Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 5BDA0200C59 for ; Mon, 17 Apr 2017 09:42:50 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 5A9C6160BAB; Mon, 17 Apr 2017 07:42:50 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id A9F78160BAE for ; Mon, 17 Apr 2017 09:42:49 +0200 (CEST) Received: (qmail 94165 invoked by uid 500); 17 Apr 2017 07:42:48 -0000 Mailing-List: contact issues-help@drill.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@drill.apache.org Delivered-To: mailing list issues@drill.apache.org Received: (qmail 94156 invoked by uid 99); 17 Apr 2017 07:42:48 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 17 Apr 2017 07:42:48 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 7B007C0B41 for ; Mon, 17 Apr 2017 07:42:48 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -100.002 X-Spam-Level: X-Spam-Status: No, score=-100.002 tagged_above=-999 required=6.31 tests=[RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id Sb0Nz22_G0ij for ; Mon, 17 Apr 2017 07:42:47 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 84FE7623EC for ; Mon, 17 Apr 2017 07:42:45 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id EFF55E0A31 for ; Mon, 17 Apr 2017 07:42:44 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 4F12C240A0 for ; Mon, 17 Apr 2017 07:42:43 +0000 (UTC) Date: Mon, 17 Apr 2017 07:42:43 +0000 (UTC) From: "ASF GitHub Bot (JIRA)" To: issues@drill.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (DRILL-4335) Apache Drill should support network encryption MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Mon, 17 Apr 2017 07:42:50 -0000 [ https://issues.apache.org/jira/browse/DRILL-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15970779#comment-15970779 ] ASF GitHub Bot commented on DRILL-4335: --------------------------------------- Github user sohami commented on a diff in the pull request: https://github.com/apache/drill/pull/773#discussion_r111646250 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/rpc/BitConnectionConfig.java --- @@ -46,16 +47,40 @@ protected BitConnectionConfig(BufferAllocator allocator, BootStrapContext contex super(allocator, context); final DrillConfig config = context.getConfig(); + final AuthenticatorProvider authProvider = getAuthProvider(); + if (config.getBoolean(ExecConstants.BIT_AUTHENTICATION_ENABLED)) { this.authMechanismToUse = config.getString(ExecConstants.BIT_AUTHENTICATION_MECHANISM); try { - getAuthProvider().getAuthenticatorFactory(authMechanismToUse); + authProvider.getAuthenticatorFactory(authMechanismToUse); } catch (final SaslException e) { throw new DrillbitStartupException(String.format( "'%s' mechanism not found for bit-to-bit authentication. Please check authentication configuration.", authMechanismToUse)); } - logger.info("Configured bit-to-bit connections to require authentication using: {}", authMechanismToUse); + + // Update encryption related configurations + encryptionContext.setEncryption(config.getBoolean(ExecConstants.BIT_SASL_ENCRYPTION_ENABLED)); + + int maxEncodeSize = config.getInt(ExecConstants.BIT_SASL_ENCRYPTION_ENCODESIZE); + + if(maxEncodeSize > RpcConstants.MAX_WRAP_SIZE) { + logger.warn("Setting bit.sasl.encryption.encodesize to maximum allowed value of 16MB"); + maxEncodeSize = RpcConstants.MAX_WRAP_SIZE; + } + encryptionContext.setWrappedChunkSize(maxEncodeSize); + + if (encryptionContext.isEncryptionEnabled() && authProvider.isOnlyPlainConfigured()) { + throw new DrillbitStartupException("Encryption is enabled but only PLAIN mechanism is configured." + + " Please check the security.bit configurations."); + } + + logger.info("Configured bit-to-bit connections to require authentication using: {} with encryption: {}", + authMechanismToUse, encryptionContext.getEncryptionString()); + + } else if (config.getBoolean(ExecConstants.BIT_SASL_ENCRYPTION_ENABLED)) { + throw new DrillbitStartupException("Invalid security configuration. Encryption is enabled with authentication " + --- End diff -- Fixed > Apache Drill should support network encryption > ---------------------------------------------- > > Key: DRILL-4335 > URL: https://issues.apache.org/jira/browse/DRILL-4335 > Project: Apache Drill > Issue Type: New Feature > Reporter: Keys Botzum > Assignee: Sorabh Hamirwasia > Labels: security > Attachments: ApacheDrillEncryptionUsingSASLDesign.pdf > > > This is clearly related to Drill-291 but wanted to make explicit that this needs to include network level encryption and not just authentication. This is particularly important for the client connection to Drill which will often be sending passwords in the clear until there is encryption. -- This message was sent by Atlassian JIRA (v6.3.15#6346)