Hi All, We recently added a check (as part of DRILL-5582<https://issues.apache.org/jira/browse/DRILL-5582>) on DrillClient side to enforce that if client showed intent for authentication and Drillbit say's it doesn't require authentication then connection will fail with proper error message.
With this change we found a hidden issue w.r.t forward compatibility of Drill. New clients running on 1.11+ authenticating to older Drillbit running on 1.10 are treated as client running without any SASL support or (<=1.9 version). The root cause for this issue is as follows: In 1.10 a new field SASL_SUPPORT was introduced in Handshake message between DrillCilent and Drillbit. The supported values for that field are: Drill 1.10: [1] enum SASL_SUPPORT { UNKNOWN_SASL_SUPPORT = 0; SASL_AUTH = 1; } Drill 1.11/1.12: [2] enum SASL_SUPPORT { UNKNOWN_SASL_SUPPORT = 0; SASL_AUTH = 1; SASL_PRIVACY = 2; } A 1.11 client always has SASL_PRIVACY set in handshake. A 1.10 Drillbit getting the message interprets the value as UNKNOWN_SASL_SUPPORT [3]. In 1.10 Drillbit treats that value as an indication of older client < 1.10 [4], and it will try to authenticate using the 1.9 mechanism and send the SUCCESS/FAILURE state in Handshake Response. The 1.12 DrillClient will fail the connection as it will expect AUTH_REQUIRED from Drillbit instead of SUCCESS/FAILURE. The fix for this issue can be to use only absence of field as indication of client < 1.10 and if the field is present but it evaluates to UNKNOWN_SASL_SUPPORT value then Drillbit should consider corresponding client to be of future version at least for authentication purpose and speak SASL protocol. We have to either back port above forward compatibility fix into 1.10 and 1.11 or just fix in current release and support forward compatibility post 1.12+. Arina/Sudheesh - Please suggest if the analysis and fix sounds good and what are the releases we should consider the fix for. Considering 1.12 release is planned soon can we take the fix in 1.12 release ? [1]: https://github.com/apache/drill/blob/1.10.0/protocol/src/main/protobuf/User.proto#L70 [2]: https://github.com/apache/drill/blob/1.11.0/protocol/src/main/protobuf/User.proto#L70 [3]: http://androiddevblog.com/protocol-buffers-pitfall-adding-enum-values/ [4]: https://github.com/apache/drill/blob/1.10.0/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserServer.java#L297 Thanks, Sorabh