drill-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-5943) Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism
Date Tue, 14 Nov 2017 23:41:00 GMT

    [ https://issues.apache.org/jira/browse/DRILL-5943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16252695#comment-16252695 ]

ASF GitHub Bot commented on DRILL-5943:
---------------------------------------

Github user priteshm commented on the issue:

    https://github.com/apache/drill/pull/1028
  
    @parthchandra can you please review this?


> Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism
> -------------------------------------------------------------------
>
>                 Key: DRILL-5943
>                 URL: https://issues.apache.org/jira/browse/DRILL-5943
>             Project: Apache Drill
>          Issue Type: Improvement
>    Affects Versions: 1.12.0
>            Reporter: Sorabh Hamirwasia
>            Assignee: Sorabh Hamirwasia
>              Labels: ready-to-commit
>             Fix For: 1.12.0
>
>
> For the PLAIN mechanism we will weaken the strong check introduced with DRILL-5582 to keep
> the forward compatibility between a Drill 1.12 client and a Drill 1.9 server. This is fine since,
> with and without this strong check, the PLAIN mechanism is still vulnerable to MITM during the handshake
> itself, unlike mutual authentication protocols like Kerberos.
> Also, for keeping forward compatibility with respect to SASL, we will treat UNKNOWN_SASL_SUPPORT
> as a valid value. For a handshake message received from a client which is running on a later version
> (let's say 1.13) than the Drillbit (1.12) and having a new value for the SaslSupport field which is
> unknown to the server, this field will be decoded as UNKNOWN_SASL_SUPPORT. In this scenario the client
> will be treated as one aware of the SASL protocol, but the server doesn't know the exact capabilities
> of the client. Hence the SASL handshake will still be required from the server side.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
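The server-side rule in the quoted issue description, written out as an added example in Python (this is not Drill's own code): a SaslSupport value the Drillbit does not recognise is decoded as UNKNOWN_SASL_SUPPORT, the client is still treated as SASL-aware, and the SASL handshake is required because the server cannot know the client's exact capabilities. UNKNOWN_SASL_SUPPORT is the only name taken from the page; the other enum names (SASL_AUTH, SASL_PRIVACY), the wire numbers, the handshake inputs and the sample values are assumptions made for this example.

```python
"""Forward-compatible handling of the SaslSupport handshake field.

Added example, not Drill's own code: it models the server-side behaviour
described in DRILL-5943 for a client handshake whose SaslSupport value is
newer than the Drillbit understands. UNKNOWN_SASL_SUPPORT is the value named
in the issue; the other enum names, the wire numbers and the handshake
inputs are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class SaslSupport(IntEnum):
    """Client-advertised SASL capability (wire numbers assumed)."""
    UNKNOWN_SASL_SUPPORT = 0   # named in the issue; also the decode fallback
    SASL_AUTH = 1              # assumed name: client can authenticate via SASL
    SASL_PRIVACY = 2           # assumed name: client can also negotiate encryption


def decode_sasl_support(raw: int) -> SaslSupport:
    """Decode the wire value the way a forward-compatible enum reader does.

    A number this build does not know (for example one added by a later client
    release) collapses to UNKNOWN_SASL_SUPPORT instead of aborting the
    handshake; negative or non-integer input is rejected outright.
    """
    if not isinstance(raw, int) or raw < 0:
        raise ValueError(f"invalid SaslSupport wire value: {raw!r}")
    try:
        return SaslSupport(raw)
    except ValueError:
        return SaslSupport.UNKNOWN_SASL_SUPPORT


@dataclass(frozen=True)
class HandshakeDecision:
    sasl_support: SaslSupport       # value as the server decoded it
    client_sasl_aware: bool         # client is treated as speaking SASL
    capabilities_known: bool        # server knows the exact client capabilities
    sasl_handshake_required: bool   # server will run the SASL exchange
    reason: str


def decide_sasl_handshake(raw_sasl_support: int,
                          server_auth_enabled: bool) -> HandshakeDecision:
    """Server-side decision for one inbound client handshake."""
    support = decode_sasl_support(raw_sasl_support)
    # Per DRILL-5943, UNKNOWN_SASL_SUPPORT is a valid value: the client is still
    # treated as SASL-aware; only its exact capabilities are unknown.
    capabilities_known = support is not SaslSupport.UNKNOWN_SASL_SUPPORT
    if not server_auth_enabled:
        return HandshakeDecision(support, True, capabilities_known, False,
                                 "server has no authentication configured")
    reason = ("exact client capabilities known" if capabilities_known
              else "capabilities unknown; SASL handshake still required")
    return HandshakeDecision(support, True, capabilities_known, True, reason)


if __name__ == "__main__":
    # Constructed wire values: 1 = a 1.12-era client, 3 = a hypothetical later
    # client advertising a value this server has never seen.
    for raw in (1, 3):
        d = decide_sasl_handshake(raw, server_auth_enabled=True)
        print(f"raw={raw} decoded={d.sasl_support.name} "
              f"handshake_required={d.sasl_handshake_required} ({d.reason})")
```

The point the example makes is that an unrecognised enum value is not an error path: it degrades to "SASL-aware with unknown capabilities", which still routes the client through the SASL handshake rather than letting it skip authentication.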
