Hi Knox experts,

I have my environment running with Knox 0.12.0 already, but I am still getting the same impersonate warning messages as shown below:

    2018-02-22 21:14:39,671 WARN hadoop.gateway (IdentityAsserterHttpServletRequestWrapper.java:scrubOfExistingPrincipalParams(199)) - Possible identity spoofing attempt - impersonation parameter removed: user.name

The way I produce this: first I make a request to create a file,

    url='https://' + hostip + ':8443/gateway/default/webhdfs/v1/user/clsadmin/test/' + filetag + '_' + str(num) + '.txt?op=CREATE&overwrite=true'
    req=requests.put(url,verify=False,auth=(user,pwd),allow_redirects=False)

The above put request will not trigger any warning messages like that. Then I have the following request to put some data into the file:

    location=req.headers['Location']
    with open(dataFile) as mydata:
        newreq=requests.put(location,verify=False,auth=(user, pwd), data=mydata)

This second request will trigger the warning message mentioned above.

Is this an issue, or what's the recommended approach to avoid the warning?

Thanks a lot!
- Yongli

On 2017/05/26 18:26:44, larry mccay <l...@apache.org> wrote:
> CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> All versions of Apache Knox prior to 0.12.0
>
> An authenticated user may use a specially crafted URL to impersonate another
> user while accessing WebHDFS through Apache Knox. This may result in
> escalated privileges and unauthorized data access. While this activity is
> audit logged and can be easily associated with the authenticated user, this
> is still a serious security issue.
>
> Mitigation:
> All users are recommended to upgrade to Apache Knox 0.12.0,
> where validation, scrubbing and logging of such attempts has been added.
>
> The Apache Knox 0.12.0 release can be downloaded from:
> Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip
> Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip

Best regards,
Yongli An
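As an added example, not part of Yongli's post or of the Knox project's code, the following Python script walks the same two-step WebHDFS CREATE flow as the question, but strips any principal-asserting query parameter from the redirect Location before the data PUT is sent, so the client does not echo back a `user.name` value that the gateway would then scrub and log. It also includes a small parser for the WARN line quoted above, so the warnings can be pulled out of gateway logs and counted. Assumptions: standard library only; the `put` callable stands in for `requests.put` and is injected so the flow runs without a cluster; the gateway host, paths and the sample Location are constructed; and `user.name` (the parameter named in the warning) is treated as the only principal parameter, which is an assumption rather than a statement about the Knox identity asserter's full list.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters the gateway treats as an identity assertion and strips.
# "user.name" is the one named in the quoted WARN line; making it the only
# entry here is an assumption for this example.
PRINCIPAL_PARAMS = frozenset({"user.name"})

# Shape of the Knox identity-asserter warning quoted in the question.
WARN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) WARN .*?Possible identity spoofing attempt - "
    r"impersonation parameter removed: (?P<param>\S+)"
)


def scrub_principal_params(url, names=PRINCIPAL_PARAMS):
    """Drop principal-asserting query parameters from url.

    Returns (clean_url, removed): removed is the list of (name, value) pairs
    taken out; every other parameter keeps its order and value.
    """
    parts = urlsplit(url)
    kept, removed = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        (removed if name in names else kept).append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), removed


def two_step_create(put, create_url, data, **kw):
    """WebHDFS CREATE through the gateway, as in the question.

    put is any callable with the signature of requests.put (assumed; it is
    injected so the flow can be exercised without a cluster).  The first PUT
    is sent with allow_redirects=False so the Location can be inspected and
    cleaned before the data is uploaded.
    """
    first = put(create_url, allow_redirects=False, **kw)
    location = first.headers["Location"]
    clean_location, removed = scrub_principal_params(location)
    second = put(clean_location, data=data, **kw)
    return second, removed


def parse_spoofing_warning(line):
    """Return {'ts', 'param'} for a scrub warning line, else None."""
    m = WARN_RE.search(line)
    if m is None:
        return None
    return {"ts": m.group("ts"), "param": m.group("param")}


# ---- constructed sample data for a stand-alone run ------------------------

class _FakeResponse:
    """Minimal stand-in for a requests.Response."""

    def __init__(self, status_code, headers=None):
        self.status_code = status_code
        self.headers = headers or {}


# Constructed Location a datanode redirect might carry back through the
# gateway (host, path and parameter values are made up).
SAMPLE_LOCATION = ("https://gw.example:8443/gateway/default/webhdfs/data/v1"
                   "/user/clsadmin/test/f_1.txt?op=CREATE&overwrite=true"
                   "&user.name=clsadmin")

# The WARN line from the question, used as sample log input.
SAMPLE_WARN = ("2018-02-22 21:14:39,671 WARN hadoop.gateway "
               "(IdentityAsserterHttpServletRequestWrapper.java:"
               "scrubOfExistingPrincipalParams(199)) - Possible identity "
               "spoofing attempt - impersonation parameter removed: user.name")

SAMPLE_CREATE_URL = ("https://gw.example:8443/gateway/default/webhdfs/v1"
                     "/user/clsadmin/test/f_1.txt?op=CREATE&overwrite=true")


def fake_put(url, **kw):
    """Stand-in for requests.put: 307 with Location on step one, 201 after."""
    if kw.get("allow_redirects") is False:
        return _FakeResponse(307, {"Location": SAMPLE_LOCATION})
    return _FakeResponse(201)


def demo():
    """Run the flow against the fakes; returns (upload status, removed params)."""
    resp, removed = two_step_create(fake_put, SAMPLE_CREATE_URL, b"hello")
    print("upload status:", resp.status_code, "params dropped:", removed)
    print("warning parsed:", parse_spoofing_warning(SAMPLE_WARN))
    return resp.status_code, removed


if __name__ == "__main__":
    demo()
```

The scrub is a client-side tidy-up only: the gateway keeps validating and removing principal parameters on every request regardless, and the WARN line is what a log check should key on if the count of removed parameters per authenticated user rises beyond what the redirect flow explains.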