[jira] [Commented] (HIVE-9934) Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to "none", allowing authentication without password

[Hive QA (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HIVE-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14358251#comment-14358251
 ] 

Hive QA commented on HIVE-9934:
-------------------------------



{color:green}Overall{color}: +1 all checks pass

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12704024/HIVE-9934.1.patch

{color:green}SUCCESS:{color} +1 7762 tests passed

Test results: 
http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/3012/testReport
Console output: 
http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/3012/console
Test logs: 
http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-3012/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12704024 - PreCommit-HIVE-TRUNK-Build

> Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to 
> degrade the authentication mechanism to "none", allowing authentication 
> without password
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-9934
>                 URL: https://issues.apache.org/jira/browse/HIVE-9934
>             Project: Hive
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.1.0
>            Reporter: Chao
>            Assignee: Chao
>         Attachments: HIVE-9934.1.patch
>
>
> Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to 
> degrade the authentication mechanism to "none", allowing authentication 
> without password.
> See: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html
> “If you supply an empty string, an empty byte/char array, or null to the 
> Context.SECURITY_CREDENTIALS environment property, then the authentication 
> mechanism will be "none". This is because the LDAP requires the password to 
> be nonempty for simple authentication. The protocol automatically converts 
> the authentication to "none" if a password is not supplied.”
>  
> Since the LdapAuthenticationProviderImpl.Authenticate method is relying on a 
> NamingException being thrown during creation of initial context, it does not 
> fail when the context result is an “unauthenticated” positive response from 
> the LDAP server. The end result is, one can authenticate with HiveServer2 
> using the LdapAuthenticationProviderImpl with only a user name and an empty 
> password.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)