[jira] [Commented] (DRILL-5943) Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism

Thu, 09 Nov 2017 15:37:18 -0800 

    [ 
https://issues.apache.org/jira/browse/DRILL-5943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16246769#comment-16246769
 ] 

ASF GitHub Bot commented on DRILL-5943:
---------------------------------------

Github user laurentgo commented on a diff in the pull request:

    https://github.com/apache/drill/pull/1028#discussion_r150118518
  
    --- Diff: contrib/native/client/src/clientlib/saslAuthenticatorImpl.hpp ---
    @@ -59,6 +59,12 @@ class SaslAuthenticatorImpl {
     
         const char *getErrorMessage(int errorCode);
     
    +    static const std::string KERBEROS_SIMPLE_NAME;
    +
    +    static const std::string KERBEROS_SASL_NAME;
    --- End diff --
    
    do we need to expose it? (it looks like we only look for the keys)


> Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism
> -------------------------------------------------------------------
>
>                 Key: DRILL-5943
>                 URL: https://issues.apache.org/jira/browse/DRILL-5943
>             Project: Apache Drill
>          Issue Type: Improvement
>    Affects Versions: 1.12.0
>            Reporter: Sorabh Hamirwasia
>            Assignee: Sorabh Hamirwasia
>             Fix For: 1.12.0
>
>
> For PLAIN mechanism we will weaken the strong check introduced with 
> DRILL-5582 to keep the forward compatibility between Drill 1.12 client and 
> Drill 1.9 server. This is fine since with and without this strong check PLAIN 
> mechanism is still vulnerable to MITM during handshake itself unlike mutual 
> authentication protocols like Kerberos.
> Also for keeping forward compatibility with respect to SASL we will treat 
> UNKNOWN_SASL_SUPPORT as valid value. For handshake message received from a 
> client which is running on later version (let say 1.13) then Drillbit (1.12) 
> and having a new value for SaslSupport field which is unknown to server, this 
> field will be decoded as UNKNOWN_SASL_SUPPORT. In this scenario client will 
> be treated as one aware about SASL protocol but server doesn't know exact 
> capabilities of client. Hence the SASL handshake will still be required from 
> server side.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to