You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2018/11/02 16:48:00 UTC
[jira] [Created] (HADOOP-15896) Refine Kerberos based
AuthenticationHandler to check proxyuser ACL
Eric Yang created HADOOP-15896:
----------------------------------
Summary: Refine Kerberos based AuthenticationHandler to check proxyuser ACL
Key: HADOOP-15896
URL: https://issues.apache.org/jira/browse/HADOOP-15896
Project: Hadoop Common
Issue Type: Bug
Reporter: Eric Yang
JWTRedirectAuthenticationHandler is based on KerberosAuthenticationHandler, and authentication method in KerberosAuthenticationHandler basically do this:
{code}
String clientPrincipal = gssContext.getSrcName().toString();
KerberosName kerberosName = new KerberosName(clientPrincipal);
String userName = kerberosName.getShortName();
token = new AuthenticationToken(userName, clientPrincipal, getType());
response.setStatus(HttpServletResponse.SC_OK);
LOG.trace("SPNEGO completed for client principal [{}]",
clientPrincipal);
{code}
It obtains the short name of the client principal and respond OK. This is fine for verifying end user. However, in proxy user case (knox), this authentication is insufficient because knox principal name is: knox/host1.example.com@EXAMPLE.COM . KerberosAuthenticationHandler will gladly confirm that knox is knox. Even if the knox/host1.example.com@EXAMPLE.COM is used from botnet.rogueresearchlab.tld host. KerberosAuthenticationHandler does not need to change, but additional authentication with proxy user list should take place in JWTRedirectAuthenticationHandler to properly fulfill the proxy use case.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org