From: "ASF GitHub Bot (JIRA)" To: issues@drill.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (DRILL-4280) Kerberos Authentication MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Mon, 31 Oct 2016 20:15:04 -0000 [ https://issues.apache.org/jira/browse/DRILL-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15623250#comment-15623250 ] ASF GitHub Bot commented on DRILL-4280: --------------------------------------- Github user laurentgo commented on a diff in the pull request: https://github.com/apache/drill/pull/578#discussion_r85798971 --- Diff: contrib/native/client/src/clientlib/drillClientImpl.cpp --- 
@@ -1849,4 +2048,150 @@ void ZookeeperImpl:: debugPrint(){ } }
+typedef int (*sasl_callback_proc_t)(void); // see sasl_callback_ft
+
+static int SaslAuthenticatorImpl::userNameCallback(void *context, int id, const char **result, unsigned *len) {
+ const std::string* const username = (const std::string* const) context;
+
+ if ((SASL_CB_USER == id || SASL_CB_AUTHNAME == id)
+ && username != NULL) {
+ *result = username->c_str();
+// *len = (unsigned int) username->length();
+ }
+ return SASL_OK;
+}
+
+static int SaslAuthenticatorImpl::passwordCallback(sasl_conn_t *conn, void *context, int id, sasl_secret_t **psecret) {
+ const SaslAuthenticatorImpl* const authenticator = (const SaslAuthenticatorImpl* const) context;
+
+ if (SASL_CB_PASS == id) {
+ const std::string password = authenticator->m_password;
+ const size_t length = password.length();
+ authenticator->m_secret->len = length;
+ std::memcpy(authenticator->m_secret->data, password.c_str(), length);
+ *psecret = authenticator->m_secret;
+ }
+ return SASL_OK;
+}
+
+SaslAuthenticatorImpl::SaslAuthenticatorImpl(const DrillUserProperties* const properties) :
+ m_properties(properties), m_pConnection(NULL), m_secret(NULL), m_servicename(NULL), m_servicehost(NULL) {
+}
+
+SaslAuthenticatorImpl::~SaslAuthenticatorImpl() {
+ if (m_secret) {
+ free(m_secret);
+ }
+ // may be to use negotiated security layers before disposing in the future
+ if (m_pConnection) {
+ sasl_dispose(&m_pConnection);
+ }
+ m_pConnection = NULL;
+}
+
+int SaslAuthenticatorImpl::init(std::vector mechanisms,
+ std::string &chosenMech,
+ const char **out,
+ unsigned *outlen) {
+ // set params
+ std::string authMechanismToUse = NULL;
+ for (size_t i = 0; i < m_properties->size(); i++) {
+ const std::map::const_iterator it =
+ DrillUserProperties::USER_PROPERTIES.find(m_properties->keyAt(i));
+ if (it == DrillUserProperties::USER_PROPERTIES.end()) {
+ continue;
+ }
+ if (IS_BITSET((*it).second, USERPROP_FLAGS_USERNAME)) {
+ DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Setting name" << std::endl;)
+ m_username = m_properties->valueAt(i);
+ continue;
+ }
+ if (IS_BITSET((*it).second, USERPROP_FLAGS_PASSWORD)) {
+ DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Setting password" << std::endl;)
+ m_password = m_properties->valueAt(i);
+ m_secret = (sasl_secret_t *) malloc(sizeof(sasl_secret_t) + m_password.length());
+ authMechanismToUse = "plain";
+ continue;
+ }
+ if (IS_BITSET((*it).second, USERPROP_FLAGS_AUTH_MECHANISM)) {
+ DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Setting service name" << std::endl;)
+ authMechanismToUse = m_properties->valueAt(i);
+ continue;
+ }
+ if (IS_BITSET((*it).second, USERPROP_FLAGS_SERVICE_NAME)) {
+ DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Setting service name" << std::endl;)
+ m_servicename = m_properties->valueAt(i);
+ continue;
+ }
+ if (IS_BITSET((*it).second, USERPROP_FLAGS_SERVICE_HOST)) {
+ DRILL_MT_LOG(DRILL_LOG(LOG_TRACE) << "Setting service host" << std::endl;)
+ m_servicehost = m_properties->valueAt(i);
+ }
+ }
+ if (authMechanismToUse == NULL) {
+ return SASL_NOMECH;
+ }
+
+ bool isSupportedByServer = false;
+ for (size_t i = 0; i < mechanisms.size(); i++) {
--- End diff -- you can use the find function... > Kerberos Authentication > ----------------------- > > Key: DRILL-4280 > URL: https://issues.apache.org/jira/browse/DRILL-4280 > Project: Apache Drill > Issue Type: Improvement > Reporter: Keys Botzum > Assignee: Chunhui Shi > Labels: security > > Drill should support Kerberos based authentication from clients. This means that both the ODBC and JDBC drivers as well as the web/REST interfaces should support inbound Kerberos. For Web this would most likely be SPNEGO while for ODBC and JDBC this will be more generic Kerberos. > Since Hive and much of Hadoop supports Kerberos there is a potential for a lot of reuse of ideas if not implementation. 
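Review bot: In `init`, `std::string authMechanismToUse = NULL;` constructs a std::string from a null pointer, which is undefined behaviour (libstdc++ throws `std::logic_error`), and the later `authMechanismToUse == NULL` has the same problem; declare it as `std::string authMechanismToUse;` and test `authMechanismToUse.empty()`. In the same loop the password branch sets the mechanism to `"plain"` unconditionally, so whether an explicitly requested mechanism survives depends on property order: if the password property is seen after the auth-mechanism property, the client would appear to fall back to PLAIN, which hands the cleartext password to the server. Consider dropping that assignment and defaulting only when nothing was requested, e.g. `if (authMechanismToUse.empty() && m_secret != NULL) authMechanismToUse = "plain";` after the loop. `init` continues past the end of the quoted hunk, so the mechanism selection that follows is not visible here.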
> Note that this is related to but not the same as https://issues.apache.org/jira/browse/DRILL-3584