[
https://issues.apache.org/jira/browse/DRILL-5485?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16025417#comment-16025417
]
ASF GitHub Bot commented on DRILL-5485:
---------------------------------------
Github user sudheeshkatkam commented on a diff in the pull request:
https://github.com/apache/drill/pull/829#discussion_r118587783
--- Diff:
exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/WebServer.java
---
@@ -219,12 +232,43 @@ public void sessionDestroyed(HttpSessionEvent se) {
securityHandler.logout(sessionAuth);
session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
}
+
+ // Clear all the custom attributes set as part of session
+ clearSessionCustomAttributes(session);
}
});
return new SessionHandler(sessionManager);
}
+ private void clearSessionCustomAttributes(HttpSession session) {
--- End diff --
(I somehow managed to delete this in my comment..) The life cycle of those
resources could be placed together in one class, as resources are being
initialized in one place but closed in different places.
> Remove WebServer dependency on DrillClient
> ------------------------------------------
>
> Key: DRILL-5485
> URL: https://issues.apache.org/jira/browse/DRILL-5485
> Project: Apache Drill
> Issue Type: Improvement
> Components: Web Server
> Reporter: Sorabh Hamirwasia
> Fix For: 1.11.0
>
>
> With encryption support using SASL, client's won't be able to authenticate
> using PLAIN mechanism when encryption is enabled on the cluster. Today
> WebServer which is embedded inside Drillbit creates a DrillClient instance
> for each WebClient session. And the WebUser is authenticated as part of
> authentication between DrillClient instance and Drillbit using PLAIN
> mechanism. But with encryption enabled this will fail since encryption
> doesn't support authentication using PLAN mechanism, hence no WebClient can
> connect to a Drillbit. There are below issues as well with this approach:
> 1) Since DrillClient is used per WebUser session this is expensive as it has
> heavyweight RPC layer for DrillClient and all it's dependencies.
> 2) If the Foreman for a WebUser is also selected to be a different node then
> there will be extra hop of transferring data back to WebClient.
> To resolve all the above issue it would be better to authenticate the WebUser
> locally using the Drillbit on which WebServer is running without creating
> DrillClient instance. We can use the local PAMAuthenticator to authenticate
> the user. After authentication is successful the local Drillbit can also
> serve as the Foreman for all the queries submitted by WebUser. This can be
> achieved by submitting the query to the local Drillbit Foreman work queue.
> This will also remove the requirement to encrypt the channel opened between
> WebServer (DrillClient) and selected Drillbit since with this approach there
> won't be any physical channel opened between them.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
