Posted to common-issues@hadoop.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2018/01/10 18:51:01 UTC

[jira] [Resolved] (HADOOP-15162) UserGroupInformation.createRemoteUser hardcode authentication method to SIMPLE

     [ https://issues.apache.org/jira/browse/HADOOP-15162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Yang resolved HADOOP-15162.
--------------------------------
    Resolution: Not A Problem

Closing this as not a problem.  It was a bad assumption that SIMPLE security mode doesn't check the proxy ACL.  I verified that SIMPLE security mode also checks the proxy ACL.  UGI.createRemoteUser(remoteUser) has no effect on the proxy ACL check.  Thanks to [~jlowe] and [~daryn] for their advice and recommendations.

> UserGroupInformation.createRemoteUser hardcode authentication method to SIMPLE
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-15162
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15162
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Eric Yang
>
> {{UserGroupInformation.createRemoteUser(String user)}} has its authentication method hard-coded to SIMPLE by HADOOP-10683.  This bypasses the proxyuser ACL check and the isSecurityEnabled check, and allows the caller to impersonate anyone.  This method could be abused in the main code base, which can cause part of Hadoop to become insecure without a proxyuser check in both SIMPLE and Kerberos enabled environments.


