Posted to commits@knox.apache.org by lm...@apache.org on 2017/03/13 15:59:09 UTC
knox git commit: KNOX-906 - Log WARN of Removed Impersonation Params
Repository: knox
Updated Branches:
refs/heads/master 318fb19d1 -> 8857bef1e
KNOX-906 - Log WARN of Removed Impersonation Params
Project: http://git-wip-us.apache.org/repos/asf/knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/knox/commit/8857bef1
Tree: http://git-wip-us.apache.org/repos/asf/knox/tree/8857bef1
Diff: http://git-wip-us.apache.org/repos/asf/knox/diff/8857bef1
Branch: refs/heads/master
Commit: 8857bef1ec39d1af0075dae86e0de3601752d883
Parents: 318fb19
Author: Larry McCay <lm...@hortonworks.com>
Authored: Mon Mar 13 11:58:21 2017 -0400
Committer: Larry McCay <lm...@hortonworks.com>
Committed: Mon Mar 13 11:58:55 2017 -0400
----------------------------------------------------------------------
...entityAsserterHttpServletRequestWrapper.java | 36 ++++++++++++++++++--
...yAssertionHttpServletRequestWrapperTest.java | 20 +++++++++++
.../hadoop/gateway/SpiGatewayMessages.java | 3 ++
3 files changed, 56 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/knox/blob/8857bef1/gateway-provider-identity-assertion-common/src/main/java/org/apache/hadoop/gateway/identityasserter/common/filter/IdentityAsserterHttpServletRequestWrapper.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-common/src/main/java/org/apache/hadoop/gateway/identityasserter/common/filter/IdentityAsserterHttpServletRequestWrapper.java b/gateway-provider-identity-assertion-common/src/main/java/org/apache/hadoop/gateway/identityasserter/common/filter/IdentityAsserterHttpServletRequestWrapper.java
index a4e8546..68f57f4 100644
--- a/gateway-provider-identity-assertion-common/src/main/java/org/apache/hadoop/gateway/identityasserter/common/filter/IdentityAsserterHttpServletRequestWrapper.java
+++ b/gateway-provider-identity-assertion-common/src/main/java/org/apache/hadoop/gateway/identityasserter/common/filter/IdentityAsserterHttpServletRequestWrapper.java
@@ -36,10 +36,12 @@ import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.security.Principal;
import java.util.ArrayList;
+import java.util.List;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.Map;
public class IdentityAsserterHttpServletRequestWrapper extends HttpServletRequestWrapper {
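Review bot: `import java.util.List;` is inserted between `ArrayList` and `Collection`, which breaks the alphabetical order the surrounding java.util imports follow; it belongs between `HashSet` and `Map`. The same ordering slip appears in the test file, where `import org.junit.After;` is placed after `org.junit.Test`.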
@@ -121,7 +123,7 @@ private static SpiGatewayMessages log = MessagesFactory.get( SpiGatewayMessages.
private Map<String, String[]> getParams() {
return getParams( super.getQueryString() );
}
-
+
@Override
public String getQueryString() {
String q = null;
@@ -135,13 +137,15 @@ private static SpiGatewayMessages log = MessagesFactory.get( SpiGatewayMessages.
al.add(username);
String[] a = { "" };
+ List<String> principalParamNames = getImpersonationParamNames();
+ params = scrubOfExistingPrincipalParams(params, principalParamNames);
+
if ("true".equals(System.getProperty(GatewayConfig.HADOOP_KERBEROS_SECURED))) {
params.put(DOAS_PRINCIPAL_PARAM, al.toArray(a));
- params.remove(PRINCIPAL_PARAM);
} else {
params.put(PRINCIPAL_PARAM, al.toArray(a));
}
-
+
String encoding = getCharacterEncoding();
if (encoding == null) {
encoding = Charset.defaultCharset().name();
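Review bot: The scrub is applied only to the query-string map built in this method, while the form-body path exercised by `testInsertUserNameInPostMethod` is outside this hunk; confirm that a pre-populated `doAs`/`user.name` arriving in a POST body is removed and logged the same way, otherwise the WARN covers one of the two inputs. The match in `scrubOfExistingPrincipalParams` is `equalsIgnoreCase` on whatever keys `getParams` produced, so whether names are decoded before they reach that comparison (not visible here) decides whether the scrub sees the same spelling the backend would. Note also that the removed `params.remove(PRINCIPAL_PARAM)` is now subsumed by the scrub, which is correct, but the scrub runs before the `HADOOP_KERBEROS_SECURED` branch so both names are dropped in either mode — worth a one-line comment, e.g. `// drop any client-supplied impersonation params before asserting ours`. getQueryString starts and ends outside this hunk.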
@@ -150,6 +154,32 @@ private static SpiGatewayMessages log = MessagesFactory.get( SpiGatewayMessages.
return q;
}
+ private List<String> getImpersonationParamNames() {
+ // TODO: let's have service definitions register their impersonation
+ // params in a future release and get this list from a central registry.
+ // This will provide better coverage of protection by removing any
+ // prepopulated impersonation params.
+ ArrayList<String> principalParamNames = new ArrayList<String>();
+ principalParamNames.add(DOAS_PRINCIPAL_PARAM);
+ principalParamNames.add(PRINCIPAL_PARAM);
+ return principalParamNames;
+ }
+
+ private Map<String, String[]> scrubOfExistingPrincipalParams(
+ Map<String, String[]> params, List<String> principalParamNames) {
+ HashSet<String> remove = new HashSet<String>();
+ for (String paramKey : params.keySet()) {
+ for (String p : principalParamNames) {
+ if (p.equalsIgnoreCase(paramKey)) {
+ remove.add(paramKey);
+ log.possibleIdentitySpoofingAttempt(paramKey);
+ }
+ }
+ }
+ params.keySet().removeAll(remove);
+ return params;
+ }
+
@Override
public int getContentLength() {
int len;
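Review bot: `getImpersonationParamNames` and `scrubOfExistingPrincipalParams` are new private methods with no Javadoc; add a summary to each, e.g. `/** Names of the impersonation parameters this wrapper owns; any inbound parameter with one of these names (case-insensitively) is discarded. */` and `/** Removes every entry of {@code params} whose key matches an impersonation parameter name case-insensitively, logging each removal; mutates and returns {@code params}. */`. The WARN at line 90 records only the parameter name, which is always a case variant of a known name, so for triage it carries little beyond "it happened"; since this class is an HttpServletRequestWrapper, `getRemoteAddr()` is available and including it would make the event actionable, which means a second placeholder in `possibleIdentitySpoofingAttempt` in SpiGatewayMessages. `getImpersonationParamNames` also rebuilds the list on every request; until the registry in the TODO exists, a `private static final List<String>` built once via `Collections.unmodifiableList` (already imported) does the same job. The last line of the hunk belongs to `getContentLength`, which continues outside it.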
http://git-wip-us.apache.org/repos/asf/knox/blob/8857bef1/gateway-provider-identity-assertion-common/src/test/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAssertionHttpServletRequestWrapperTest.java
----------------------------------------------------------------------
diff --git a/gateway-provider-identity-assertion-common/src/test/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAssertionHttpServletRequestWrapperTest.java b/gateway-provider-identity-assertion-common/src/test/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAssertionHttpServletRequestWrapperTest.java
index e892717..568c950 100644
--- a/gateway-provider-identity-assertion-common/src/test/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAssertionHttpServletRequestWrapperTest.java
+++ b/gateway-provider-identity-assertion-common/src/test/java/org/apache/hadoop/gateway/identityasserter/filter/IdentityAssertionHttpServletRequestWrapperTest.java
@@ -18,12 +18,14 @@
package org.apache.hadoop.gateway.identityasserter.filter;
import org.apache.commons.io.IOUtils;
+import org.apache.hadoop.gateway.config.GatewayConfig;
import org.apache.hadoop.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper;
import org.apache.hadoop.test.category.FastTests;
import org.apache.hadoop.test.category.UnitTests;
import org.apache.hadoop.test.mock.MockHttpServletRequest;
import org.apache.hadoop.test.mock.MockServletInputStream;
import org.junit.Test;
+import org.junit.After;
import org.junit.experimental.categories.Category;
import java.io.ByteArrayInputStream;
@@ -38,6 +40,11 @@ import static org.hamcrest.Matchers.not;
@Category( { UnitTests.class, FastTests.class } )
public class IdentityAssertionHttpServletRequestWrapperTest {
+ @After
+ public void resetSystemProps() {
+ System.setProperty(GatewayConfig.HADOOP_KERBEROS_SECURED, "false");
+ }
+
@Test
public void testInsertUserNameInPostMethod() throws IOException {
String inputBody = "jar=%2Ftmp%2FGatewayWebHdfsFuncTest%2FtestJavaMapReduceViaWebHCat%2Fhadoop-examples.jar&class=org.apache.org.apache.hadoop.examples.WordCount&arg=%2Ftmp%2FGatewayWebHdfsFuncTest%2FtestJavaMapReduceViaTempleton%2Finput&arg=%2Ftmp%2FGatewayWebHdfsFuncTest%2FtestJavaMapReduceViaTempleton%2Foutput";
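Review bot: `resetSystemProps` forces `HADOOP_KERBEROS_SECURED` to "false" after every test instead of restoring the state that existed before it, so a JVM in which the property was unset leaves every later test class seeing "false". Prefer `System.clearProperty(GatewayConfig.HADOOP_KERBEROS_SECURED);`, or capture the prior value in a `@Before` and put it back here. For the class under test the difference is invisible because its check is `"true".equals(...)`, but other tests sharing the JVM may not be so lenient. The enclosing class continues outside this hunk.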
@@ -144,6 +151,19 @@ public class IdentityAssertionHttpServletRequestWrapperTest {
}
@Test
+ public void testInsertDoAsInQueryString() {
+ System.setProperty(GatewayConfig.HADOOP_KERBEROS_SECURED, "true");
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setQueryString("op=LISTSTATUS&user.name=jack&User.Name=jill&DOas=admin&doas=root");
+
+ IdentityAsserterHttpServletRequestWrapper wrapper
+ = new IdentityAsserterHttpServletRequestWrapper( request, "output-user" );
+
+ String output = wrapper.getQueryString();
+ assertThat(output, is("op=LISTSTATUS&doAs=output-user"));
+ }
+
+ @Test
public void testInsertUserNameInNullQueryString() {
String input = null;
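Review bot: `testInsertDoAsInQueryString` exercises only the Kerberos-secured branch; the non-secured branch, where `user.name` is asserted and an inbound `doAs` is now also scrubbed, has no test. A companion that leaves the property unset, sends `op=LISTSTATUS&doAs=admin&user.name=jack` and expects (constructed) `op=LISTSTATUS&user.name=output-user` would pin that behaviour. The exact-string assertion on line 143 also fixes the order of the surviving parameters, which holds only if `getParams` builds an order-preserving map — not visible in this hunk, so the test may be brittle across map implementations.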
http://git-wip-us.apache.org/repos/asf/knox/blob/8857bef1/gateway-spi/src/main/java/org/apache/hadoop/gateway/SpiGatewayMessages.java
----------------------------------------------------------------------
diff --git a/gateway-spi/src/main/java/org/apache/hadoop/gateway/SpiGatewayMessages.java b/gateway-spi/src/main/java/org/apache/hadoop/gateway/SpiGatewayMessages.java
index ff80714..25226f5 100644
--- a/gateway-spi/src/main/java/org/apache/hadoop/gateway/SpiGatewayMessages.java
+++ b/gateway-spi/src/main/java/org/apache/hadoop/gateway/SpiGatewayMessages.java
@@ -67,4 +67,7 @@ public interface SpiGatewayMessages {
@Message( level = MessageLevel.DEBUG, text = "Inbound response entity content type: {0}" )
void inboundResponseEntityContentType( String fullContentType );
+
+ @Message( level = MessageLevel.WARN, text = "Possible identity spoofing attempt - impersonation parameter removed: {0}" )
+ void possibleIdentitySpoofingAttempt( String impersonationParam );
}