Posted to commits@hbase.apache.org by ap...@apache.org on 2015/02/24 19:23:50 UTC
[4/4] hbase git commit: HBASE-13085 Security issue in the
implementation of Rest gataway 'doAs' proxy user support (Jerry He)
HBASE-13085 Security issue in the implementation of Rest gataway 'doAs' proxy user support (Jerry He)
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/f4fa876c
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/f4fa876c
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/f4fa876c
Branch: refs/heads/0.98
Commit: f4fa876c537af078b4c2cf1c06c4d28dbc113b29
Parents: 51d7529
Author: Andrew Purtell <ap...@apache.org>
Authored: Tue Feb 24 10:18:17 2015 -0800
Committer: Andrew Purtell <ap...@apache.org>
Committed: Tue Feb 24 10:18:34 2015 -0800
----------------------------------------------------------------------
.../java/org/apache/hadoop/hbase/rest/RESTServletContainer.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/f4fa876c/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
----------------------------------------------------------------------
diff --git a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
index 2ce8ede..b5ecb35 100644
--- a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
+++ b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
@@ -56,7 +56,8 @@ public class RESTServletContainer extends ServletContainer {
if (!servlet.supportsProxyuser()) {
throw new ServletException("Support for proxyuser is not configured");
}
- UserGroupInformation ugi = servlet.getRealUser();
+ // Authenticated remote user is attempting to do 'doAs' proxy user.
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
// create and attempt to authorize a proxy user (the client is attempting
// to do proxy user)
ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
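Review bot: `request.getRemoteUser()` can return null when a request arrives without an authenticated principal, and the added line passes it straight to `UserGroupInformation.createRemoteUser`, which rejects a null or empty name with an IllegalArgumentException rather than the ServletException used for the other failures in this block. Since the proxy-user authorization that follows now treats this value as the real caller, I would check it explicitly before building the UGI: `String remoteUser = request.getRemoteUser();` followed by `if (remoteUser == null || remoteUser.isEmpty()) throw new ServletException("doAs requires an authenticated remote user");`. Whether an authentication filter always runs before this code is not visible in the hunk, so this needs confirming against the deployment modes that allow `doAs`; the enclosing method begins and ends outside the hunk.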