[
https://issues.apache.org/jira/browse/HADOOP-16314?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Prabhu Joseph updated HADOOP-16314:
-----------------------------------
Attachment: HADOOP-16314-007.patch
> Make sure all end point URL is covered by the same AuthenticationFilter
> -----------------------------------------------------------------------
>
> Key: HADOOP-16314
> URL: https://issues.apache.org/jira/browse/HADOOP-16314
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Reporter: Eric Yang
> Assignee: Prabhu Joseph
> Priority: Major
> Attachments: HADOOP-16314-001.patch, HADOOP-16314-002.patch,
> HADOOP-16314-003.patch, HADOOP-16314-004.patch, HADOOP-16314-005.patch,
> HADOOP-16314-006.patch, HADOOP-16314-007.patch, Hadoop Web Security.xlsx,
> scan.txt
>
>
> In the enclosed spreadsheet, it shows the list of web applications deployed
> by Hadoop, and filters applied to each entry point.
> Hadoop web protocol impersonation has been inconsistent. Most of entry point
> do not support ?doAs parameter. This creates problem for secure gateway like
> Knox to proxy Hadoop web interface on behave of the end user. When the
> receiving end does not check for ?doAs flag, web interface would be accessed
> using proxy user credential. This can lead to all kind of security holes
> using path traversal to exploit Hadoop.
> In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as solution to
> solve the web impersonation problem. This task is to track changes required
> in Hadoop code base to apply authentication filter globally for each of the
> web service port.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
