drill-user mailing list archives

From: Sorabh Hamirwasia <shamirwa...@mapr.com>
Subject: Re: Using SASL encryption from Clients to Drillbits
Date: Fri, 30 Jun 2017 04:38:46 GMT
Hi Knapp,

The SASL PLAIN mechanism doesn't support encryption [1], hence encryption is, as of now, only
available via Kerberos. The LDAP module which you have configured for Drill will work as an
authenticator module in the PLAIN mechanism, and you won't be able to use encryption capabilities
with it.

Also, there is no connection parameter named sasl_enabled on the client side. In the default case
you don't have to provide or set any connection parameters on the client side.


[1]: https://tools.ietf.org/html/rfc4616

    "The PLAIN mechanism should not be used without adequate data security protection as this
    mechanism affords no integrity or confidentiality protections itself."



Thanks,
Sorabh
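As an added illustration of the RFC 4616 point quoted above (example code written for this page, not part of the thread and not Drill project code): the PLAIN initial response is just `[authzid] NUL authcid NUL passwd`, and the mechanism negotiates no security layer, so anyone who can read the connection can read the password. The encoder/decoder below is a straightforward RFC 4616 implementation; the "captured" base64 sample is constructed, SASLprep is skipped (assumed ASCII input), and the transport encoding shown is the base64 that text protocols such as SMTP use, which is encoding, not encryption.

```python
import base64

NUL = b"\x00"


def build_plain(authcid: str, passwd: str, authzid: str = "") -> bytes:
    """Encode a PLAIN initial client response (RFC 4616, section 2):
    [authzid] NUL authcid NUL passwd, each field UTF-8.
    RFC 4616 also calls for SASLprep on every field; this example assumes
    ASCII input and skips that step."""
    for name, value in (("authzid", authzid), ("authcid", authcid), ("passwd", passwd)):
        if "\x00" in value:
            raise ValueError(f"{name} must not contain NUL")
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return NUL.join(s.encode("utf-8") for s in (authzid, authcid, passwd))


def parse_plain(message: bytes) -> dict:
    """Decode a PLAIN message the way a server, or a passive observer, would.
    Malformed input is rejected rather than guessed at: exactly two NUL
    separators, and both authcid and passwd present."""
    parts = message.split(NUL)
    if len(parts) != 3:
        raise ValueError(f"expected exactly two NUL separators, found {len(parts) - 1}")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return {"authzid": authzid, "authcid": authcid, "passwd": passwd}


def is_valid_plain(message: bytes) -> bool:
    """True if the bytes are a well-formed PLAIN response."""
    try:
        parse_plain(message)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


# Constructed sample (not a real capture): the PLAIN response for user
# "alice" with password "s3cret!" as a text protocol would carry it on an
# unprotected connection. base64 is a transport encoding, not a cipher.
CAPTURED_B64 = "AGFsaWNlAHMzY3JldCE="


def recover_credentials(captured_b64: str) -> tuple:
    """Undo the transport encoding and read the credentials off the wire.
    Nothing here is cryptographic: PLAIN negotiates no security layer
    (the negotiated Sasl.QOP is just "auth"), so integrity and
    confidentiality have to come from somewhere else, e.g. TLS underneath
    or a mechanism such as GSSAPI/Kerberos that offers auth-conf."""
    fields = parse_plain(base64.b64decode(captured_b64))
    return fields["authcid"], fields["passwd"]


if __name__ == "__main__":
    wire = build_plain("alice", "s3cret!")
    print("bytes on the wire:", wire)
    print("recovered by an observer:", recover_credentials(CAPTURED_B64))
```

The parser is deliberately strict (fixed field count, non-empty authcid and passwd) because a lenient server-side decoder that tolerates a missing separator can end up treating the password as the authorization identity; the point for the thread is simply that there is nothing to decrypt.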

________________________________
From: Knapp, Michael <Michael.Knapp@capitalone.com>
Sent: Thursday, June 29, 2017 12:36 PM
To: user@drill.apache.org; shamirwasia@maprtech.com
Cc: Yalamanchilli, Leela
Subject: Using SASL encryption from Clients to Drillbits


Hi,



I am having trouble using SASL encryption between my SQL Workbench client and Drill. I am
not trying to set up encryption between Drillbit nodes, just between clients and Drillbits.

I have been using this commit <https://github.com/apache/drill/pull/773/files> as my
reference.

Here is what I have done:

· I built Drill from source and deployed it. This was using the 1.11.0-SNAPSHOT as of
  yesterday (June 28).

· I started Drill with DRILLBIT_JAVA_OPTS including
  “-Ddrill.exec.security.user.encryption.sasl.enabled=true”.

· Note that my Drill also has a custom LDAP authenticator written that is configured in my
  drill-module.conf and works. So “drill.exec.security.user.auth.enabled” is set to true and
  “drill.exec.security.user.auth.impl” is set to “ldap”. The “ldap” mechanism is provided by a
  jar I wrote.

· I use my own LDAP username and password when connecting to the drillbit; this has always
  worked in the past.

· I updated my SQL Workbench driver to use all of the jars from the distribution I just built.

· In my SQL Workbench connection configuration, I have added two extended properties:
  “sasl_enabled”, which is set to “true”, and “auth”, which I am not sure what to set to.



I have attempted connecting with auth set to “plain”, “Kerberos”, “ldap”, “otp”, “SKEY”,
“PAM”, and “EXTERNAL”. Every time, it was either not a supported authentication mechanism,
or it was supported but the mechanism did not support the configured security layers.



Example failure messages:

When using “ldap” as the “auth” mechanism:

Failure in connecting to Drill: oadd.org.apache.drill.exec.rpc.NonTransientRpcException: javax.security.sasl.SaslException: Authentication failed. [Details: Encryption: enabled , MaxWrappedSize: 65536 , WrapSizeLimit: 0, Error Unknown mechanism: ldap] [Caused by javax.security.sasl.SaslException: Unknown mechanism: ldap]

When using “plain” as the “auth” mechanism:

Failure in connecting to Drill: oadd.org.apache.drill.exec.rpc.NonTransientRpcException: javax.security.sasl.SaslException: Authentication failed. [Details: Encryption: enabled , MaxWrappedSize: 65536 , WrapSizeLimit: 0, Error Cannot initiate authentication using PLAIN mechanism. Insufficient credentials or selected mechanism doesn't support configured security layers?] [Caused by javax.security.sasl.SaslException: Cannot initiate authentication using PLAIN mechanism. Insufficient credentials or selected mechanism doesn't support configured security layers?]

Please let me know what I am missing here.

Michael Knapp



