[ https://issues.apache.org/jira/browse/DRILL-5943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16243208#comment-16243208 ]
ASF GitHub Bot commented on DRILL-5943:
---------------------------------------
GitHub user sohami opened a pull request:
https://github.com/apache/drill/pull/1028
DRILL-5943: Avoid the strong check introduced by DRILL-5582 for PLAIN…
… mechanism
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/sohami/drill DRILL-5943
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/drill/pull/1028.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1028
----
commit 708dbc203b63700fb520445e585826a5c1e911e4
Author: Sorabh Hamirwasia <[email protected]>
Date: 2017-11-07T23:27:45Z
DRILL-5943: Avoid the strong check introduced by DRILL-5582 for PLAIN
mechanism
----
> Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism
> -------------------------------------------------------------------
>
> Key: DRILL-5943
> URL: https://issues.apache.org/jira/browse/DRILL-5943
> Project: Apache Drill
> Issue Type: Improvement
> Reporter: Sorabh Hamirwasia
> Assignee: Sorabh Hamirwasia
> Fix For: 1.12.0
>
>
> For the PLAIN mechanism we will weaken the strong check introduced with
> DRILL-5582 to keep forward compatibility between a Drill 1.12 client and a
> Drill 1.9 server. This is fine since, with or without this strong check, the
> PLAIN mechanism is still vulnerable to MITM during the handshake itself, unlike
> mutual authentication protocols like Kerberos.
> Also, to keep forward compatibility with respect to SASL, we will treat
> UNKNOWN_SASL_SUPPORT as a valid value. For a handshake message received from a
> client which is running a later version (let's say 1.13) than the Drillbit
> (1.12) and carrying a new value for the SaslSupport field which is unknown to
> the server, this field will be decoded as UNKNOWN_SASL_SUPPORT. In this
> scenario the client will be treated as one aware of the SASL protocol, but the
> server doesn't know the exact capabilities of the client. Hence the SASL
> handshake will still be required from the server side.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
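The forward-compatibility behaviour described in the issue (a newer client's unknown SaslSupport value decoding to UNKNOWN_SASL_SUPPORT on an older Drillbit, which then still demands the SASL handshake) as an added, constructed model in Python. This is not Apache Drill code: the Handshake class is a stand-in for the real protobuf handshake message, the enum wire numbers and the hypothetical future value 3 are assumptions, and server_requires_sasl is a simplified policy, not the Drillbit's actual logic.

```python
"""Constructed model (not Apache Drill code) of the SaslSupport handling
described in DRILL-5943. Assumptions: enum names are modelled on Drill's
UserProtos but the wire numbers are illustrative; value 3 stands in for a
hypothetical field value introduced by a later (1.13) client; the server
policy is a simplification of the Drillbit's real handshake handling."""
from enum import IntEnum
from typing import Optional


class SaslSupport(IntEnum):
    """Values this (1.12) server knows. Wire numbers are assumptions."""
    UNKNOWN_SASL_SUPPORT = 0
    SASL_AUTH = 1
    SASL_PRIVACY = 2


def decode_sasl_support(raw: int) -> SaslSupport:
    """proto2-style enum decoding: a number the server's enum does not list
    does not fail the parse; it collapses to the default, UNKNOWN_SASL_SUPPORT."""
    try:
        return SaslSupport(raw)
    except ValueError:
        return SaslSupport.UNKNOWN_SASL_SUPPORT


class Handshake:
    """Stand-in for the client-to-bit handshake message (assumption): only the
    two fields this example needs. sasl_support=None models an absent
    optional field, as sent by a pre-SASL (1.9-era) client."""

    def __init__(self, client_version: str, sasl_support: Optional[int] = None):
        self.client_version = client_version
        self.sasl_support = sasl_support

    def has_sasl_support(self) -> bool:
        return self.sasl_support is not None

    def get_sasl_support(self) -> SaslSupport:
        if self.sasl_support is None:
            # proto2 getter on a missing field returns the default value
            return SaslSupport.UNKNOWN_SASL_SUPPORT
        return decode_sasl_support(self.sasl_support)


def classify_client(hs: Handshake) -> str:
    """What the server can conclude about the peer from the SaslSupport field."""
    if not hs.has_sasl_support():
        return "pre-SASL client (legacy path)"
    decoded = hs.get_sasl_support()
    if decoded is SaslSupport.UNKNOWN_SASL_SUPPORT:
        return "SASL-aware client, capabilities unknown to this server"
    return f"SASL-aware client advertising {decoded.name}"


def server_requires_sasl(hs: Handshake, auth_enabled: bool = True) -> bool:
    """Simplified server policy (assumption): with authentication enabled, any
    client that sent the SaslSupport field is SASL-aware and must complete the
    SASL handshake, even when its exact capabilities could not be decoded.
    A client that sent no SaslSupport field takes the legacy path, which this
    model does not implement."""
    if not auth_enabled:
        return False
    return hs.has_sasl_support()


if __name__ == "__main__":
    # Constructed sample handshakes: a 1.9 client, a 1.12 client, and a
    # hypothetical 1.13 client sending a value (3) this server has never seen.
    samples = [
        Handshake("1.9"),
        Handshake("1.12", SaslSupport.SASL_AUTH),
        Handshake("1.13", 3),
    ]
    for hs in samples:
        print(hs.client_version, "->", classify_client(hs),
              "| SASL handshake required:", server_requires_sasl(hs))
```

The point the model makes is that an unknown enum value is not a parse error but a silent collapse to the default, so the server must decide what the default means. Treating it as "SASL-aware, capabilities unknown" and still running the SASL exchange is the conservative choice; treating it as "no SASL support" would let a newer client bypass the handshake. Note also that none of this changes what the issue says about PLAIN: the mechanism itself carries the credentials in cleartext and provides no server authentication, so it depends on an outer protection such as TLS rather than on any version check.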