Posted to common-issues@hadoop.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2018/11/02 19:07:00 UTC

[jira] [Commented] (HADOOP-15896) Refine Kerberos based AuthenticationHandler to check proxyuser ACL

    [ https://issues.apache.org/jira/browse/HADOOP-15896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16673559#comment-16673559 ] 

Larry McCay commented on HADOOP-15896:
--------------------------------------

JWTRedirectAuthenticationHandler is not specific to the proxy use case; it is merely an authentication handler that accepts a JWT-based cookie.

> Refine Kerberos based AuthenticationHandler to check proxyuser ACL
> ------------------------------------------------------------------
>
>                 Key: HADOOP-15896
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15896
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>            Reporter: Eric Yang
>            Assignee: Larry McCay
>            Priority: Major
>
> JWTRedirectAuthenticationHandler is based on KerberosAuthenticationHandler, and the authentication method in KerberosAuthenticationHandler basically does this:
> {code}
> String clientPrincipal = gssContext.getSrcName().toString();
> KerberosName kerberosName = new KerberosName(clientPrincipal);
> // only the short name (e.g. "knox") is kept; the instance component is not checked
> String userName = kerberosName.getShortName();
> token = new AuthenticationToken(userName, clientPrincipal, getType());
> response.setStatus(HttpServletResponse.SC_OK);
> LOG.trace("SPNEGO completed for client principal [{}]",
>     clientPrincipal);
> {code}
> It obtains the short name of the client principal and responds OK. This is fine for verifying an end user. However, in the proxy user case (Knox), this authentication is insufficient because the Knox principal name is: knox/host1.example.com@EXAMPLE.COM. KerberosAuthenticationHandler will gladly confirm that knox is knox, even if knox/host1.example.com@EXAMPLE.COM is used from the botnet.rogueresearchlab.tld host. KerberosAuthenticationHandler may not need to change if it does not plan to support proxy and ignores the instance name of the Kerberos principal. For JWTRedirectAuthenticationHandler, which is designed for the proxy use case, it should check that the remote host matches the clientPrincipal instance name; without this check, it makes Kerberos vulnerable.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org
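The check the issue asks for, as an added illustration that is not part of the JIRA thread and not Hadoop code: a Kerberos principal is split into primary, instance and realm; an end-user principal with no instance is accepted as before, while a service principal such as knox/host1.example.com@EXAMPLE.COM is only accepted when the client's address resolves to the host named in its instance component. The short-name derivation is a simplification of what the issue describes (the instance is dropped), and the reverse-DNS table is constructed so the example runs offline; `parse_principal`, `authenticate`, `accepts` and `fake_resolve` are names chosen here, not Hadoop APIs.

```python
"""Host/instance check for service principals, modelled on HADOOP-15896.

Illustration only: not Hadoop code, not the project's API. The resolver is a
constructed reverse-DNS table standing in for a real lookup.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: Optional[str]


def parse_principal(name: str) -> Principal:
    """Split 'primary[/instance][@REALM]' into its components."""
    rest, realm = name, None
    if "@" in name:
        rest, realm = name.rsplit("@", 1)
    primary, _, instance = rest.partition("/")
    if not primary:
        raise ValueError(f"principal without primary component: {name!r}")
    return Principal(primary, instance or None, realm or None)


def short_name(p: Principal) -> str:
    """Simplified short-name mapping as the issue describes it: the instance is
    dropped, so knox/host1.example.com@EXAMPLE.COM and knox/other@EXAMPLE.COM
    both become 'knox'."""
    return p.primary


# Maps a remote address to its canonical hostname, or None if unresolvable.
Resolver = Callable[[str], Optional[str]]


def _norm_host(host: str) -> str:
    # Hostnames compare case-insensitively; a trailing dot is a DNS artefact.
    return host.lower().rstrip(".")


def authenticate(principal_name: str, remote_addr: str, resolve: Resolver) -> str:
    """Return the short name if the client is acceptable, else raise PermissionError.

    End-user principals (no instance) are accepted exactly as before. Service
    principals must arrive from the host named in their instance component.
    """
    p = parse_principal(principal_name)
    if p.instance is None:
        return short_name(p)
    remote_host = resolve(remote_addr)
    if remote_host is None or _norm_host(remote_host) != _norm_host(p.instance):
        raise PermissionError(
            f"{principal_name} presented from {remote_addr} "
            f"(resolves to {remote_host}); instance host is {p.instance}"
        )
    return short_name(p)


def accepts(principal_name: str, remote_addr: str, resolve: Resolver) -> bool:
    """Boolean wrapper around authenticate() for callers that do not need the name."""
    try:
        authenticate(principal_name, remote_addr, resolve)
        return True
    except PermissionError:
        return False


# Constructed reverse-DNS table (not real data) using the hosts named in the issue.
FAKE_PTR: Dict[str, str] = {
    "10.0.0.11": "host1.example.com",
    "203.0.113.66": "botnet.rogueresearchlab.tld",
}


def fake_resolve(addr: str) -> Optional[str]:
    return FAKE_PTR.get(addr)


def demo() -> Dict[str, str]:
    """Run the three cases the issue contrasts and report the outcome of each."""
    knox = "knox/host1.example.com@EXAMPLE.COM"
    return {
        "knox_from_host1": "accepted" if accepts(knox, "10.0.0.11", fake_resolve) else "rejected",
        "knox_from_rogue": "accepted" if accepts(knox, "203.0.113.66", fake_resolve) else "rejected",
        "alice_anywhere": "accepted" if accepts("alice@EXAMPLE.COM", "203.0.113.66", fake_resolve) else "rejected",
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The check is only as strong as the resolver behind it: reverse DNS that the peer network controls, or a proxy or NAT in front of the client, can make the comparison pass or fail for the wrong reasons, so in practice the resolved name should come from a trusted resolver and any legitimate multi-homed proxy hosts need all of their names covered by the principals they use.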