[ https://issues.apache.org/jira/browse/HIVE-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14358251#comment-14358251 ]
Hive QA commented on HIVE-9934: ------------------------------- {color:green}Overall{color}: +1 all checks pass Here are the results of testing the latest attachment: https://issues.apache.org/jira/secure/attachment/12704024/HIVE-9934.1.patch {color:green}SUCCESS:{color} +1 7762 tests passed Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/3012/testReport Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/3012/console Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-3012/ Messages: {noformat} Executing org.apache.hive.ptest.execution.PrepPhase Executing org.apache.hive.ptest.execution.ExecutionPhase Executing org.apache.hive.ptest.execution.ReportingPhase {noformat} This message is automatically generated. ATTACHMENT ID: 12704024 - PreCommit-HIVE-TRUNK-Build > Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to > degrade the authentication mechanism to "none", allowing authentication > without password > ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: HIVE-9934 > URL: https://issues.apache.org/jira/browse/HIVE-9934 > Project: Hive > Issue Type: Bug > Components: Security > Affects Versions: 1.1.0 > Reporter: Chao > Assignee: Chao > Attachments: HIVE-9934.1.patch > > > Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to > degrade the authentication mechanism to "none", allowing authentication > without password. > See: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html > “If you supply an empty string, an empty byte/char array, or null to the > Context.SECURITY_CREDENTIALS environment property, then the authentication > mechanism will be "none". This is because the LDAP requires the password to > be nonempty for simple authentication. The protocol automatically converts > the authentication to "none" if a password is not supplied.” > > Since the LdapAuthenticationProviderImpl.Authenticate method is relying on a > NamingException being thrown during creation of initial context, it does not > fail when the context result is an “unauthenticated” positive response from > the LDAP server. The end result is, one can authenticate with HiveServer2 > using the LdapAuthenticationProviderImpl with only a user name and an empty > password. -- This message was sent by Atlassian JIRA (v6.3.4#6332)