Posted to issues@drill.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/11/08 01:11:00 UTC

[jira] [Commented] (DRILL-5943) Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism

    [ https://issues.apache.org/jira/browse/DRILL-5943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16243208#comment-16243208 ] 

ASF GitHub Bot commented on DRILL-5943:
---------------------------------------

GitHub user sohami opened a pull request:

    https://github.com/apache/drill/pull/1028

    DRILL-5943: Avoid the strong check introduced by DRILL-5582 for PLAIN…

    … mechanism

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/sohami/drill DRILL-5943

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/drill/pull/1028.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1028
    
----
commit 708dbc203b63700fb520445e585826a5c1e911e4
Author: Sorabh Hamirwasia <sh...@maprtech.com>
Date:   2017-11-07T23:27:45Z

    DRILL-5943: Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism

----


> Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism
> -------------------------------------------------------------------
>
>                 Key: DRILL-5943
>                 URL: https://issues.apache.org/jira/browse/DRILL-5943
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: Sorabh Hamirwasia
>            Assignee: Sorabh Hamirwasia
>             Fix For: 1.12.0
>
>
> For the PLAIN mechanism we will weaken the strong check introduced with DRILL-5582 to keep the forward compatibility between a Drill 1.12 client and a Drill 1.9 server. This is fine since, with and without this strong check, the PLAIN mechanism is still vulnerable to MITM during the handshake itself, unlike mutual authentication protocols like Kerberos.
> Also, for keeping forward compatibility with respect to SASL, we will treat UNKNOWN_SASL_SUPPORT as a valid value. For a handshake message received from a client which is running on a later version (let's say 1.13) than the Drillbit (1.12) and having a new value for the SaslSupport field which is unknown to the server, this field will be decoded as UNKNOWN_SASL_SUPPORT. In this scenario the client will be treated as one aware of the SASL protocol, but the server doesn't know the exact capabilities of the client. Hence the SASL handshake will still be required from the server side.
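The forward-compatibility behaviour described in the issue (an unknown SaslSupport value decoding to UNKNOWN_SASL_SUPPORT, the client then being treated as SASL-aware while the server assumes nothing more about its capabilities) can be modelled in a few lines. The following is an added example written for this page, not Drill's own code: the enum member names come from the issue, but the numeric values, the SASL_AUTH/SASL_PRIVACY members, the decision labels and the rule that an encryption-requiring server rejects a client whose privacy support is unknown are all assumptions made for the example.

```python
from enum import IntEnum
from typing import Optional

# Assumed enum, modelled on the SaslSupport field of the Drill user handshake.
# UNKNOWN_SASL_SUPPORT is the name used in DRILL-5943; the numeric values and
# the other two members are assumptions for this example.
class SaslSupport(IntEnum):
    UNKNOWN_SASL_SUPPORT = 0
    SASL_AUTH = 1
    SASL_PRIVACY = 2


def decode_sasl_support(wire_value: int) -> SaslSupport:
    """Decode the SaslSupport field the way a proto2-style enum decoder treats
    it: a numeric value the server's schema does not know (sent by a newer
    client) maps to the default member, UNKNOWN_SASL_SUPPORT, rather than
    failing the handshake."""
    try:
        return SaslSupport(wire_value)
    except ValueError:
        return SaslSupport.UNKNOWN_SASL_SUPPORT


def is_sasl_aware(sasl_support: Optional[SaslSupport]) -> bool:
    """A client that sent the field at all, even with an unknown value, is
    SASL-aware; a client that omitted the field is a pre-SASL (legacy) client."""
    return sasl_support is not None


def server_decision(sasl_support_wire: Optional[int],
                    server_auth_enabled: bool,
                    server_encryption_enabled: bool) -> str:
    """Return the server's next step for one handshake. The labels are this
    example's own:
      'no_auth'           server has no authentication configured
      'legacy'            client omitted the SaslSupport field
      'sasl_privacy'      client advertised SASL_PRIVACY, negotiate encryption
      'reject_no_privacy' server requires encryption but the client's privacy
                          support is absent or unknown (fail closed, assumed)
      'sasl_handshake'    client is SASL-aware; server requires the SASL
                          handshake and assumes nothing beyond authentication
    """
    if not server_auth_enabled:
        return "no_auth"
    support = (None if sasl_support_wire is None
               else decode_sasl_support(sasl_support_wire))
    if not is_sasl_aware(support):
        return "legacy"
    if server_encryption_enabled:
        # UNKNOWN_SASL_SUPPORT tells the server only that the client speaks
        # SASL, not that it can do privacy, so do not assume it can.
        if support == SaslSupport.SASL_PRIVACY:
            return "sasl_privacy"
        return "reject_no_privacy"
    # SASL_AUTH or UNKNOWN_SASL_SUPPORT: SASL handshake is still required.
    return "sasl_handshake"


if __name__ == "__main__":
    # Constructed handshake values: a 1.13 client sending a value (99) that a
    # 1.12 server has never seen, next to a legacy client and a privacy client.
    for wire, auth, enc in [(99, True, False), (None, True, False),
                            (2, True, True), (99, True, True), (1, False, False)]:
        print(wire, auth, enc, "->", server_decision(wire, auth, enc))
```

The point of `decode_sasl_support` is that the unknown value degrades to a conservative default instead of a parse failure, and the point of `server_decision` is that the default grants the client nothing beyond "knows SASL": authentication is still enforced, and any capability the server cannot confirm (here, encryption) is not assumed.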



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)