Hello Kudu Jenkins,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/6148
to look at the new patch set (#2).
Change subject: [security] protect against master SASL negotiation short-circuit
......................................................................
[security] protect against master SASL negotiation short-circuit
In both clients we weren't checking that the local SASL client
considered the negotiation to be complete when the server sent us a
SASL_SUCCESS message. This would allow a malicious server to trick the
client into thinking it had authenticated the server, when in reality it
had not. This ended up being easier in the Java client because the JDK
SASL API includes an 'isComplete', and there is no equivalent in cyrus
SASL, so the state has to be tracked explicitly.
Change-Id: I8f3b3d4f47e887b48c1c704c900e9260c22cec3a
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/client_negotiation.h
3 files changed, 40 insertions(+), 21 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/48/6148/2
--
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I8f3b3d4f47e887b48c1c704c900e9260c22cec3a
Gerrit-PatchSet: 2
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Dan Burkert <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <[email protected]>
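
The check described in the commit message, sketched as an added example (not code from this change or from the Kudu tree). It models the explicitly tracked state mentioned for the cyrus SASL case; `StepResult`, `ServerMsg`, `ClientNegotiator` and the two-round mechanism are hypothetical stand-ins so the block builds without libsasl2.

```cpp
#include <functional>
#include <string>
#include <utility>

// Stand-in for the result of one local SASL client step (assumption: modelled
// here so the example builds without libsasl2).
enum class StepResult { kContinue, kOk, kFail };
// Message kinds the server may send (constructed for this example).
enum class ServerMsg { kChallenge, kSuccess };
using StepFn = std::function<StepResult(const std::string&)>;

// Hypothetical client negotiator that tracks mechanism completion itself.
class ClientNegotiator {
 public:
  explicit ClientNegotiator(StepFn step) : step_(std::move(step)) {}

  // Returns false when the negotiation must be aborted.
  bool Handle(ServerMsg type, const std::string& token) {
    if (type == ServerMsg::kChallenge) {
      if (mech_complete_) return false;  // nothing left to step
      StepResult r = step_(token);
      if (r == StepResult::kFail) return false;
      mech_complete_ = (r == StepResult::kOk);
      return true;
    }
    // kSuccess: the server's claim counts only if the local mechanism has
    // also finished; otherwise the server was never actually verified.
    if (!mech_complete_) return false;
    authenticated_ = true;
    return true;
  }
  bool authenticated() const { return authenticated_; }

 private:
  StepFn step_;
  bool mech_complete_ = false;
  bool authenticated_ = false;
};

// Constructed two-round mechanism: finishes only once the second server token
// carries the expected proof.
StepFn MakeTwoRoundMech() {
  int round = 0;
  return [round](const std::string& token) mutable {
    if (++round == 1) return StepResult::kContinue;
    return token == "server-proof" ? StepResult::kOk : StepResult::kFail;
  };
}
```

A success message sent before the local mechanism reports completion is rejected, which is the short-circuit case the change guards against.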