[ https://issues.apache.org/jira/browse/HADOOP-15896?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Yang updated HADOOP-15896:
-------------------------------
    Description: 
JWTRedirectAuthenticationHandler is based on KerberosAuthenticationHandler, and 
the authentication method in KerberosAuthenticationHandler basically does this:

{code}
// Principal of the client that completed SPNEGO, e.g. knox/<host>@<REALM>
String clientPrincipal = gssContext.getSrcName().toString();
KerberosName kerberosName = new KerberosName(clientPrincipal);
// Short name after auth_to_local mapping: knox/<host>@<REALM> becomes knox
String userName = kerberosName.getShortName();
token = new AuthenticationToken(userName, clientPrincipal, getType());
response.setStatus(HttpServletResponse.SC_OK);
LOG.trace("SPNEGO completed for client principal [{}]",
    clientPrincipal);
{code}

It obtains the short name of the client principal and responds OK.  This is 
fine for verifying an end user.  However, in the proxy user case (knox), this 
authentication is insufficient because the knox principal name is 
knox/[email protected] .  KerberosAuthenticationHandler will gladly 
confirm that knox is knox, even if knox/[email protected] is used from 
the botnet.rogueresearchlab.tld host.  KerberosAuthenticationHandler may not 
need to change if it does not plan to support proxy and ignores the instance 
name of the Kerberos principal.  JWTRedirectAuthenticationHandler, which is 
designed for the proxy use case, should check that the remote host matches the 
clientPrincipal instance name; without this check, it makes Kerberos vulnerable.

  was:
JWTRedirectAuthenticationHandler is based on KerberosAuthenticationHandler, and 
the authentication method in KerberosAuthenticationHandler basically does this:

{code}
// Principal of the client that completed SPNEGO, e.g. knox/<host>@<REALM>
String clientPrincipal = gssContext.getSrcName().toString();
KerberosName kerberosName = new KerberosName(clientPrincipal);
// Short name after auth_to_local mapping: knox/<host>@<REALM> becomes knox
String userName = kerberosName.getShortName();
token = new AuthenticationToken(userName, clientPrincipal, getType());
response.setStatus(HttpServletResponse.SC_OK);
LOG.trace("SPNEGO completed for client principal [{}]",
    clientPrincipal);
{code}

It obtains the short name of the client principal and responds OK.  This is 
fine for verifying an end user.  However, in the proxy user case (knox), this 
authentication is insufficient because the knox principal name is 
knox/[email protected] .  KerberosAuthenticationHandler will gladly 
confirm that knox is knox, even if knox/[email protected] is used from 
the botnet.rogueresearchlab.tld host.  KerberosAuthenticationHandler does not 
need to change, but additional authentication against the proxy user list 
should take place in JWTRedirectAuthenticationHandler to properly fulfill the 
proxy use case.
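As an added illustration of the check the description asks for (this is not code from the issue or from Hadoop; the class, method, host names and addresses are hypothetical), the following Java sketch parses a principal into primary, instance and realm, forward-resolves the instance host and requires the request's source address to be one of that host's addresses, and then applies a proxy-user host ACL in the spirit of the proxy user list mentioned above:

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

/**
 * Added illustration, not Hadoop code: a proxy request is accepted only when the
 * host in the service principal's instance is the host the request came from,
 * and the short name is on a proxy-user ACL for that host.
 */
public class ProxyPrincipalCheck {

    /** Components of a Kerberos principal "primary/instance@REALM". */
    static final class Principal {
        final String primary;
        final String instance; // empty for user principals such as alice@REALM
        final String realm;

        Principal(String primary, String instance, String realm) {
            this.primary = primary;
            this.instance = instance;
            this.realm = realm;
        }
    }

    /** Splits "knox/gateway.example.com@EXAMPLE.COM" into its three parts. */
    static Principal parse(String principal) {
        int at = principal.lastIndexOf('@');
        if (at <= 0 || at == principal.length() - 1) {
            throw new IllegalArgumentException("principal lacks a realm: " + principal);
        }
        String realm = principal.substring(at + 1);
        String local = principal.substring(0, at);
        int slash = local.indexOf('/');
        if (slash < 0) {
            return new Principal(local, "", realm);
        }
        return new Principal(local.substring(0, slash), local.substring(slash + 1), realm);
    }

    /**
     * The instance host named in the principal is forward-resolved (the resolver is
     * injected so this runs offline) and the request's source address must be one of
     * its addresses. Reverse DNS of the source address is deliberately not used,
     * because the client's network controls that answer.
     */
    static boolean instanceMatchesRemoteAddr(Principal p, String remoteAddr,
                                             Function<String, Set<String>> forwardResolve) {
        if (p.instance.isEmpty()) {
            return false; // a user principal carries no host to verify
        }
        Set<String> addrs = forwardResolve.apply(p.instance.toLowerCase(Locale.ROOT));
        return addrs != null && addrs.contains(remoteAddr);
    }

    /**
     * Proxy-user ACL keyed by short name, listing the addresses a proxy may call
     * from; "*" permits any address. Hypothetical shape, modelled on a hosts list.
     */
    static boolean proxyAclPermits(Principal p, String remoteAddr,
                                   Map<String, Set<String>> proxyUserHosts) {
        Set<String> hosts = proxyUserHosts.get(p.primary);
        return hosts != null && (hosts.contains("*") || hosts.contains(remoteAddr));
    }

    /** Combined decision: both the instance check and the ACL must pass. */
    static boolean acceptProxyRequest(String principal, String remoteAddr,
                                      Function<String, Set<String>> forwardResolve,
                                      Map<String, Set<String>> proxyUserHosts) {
        Principal p = parse(principal);
        return instanceMatchesRemoteAddr(p, remoteAddr, forwardResolve)
            && proxyAclPermits(p, remoteAddr, proxyUserHosts);
    }

    public static void main(String[] args) {
        // Constructed DNS view and ACL; host names and addresses are made up.
        Map<String, Set<String>> dns = new HashMap<>();
        dns.put("gateway.example.com", Collections.singleton("10.0.0.5"));
        Function<String, Set<String>> resolver = dns::get;

        Map<String, Set<String>> acl = new HashMap<>();
        acl.put("knox", Collections.singleton("10.0.0.5"));

        String knox = "knox/gateway.example.com@EXAMPLE.COM";
        // Same credential presented from the gateway host and from elsewhere.
        System.out.println("from gateway:  " + acceptProxyRequest(knox, "10.0.0.5", resolver, acl));
        System.out.println("from elsewhere: " + acceptProxyRequest(knox, "198.51.100.7", resolver, acl));
        // The short-name view alone cannot tell the two apart.
        System.out.println("short name:    " + parse(knox).primary);
        // A plain user principal has no instance and is never accepted as a proxy.
        System.out.println("user as proxy: "
            + acceptProxyRequest("alice@EXAMPLE.COM", "10.0.0.5", resolver, acl));
    }
}
```

Run it with `java ProxyPrincipalCheck.java`. The knox credential is accepted from 10.0.0.5, the only address the constructed resolver returns for gateway.example.com, and rejected from 198.51.100.7, even though parse() yields the short name knox in both cases; the user principal without an instance is rejected as a proxy. Resolving the instance forward and comparing to the socket address, rather than trusting a reverse lookup of the client, is the design choice that keeps the check out of the client's hands.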


> Refine Kerberos based AuthenticationHandler to check proxyuser ACL
> ------------------------------------------------------------------
>
>                 Key: HADOOP-15896
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15896
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>            Reporter: Eric Yang
>            Priority: Major
>
> JWTRedirectAuthenticationHandler is based on KerberosAuthenticationHandler, 
> and the authentication method in KerberosAuthenticationHandler basically does this:
> {code}
> // Principal of the client that completed SPNEGO, e.g. knox/<host>@<REALM>
> String clientPrincipal = gssContext.getSrcName().toString();
> KerberosName kerberosName = new KerberosName(clientPrincipal);
> // Short name after auth_to_local mapping: knox/<host>@<REALM> becomes knox
> String userName = kerberosName.getShortName();
> token = new AuthenticationToken(userName, clientPrincipal, getType());
> response.setStatus(HttpServletResponse.SC_OK);
> LOG.trace("SPNEGO completed for client principal [{}]",
>     clientPrincipal);
> {code}
> It obtains the short name of the client principal and responds OK.  This is 
> fine for verifying an end user.  However, in the proxy user case (knox), this 
> authentication is insufficient because the knox principal name is 
> knox/[email protected] .  KerberosAuthenticationHandler will 
> gladly confirm that knox is knox, even if 
> knox/[email protected] is used from the botnet.rogueresearchlab.tld 
> host.  KerberosAuthenticationHandler may not need to change if it does not 
> plan to support proxy and ignores the instance name of the Kerberos principal.  
> JWTRedirectAuthenticationHandler, which is designed for the proxy use case, 
> should check that the remote host matches the clientPrincipal instance name; 
> without this check, it makes Kerberos vulnerable.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
