[
https://issues.apache.org/jira/browse/HADOOP-16314?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Eric Yang updated HADOOP-16314:
-------------------------------
Component/s: security
> Make sure all end point URL is covered by the same AuthenticationFilter
> -----------------------------------------------------------------------
>
> Key: HADOOP-16314
> URL: https://issues.apache.org/jira/browse/HADOOP-16314
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Reporter: Eric Yang
> Priority: Major
> Attachments: Hadoop Web Security.xlsx, scan.txt
>
>
> In the enclosed spreadsheet, it shows the list of web applications deployed
> by Hadoop, and filters applied to each entry point.
> Hadoop web protocol impersonation has been inconsistent. Most of entry point
> do not support ?doAs parameter. This creates problem for secure gateway like
> Knox to proxy Hadoop web interface on behave of the end user. When the
> receiving end does not check for ?doAs flag, web interface would be accessed
> using proxy user credential. This can lead to all kind of security holes
> using path traversal to exploit Hadoop.
> In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as solution to
> solve the web impersonation problem. This task is to track changes required
> in Hadoop code base to apply authentication filter globally for each of the
> web service port.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
