Hi Knapp,

The SASL PLAIN mechanism doesn't support encryption [1], hence encryption as of now is only available via Kerberos. The LDAP module which you have configured for Drill will work as an authenticator module in the PLAIN mechanism, and you won't be able to use encryption capabilities with it.

Also, there is no connection parameter named sasl_enabled on the client side. In the default case you don't have to provide or set any connection parameters on the client side.

[1]: https://tools.ietf.org/html/rfc4616
The PLAIN mechanism should not be used without adequate data security protection as this mechanism affords no integrity or confidentiality protections itself.

Thanks,
Sorabh

________________________________
From: Knapp, Michael <michael.kn...@capitalone.com>
Sent: Thursday, June 29, 2017 12:36 PM
To: user@drill.apache.org; shamirwa...@maprtech.com
Cc: Yalamanchilli, Leela
Subject: Using SASL encryption from Clients to Drillbits

Hi,

I am having trouble using SASL encryption between my SQL Workbench client and Drill. I am not trying to set up encryption between Drillbit nodes, just between clients and Drillbits. I have been using this commit <https://github.com/apache/drill/pull/773/files> as my reference. Here is what I have done:

· I built Drill from source and deployed it. This was using the 1.11.0-SNAPSHOT as of yesterday (June 28).
· I started Drill with DRILLBIT_JAVA_OPTS including “-Ddrill.exec.security.user.encryption.sasl.enabled=true”
· Note that my Drill also has a custom LDAP authenticator written that is configured in my drill-module.conf and works. So “drill.exec.security.user.auth.enabled” is set to true and “drill.exec.security.user.auth.impl” is set to “ldap”. The “ldap” mechanism is provided by a jar I wrote.
· I use my own LDAP username and password when connecting with the drillbit; this has always worked in the past.
· I updated my SQL Workbench driver to use all of the jars from the distribution I just built.
· In my SQL Workbench connection configuration, I have added two extended properties: “sasl_enabled” which is set to “true”, and “auth” which I am not sure what to set it to. I have attempted connecting with auth set to “plain”, “Kerberos”, “ldap”, “otp”, “SKEY”, “PAM”, and “EXTERNAL”.

Every time it either was not a supported authentication mechanism, or it was supported but the mechanism did not support the configured security layers. Example failure messages:

When using “ldap” as the “auth” mechanism:

Failure in connecting to Drill: oadd.org.apache.drill.exec.rpc.NonTransientRpcException: javax.security.sasl.SaslException: Authentication failed. [Details: Encryption: enabled , MaxWrappedSize: 65536 , WrapSizeLimit: 0, Error Unknown mechanism: ldap] [Caused by javax.security.sasl.SaslException: Unknown mechanism: ldap]

When using “plain” as the “auth” mechanism:

Failure in connecting to Drill: oadd.org.apache.drill.exec.rpc.NonTransientRpcException: javax.security.sasl.SaslException: Authentication failed. [Details: Encryption: enabled , MaxWrappedSize: 65536 , WrapSizeLimit: 0, Error Cannot initiate authentication using PLAIN mechanism. Insufficient credentials or selected mechanism doesn't support configured security layers?] [Caused by javax.security.sasl.SaslException: Cannot initiate authentication using PLAIN mechanism. Insufficient credentials or selected mechanism doesn't support configured security layers?]

Please let me know what I am missing here.

Michael Knapp
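
The two failures in this thread, modeled as an added example that is not part of the original messages and is not Drill's code: "ldap" is an authenticator behind PLAIN rather than a SASL mechanism name, and PLAIN (RFC 4616) carries the credentials as readable text with no security layer to negotiate. The function names, the capability table and the sample credentials are assumptions constructed for illustration.

```python
# Added illustration, not Drill code: names and the capability table are assumptions.
QOP_RANK = {"auth": 0, "auth-int": 1, "auth-conf": 2}  # SASL quality-of-protection levels

# Strongest security layer each mechanism can negotiate. PLAIN (RFC 4616) defines
# none; GSSAPI, the SASL mechanism used for Kerberos, can provide confidentiality.
MECH_MAX_QOP = {"PLAIN": "auth", "GSSAPI": "auth-conf"}


class SaslNegotiationError(Exception):
    pass


def select_mechanism(requested, server_mechs, encryption_required):
    """Accept a mechanism only if the server offers it and it meets the required QOP."""
    mech = requested.upper()
    if mech not in server_mechs:
        raise SaslNegotiationError(f"Unknown mechanism: {requested}")
    needed = "auth-conf" if encryption_required else "auth"
    if QOP_RANK[MECH_MAX_QOP.get(mech, "auth")] < QOP_RANK[needed]:
        raise SaslNegotiationError(f"{mech} cannot provide security layer {needed}")
    return mech


def plain_initial_response(authcid, passwd, authzid=""):
    """Build the RFC 4616 message: [authzid] NUL authcid NUL passwd, UTF-8 encoded."""
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    if any("\x00" in field for field in (authzid, authcid, passwd)):
        raise ValueError("NUL is the field separator and cannot appear in a field")
    return "\x00".join((authzid, authcid, passwd)).encode("utf-8")


def parse_plain(message):
    """Recover the fields exactly as the server, or anyone reading the socket, sees them."""
    parts = message.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


if __name__ == "__main__":
    wire = plain_initial_response("alice", "constructed-password")  # constructed sample
    print(wire, parse_plain(wire))
    for mech, enc in (("plain", False), ("plain", True), ("ldap", True), ("GSSAPI", True)):
        try:
            print(mech, enc, "->", select_mechanism(mech, {"PLAIN", "GSSAPI"}, enc))
        except SaslNegotiationError as err:
            print(mech, enc, "-> rejected:", err)
```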