Re: Drill SASL Forward Compatibility

Hi Laurent, Please see the responses inline. Thanks, Sorabh From: Laurent Goujon <laur...@dremio.com> Sent: Thursday, November 2, 2017 11:52 AM To: dev Subject: Re: Drill SASL Forward Compatibility I have a parallel scenario: - Scenario 1: 1) A handshak

Re: Drill SASL Forward Compatibility

ce no data is compromised. > > > Thanks, > Sorabh > > > From: Parth Chandra <par...@apache.org> > Sent: Wednesday, November 1, 2017 1:42:14 PM > To: dev > Subject: Re: Drill SASL Forward Compatibility > > I sort of lost tr

Re: Drill SASL Forward Compatibility

I have a parallel scenario: - Scenario 1: 1) A handshake from a (1.12) client expecting authentication and encryption is intercepted by a rogue server. The rogue server then responds first with AUTH_REQUIRED, but authenticationMechanisms doesn't provide gssapi/kerberos as a sasl mechanism. The

Re: Drill SASL Forward Compatibility

, Sorabh From: Parth Chandra <par...@apache.org> Sent: Wednesday, November 1, 2017 1:42:14 PM To: dev Subject: Re: Drill SASL Forward Compatibility I sort of lost track of the arguments in the thread. Is my understanding below correct ? 1) A handshake from a

Re: Drill SASL Forward Compatibility

I sort of lost track of the arguments in the thread. Is my understanding below correct ? 1) A handshake from a (1.12) client expecting authentication and encryption is intercepted by a rogue server. The server then responds with a success message and bypasses the auth and encryption for the

Re: Drill SASL Forward Compatibility

eld sasl_support is set and > not check the value alltogether. I'm not convinced you need to do some > extra logic around UNKNOWN_SASL_SERVER which would just keep people > confused (although it doesn't seem something you need to apply to 1.11 or > higher) > > > > > >

Re: Drill SASL Forward Compatibility

> Thanks, > Sorabh > > > From: Laurent Goujon <laur...@dremio.com> > Sent: Tuesday, October 31, 2017 5:42 PM > To: dev > Cc: Arina Lelchieva; sudhe...@apache.org > Subject: Re: Drill SASL Forward Compatibility > > Regarding DR

Re: Drill SASL Forward Compatibility

From: Laurent Goujon <laur...@dremio.com> Sent: Tuesday, October 31, 2017 5:42 PM To: dev Cc: Arina Lelchieva; sudhe...@apache.org Subject: Re: Drill SASL Forward Compatibility Regarding DRILL-5582 patch which broke compatibility with 1.9 version (which is les

Re: Drill SASL Forward Compatibility

ll 1.10 > server, I think the fix should be made which is mentioned in first email of > this thread. > > Thanks, > Sorabh > > > From: Laurent Goujon <laur...@dremio.com> > Sent: Tuesday, October 31, 2017 9:38:13 AM > To: dev >

Re: Drill SASL Forward Compatibility

hich is mentioned in first email of this thread. Thanks, Sorabh From: Laurent Goujon <laur...@dremio.com> Sent: Tuesday, October 31, 2017 9:38:13 AM To: dev Cc: Arina Lelchieva; sudhe...@apache.org Subject: Re: Drill SASL Forward Compatibility See my answ

Re: Drill SASL Forward Compatibility

t; ________ > From: Laurent Goujon <laur...@dremio.com> > Sent: Monday, October 30, 2017 5:47 PM > To: dev > Cc: Arina Lelchieva; sudhe...@apache.org > Subject: Re: Drill SASL Forward Compatibility > > Regarding DRILL-5582, I see that fix as a breakag

Re: Drill SASL Forward Compatibility

> Sent: Monday, October 30, 2017 5:47 PM To: dev Cc: Arina Lelchieva; sudhe...@apache.org Subject: Re: Drill SASL Forward Compatibility Regarding DRILL-5582, I see that fix as a breakage of the work to maintain compatibility for an newer client to connect to a older version of the serve

Re: Drill SASL Forward Compatibility

Regarding DRILL-5582, I see that fix as a breakage of the work to maintain compatibility for an newer client to connect to a older version of the server. Or put it differently: current (master) client does not connect anymore to a server not supporting SASL (<=1.9). Note that the client could

Drill SASL Forward Compatibility

Hi All, We recently added a check (as part of DRILL-5582) on DrillClient side to enforce that if client showed intent for authentication and Drillbit say's it doesn't require authentication then connection will fail with proper error message.