[ 
https://issues.apache.org/jira/browse/DRILL-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15904070#comment-15904070
 ] 

Sorabh Hamirwasia commented on DRILL-4335:
------------------------------------------

[~laurentgo],
Yes, there are multiple copies (~3) involved here. Below is a summary of them. I 
am not sure if there is any way to avoid these unless we use a heap array for 
Drill ByteBuff as well.
1) Converting the payload to encrypt from the Drill ByteBuff, which is in direct 
memory, to a byte array, which is on the heap.
2) A copy inside the wrap/unwrap method, which allocates a new byte array 
internally to copy the provided input.
3) Copying the output encrypted byte array back to a Drill ByteBuff to transfer 
over the network.

We will share the estimation/benchmark to quantify the impact on throughput 
once available. Netty's SSL/TLS will have the same impact since the internal 
implementation also uses the JDK's wrap/unwrap methods, which involve the same 
amount of copying. We are planning to provide SSL support in the future too. 
SASL is mainly focused on the use case where we have a Kerberos setup. If a user 
wants privacy over the channel along with Kerberos authentication, then 
encryption using SASL will help there. Sorry for the delay, but I have finally 
updated the design document to reflect changes with the current implementation 
and am attaching that too for review.

Note: This pull request doesn't have the C++ client-side changes, which I am 
planning to post as a separate pull request.

> Apache Drill should support network encryption
> ----------------------------------------------
>
>                 Key: DRILL-4335
>                 URL: https://issues.apache.org/jira/browse/DRILL-4335
>             Project: Apache Drill
>          Issue Type: New Feature
>            Reporter: Keys Botzum
>            Assignee: Sorabh Hamirwasia
>              Labels: security
>
> This is clearly related to Drill-291 but wanted to make explicit that this 
> needs to include network level encryption and not just authentication. This 
> is particularly important for the client connection to Drill which will often 
> be sending passwords in the clear until there is encryption.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
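
The three copies listed in the comment above, traced through the JDK SASL API as an added example (this is not Drill's code and not part of the original message). Assumptions: DIGEST-MD5 with constructed credentials stands in for Kerberos so the handshake runs inside one JVM, a plain java.nio direct ByteBuffer stands in for Drill's buffer, and the class and helper names are hypothetical.

```java
import javax.security.auth.callback.*;
import javax.security.sasl.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class SaslWrapCopies {
    // Constructed credentials; DIGEST-MD5 is an assumption so the demo needs no KDC.
    static final CallbackHandler CBH = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("secret".toCharArray());
            else if (cb instanceof RealmCallback) ((RealmCallback) cb).setText(((RealmCallback) cb).getDefaultText());
            else if (cb instanceof AuthorizeCallback) ((AuthorizeCallback) cb).setAuthorized(true);
        }
    };

    // Each helper moves the whole buffer between direct memory and the heap: one full copy per call.
    static byte[] toHeap(ByteBuffer direct) {
        byte[] heap = new byte[direct.remaining()];
        direct.get(heap);
        return heap;
    }
    static ByteBuffer toDirect(byte[] heap) {
        ByteBuffer direct = ByteBuffer.allocateDirect(heap.length);
        direct.put(heap);
        direct.flip();
        return direct;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> props = Collections.singletonMap(Sasl.QOP, "auth-conf"); // request privacy
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", "drill", "localhost", props, CBH);
        SaslClient client = Sasl.createSaslClient(new String[] {"DIGEST-MD5"}, null, "drill", "localhost", props, CBH);
        byte[] token = server.evaluateResponse(new byte[0]);       // server's initial challenge
        while (!server.isComplete()) {
            token = server.evaluateResponse(client.evaluateChallenge(token));
        }
        client.evaluateChallenge(token);                           // client verifies the server's final token

        ByteBuffer outbound = toDirect("SELECT * FROM sys.version".getBytes(StandardCharsets.UTF_8));
        byte[] plain = toHeap(outbound);                           // copy 1: direct memory -> heap array
        byte[] wrapped = client.wrap(plain, 0, plain.length);      // copy 2: wrap() returns a new array
        ByteBuffer onWire = toDirect(wrapped);                     // copy 3: heap array -> direct memory

        byte[] received = toHeap(onWire);                          // the receiver repeats the copies for unwrap()
        byte[] unwrapped = server.unwrap(received, 0, received.length);
        System.out.println("negotiated QOP: " + client.getNegotiatedProperty(Sasl.QOP));
        System.out.println("round trip ok: " + Arrays.equals(plain, unwrapped));
    }
}
```

Both wrap() and unwrap() accept only a byte[] with offset and length, which is why the direct-memory payload has to be staged on the heap on each side.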
