You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@kudu.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/08/10 18:30:00 UTC

[jira] [Commented] (KUDU-1921) Add ability for clients to require authentication/encryption

    [ https://issues.apache.org/jira/browse/KUDU-1921?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17396832#comment-17396832 ] 

ASF subversion and git services commented on KUDU-1921:
-------------------------------------------------------

Commit 592ba3c5f7abfba43ee5ef1b339a4743006b6e3b in kudu's branch refs/heads/master from Attila Bukor
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=592ba3c ]

KUDU-1921 Add ability to require auth/encryption to C++ client

Kudu servers support requiring authentication and encryption to be
enabled, and clients prefer connecting in a secure way, but if a server
doesn't support authentication and/or encryption, the client will
silently connect insecurely, which can lead to a downgrade attack.

With this patch, clients can require authentication and encryption to be
set using the client API, where if such an attack is attempted, the
client will fail to connect to the cluster.

Change-Id: Ia3e800eb7c4e2f8787f0adf1f040d47358d29320
Reviewed-on: http://gerrit.cloudera.org:8080/17731
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <as...@cloudera.com>


> Add ability for clients to require authentication/encryption
> ------------------------------------------------------------
>
>                 Key: KUDU-1921
>                 URL: https://issues.apache.org/jira/browse/KUDU-1921
>             Project: Kudu
>          Issue Type: Improvement
>          Components: client, security
>    Affects Versions: 1.3.0
>            Reporter: Todd Lipcon
>            Assignee: Attila Bukor
>            Priority: Critical
>              Labels: roadmap-candidate
>
> Currently, the clients always operate in "optional" mode for authentication and encryption. This means that they are vulnerable to downgrade attacks by a MITM. We should provide APIs so that clients can be configured to prohibit downgrade when connecting to clusters they know to be secure.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)