You are viewing a plain text version of this content. The canonical link for it is here.
Posted to hdfs-dev@hadoop.apache.org by "Daryn Sharp (Created) (JIRA)" <ji...@apache.org> on 2011/09/28 16:29:45 UTC

[jira] [Created] (HDFS-2380) Security downgrade of token validation

Security downgrade of token validation
--------------------------------------

                 Key: HDFS-2380
                 URL: https://issues.apache.org/jira/browse/HDFS-2380
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: security
    Affects Versions: 0.20.205.0, 0.23.0, 0.24.0
            Reporter: Daryn Sharp


HADOOP-7119 introduced the {{KerberosAuthenticationHandler}} for web services.  It appears to have been merged into 205 to support webhdfs.

Prior to HADOOP-7119, the web service used by hftp/hsftp would validate tokens using long kerberos user names.  Now the realm is truncated from the user name which caused hftp/hsftp to break.  The {{JspHelper}} in the namenode rejected the token validation due to the mismatched comparison between a now short user (from the web service) and a long user (in the token).  Subsequently, HDFS-2361 changed {{JspHelper}} to use the token's short user when comparing against the now short web user.

The security ramification is it now appears to be easier to spoof other users and access their files.  Based on commentary in HDFS-2361, the case can be made that other parts of hadoop are insecure with respect to user names, so it doesn't matter that security has been further downgraded.  I don't have know knowledge to know if this true, or whether higher layers effectively guard against lower level insecurities.  In any case, this logic makes me uneasy, especially when it comes to changing the security of a "front door" to hadoop.

Is there a technical reason why {{KerberosAuthenticationHandler}} should not be changed (1-liner) to return the long user name?  This would allow HDFS-2361 to be reverted and return the former level of security to token validation.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira