[ 
https://issues.apache.org/jira/browse/HBASE-13085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14334241#comment-14334241
 ] 

Jerry He commented on HBASE-13085:
----------------------------------

Thanks for the comment.

The issue is about the 'doAs' impersonation introduced in HBASE-9866.
I don't see this feature documented in the current documentation.
The part of the doc you mentioned is for the original Rest gateway 
impersonation, whose settings are still valid.
The overall documentation on Rest impersonation can be improved.  I can open 
another JIRA for that.

Yes, I have done testing on a Kerberos cluster with both types of impersonation.

> Security issue in the implementation of Rest gateway 'doAs' proxy user support
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-13085
>                 URL: https://issues.apache.org/jira/browse/HBASE-13085
>             Project: HBase
>          Issue Type: Bug
>          Components: REST, security
>    Affects Versions: 1.0.0, 2.0.0, 0.98.10
>            Reporter: Jerry He
>            Assignee: Jerry He
>            Priority: Critical
>             Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.11
>
>         Attachments: HBASE-13085-0.98.patch
>
>
> When 'hbase.rest.support.proxyuser' is turned on, HBase Rest gateway supports 
> 'doAs' proxy user from the Rest client.
> The current implementation checks to see if the 'rest server user' is 
> authorized to impersonate the 'doAs' user (the user in the 'doAs' Rest query 
> string).
> {code}
> if (doAsUserFromQuery != null) {
>       Configuration conf = servlet.getConfiguration();
>       if (!servlet.supportsProxyuser()) {
>         throw new ServletException("Support for proxyuser is not configured");
>       }
>       UserGroupInformation ugi = servlet.getRealUser();
>       // create and attempt to authorize a proxy user (the client is attempting
>       // to do proxy user)
>       ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
>       // validate the proxy user authorization
>       try {
>         ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
>       } catch(AuthorizationException e) {
>         throw new ServletException(e.getMessage());
>       }
>       servlet.setEffectiveUser(doAsUserFromQuery);
>     } 
> {code}
> The current implementation allows anyone from the rest client side to 
> impersonate another user by 'doAs'. 
> For example, potentially, 'user1' can 'doAs=admin'.
> The correct implementation should check to see if the rest client user is 
> authorized to do impersonation.
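
A simplified model of the two checks described in the issue above, added here as an example; it is not HBase or Hadoop code. The ACL, the principal names (`rest-server`, `gateway-svc`) and the address are constructed, and `authorize` is a hypothetical stand-in for the proxy-user authorization step.

```java
import java.util.Map;
import java.util.Set;

// Simplified model of the 'doAs' decision; not HBase or Hadoop code (needs Java 16+ for records).
public class DoAsCheckDemo {
    // Constructed rule: the users a "real" user may act for, and from which source hosts.
    record ProxyRule(Set<String> users, Set<String> hosts) {}

    // Constructed ACL. 'rest-server' is the REST server's own principal;
    // 'gateway-svc' is a client principal that is trusted to impersonate.
    static final Map<String, ProxyRule> ACL = Map.of(
        "rest-server", new ProxyRule(Set.of("admin", "user1"), Set.of("10.0.0.5")),
        "gateway-svc", new ProxyRule(Set.of("admin", "user1"), Set.of("10.0.0.5")));

    // Hypothetical stand-in for the authorization step: realUser must hold a rule
    // that covers both the requested 'doAs' user and the caller's address.
    static boolean authorize(String realUser, String doAs, String remoteAddr) {
        ProxyRule rule = ACL.get(realUser);
        return rule != null && rule.users().contains(doAs) && rule.hosts().contains(remoteAddr);
    }

    // Behaviour described in the issue: the real user is always the REST server's
    // user, so the authenticated client never enters the decision.
    static boolean checkAgainstServerUser(String client, String doAs, String remoteAddr) {
        return authorize("rest-server", doAs, remoteAddr);
    }

    // Behaviour the issue asks for: the authenticated REST client is the real user.
    static boolean checkAgainstClientUser(String client, String doAs, String remoteAddr) {
        return authorize(client, doAs, remoteAddr);
    }

    public static void main(String[] args) {
        String addr = "10.0.0.5"; // constructed client address
        for (String client : new String[] {"user1", "gateway-svc"}) {
            System.out.println(client + " doAs=admin, server-user check: "
                + checkAgainstServerUser(client, "admin", addr));
            System.out.println(client + " doAs=admin, client-user check: "
                + checkAgainstClientUser(client, "admin", addr));
        }
    }
}
```

The server-user check gives the same answer for `user1` and `gateway-svc`, because the client identity is not an input to it; only the client-user check tells the two apart.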


