[
https://issues.apache.org/jira/browse/HIVE-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14370602#comment-14370602
]
Thejas M Nair edited comment on HIVE-9934 at 3/20/15 2:44 AM:
--------------------------------------------------------------
Thanks [~csun] [~prasadm] !
However, looking at the hadoop code, it does not seem to get added via static
code blocks (unlike the hive one). It gets initialized through calls to
SaslRpcServer.init(). So it looks like the hive one would get added first, and
the hadoop one would get added next (when hive functions such as
HadoopThriftAuthBridge23.getHadoopSaslProperties are called). This is then
getting stored in a Hashtable, which means that the second one is what would
get used. It seems like the hadoop one would always get used. (I haven't
verified this by testing.)
> Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to
> degrade the authentication mechanism to "none", allowing authentication
> without password
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: HIVE-9934
> URL: https://issues.apache.org/jira/browse/HIVE-9934
> Project: Hive
> Issue Type: Bug
> Components: Security
> Affects Versions: 1.1.0
> Reporter: Chao
> Assignee: Chao
> Fix For: 1.2.0
>
> Attachments: HIVE-9934.1.patch, HIVE-9934.2.patch, HIVE-9934.3.patch,
> HIVE-9934.3.patch
>
>
> Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to
> degrade the authentication mechanism to "none", allowing authentication
> without password.
> See: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html
> “If you supply an empty string, an empty byte/char array, or null to the
> Context.SECURITY_CREDENTIALS environment property, then the authentication
> mechanism will be "none". This is because the LDAP requires the password to
> be nonempty for simple authentication. The protocol automatically converts
> the authentication to "none" if a password is not supplied.”
>
> Since the LdapAuthenticationProviderImpl.Authenticate method is relying on a
> NamingException being thrown during creation of initial context, it does not
> fail when the context result is an “unauthenticated” positive response from
> the LDAP server. The end result is, one can authenticate with HiveServer2
> using the LdapAuthenticationProviderImpl with only a user name and an empty
> password.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
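The downgrade described in the issue, as an added example that is not part of the JIRA thread or of Hive's code: a Python model of the JNDI rule quoted from the Oracle tutorial (empty or null `Context.SECURITY_CREDENTIALS` under `simple` authentication becomes authentication `none`), with an authenticator that only watches for `NamingException` beside a hardened form that refuses empty credentials before binding. The `java.naming.security.*` keys are the real JNDI property names; the directory server, the base DN `dc=example,dc=com`, the user `alice` and her password are constructed sample data, and `hardened_authenticate` is this example's own guard, not the patch attached to HIVE-9934.

```python
"""Model of the LDAP authentication downgrade behind HIVE-9934.

Added example, not Hive's code. The directory below is a constructed
stand-in; the JNDI environment keys are the real java.naming.* names, but the
'none' downgrade is reproduced in Python from the Oracle tutorial quoted in
the issue rather than by calling JNDI.
"""
from dataclasses import dataclass
from typing import Optional

# Real JNDI environment property names (javax.naming.Context constants).
SECURITY_AUTHENTICATION = "java.naming.security.authentication"
SECURITY_PRINCIPAL = "java.naming.security.principal"
SECURITY_CREDENTIALS = "java.naming.security.credentials"


class NamingException(Exception):
    """Stands in for javax.naming.NamingException (e.g. invalidCredentials)."""


@dataclass
class BindResult:
    bound_as: str          # "" for an anonymous bind
    authenticated: bool    # True only when a password was actually verified


class FakeLdapServer:
    """Constructed stand-in for a directory. Models the bind outcomes of
    RFC 4513 section 5.1: anonymous and unauthenticated binds succeed without
    proving identity; a wrong password is an error."""

    def __init__(self, passwords: dict):
        self._passwords = passwords  # dn -> password (sample data)

    def bind(self, dn: str, password: Optional[str]) -> BindResult:
        if not dn:
            return BindResult("", False)        # anonymous bind
        if not password:
            return BindResult(dn, False)        # unauthenticated bind, RFC 4513 5.1.2
        if self._passwords.get(dn) != password:
            raise NamingException("[LDAP: error code 49 - Invalid Credentials]")
        return BindResult(dn, True)


def initial_dir_context(server: FakeLdapServer, env: dict) -> BindResult:
    """Models the JNDI rule quoted in the issue: with 'simple' authentication,
    empty or null SECURITY_CREDENTIALS silently becomes authentication 'none',
    i.e. an anonymous bind, which the server accepts without error."""
    auth = env.get(SECURITY_AUTHENTICATION, "simple")
    creds = env.get(SECURITY_CREDENTIALS)
    if auth == "simple" and (creds is None or len(creds) == 0):
        auth = "none"
    if auth == "none":
        return server.bind("", None)
    return server.bind(env[SECURITY_PRINCIPAL], creds)


def bind_dn(user: str, base_dn: str) -> str:
    return f"uid={user},{base_dn}"


def vulnerable_authenticate(server, user, password, base_dn) -> bool:
    """The pattern the issue describes: 'no NamingException' is taken as success,
    so an empty password (anonymous bind) passes."""
    env = {
        SECURITY_AUTHENTICATION: "simple",
        SECURITY_PRINCIPAL: bind_dn(user, base_dn),
        SECURITY_CREDENTIALS: password,
    }
    try:
        initial_dir_context(server, env)
    except NamingException:
        return False
    return True


def hardened_authenticate(server, user, password, base_dn) -> bool:
    """Hypothetical hardened form (this example's guard, not Hive's patch):
    refuse empty credentials before any bind is attempted, and additionally
    require that the bind actually authenticated the expected DN."""
    if not user or not password:
        return False
    env = {
        SECURITY_AUTHENTICATION: "simple",
        SECURITY_PRINCIPAL: bind_dn(user, base_dn),
        SECURITY_CREDENTIALS: password,
    }
    try:
        result = initial_dir_context(server, env)
    except NamingException:
        return False
    return result.authenticated and result.bound_as == bind_dn(user, base_dn)


if __name__ == "__main__":
    ldap = FakeLdapServer({"uid=alice,dc=example,dc=com": "s3cret"})
    base = "dc=example,dc=com"
    print("vulnerable, empty password:", vulnerable_authenticate(ldap, "alice", "", base))
    print("hardened,   empty password:", hardened_authenticate(ldap, "alice", "", base))
    print("hardened,   right password:", hardened_authenticate(ldap, "alice", "s3cret", base))
```

The check before the bind is the important one: the downgrade happens inside the JNDI client, so the request that reaches the directory is an anonymous bind, and tightening server-side policy on unauthenticated binds does not help. The second check on the bind result is defence in depth for the related RFC 4513 case, where a client that does send a name with an empty password gets an "unauthenticated" success from directories that allow it.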