[https://issues.apache.org/jira/browse/HADOOP-15896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16673580#comment-16673580]
Daryn Sharp commented on HADOOP-15896:
--------------------------------------
Let's unpack the description: Other than guilt through association, kerberos
service principal validation is irrelevant to JWT. We need to be careful to
not conflate service principal validation with proxy users. These are
completely independent concepts. Authenticators authenticate, they do not
implement the authorization of proxy users.
The only nugget of truth in the description is the host in a service principal
isn't validated as the remote peer.
> Refine Kerberos based AuthenticationHandler to check proxyuser ACL
> ------------------------------------------------------------------
>
> Key: HADOOP-15896
> URL: https://issues.apache.org/jira/browse/HADOOP-15896
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.8.0, 3.0.0-alpha1
> Reporter: Eric Yang
> Assignee: Larry McCay
> Priority: Major
>
> JWTRedirectAuthenticationHandler is based on KerberosAuthenticationHandler,
> and the authentication method in KerberosAuthenticationHandler basically does this:
> {code}
> String clientPrincipal = gssContext.getSrcName().toString();
> KerberosName kerberosName = new KerberosName(clientPrincipal);
> String userName = kerberosName.getShortName();
> token = new AuthenticationToken(userName, clientPrincipal, getType());
> response.setStatus(HttpServletResponse.SC_OK);
> LOG.trace("SPNEGO completed for client principal [{}]", clientPrincipal);
> {code}
> It obtains the short name of the client principal and responds OK. This is
> fine for verifying an end user. However, in the proxy user case (Knox), this
> authentication is insufficient because the Knox principal name is
> knox/[email protected]. KerberosAuthenticationHandler will
> gladly confirm that knox is knox, even if
> knox/[email protected] is used from the botnet.rogueresearchlab.tld
> host. KerberosAuthenticationHandler may not need to change if it does not
> plan to support proxying and ignores the instance name of the Kerberos principal.
> JWTRedirectAuthenticationHandler, however, is designed for the proxy use case.
> It should check that the remote host matches the clientPrincipal instance name;
> without this check, it makes Kerberos vulnerable.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
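The two checks the thread separates, as an added illustration in Python rather than Hadoop's Java (this is not Hadoop or Knox code): first the peer-host check the issue asks for (does the instance part of primary/instance@REALM name the remote peer), then the proxyuser ACL decision the comment says belongs to authorization, not to the authenticator. Host names, the ACL layout and the IP ranges are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Kerberos principal shape: primary[/instance]@REALM
PRINCIPAL_RE = re.compile(r"^([^/@]+)(?:/([^@]+))?@([^@]+)$")

def parse_principal(principal):
    """Split 'primary/instance@REALM' into (primary, instance, realm); instance may be None."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError("malformed principal: %r" % principal)
    return m.groups()

def instance_matches_peer(principal, peer_names):
    """Peer-host check: the principal's instance must name the remote peer.
    peer_names is what the caller resolved the remote address to (passed in as
    data so this runs offline). A principal without an instance cannot pass."""
    _, instance, _ = parse_principal(principal)
    if instance is None:
        return False
    def norm(h):
        return h.lower().rstrip(".")
    return any(norm(instance) == norm(h) for h in peer_names)

def proxy_user_allowed(acl, proxy_short_name, target_user, peer_ip):
    """Separate authorization step, hadoop.proxyuser-style: the ACL is keyed by
    the proxy's short name and lists which users it may impersonate and from
    which hosts (IPs or CIDRs). '*' means any. Missing entry means denied."""
    entry = acl.get(proxy_short_name)
    if entry is None:
        return False
    users_ok = entry["users"] == "*" or target_user in entry["users"]
    if entry["hosts"] == "*":
        hosts_ok = True
    else:
        addr = ip_address(peer_ip)
        hosts_ok = any(addr in ip_network(h, strict=False) for h in entry["hosts"])
    return users_ok and hosts_ok

# Constructed sample ACL (placeholder network, not a real deployment).
SAMPLE_ACL = {"knox": {"users": {"alice", "bob"}, "hosts": ["10.0.1.0/24"]}}

def authenticate_and_authorize(principal, peer_names, peer_ip, acl, target_user):
    """Run both checks in order; returns (stage, ok) so the failing stage is visible."""
    if not instance_matches_peer(principal, peer_names):
        return ("peer-host", False)
    short_name = parse_principal(principal)[0]
    return ("proxyuser-acl", proxy_user_allowed(acl, short_name, target_user, peer_ip))
```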