[ 
https://issues.apache.org/jira/browse/HADOOP-14077?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362666#comment-16362666
 ] 

Eric Yang commented on HADOOP-14077:
------------------------------------

[~yuanbo] Hadoop Security team has brought to my attention that this feature 
has potential to weaken security.  When user is not authorized in the first 
proxy user list, the Authorization exception is captured and return null.  This 
allows the second proxy list to be checked if user chain StaticUserWebFilter 
and another AuthenticationFilterWithProxyUser together per your comment in 
[HADOOP-14060|https://issues.apache.org/jira/browse/HADOOP-14060?focusedCommentId=15875737&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15875737].
  However, this procedure can trigger replay attack of using ProxyUser 
credential to fool other services because the end user credential is not 
authorized to use first proxy user in the first place.  Given this reason, I 
have no choice but revert this commit.  Sorry that I missed to spot the problem 
in the first round of review.  

When reverting this change, this may impact managed service, like the cluster 
system administrator and users are from two companies.  You may need to review 
if your clusters depend on this feature.

> Improve the patch of HADOOP-13119
> ---------------------------------
>
>                 Key: HADOOP-14077
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14077
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Yuanbo Liu
>            Assignee: Yuanbo Liu
>            Priority: Major
>             Fix For: 3.0.0-alpha4
>
>         Attachments: HADOOP-14077.001.patch, HADOOP-14077.002.patch, 
> HADOOP-14077.003.patch
>
>
> For some links(such as "/jmx, /stack"), blocking the links in filter chain 
> due to impersonation issue is not friendly for users. For example, user "sam" 
> is not allowed to be impersonated by user "knox", and the link "/jmx" doesn't 
> need any user to do authorization by default. It only needs user "knox" to do 
> authentication, in this case, it's not right to  block the access in SPNEGO 
> filter. We intend to check impersonation permission when the method 
> "getRemoteUser" of request is used, so that such kind of links("/jmx, 
> /stack") would not be blocked by mistake.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to