Posted to common-issues@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2018/02/13 17:02:00 UTC

[jira] [Commented] (HADOOP-14077) Improve the patch of HADOOP-13119

    [ https://issues.apache.org/jira/browse/HADOOP-14077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362666#comment-16362666 ] 

Eric Yang commented on HADOOP-14077:
------------------------------------

[~yuanbo] The Hadoop Security team has brought to my attention that this feature has the potential to weaken security.  When a user is not authorized in the first proxy user list, the Authorization exception is captured and null is returned.  This allows the second proxy list to be checked if the user chains StaticUserWebFilter and another AuthenticationFilterWithProxyUser together, per your comment in [HADOOP-14060|https://issues.apache.org/jira/browse/HADOOP-14060?focusedCommentId=15875737&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15875737].  However, this procedure can trigger a replay attack that uses the ProxyUser credential to fool other services, because the end user credential is not authorized to use the first proxy user in the first place.  For this reason, I have no choice but to revert this commit.  Sorry that I failed to spot the problem in the first round of review.

Reverting this change may impact managed services, such as when the cluster system administrator and users are from two companies.  You may need to review whether your clusters depend on this feature.

> Improve the patch of HADOOP-13119
> ---------------------------------
>
>                 Key: HADOOP-14077
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14077
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Yuanbo Liu
>            Assignee: Yuanbo Liu
>            Priority: Major
>             Fix For: 3.0.0-alpha4
>
>         Attachments: HADOOP-14077.001.patch, HADOOP-14077.002.patch, HADOOP-14077.003.patch
>
>
> For some links (such as "/jmx", "/stack"), blocking the links in the filter chain due to an impersonation issue is not friendly for users. For example, user "sam" is not allowed to be impersonated by user "knox", and the link "/jmx" doesn't need any user to do authorization by default. It only needs user "knox" to do authentication; in this case, it's not right to block the access in the SPNEGO filter. We intend to check impersonation permission when the method "getRemoteUser" of the request is used, so that such links ("/jmx", "/stack") would not be blocked by mistake.



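The fail-open behavior described in the comment above, modeled as an added example (not code from the Hadoop patch or from either commenter). The class and method names and the "alice" entry are hypothetical; "knox" and "sam" are the users from the issue description.

```java
import java.util.*;
// Simplified model of two chained proxy-user checks. Every class and method
// name here is hypothetical; none of this is Hadoop's code.
public class ProxyChainDemo {
    static class AuthorizationException extends Exception {
        AuthorizationException(String msg) { super(msg); }
    }
    // One proxy user list: proxy user -> end users it may impersonate.
    static class ProxyList {
        final Map<String, Set<String>> allowed;
        ProxyList(Map<String, Set<String>> allowed) { this.allowed = allowed; }
        void authorize(String proxy, String doAs) throws AuthorizationException {
            if (!allowed.getOrDefault(proxy, Set.of()).contains(doAs)) {
                throw new AuthorizationException(proxy + " may not impersonate " + doAs);
            }
        }
    }
    // Fail-open: a denial is swallowed and treated as "no user yet", so the
    // next list in the chain still gets to decide.
    static String failOpen(List<ProxyList> chain, String proxy, String doAs) {
        for (ProxyList list : chain) {
            try {
                list.authorize(proxy, doAs);
                return doAs;
            } catch (AuthorizationException e) {
                // swallowed: stands in for "return null" from this check
            }
        }
        return null;
    }
    // Fail-closed: the first denial ends the request; later lists are never consulted.
    static String failClosed(List<ProxyList> chain, String proxy, String doAs) throws AuthorizationException {
        for (ProxyList list : chain) list.authorize(proxy, doAs);
        return doAs;
    }
    public static void main(String[] args) {
        // Constructed sample data: the first list denies knox -> sam, the second allows it.
        List<ProxyList> chain = List.of(
            new ProxyList(Map.of("knox", Set.of("alice"))),
            new ProxyList(Map.of("knox", Set.of("sam"))));
        System.out.println("fail-open:   " + failOpen(chain, "knox", "sam"));
        try {
            System.out.println("fail-closed: " + failClosed(chain, "knox", "sam"));
        } catch (AuthorizationException e) {
            System.out.println("fail-closed: denied (" + e.getMessage() + ")");
        }
    }
}
```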