[ 
https://issues.apache.org/jira/browse/HADOOP-15162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16317583#comment-16317583
 ] 

Eric Yang commented on HADOOP-15162:
------------------------------------

[~daryn] Thank you for your reply.  

{quote}
Based on the snippets of code that conclude with "if authentication are in 
place, server side code can be simplified to [...] 
UserGroupInformation.createRemoteUser(remoteUser);", I think you are suggesting 
that createRemote should auto-magically create a proxy user with the login 
user? If you say yes, I'll provide a litany of reasons why that'd be completely 
broken. If no, please more concisely state your use case.{quote}

Proxy user credential should be verified if it can impersonate.  In my usage, I 
am writing a component for YARN, and end user credential is verified in HTTP 
request.  If code is written as UGI.createRemoteUser(remoteUser), should there 
be a check to determine if the current service user can proxy?  Some Hadoop PMC 
told me no because they assumed isSecurityEnabled == false, there should be no 
proxy ACL check.  If this type of assumption is applied, then we will have 
components talking to other components without honoring proxy user ACL, 
leading to part of Hadoop being completely insecure.  This is the reason that I 
think createRemoteUser defaulting the authentication method to SIMPLE is a bad 
practice.  The server should decide which authentication method to use, set up 
the authentication method and verify proxy ACL explicitly.


> UserGroupInformation.createRemoteUser hardcode authentication method to SIMPLE
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-15162
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15162
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Eric Yang
>
> {{UserGroupInformation.createRemoteUser(String user)}} has its 
> authentication method hard coded to SIMPLE by HADOOP-10683.  This bypasses the 
> proxyuser ACL check and the isSecurityEnabled check, and allows the caller to 
> impersonate anyone.  This method could be abused in the main code base, which 
> can cause part of Hadoop to become insecure without proxyuser check for both 
> SIMPLE or Kerberos enabled environment.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
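
An added example, not part of the comment above or of Hadoop's code base: one way for a server to verify the proxy ACL explicitly before acting as a remote user, using Hadoop's `createProxyUser` and `ProxyUsers.authorize`. The class name, the `impersonate` helper, the users `alice` and `bob` and the addresses are hypothetical; it assumes hadoop-common is on the classpath.

```java
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;

public class ProxyAclCheckExample {

  // Hypothetical helper: returns a UGI for remoteUser only if the service's
  // login user is allowed to impersonate that user from remoteAddr.
  static UserGroupInformation impersonate(String remoteUser, String remoteAddr)
      throws IOException {
    UserGroupInformation serviceUser = UserGroupInformation.getLoginUser();
    // Unlike createRemoteUser, the proxy UGI records the real (service) user.
    UserGroupInformation proxy =
        UserGroupInformation.createProxyUser(remoteUser, serviceUser);
    // Throws AuthorizationException when the hadoop.proxyuser.* rules
    // for serviceUser do not cover this user and address.
    ProxyUsers.authorize(proxy, remoteAddr);
    return proxy;
  }

  public static void main(String[] args) throws IOException {
    String svc = UserGroupInformation.getLoginUser().getShortUserName();
    Configuration conf = new Configuration();
    // Constructed sample ACL: the service may act as alice, only from 10.0.0.5.
    conf.set("hadoop.proxyuser." + svc + ".hosts", "10.0.0.5");
    conf.set("hadoop.proxyuser." + svc + ".users", "alice");
    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

    // createRemoteUser performs no ACL check and keeps no real user.
    UserGroupInformation bare = UserGroupInformation.createRemoteUser("bob");
    System.out.println("bare UGI real user: " + bare.getRealUser());

    String[][] requests = {{"alice", "10.0.0.5"}, {"bob", "10.0.0.5"},
                           {"alice", "10.0.0.9"}};
    for (String[] r : requests) {
      try {
        UserGroupInformation ugi = impersonate(r[0], r[1]);
        System.out.println("allowed: " + ugi + " auth="
            + ugi.getAuthenticationMethod());
      } catch (AuthorizationException e) {
        System.out.println("denied: " + r[0] + "@" + r[1] + ": " + e.getMessage());
      }
    }
  }
}
```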
