Return-Path: <issues-return-40230-archive-asf-public=cust-asf.ponee.io@drill.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 75A8A200C86
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Wed, 26 Apr 2017 04:37:16 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 744BD160BB9; Wed, 26 Apr 2017 02:37:16 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id A06EC160BB8
	for <archive-asf-public@cust-asf.ponee.io>; Wed, 26 Apr 2017 04:37:15 +0200 (CEST)
Received: (qmail 67254 invoked by uid 500); 26 Apr 2017 02:37:14 -0000
Mailing-List: contact issues-help@drill.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@drill.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@drill.apache.org>
List-Post: <mailto:issues@drill.apache.org>
List-Id: <issues.drill.apache.org>
Reply-To: dev@drill.apache.org
Delivered-To: mailing list issues@drill.apache.org
Received: (qmail 67245 invoked by uid 99); 26 Apr 2017 02:37:14 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 26 Apr 2017 02:37:14 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id 68D281A0668
	for <issues@drill.apache.org>; Wed, 26 Apr 2017 02:37:14 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -100.002
X-Spam-Level: 
X-Spam-Status: No, score=-100.002 tagged_above=-999 required=6.31
	tests=[RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001,
	USER_IN_WHITELIST=-100] autolearn=disabled
Received: from mx1-lw-us.apache.org ([10.40.0.8])
	by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024)
	with ESMTP id VLY7qqbC6FnG for <issues@drill.apache.org>;
	Wed, 26 Apr 2017 02:37:12 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 676905FCCB
	for <issues@drill.apache.org>; Wed, 26 Apr 2017 02:37:09 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 23BEBE0DCD
	for <issues@drill.apache.org>; Wed, 26 Apr 2017 02:37:08 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 4D4D221E3D
	for <issues@drill.apache.org>; Wed, 26 Apr 2017 02:37:06 +0000 (UTC)
Date: Wed, 26 Apr 2017 02:37:06 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)" <jira@apache.org>
To: issues@drill.apache.org
Message-ID: <JIRA.12935747.1454359820000.51105.1493174226315@Atlassian.JIRA>
In-Reply-To: <JIRA.12935747.1454359820000@Atlassian.JIRA>
References: <JIRA.12935747.1454359820000@Atlassian.JIRA> <JIRA.12935747.1454359820542@jira-lw-us.apache.org>
Subject: [jira] [Commented] (DRILL-4335) Apache Drill should support network
 encryption
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Wed, 26 Apr 2017 02:37:16 -0000


    [ https://issues.apache.org/jira/browse/DRILL-4335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15984066#comment-15984066 ] 

ASF GitHub Bot commented on DRILL-4335:
---------------------------------------

Github user sudheeshkatkam commented on a diff in the pull request:

    https://github.com/apache/drill/pull/773#discussion_r113349330
  
    --- Diff: exec/rpc/src/main/java/org/apache/drill/exec/rpc/SaslEncryptionHandler.java ---
    @@ -0,0 +1,181 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + * http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.drill.exec.rpc;
    +
    +import io.netty.buffer.ByteBuf;
    +import io.netty.buffer.CompositeByteBuf;
    +import io.netty.channel.ChannelHandlerContext;
    +import io.netty.handler.codec.MessageToMessageEncoder;
    +
    +import org.apache.drill.exec.exception.OutOfMemoryException;
    +
    +import java.io.IOException;
    +import java.nio.ByteBuffer;
    +import java.nio.ByteOrder;
    +import java.util.List;
    +
    +import static com.google.common.base.Preconditions.checkArgument;
    +
    +
    +/**
    + * Handler to wrap the input Composite ByteBuf components separately and append the encrypted length for each
    + * component in the output ByteBuf. If there are multiple components in the input ByteBuf then each component will be
    + * encrypted individually and added to output ByteBuf with it's length prepended.
    + * <p>
    + * Example:
    + * <li>Input ByteBuf  --> [B1,B2] - 2 component ByteBuf of 16K byte each.
    + * <li>Output ByteBuf --> [[EBLN1, EB1], [EBLN2, EB2]] - List of ByteBuf's with each ByteBuf containing
    + *                    Encrypted Byte Length (EBLNx) in network order as per SASL RFC and Encrypted Bytes (EBx).
    + * </p>
    + */
    +class SaslEncryptionHandler extends MessageToMessageEncoder<ByteBuf> {
    +
    +  private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(
    +      SaslEncryptionHandler.class.getCanonicalName());
    +
    +  private final SaslCodec saslCodec;
    +
    +  private final int maxRawWrapSize;
    +
    +  private byte[] origMsgBuffer;
    +
    +  private final ByteBuffer lengthOctets;
    +
    +  private final OutOfMemoryHandler outOfMemoryHandler;
    +
    +  /**
    +   * We don't provide preference to allocator to use heap buffer instead of direct buffer.
    +   * Drill uses it's own buffer allocator which doesn't support heap buffer allocation. We use
    +   * Drill buffer allocator in the channel.
    +   */
    +  SaslEncryptionHandler(SaslCodec saslCodec, final int maxRawWrapSize, final OutOfMemoryHandler oomHandler) {
    +    this.saslCodec = saslCodec;
    +    this.maxRawWrapSize = maxRawWrapSize;
    +    this.outOfMemoryHandler = oomHandler;
    +
    +    // The maximum size of the component will be maxRawWrapSize. Since this is maximum size we can allocate once
    +    // and reuse it for each component encode.
    +    origMsgBuffer = new byte[this.maxRawWrapSize];
    +    lengthOctets = ByteBuffer.allocate(RpcConstants.LENGTH_FIELD_LENGTH);
    +    lengthOctets.order(ByteOrder.BIG_ENDIAN);
    +  }
    +
    +  @Override
    +  public void handlerAdded(ChannelHandlerContext ctx) throws Exception {
    +    super.handlerAdded(ctx);
    +    logger.trace("Added " + RpcConstants.SASL_ENCRYPTION_HANDLER + " handler!");
    +  }
    +
    +  @Override
    +  public void handlerRemoved(ChannelHandlerContext ctx) throws Exception {
    +    super.handlerRemoved(ctx);
    +    logger.trace("Removed " + RpcConstants.SASL_ENCRYPTION_HANDLER + " handler");
    +  }
    +
    +  public void encode(ChannelHandlerContext ctx, ByteBuf msg, List<Object> out) throws IOException {
    +
    +    if (!ctx.channel().isOpen()) {
    +      logger.debug("In " + RpcConstants.SASL_ENCRYPTION_HANDLER + " and channel is not open. " +
    +          "So releasing msg memory before encryption.");
    +      msg.release();
    +      return;
    +    }
    +
    +    try {
    +      // If encryption is enabled then this handler will always get ByteBuf of type Composite ByteBuf
    +      checkArgument(msg instanceof CompositeByteBuf);
    +
    +      final CompositeByteBuf cbb = (CompositeByteBuf) msg;
    +      int numComponents = cbb.numComponents();
    --- End diff --
    
    Why not a for loop with one index variable (rather than numComponents and currentIndex)?


> Apache Drill should support network encryption
> ----------------------------------------------
>
>                 Key: DRILL-4335
>                 URL: https://issues.apache.org/jira/browse/DRILL-4335
>             Project: Apache Drill
>          Issue Type: New Feature
>            Reporter: Keys Botzum
>            Assignee: Sorabh Hamirwasia
>              Labels: security
>         Attachments: ApacheDrillEncryptionUsingSASLDesign.pdf
>
>
> This is clearly related to Drill-291 but wanted to make explicit that this needs to include network level encryption and not just authentication. This is particularly important for the client connection to Drill which will often be sending passwords in the clear until there is encryption.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)