You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hbase.apache.org by "Jerry He (JIRA)" <ji...@apache.org> on 2015/02/23 22:54:11 UTC
[jira] [Created] (HBASE-13085) Security issue in the implementatoin
of Rest gataway 'doAs' proxy user support
Jerry He created HBASE-13085:
--------------------------------
Summary: Security issue in the implementatoin of Rest gataway 'doAs' proxy user support
Key: HBASE-13085
URL: https://issues.apache.org/jira/browse/HBASE-13085
Project: HBase
Issue Type: Bug
Components: REST, security
Affects Versions: 0.98.10, 1.0.0, 2.0.0
Reporter: Jerry He
Assignee: Jerry He
Priority: Critical
When 'hbase.rest.support.proxyuser' is turned on, HBase Rest gateway support 'doAs' proxy user from the Rest client.
The current implementation checks to see if the 'rest server user' is authorized to impersonate the 'doAs' user (the user in the 'doAs' Rest query string).
{code}
if (doAsUserFromQuery != null) {
Configuration conf = servlet.getConfiguration();
if (!servlet.supportsProxyuser()) {
throw new ServletException("Support for proxyuser is not configured");
}
UserGroupInformation ugi = servlet.getRealUser();
// create and attempt to authorize a proxy user (the client is attempting
// to do proxy user)
ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
// validate the proxy user authorization
try {
ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
} catch(AuthorizationException e) {
throw new ServletException(e.getMessage());
}
servlet.setEffectiveUser(doAsUserFromQuery);
}
{code}
The current implementation allows anyone from the rest client side to impersonate another user by 'doAs'.
For example, potentially, 'user1' can 'doAs=admin'
The correct implementation should check to see if the rest client user is authorized to do impersonation.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)