[ https://issues.apache.org/jira/browse/DRILL-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15957897#comment-15957897 ]
ASF GitHub Bot commented on DRILL-4335: --------------------------------------- Github user sudheeshkatkam commented on a diff in the pull request: https://github.com/apache/drill/pull/773#discussion_r110035581 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java --- @@ -335,8 +350,27 @@ public BitToUserHandshake getHandshakeResponse(UserToBitHandshake inbound) throw } } - // mention server's authentication capabilities - respBuilder.addAllAuthenticationMechanisms(config.getAuthProvider().getAllFactoryNames()); + // We are checking in UserConnectionConfig that if SASL encryption is enabled then mechanisms other + // than PLAIN are also configured otherwise throw exception + final Set<String> configuredMech = config.getAuthProvider().getAllFactoryNames(); + + if (!config.isEncryptionEnabled()) { + + respBuilder.addAllAuthenticationMechanisms(configuredMech); + } else { --- End diff -- Few things to note: + If encryption is enabled, PLAIN will fail negotiation anyway. So the special handling (and this block itself) is unnecessary? + An implication of this is that even if the Drillbit starts up with PLAIN configured correctly, the mechanism will not be offered to clients. + Consider a custom mechanism which do not support encryption, PLAIN will not be offered, but that mechanism will be offered? > Apache Drill should support network encryption > ---------------------------------------------- > > Key: DRILL-4335 > URL: https://issues.apache.org/jira/browse/DRILL-4335 > Project: Apache Drill > Issue Type: New Feature > Reporter: Keys Botzum > Assignee: Sorabh Hamirwasia > Labels: security > Attachments: ApacheDrillEncryptionUsingSASLDesign.pdf > > > This is clearly related to Drill-291 but wanted to make explicit that this > needs to include network level encryption and not just authentication. This > is particularly important for the client connection to Drill which will often > be sending passwords in the clear until there is encryption. -- This message was sent by Atlassian JIRA (v6.3.15#6346)