You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@hbase.apache.org by ap...@apache.org on 2015/02/24 19:23:50 UTC

[4/4] hbase git commit: HBASE-13085 Security issue in the implementation of Rest gataway 'doAs' proxy user support (Jerry He)

HBASE-13085 Security issue in the implementation of Rest gataway 'doAs' proxy user support (Jerry He)


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/f4fa876c
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/f4fa876c
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/f4fa876c

Branch: refs/heads/0.98
Commit: f4fa876c537af078b4c2cf1c06c4d28dbc113b29
Parents: 51d7529
Author: Andrew Purtell <ap...@apache.org>
Authored: Tue Feb 24 10:18:17 2015 -0800
Committer: Andrew Purtell <ap...@apache.org>
Committed: Tue Feb 24 10:18:34 2015 -0800

----------------------------------------------------------------------
 .../java/org/apache/hadoop/hbase/rest/RESTServletContainer.java   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/f4fa876c/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
----------------------------------------------------------------------
diff --git a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
index 2ce8ede..b5ecb35 100644
--- a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
+++ b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
@@ -56,7 +56,8 @@ public class RESTServletContainer extends ServletContainer {
       if (!servlet.supportsProxyuser()) {
         throw new ServletException("Support for proxyuser is not configured");
       }
-      UserGroupInformation ugi = servlet.getRealUser();
+      // Authenticated remote user is attempting to do 'doAs' proxy user.
+      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
       // create and attempt to authorize a proxy user (the client is attempting
       // to do proxy user)
       ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);