Brahma Reddy Battula created HDFS-17941:
-------------------------------------------
Summary: Delegation token leaked in DataNode WebHDFS request log
Key: HDFS-17941
URL: https://issues.apache.org/jira/browse/HDFS-17941
Project: Hadoop HDFS
Issue Type: Bug
Components: datanode, webhdfs
Affects Versions: 3.4.1
Reporter: Brahma Reddy Battula
{code:java}
hadoop-hdfs-project/hadoop-hdfs/.../datanode/web/webhdfs/WebHdfsHandler.java:147{code}
The DataNode WebHDFS access logger writes the full request URI, including the
delegation= query parameter, in cleartext:
{code:java}
{code:java}
REQLOG.info(host + " " + req.method() + " " + req.uri() + " " +
getResponseCode());
{code}{code}
WebHDFS passes the delegation token as a URL query parameter
(?...&delegation=<token>). Anyone with read access to the datanode.webhdfs log
(operators, log aggregation/SIEM, backups) obtains valid, often still-live,
delegation tokens that can
be replayed to impersonate the user.
*Proposed fix:* redact the delegation value before logging, e.g. a helper
that applies uri.replaceAll("([?&]delegation=)[^&]*", "$1REDACTED") and log the
redacted URI instead of req.uri(). Other tokens/secrets in query strings (e.g.
signatures)
should be considered for the same treatment
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]