You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@hbase.apache.org by ap...@apache.org on 2015/02/24 19:23:49 UTC

[3/4] hbase git commit: HBASE-13085 Security issue in the implementation of Rest gataway 'doAs' proxy user support (Jerry He)

HBASE-13085 Security issue in the implementation of Rest gataway 'doAs' proxy user support (Jerry He)


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/514dd584
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/514dd584
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/514dd584

Branch: refs/heads/branch-1
Commit: 514dd584201252b737e1b462bbe50a33c4b8d672
Parents: f938999
Author: Andrew Purtell <ap...@apache.org>
Authored: Tue Feb 24 10:18:17 2015 -0800
Committer: Andrew Purtell <ap...@apache.org>
Committed: Tue Feb 24 10:18:31 2015 -0800

----------------------------------------------------------------------
 .../java/org/apache/hadoop/hbase/rest/RESTServletContainer.java   | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/514dd584/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
----------------------------------------------------------------------
diff --git a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
index 2ce8ede..b5ecb35 100644
--- a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
+++ b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java
@@ -56,7 +56,8 @@ public class RESTServletContainer extends ServletContainer {
       if (!servlet.supportsProxyuser()) {
         throw new ServletException("Support for proxyuser is not configured");
       }
-      UserGroupInformation ugi = servlet.getRealUser();
+      // Authenticated remote user is attempting to do 'doAs' proxy user.
+      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
       // create and attempt to authorize a proxy user (the client is attempting
       // to do proxy user)
       ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);