[jira] [Commented] (DRILL-4335) Apache Drill should support network encryption

Wed, 05 Apr 2017 15:21:05 -0700 

    [ 
https://issues.apache.org/jira/browse/DRILL-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15957868#comment-15957868
 ] 

ASF GitHub Bot commented on DRILL-4335:
---------------------------------------

Github user sudheeshkatkam commented on a diff in the pull request:

    https://github.com/apache/drill/pull/773#discussion_r109956559
  
    --- Diff: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/security/AuthenticationOutcomeListener.java
 ---
    @@ -243,4 +247,43 @@ public SaslMessage process(SaslChallengeContext 
context) throws Exception {
           }
         }
       }
    +
    +  private static void handleSuccess(SaslChallengeContext context) throws 
SaslException {
    +    final ClientConnection connection = context.connection;
    +    final SaslClient saslClient = connection.getSaslClient();
    +
    +    if (connection.isEncrypted()) {
    +      try {
    +        // Check if connection was marked for being secure then verify for 
negotiated QOP value for
    +        // correctness.
    +        final String negotiatedQOP = 
saslClient.getNegotiatedProperty(Sasl.QOP).toString();
    +        assert 
(negotiatedQOP.equals(SaslProperties.QualityOfProtection.PRIVACY.getSaslQop()));
    +
    +        // Update the rawWrapChunkSize with the negotiated buffer size 
since we cannot call encode with more than
    +        // negotiated size of buffer.
    +        final int negotiatedRawSendSize = Integer.parseInt(saslClient
    +                                                            
.getNegotiatedProperty(SaslProperties.WRAP_RAW_SEND_SIZE)
    --- End diff --
    
    Why not use `Sasl.RAW_SEND_SIZE`?


> Apache Drill should support network encryption
> ----------------------------------------------
>
>                 Key: DRILL-4335
>                 URL: https://issues.apache.org/jira/browse/DRILL-4335
>             Project: Apache Drill
>          Issue Type: New Feature
>            Reporter: Keys Botzum
>            Assignee: Sorabh Hamirwasia
>              Labels: security
>         Attachments: ApacheDrillEncryptionUsingSASLDesign.pdf
>
>
> This is clearly related to Drill-291 but wanted to make explicit that this 
> needs to include network level encryption and not just authentication. This 
> is particularly important for the client connection to Drill which will often 
> be sending passwords in the clear until there is encryption.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to