Uploaded image for project: 'Apache Drill'
  1. Apache Drill
  2. DRILL-5943

Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.12.0
    • Fix Version/s: 1.12.0
    • Component/s: None
    • Labels:

      Description

      For PLAIN mechanism we will weaken the strong check introduced with DRILL-5582 to keep the forward compatibility between Drill 1.12 client and Drill 1.9 server. This is fine since with and without this strong check PLAIN mechanism is still vulnerable to MITM during handshake itself unlike mutual authentication protocols like Kerberos.

      Also for keeping forward compatibility with respect to SASL we will treat UNKNOWN_SASL_SUPPORT as valid value. For handshake message received from a client which is running on later version (let say 1.13) then Drillbit (1.12) and having a new value for SaslSupport field which is unknown to server, this field will be decoded as UNKNOWN_SASL_SUPPORT. In this scenario client will be treated as one aware about SASL protocol but server doesn't know exact capabilities of client. Hence the SASL handshake will still be required from server side.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                shamirwasia Sorabh Hamirwasia
                Reporter:
                shamirwasia Sorabh Hamirwasia
                Reviewer:
                Laurent Goujon
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: