[ 
https://issues.apache.org/jira/browse/HDFS-17941?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Brahma Reddy Battula updated HDFS-17941:
----------------------------------------
    Description: 
WebHdfsHandler logs the raw request URI, exposing the delegation token in 
DataNode access logs (CWE-532)
{code:java}
hadoop-hdfs-project/hadoop-hdfs/.../datanode/web/webhdfs/WebHdfsHandler.java:147{code}
  The DataNode WebHDFS access logger writes the full request URI, including the 
delegation= query parameter, in cleartext:
{code:java}
  {code:java}
  REQLOG.info(host + " " + req.method() + " "  + req.uri() + " " +
      getResponseCode());
  {code}
WebHDFS passes the delegation token as a URL query parameter 
(?...&delegation=<token>). Anyone with read access to the datanode.webhdfs log 
(operators, log aggregation/SIEM, backups) obtains valid, often still-live, 
delegation tokens that can
  be replayed to impersonate the user.

  *Proposed fix:* redact the delegation value before logging, e.g. a helper 
that applies uri.replaceAll("([?&]delegation=)[^&]*", "$1REDACTED") and log the 
redacted URI instead of req.uri(). Other tokens/secrets in query strings (e.g. 
signatures)
  should be considered for the same treatment

  was:
{code:java}
hadoop-hdfs-project/hadoop-hdfs/.../datanode/web/webhdfs/WebHdfsHandler.java:147{code}
  The DataNode WebHDFS access logger writes the full request URI, including the 
delegation= query parameter, in cleartext:
{code:java}
  {code:java}
  REQLOG.info(host + " " + req.method() + " "  + req.uri() + " " +
      getResponseCode());
  {code}
WebHDFS passes the delegation token as a URL query parameter 
(?...&delegation=<token>). Anyone with read access to the datanode.webhdfs log 
(operators, log aggregation/SIEM, backups) obtains valid, often still-live, 
delegation tokens that can
  be replayed to impersonate the user.

  *Proposed fix:* redact the delegation value before logging, e.g. a helper 
that applies uri.replaceAll("([?&]delegation=)[^&]*", "$1REDACTED") and log the 
redacted URI instead of req.uri(). Other tokens/secrets in query strings (e.g. 
signatures)
  should be considered for the same treatment


> Delegation token leaked in DataNode WebHDFS request log
> -------------------------------------------------------
>
>                 Key: HDFS-17941
>                 URL: https://issues.apache.org/jira/browse/HDFS-17941
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, webhdfs
>    Affects Versions: 3.4.1
>            Reporter: Brahma Reddy Battula
>            Assignee: Brahma Reddy Battula
>            Priority: Major
>
> WebHdfsHandler logs the raw request URI, exposing the delegation token in 
> DataNode access logs (CWE-532)
> {code:java}
> hadoop-hdfs-project/hadoop-hdfs/.../datanode/web/webhdfs/WebHdfsHandler.java:147{code}
>   The DataNode WebHDFS access logger writes the full request URI, including 
> the delegation= query parameter, in cleartext:
> {code:java}
>   {code:java}
>   REQLOG.info(host + " " + req.method() + " "  + req.uri() + " " +
>       getResponseCode());
>   {code}
> WebHDFS passes the delegation token as a URL query parameter 
> (?...&delegation=<token>). Anyone with read access to the datanode.webhdfs 
> log (operators, log aggregation/SIEM, backups) obtains valid, often 
> still-live, delegation tokens that can
>   be replayed to impersonate the user.
>   *Proposed fix:* redact the delegation value before logging, e.g. a helper 
> that applies uri.replaceAll("([?&]delegation=)[^&]*", "$1REDACTED") and log 
> the redacted URI instead of req.uri(). Other tokens/secrets in query strings 
> (e.g. signatures)
>   should be considered for the same treatment



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to