[
https://issues.apache.org/jira/browse/DRILL-5881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16208829#comment-16208829
]
Sorabh Hamirwasia commented on DRILL-5881:
------------------------------------------
This change introduces stricter checks on the client side for security negotiation
between the client and the Drillbit. Before this patch the Drillbit was dictating to the
client side whether it needs authentication or not, and the client was abiding by that. But
with this PR we are checking for an indication from the client connection URL of whether it
needs the underlying connection to be secure or not. If the client needs a secure
connection and the Drillbit is not configured for security, then the client will fail
the connection.
This is a change in behavior w.r.t. current functionality, since with the
presence of username & password in the connection URL, DrillClient will now take that
as an indication of an authenticated connection request, and if the server doesn't
support authentication then the DrillClient connection will fail. Whereas currently,
if the server is not secured then the username and password are ignored. So with
this patch any client connection URL which has username & password in it and is
trying to connect to an unsecure cluster will fail.
> Java Client: [Threat Modeling] Drillbit may be spoofed by an attacker and
> this may lead to data being written to the attacker's target instead of
> Drillbit
> ----------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DRILL-5881
> URL: https://issues.apache.org/jira/browse/DRILL-5881
> Project: Apache Drill
> Issue Type: Sub-task
> Components: Client - Java
> Affects Versions: 1.10.0
> Reporter: Sorabh Hamirwasia
> Assignee: Sorabh Hamirwasia
> Fix For: 1.12.0
>
>
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
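The negotiation rule described in the comment above, modelled as an added Python example. This is not Apache Drill's own code: the `jdbc:drill:k=v;k=v` property format, the shape of the server handshake, the mechanism names and all function names are assumptions made for the illustration. The `strict_client` flag switches between the old behaviour (the server dictates, credentials are silently ignored against an unsecured Drillbit) and the behaviour after this patch (the client refuses to proceed when it asked for authentication and the server offers none).

```python
"""Model of the client-side security-negotiation check from DRILL-5881.

Added illustration, NOT Apache Drill's code: property names, handshake
shape and function names are assumptions.
"""

from dataclasses import dataclass, field
from typing import Dict, List


def parse_connection_props(url: str) -> Dict[str, str]:
    """Split a 'jdbc:drill:k=v;k=v' style URL into a property dict.

    Assumed format for the example; Drill's real URL parsing is richer.
    Keys are lower-cased so 'User' and 'user' are treated alike.
    """
    _, _, props = url.partition("jdbc:drill:")
    out: Dict[str, str] = {}
    for item in props.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


@dataclass
class ServerHandshake:
    """Constructed stand-in for what a Drillbit announces in its handshake.

    An empty mechanism list models a Drillbit with no authentication
    configured (or an impostor that simply claims to need none).
    """
    auth_mechanisms: List[str] = field(default_factory=list)

    @property
    def requires_auth(self) -> bool:
        return bool(self.auth_mechanisms)


def client_wants_auth(props: Dict[str, str]) -> bool:
    """Username plus password in the URL is the client's own signal that it
    expects an authenticated connection (the indication the patch checks)."""
    return bool(props.get("user")) and bool(props.get("password"))


def negotiate(props: Dict[str, str], server: ServerHandshake,
              strict_client: bool) -> str:
    """Decide the outcome of the handshake.

    Returns 'authenticated', 'plain', or 'fail:<reason>'.
    strict_client=False: old behaviour, the server dictates and unused
                         credentials are ignored.
    strict_client=True:  post-patch behaviour, the client will not
                         downgrade a connection it asked to be secured.
    """
    wants_auth = client_wants_auth(props)

    if server.requires_auth:
        # Both old and new clients must present credentials here.
        if not wants_auth:
            return "fail:server requires authentication but no credentials given"
        return "authenticated"

    # Server offers no authentication at all.
    if wants_auth and strict_client:
        # Credentials were supplied, so the client refuses to talk to an
        # unsecured (possibly spoofed) Drillbit instead of silently
        # dropping the credentials and sending data in the clear.
        return "fail:credentials supplied but server is unsecured"

    # Old behaviour: username/password silently ignored.
    return "plain"


def connect(url: str, server: ServerHandshake, strict_client: bool = True) -> str:
    """Convenience wrapper: parse the URL and run the negotiation."""
    return negotiate(parse_connection_props(url), server, strict_client)


if __name__ == "__main__":
    # Constructed sample inputs.
    url_with_creds = "jdbc:drill:drillbit=db1:31010;user=alice;password=s3cret"
    url_no_creds = "jdbc:drill:drillbit=db1:31010"
    secured = ServerHandshake(["PLAIN", "KERBEROS"])
    unsecured = ServerHandshake()

    for strict in (False, True):
        print(f"strict_client={strict}")
        print("  creds -> secured  :", connect(url_with_creds, secured, strict))
        print("  creds -> unsecured:", connect(url_with_creds, unsecured, strict))
        print("  none  -> secured  :", connect(url_no_creds, secured, strict))
        print("  none  -> unsecured:", connect(url_no_creds, unsecured, strict))
```

The case that changes with the patch is the second line of each group: with credentials in the URL and an unsecured server, the old client connects in plain mode and the new one fails, which is exactly the compatibility break the comment warns about.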