[ 
https://issues.apache.org/jira/browse/HDFS-17941?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Brahma Reddy Battula reassigned HDFS-17941:
-------------------------------------------

    Assignee: Brahma Reddy Battula

> Delegation token leaked in DataNode WebHDFS request log
> -------------------------------------------------------
>
>                 Key: HDFS-17941
>                 URL: https://issues.apache.org/jira/browse/HDFS-17941
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, webhdfs
>    Affects Versions: 3.4.1
>            Reporter: Brahma Reddy Battula
>            Assignee: Brahma Reddy Battula
>            Priority: Major
>
> {code:java}
> hadoop-hdfs-project/hadoop-hdfs/.../datanode/web/webhdfs/WebHdfsHandler.java:147{code}
>   The DataNode WebHDFS access logger writes the full request URI, including 
> the delegation= query parameter, in cleartext:
> {code:java}
>   {code:java}
>   REQLOG.info(host + " " + req.method() + " "  + req.uri() + " " +
>       getResponseCode());
>   {code}
> WebHDFS passes the delegation token as a URL query parameter 
> (?...&delegation=<token>). Anyone with read access to the datanode.webhdfs 
> log (operators, log aggregation/SIEM, backups) obtains valid, often 
> still-live, delegation tokens that can
>   be replayed to impersonate the user.
>   *Proposed fix:* redact the delegation value before logging, e.g. a helper 
> that applies uri.replaceAll("([?&]delegation=)[^&]*", "$1REDACTED") and log 
> the redacted URI instead of req.uri(). Other tokens/secrets in query strings 
> (e.g. signatures)
>   should be considered for the same treatment



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to