Brahma Reddy Battula created HDFS-17941:
-------------------------------------------

             Summary: Delegation token leaked in DataNode WebHDFS request log
                 Key: HDFS-17941
                 URL: https://issues.apache.org/jira/browse/HDFS-17941
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: datanode, webhdfs
    Affects Versions: 3.4.1
            Reporter: Brahma Reddy Battula


{code:java}
hadoop-hdfs-project/hadoop-hdfs/.../datanode/web/webhdfs/WebHdfsHandler.java:147{code}

  The DataNode WebHDFS access logger writes the full request URI, including the 
delegation= query parameter, in cleartext:
{code:java}
  {code:java}
  REQLOG.info(host + " " + req.method() + " "  + req.uri() + " " +
      getResponseCode());
  {code}{code}

  WebHDFS passes the delegation token as a URL query parameter 
(?...&delegation=<token>). Anyone with read access to the datanode.webhdfs log 
(operators, log aggregation/SIEM, backups) obtains valid, often still-live, 
delegation tokens that can
  be replayed to impersonate the user.

  *Proposed fix:* redact the delegation value before logging, e.g. a helper 
that applies uri.replaceAll("([?&]delegation=)[^&]*", "$1REDACTED") and log the 
redacted URI instead of req.uri(). Other tokens/secrets in query strings (e.g. 
signatures)
  should be considered for the same treatment



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to