[
https://issues.apache.org/jira/browse/HBASE-13085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14334163#comment-14334163
]
Hadoop QA commented on HBASE-13085:
-----------------------------------
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12700266/HBASE-13085-0.98.patch
against 0.98 branch at commit e405017a31a9253e5eecdd5cc2ba43ab182e16a0.
ATTACHMENT ID: 12700266
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:red}-1 tests included{color}. The patch doesn't appear to include
any new or modified tests.
Please justify why no new tests are needed for this
patch.
Also please list what manual steps were performed to
verify this patch.
{color:green}+1 hadoop versions{color}. The patch compiles with all
supported hadoop versions (2.4.1 2.5.2 2.6.0)
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:red}-1 javadoc{color}. The javadoc tool appears to have generated
25 warning messages.
{color:green}+1 checkstyle{color}. The applied patch does not increase the
total number of checkstyle errors
{color:red}-1 findbugs{color}. The patch appears to introduce 4 new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:green}+1 lineLengths{color}. The patch does not introduce lines
longer than 100
{color:green}+1 site{color}. The mvn site goal succeeds with this patch.
{color:green}+1 core tests{color}. The patch passed unit tests in .
Test results:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//testReport/
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//artifact/patchprocess/newPatchFindbugsWarningshbase-prefix-tree.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//artifact/patchprocess/newPatchFindbugsWarningshbase-examples.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//artifact/patchprocess/newPatchFindbugsWarningshbase-common.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//artifact/patchprocess/newPatchFindbugsWarningshbase-annotations.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop-compat.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//artifact/patchprocess/newPatchFindbugsWarningshbase-rest.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//artifact/patchprocess/newPatchFindbugsWarningshbase-client.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//artifact/patchprocess/newPatchFindbugsWarningshbase-thrift.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//artifact/patchprocess/newPatchFindbugsWarningshbase-protocol.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//artifact/patchprocess/newPatchFindbugsWarningshbase-server.html
Findbugs warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//artifact/patchprocess/newPatchFindbugsWarningshbase-hadoop2-compat.html
Checkstyle Errors:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//artifact/patchprocess/checkstyle-aggregate.html
Javadoc warnings:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//artifact/patchprocess/patchJavadocWarnings.txt
Console output:
https://builds.apache.org/job/PreCommit-HBASE-Build/12942//console
This message is automatically generated.
> Security issue in the implementation of Rest gataway 'doAs' proxy user support
> ------------------------------------------------------------------------------
>
> Key: HBASE-13085
> URL: https://issues.apache.org/jira/browse/HBASE-13085
> Project: HBase
> Issue Type: Bug
> Components: REST, security
> Affects Versions: 1.0.0, 2.0.0, 0.98.10
> Reporter: Jerry He
> Assignee: Jerry He
> Priority: Critical
> Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.11
>
> Attachments: HBASE-13085-0.98.patch
>
>
> When 'hbase.rest.support.proxyuser' is turned on, HBase Rest gateway support
> 'doAs' proxy user from the Rest client.
> The current implementation checks to see if the 'rest server user' is
> authorized to impersonate the 'doAs' user (the user in the 'doAs' Rest query
> string).
> {code}
> if (doAsUserFromQuery != null) {
> Configuration conf = servlet.getConfiguration();
> if (!servlet.supportsProxyuser()) {
> throw new ServletException("Support for proxyuser is not configured");
> }
> UserGroupInformation ugi = servlet.getRealUser();
> // create and attempt to authorize a proxy user (the client is
> attempting
> // to do proxy user)
> ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
> // validate the proxy user authorization
> try {
> ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
> } catch(AuthorizationException e) {
> throw new ServletException(e.getMessage());
> }
> servlet.setEffectiveUser(doAsUserFromQuery);
> }
> {code}
> The current implementation allows anyone from the rest client side to
> impersonate another user by 'doAs'.
> For example, potentially, 'user1' can 'doAs=admin'
> The correct implementation should check to see if the rest client user is
> authorized to do impersonation.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
