByteBuff as well.

1) Converting the payload to encrypt from Drill ByteBuff, which is on direct memory, to the byte array, which is on heap.
2) Copy inside wrap/unwrap method, which allocates a new byte array internally to copy the provided input.
3) Copying the output encrypted byte array back to Drill ByteBuff to transfer over network.

We will share the estimation/benchmark to quantify the impact on throughput once available.

Netty's SSL/TLS will have the same impact, since the internal implementation also uses the JDK's wrap/unwrap methods, which involve the same amount of copying. We are planning to provide SSL support in future too. SASL is mainly focussed on the use case where we have a Kerberos setup. If a user wants privacy over the channel along with Kerberos authentication, then encryption using SASL will help there.

Sorry for the delay, but I have finally updated the design document to reflect changes with the current implementation and am attaching that too for review.

Note: This pull request doesn't have C++ client side changes, which I am planning to post as a separate pull request.

> Apache Drill should support network encryption
> ----------------------------------------------
>
> Key: DRILL-4335
> URL: https://issues.apache.org/jira/browse/DRILL-4335
> Project: Apache Drill
> Issue Type: New Feature
> Reporter: Keys Botzum
> Assignee: Sorabh Hamirwasia
> Labels: security
>
> This is clearly related to Drill-291 but wanted to make explicit that this
> needs to include network level encryption and not just authentication. This
> is particularly important for the client connection to Drill which will often
> be sending passwords in the clear until there is encryption.

--
This message was sent by Atlassian JIRA (v6.3.15#6346)