[ 
https://issues.apache.org/jira/browse/HADOOP-15922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16705131#comment-16705131
 ] 

Eric Yang commented on HADOOP-15922:
------------------------------------

If doAs=john/admin, the difference between patch 004 and 005 is:

Patch 004 will result in:
|In flight value |Old Server|New Server|
|Old Client (john%252Fadmin)|john%2Fadmin|john/admin|
|New Client (john%252Fadmin)|john%2Fadmin|john/admin|

Patch 005 will result in:
|In flight value |Old Server|New Server|
|Old Client (john%252Fadmin)|john%2Fadmin|john%2Fadmin|
|New Client (john%2Fadmin)|john/admin|john/admin|

If the server stores the old DO_AS user in a database, this is an incompatible change: 
the server needs to handle the decoded values differently between new clients 
and old clients.  Mark this as an incompatible change as a precaution.

> DelegationTokenAuthenticationFilter get wrong doAsUser since it does not 
> decode URL
> -----------------------------------------------------------------------------------
>
>                 Key: HADOOP-15922
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15922
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common, kms
>            Reporter: He Xiaoqiao
>            Assignee: He Xiaoqiao
>            Priority: Major
>             Fix For: 3.3.0, 3.1.2, 3.2.1
>
>         Attachments: HADOOP-15922.001.patch, HADOOP-15922.002.patch, 
> HADOOP-15922.003.patch, HADOOP-15922.004.patch, HADOOP-15922.005.patch
>
>
> DelegationTokenAuthenticationFilter gets the wrong doAsUser when the proxy user from 
> the client is a complete Kerberos name (e.g., user/[email protected], which is actually 
> acceptable), because DelegationTokenAuthenticationFilter does not decode the 
> DOAS parameter in the URL, which is encoded by {{URLEncoder}} at the client.
> e.g. KMS as an example:
> a. KMSClientProvider creates a connection to the KMS Server using 
> DelegationTokenAuthenticatedURL#openConnection.
> b. If KMSClientProvider acts as a doAsUser, KMSClientProvider will put {{doas}} 
> with the URL-encoded user as one parameter of the HTTP request. 
> {code:java}
>     // proxyuser
>     if (doAs != null) {
>       extraParams.put(DO_AS, URLEncoder.encode(doAs, "UTF-8"));
>     }
> {code}
> c. When the KMS server receives the request, it does not decode the proxy user.
> As a result, the KMS Server will get the wrong proxy user if this proxy user is a 
> complete Kerberos name or includes some special character. Some other 
> authentication and authorization exceptions will be thrown after it.
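The two tables in the comment above and step (b) of the quoted description describe one mechanism: the doAs value is percent-encoded twice on the way out (once by {{URLEncoder}} in KMSClientProvider, once by the URL builder), decoded once by the servlet container, and then either decoded again by the filter (patch 004) or not (patch 005). The following Python model is an added illustration, not Hadoop code; it assumes the URL builder encodes every query parameter exactly once (that is what produces the john%252Fadmin "in flight" value) and that `request.getParameter` decodes exactly once. `quote(..., safe="")` stands in for java.net.URLEncoder, which also encodes '/'.

```python
"""Model of the doAs double-encoding discussed in HADOOP-15922 (added example)."""
from urllib.parse import quote, unquote

DO_AS = "doAs"  # query parameter name read by the filter


def client_in_flight(do_as: str, pre_encodes: bool) -> str:
    """Return the doAs value as it travels on the wire.

    pre_encodes=True models the old client (and the patch-004 client), which
    calls URLEncoder.encode(doAs, "UTF-8") before handing the value to the URL
    builder; pre_encodes=False models the patch-005 client, which passes the
    raw value. quote(..., safe="") percent-encodes '/' as URLEncoder does.
    """
    value = quote(do_as, safe="") if pre_encodes else do_as
    # Assumed layer: the URL builder percent-encodes each parameter once more,
    # so a pre-encoded '%2F' becomes '%252F' on the wire.
    return quote(value, safe="")


def server_do_as(in_flight: str, filter_decodes: bool) -> str:
    """Return the doAs value the server acts on.

    The container (request.getParameter) decodes once. filter_decodes=True
    models the patch-004 server, whose filter decodes a second time.
    """
    seen = unquote(in_flight)
    return unquote(seen) if filter_decodes else seen


def matrix(do_as: str, client_pre_encodes: dict, server_filter_decodes: dict) -> dict:
    """Cross every client behaviour with every server behaviour.

    Returns {(client, server): value_seen_by_server} plus
    {(client, "in flight"): wire_value}, mirroring the comment's tables.
    """
    out = {}
    for client, pre in client_pre_encodes.items():
        wire = client_in_flight(do_as, pre)
        out[(client, "in flight")] = wire
        for server, dec in server_filter_decodes.items():
            out[(client, server)] = server_do_as(wire, dec)
    return out


# Patch 004: clients unchanged (still pre-encode); the new server's filter decodes.
PATCH_004 = dict(
    client_pre_encodes={"old client": True, "new client": True},
    server_filter_decodes={"old server": False, "new server": True},
)
# Patch 005: the new client stops pre-encoding; the server filter is left alone.
PATCH_005 = dict(
    client_pre_encodes={"old client": True, "new client": False},
    server_filter_decodes={"old server": False, "new server": False},
)


def table_for(patch: dict, do_as: str = "john/admin") -> dict:
    """Reproduce one of the comment's tables for the given patch model."""
    return matrix(do_as, **patch)


def is_ambiguous_after_store(stored: str) -> bool:
    """Why the comment flags an incompatible change: a server that persisted the
    once-decoded value 'john%2Fadmin' cannot tell an old client's encoded
    'john/admin' from a principal literally named 'john%2Fadmin'. Decoding
    the stored value would alter it, so the two cases collide."""
    return unquote(stored) != stored


if __name__ == "__main__":
    for name, patch in (("004", PATCH_004), ("005", PATCH_005)):
        print(f"Patch {name}:")
        for (client, server), val in sorted(table_for(patch).items()):
            print(f"  {client:>10} -> {server:<10}: {val}")
```

Running it prints both tables from the comment; the `is_ambiguous_after_store` check is the reason a once-decoded value that has already been written to a database cannot be safely re-decoded later.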



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
