[jira] [Updated] (DRILL-5943) Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism

2017-11-09 Thread Sorabh Hamirwasia (JIRA)

 [ 
https://issues.apache.org/jira/browse/DRILL-5943?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sorabh Hamirwasia updated DRILL-5943:
-
  Labels: ready-to-commit  (was: )
Reviewer: Laurent Goujon  (was: Parth Chandra)

> Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism
> ---
>
> Key: DRILL-5943
> URL: https://issues.apache.org/jira/browse/DRILL-5943
> Project: Apache Drill
>  Issue Type: Improvement
>Affects Versions: 1.12.0
>Reporter: Sorabh Hamirwasia
>Assignee: Sorabh Hamirwasia
>  Labels: ready-to-commit
> Fix For: 1.12.0
>
>
> For the PLAIN mechanism we will weaken the strong check introduced with 
> DRILL-5582 to keep forward compatibility between a Drill 1.12 client and a 
> Drill 1.9 server. This is fine since, with and without this strong check, the 
> PLAIN mechanism is still vulnerable to MITM during the handshake itself, unlike 
> mutual authentication protocols like Kerberos.
> Also, to keep forward compatibility with respect to SASL, we will treat 
> UNKNOWN_SASL_SUPPORT as a valid value. For a handshake message received from a 
> client running on a later version (let's say 1.13) than the Drillbit (1.12) 
> and carrying a new value for the SaslSupport field which is unknown to the 
> server, this field will be decoded as UNKNOWN_SASL_SUPPORT. In this scenario 
> the client will be treated as one aware of the SASL protocol, but the server 
> doesn't know the exact capabilities of the client. Hence the SASL handshake 
> will still be required from the server side.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
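The forward-compatibility rule in the issue description, as an added illustration that is not Drill's own code: a server on an older release decodes a SaslSupport value it has never seen as UNKNOWN_SASL_SUPPORT and still requires the SASL handshake. The protobuf field number, the numeric values of SASL_AUTH and SASL_PRIVACY, and the handshake bytes are constructed assumptions.

```python
from enum import IntEnum

class SaslSupport(IntEnum):
    UNKNOWN_SASL_SUPPORT = 0  # proto2 default: what an unrecognised wire value reads as
    SASL_AUTH = 1             # assumed numeric values for the members a 1.12 server knows
    SASL_PRIVACY = 2

SASL_SUPPORT_FIELD = 7  # assumed protobuf field number of the SaslSupport field

def encode_varint(value: int) -> bytes:
    """Base-128 varint encoding used by protobuf for tags and enum values."""
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def read_varint(buf: bytes, pos: int):
    """Decode one varint starting at pos; return (value, position after it)."""
    result = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def encode_handshake(sasl_value: int) -> bytes:
    """Constructed client handshake carrying only the SaslSupport field (wire type 0)."""
    return encode_varint((SASL_SUPPORT_FIELD << 3) | 0) + encode_varint(sasl_value)

def decode_sasl_support(handshake: bytes) -> SaslSupport:
    """What the 1.12 server reads: any number outside its enum becomes UNKNOWN_SASL_SUPPORT."""
    pos = 0
    while pos < len(handshake):
        tag, pos = read_varint(handshake, pos)
        field, wire_type = tag >> 3, tag & 0x7
        if wire_type != 0:
            raise ValueError("constructed example carries varint fields only")
        value, pos = read_varint(handshake, pos)
        if field == SASL_SUPPORT_FIELD:
            known = {m.value for m in SaslSupport}
            return SaslSupport(value) if value in known else SaslSupport.UNKNOWN_SASL_SUPPORT
    raise ValueError("SaslSupport field missing from handshake")

def server_decision(support: SaslSupport) -> dict:
    """Policy from the issue: a SASL-aware client always gets the handshake, but only
    a recognised value tells the server the client's exact capabilities."""
    return {"sasl_handshake_required": True,
            "capabilities_known": support is not SaslSupport.UNKNOWN_SASL_SUPPORT}
```

A hypothetical 1.13 client sending enum number 3 therefore decodes to UNKNOWN_SASL_SUPPORT on this server and is still driven through the handshake.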


[jira] [Updated] (DRILL-5943) Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism

2017-11-07 Thread Arina Ielchiieva (JIRA)

 [ 
https://issues.apache.org/jira/browse/DRILL-5943?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Arina Ielchiieva updated DRILL-5943:

Affects Version/s: 1.12.0






[jira] [Updated] (DRILL-5943) Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism

2017-11-07 Thread Sorabh Hamirwasia (JIRA)

 [ 
https://issues.apache.org/jira/browse/DRILL-5943?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sorabh Hamirwasia updated DRILL-5943:
-
Reviewer: Parth Chandra






[jira] [Updated] (DRILL-5943) Avoid the strong check introduced by DRILL-5582 for PLAIN mechanism

2017-11-07 Thread Sorabh Hamirwasia (JIRA)

 [ 
https://issues.apache.org/jira/browse/DRILL-5943?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sorabh Hamirwasia updated DRILL-5943:
-
Fix Version/s: 1.12.0



