drill-issues mailing list archives

From "Sorabh Hamirwasia (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-5881) Java Client: [Threat Modeling] Drillbit may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of Drillbit
Date Wed, 18 Oct 2017 05:23:00 GMT

    [ https://issues.apache.org/jira/browse/DRILL-5881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16208829#comment-16208829
] 

Sorabh Hamirwasia commented on DRILL-5881:
------------------------------------------

This change introduces stricter checks on the client side for security negotiation between the client
and Drillbit. Before this patch, Drillbit was dictating to the client side whether it needs authentication
or not, and the client was abiding by that. But with this PR we are checking for an indication from the
client connection URL whether it needs the underlying connection to be secure or not. If the client
needs a secure connection and Drillbit is not configured for security, then the client will fail
the connection.

This is a change in behavior w.r.t. current functionality, since with the presence of username & password
in the connection URL, DrillClient will now take that as an indication of an authenticated connection
request, and if the server doesn't support authentication then the DrillClient connection will fail.
Whereas currently, if the server is not secured, then the username and password are ignored. So with
this patch any client connection URL which has username & password in it and is trying to connect
to an unsecured cluster will fail.

> Java Client: [Threat Modeling] Drillbit may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of Drillbit
> ----------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DRILL-5881
>                 URL: https://issues.apache.org/jira/browse/DRILL-5881
>             Project: Apache Drill
>          Issue Type: Sub-task
>          Components: Client - Java
>    Affects Versions: 1.10.0
>            Reporter: Sorabh Hamirwasia
>            Assignee: Sorabh Hamirwasia
>             Fix For: 1.12.0
>
>




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
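An added model of the client-side negotiation change the comment describes (example code, not Drill's own): it contrasts the pre-patch behaviour, where a server that advertises no authentication makes the client silently drop its credentials, with the post-patch behaviour, where credentials in the connection URL make the client fail closed against such a server. The connection-string format, the `ServerHello` shape and the function names are assumptions.

```python
# Constructed model of the DRILL-5881 client-side check. Not Drill's code;
# the URL format, ServerHello shape and function names are assumptions.
from dataclasses import dataclass, field


@dataclass
class ServerHello:
    """What a (possibly spoofed) Drillbit announces during the handshake."""
    auth_mechanisms: list = field(default_factory=list)  # e.g. ["PLAIN", "KERBEROS"]


def parse_connection_props(url: str) -> dict:
    """Parse 'jdbc:drill:zk=zk1:2181;user=alice;password=x' (assumed form)."""
    prefix = "jdbc:drill:"
    if not url.startswith(prefix):
        raise ValueError("not a Drill connection URL")
    props = {}
    for part in url[len(prefix):].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            props[key.strip().lower()] = value
    return props


def client_wants_auth(props: dict) -> bool:
    """Credentials in the URL are the client's request for an authenticated connection."""
    return "user" in props and "password" in props


def negotiate_old(props: dict, hello: ServerHello) -> str:
    """Pre-patch: the server dictates. Credentials are ignored if it offers no auth,
    so a spoofed Drillbit advertising nothing gets a plain, trusted connection."""
    if not hello.auth_mechanisms:
        return "plain"
    if not client_wants_auth(props):
        raise ConnectionError("server requires authentication but no credentials given")
    return "authenticated"


def negotiate_new(props: dict, hello: ServerHello) -> str:
    """Post-patch: the client's own URL decides whether the connection must be secure."""
    wants_auth = client_wants_auth(props)
    if wants_auth and not hello.auth_mechanisms:
        # Fail closed instead of downgrading to an unauthenticated connection.
        raise ConnectionError("client requires authentication but Drillbit offers none")
    if hello.auth_mechanisms and not wants_auth:
        raise ConnectionError("server requires authentication but no credentials given")
    return "authenticated" if wants_auth else "plain"
```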