He Xiaoqiao created HADOOP-15922:
------------------------------------
Summary: DelegationTokenAuthenticationFilter get wrong doAsUser since it does not decode URL
Key: HADOOP-15922
URL: https://issues.apache.org/jira/browse/HADOOP-15922
Project: Hadoop Common
Issue Type: Bug
Components: common, kms
Reporter: He Xiaoqiao
Assignee: He Xiaoqiao
DelegationTokenAuthenticationFilter gets the wrong doAsUser when the proxy user from
the client is a complete Kerberos name (e.g., user/[email protected], which is actually
acceptable), because DelegationTokenAuthenticationFilter does not decode the DOAS
parameter in the URL, which is encoded by {{URLEncoder}} at the client.
Taking KMS as an example:
a. KMSClientProvider creates a connection to the KMS Server using
DelegationTokenAuthenticatedURL#openConnection.
b. If KMSClientProvider is a doAsUser, KMSClientProvider will put {{doas}} with
the URL-encoded user as one parameter of the HTTP request.
{code:java}
// proxyuser
if (doAs != null) {
  extraParams.put(DO_AS, URLEncoder.encode(doAs, "UTF-8"));
}
{code}
c. When the KMS server receives the request, it does not decode the proxy user.
As a result, the KMS Server will get the wrong proxy user if this proxy user is a
complete Kerberos name or includes some special characters. Other
authentication and authorization exceptions will be thrown after it.