[
https://issues.apache.org/jira/browse/HDFS-17941?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Brahma Reddy Battula updated HDFS-17941:
----------------------------------------
Description:
WebHdfsHandler logs the raw request URI, exposing the delegation token in
DataNode access logs (CWE-532)
{code:java}
hadoop-hdfs-project/hadoop-hdfs/.../datanode/web/webhdfs/WebHdfsHandler.java:147{code}
The DataNode WebHDFS access logger writes the full request URI, including the
delegation= query parameter, in cleartext:
{code:java}
{code:java}
REQLOG.info(host + " " + req.method() + " " + req.uri() + " " +
getResponseCode());
{code}
WebHDFS passes the delegation token as a URL query parameter
(?...&delegation=<token>). Anyone with read access to the datanode.webhdfs log
(operators, log aggregation/SIEM, backups) obtains valid, often still-live,
delegation tokens that can
be replayed to impersonate the user.
*Proposed fix:* redact the delegation value before logging, e.g. a helper
that applies uri.replaceAll("([?&]delegation=)[^&]*", "$1REDACTED") and log the
redacted URI instead of req.uri(). Other tokens/secrets in query strings (e.g.
signatures)
should be considered for the same treatment
was:
{code:java}
hadoop-hdfs-project/hadoop-hdfs/.../datanode/web/webhdfs/WebHdfsHandler.java:147{code}
The DataNode WebHDFS access logger writes the full request URI, including the
delegation= query parameter, in cleartext:
{code:java}
{code:java}
REQLOG.info(host + " " + req.method() + " " + req.uri() + " " +
getResponseCode());
{code}
WebHDFS passes the delegation token as a URL query parameter
(?...&delegation=<token>). Anyone with read access to the datanode.webhdfs log
(operators, log aggregation/SIEM, backups) obtains valid, often still-live,
delegation tokens that can
be replayed to impersonate the user.
*Proposed fix:* redact the delegation value before logging, e.g. a helper
that applies uri.replaceAll("([?&]delegation=)[^&]*", "$1REDACTED") and log the
redacted URI instead of req.uri(). Other tokens/secrets in query strings (e.g.
signatures)
should be considered for the same treatment
> Delegation token leaked in DataNode WebHDFS request log
> -------------------------------------------------------
>
> Key: HDFS-17941
> URL: https://issues.apache.org/jira/browse/HDFS-17941
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: datanode, webhdfs
> Affects Versions: 3.4.1
> Reporter: Brahma Reddy Battula
> Assignee: Brahma Reddy Battula
> Priority: Major
>
> WebHdfsHandler logs the raw request URI, exposing the delegation token in
> DataNode access logs (CWE-532)
> {code:java}
> hadoop-hdfs-project/hadoop-hdfs/.../datanode/web/webhdfs/WebHdfsHandler.java:147{code}
> The DataNode WebHDFS access logger writes the full request URI, including
> the delegation= query parameter, in cleartext:
> {code:java}
> {code:java}
> REQLOG.info(host + " " + req.method() + " " + req.uri() + " " +
> getResponseCode());
> {code}
> WebHDFS passes the delegation token as a URL query parameter
> (?...&delegation=<token>). Anyone with read access to the datanode.webhdfs
> log (operators, log aggregation/SIEM, backups) obtains valid, often
> still-live, delegation tokens that can
> be replayed to impersonate the user.
> *Proposed fix:* redact the delegation value before logging, e.g. a helper
> that applies uri.replaceAll("([?&]delegation=)[^&]*", "$1REDACTED") and log
> the redacted URI instead of req.uri(). Other tokens/secrets in query strings
> (e.g. signatures)
> should be considered for the same treatment
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]