drill-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-4280) Kerberos Authentication
Date Tue, 07 Feb 2017 18:52:41 GMT

    [ https://issues.apache.org/jira/browse/DRILL-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15856538#comment-15856538
] 

ASF GitHub Bot commented on DRILL-4280:
---------------------------------------

Github user sudheeshkatkam commented on a diff in the pull request:

    https://github.com/apache/drill/pull/578#discussion_r99898478
  
    --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserClientAuthenticationHandler.java
---
    @@ -0,0 +1,229 @@
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *    http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.drill.exec.rpc.user;
    +
    +import com.google.common.collect.ImmutableMap;
    +import com.google.common.util.concurrent.SettableFuture;
    +import com.google.protobuf.ByteString;
    +import io.netty.buffer.ByteBuf;
    +import org.apache.drill.exec.proto.UserProtos.RpcType;
    +import org.apache.drill.exec.proto.UserProtos.SaslMessage;
    +import org.apache.drill.exec.proto.UserProtos.SaslStatus;
    +import org.apache.drill.exec.rpc.RpcException;
    +import org.apache.drill.exec.rpc.RpcOutcomeListener;
    +import org.apache.hadoop.security.UserGroupInformation;
    +
    +import javax.security.sasl.SaslClient;
    +import javax.security.sasl.SaslException;
    +import java.io.IOException;
    +import java.lang.reflect.UndeclaredThrowableException;
    +import java.security.PrivilegedExceptionAction;
    +
    +import static com.google.common.base.Preconditions.checkNotNull;
    +
    +// package private
    +class UserClientAuthenticationHandler implements RpcOutcomeListener<SaslMessage>
{
    +  private static final org.slf4j.Logger logger =
    +      org.slf4j.LoggerFactory.getLogger(UserClientAuthenticationHandler.class);
    +
    +  private static final ImmutableMap<SaslStatus, SaslChallengeProcessor> CHALLENGE_PROCESSORS
=
    +      ImmutableMap.<SaslStatus, SaslChallengeProcessor>builder()
    +          .put(SaslStatus.SASL_IN_PROGRESS, new SaslInProgressProcessor())
    +          .put(SaslStatus.SASL_SUCCESS, new SaslSuccessProcessor())
    +          .put(SaslStatus.SASL_FAILED, new SaslFailedProcessor())
    +          .build();
    +
    +  private final UserClient client;
    +  private final UserGroupInformation ugi;
    +  private final SettableFuture<Void> settableFuture;
    +
    +  public UserClientAuthenticationHandler(UserClient client, UserGroupInformation ugi,
    +                                         SettableFuture<Void> settableFuture) {
    +    this.client = client;
    +    this.ugi = ugi;
    +    this.settableFuture = settableFuture;
    +  }
    +
    +  public void initiate(final String mechanismName) {
    +    try {
    +      final ByteString responseData;
    +      final SaslClient saslClient = client.getSaslClient();
    +      if (saslClient.hasInitialResponse()) {
    +        responseData = ByteString.copyFrom(evaluateChallenge(ugi, saslClient, new byte[0]));
    +      } else {
    +        responseData = ByteString.EMPTY;
    +      }
    +      client.send(new UserClientAuthenticationHandler(client, ugi, settableFuture),
    +          RpcType.SASL_MESSAGE,
    +          SaslMessage.newBuilder()
    +              .setMechanism(mechanismName)
    +              .setStatus(SaslStatus.SASL_START)
    +              .setData(responseData)
    +              .build(),
    +          SaslMessage.class);
    +      logger.trace("Initiated SASL exchange.");
    +    } catch (final Exception e) {
    +      settableFuture.setException(e);
    +    }
    +  }
    +
    +  @Override
    +  public void failed(RpcException ex) {
    +    settableFuture.setException(new SaslException("Unexpected failure", ex));
    +  }
    +
    +  @Override
    +  public void success(SaslMessage value, ByteBuf buffer) {
    +    logger.trace("Server responded with message of type: {}", value.getStatus());
    +    final SaslChallengeProcessor processor = CHALLENGE_PROCESSORS.get(value.getStatus());
    +    if (processor == null) {
    +      settableFuture.setException(new SaslException("Server sent a corrupt message."));
    +    } else {
    +      try {
    +        final SaslChallengeContext context =
    +            new SaslChallengeContext(value, client.getSaslClient(), ugi, settableFuture);
    +
    +        final SaslMessage saslResponse = processor.process(context);
    +
    +        if (saslResponse != null) {
    +          client.send(new UserClientAuthenticationHandler(client, ugi, settableFuture),
    +              RpcType.SASL_MESSAGE, saslResponse, SaslMessage.class,
    +              true /** the connection will not be backed up at this point */);
    +        } else {
    +          // success
    +          client.disposeSaslClient();
    +          settableFuture.set(null);
    +        }
    +      } catch (final Exception e) {
    +        try {
    +          client.disposeSaslClient();
    +        } catch (Exception ignored) {
    +          //ignored
    +        }
    +        settableFuture.setException(e);
    +      }
    +    }
    +  }
    +
    +  @Override
    +  public void interrupted(InterruptedException e) {
    +    settableFuture.setException(e);
    +  }
    +
    +  private static class SaslChallengeContext {
    +
    +    final SaslMessage challenge;
    +    final SaslClient saslClient;
    +    final UserGroupInformation ugi;
    +    final SettableFuture<Void> settableFuture;
    +
    +    public SaslChallengeContext(SaslMessage challenge, SaslClient saslClient, UserGroupInformation
ugi,
    +                                SettableFuture<Void> settableFuture) {
    +      this.challenge = checkNotNull(challenge);
    +      this.saslClient = checkNotNull(saslClient);
    +      this.ugi = checkNotNull(ugi);
    +      this.settableFuture = checkNotNull(settableFuture);
    +    }
    +  }
    +
    +  private interface SaslChallengeProcessor {
    +
    +    /**
    +     * Process challenge from server, and return a response.
    +     *
    +     * Returns null iff SASL exchange is complete and successful.
    +     *
    +     * @param context challenge context
    +     * @return response
    +     * @throws Exception
    +     */
    +    SaslMessage process(SaslChallengeContext context) throws Exception;
    +
    +  }
    +
    +  private static class SaslInProgressProcessor implements SaslChallengeProcessor {
    +
    +    @Override
    +    public SaslMessage process(SaslChallengeContext context) throws Exception {
    +      final SaslMessage.Builder response = SaslMessage.newBuilder();
    +
    +      final byte[] responseBytes = evaluateChallenge(context.ugi, context.saslClient,
    +          context.challenge.getData().toByteArray());
    +
    +      final boolean isComplete = context.saslClient.isComplete();
    +      logger.trace("Evaluated challenge. Completed? {}.", isComplete);
    +      response.setData(responseBytes != null ? ByteString.copyFrom(responseBytes) : ByteString.EMPTY);
    +      // if isComplete, the client will get one more response from server
    +      response.setStatus(isComplete ? SaslStatus.SASL_SUCCESS : SaslStatus.SASL_IN_PROGRESS);
    +      return response.build();
    +    }
    +  }
    +
    +  private static class SaslSuccessProcessor implements SaslChallengeProcessor {
    +
    +    @Override
    +    public SaslMessage process(SaslChallengeContext context) throws Exception {
    +      if (context.saslClient.isComplete()) {
    +        logger.trace("Successfully authenticated to server using {}", context.saslClient.getMechanismName());
    +        return null;
    +      } else {
    +
    +        // server completed before client; so try once, fail otherwise
    +        evaluateChallenge(context.ugi, context.saslClient,
    +            context.challenge.getData().toByteArray()); // discard response
    +
    +        if (context.saslClient.isComplete()) {
    +          logger.trace("Successfully authenticated to server using {}", context.saslClient.getMechanismName());
    +          return null;
    +        } else {
    +          throw new SaslException("Server allegedly succeeded authentication, but client
did not. Suspicious?");
    +        }
    +      }
    +    }
    +  }
    +
    +  private static class SaslFailedProcessor implements SaslChallengeProcessor {
    +
    +    @Override
    +    public SaslMessage process(SaslChallengeContext context) throws Exception {
    +      throw new SaslException("Authentication failed. Incorrect credentials?");
    --- End diff --
    
    Typically the client is not notified why auth failed, except that something went wrong.


> Kerberos Authentication
> -----------------------
>
>                 Key: DRILL-4280
>                 URL: https://issues.apache.org/jira/browse/DRILL-4280
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: Keys Botzum
>            Assignee: Sudheesh Katkam
>              Labels: security
>
> Drill should support Kerberos based authentication from clients. This means that both
the ODBC and JDBC drivers as well as the web/REST interfaces should support inbound Kerberos.
For Web this would most likely be SPNEGO while for ODBC and JDBC this will be more generic
Kerberos.
> Since Hive and much of Hadoop supports Kerberos there is a potential for a lot of reuse
of ideas if not implementation.
> Note that this is related to but not the same as https://issues.apache.org/jira/browse/DRILL-3584




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message