[ https://issues.apache.org/jira/browse/HADOOP-15162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Lowe updated HADOOP-15162:
--------------------------------
    Summary: UserGroupInformation.createRemoteUser hardcode authentication 
method to SIMPLE  (was: UserGroupInformation.createRmoteUser hardcode 
authentication method to SIMPLE)

Could you elaborate on how this allows the caller to impersonate anyone?  
Putting a check in UGI's createRemoteUser seems like a client-side security 
fix, and that's not going to be very helpful since we should never trust the 
client.  Allowing that UGI to gain access to a secured server simply because 
the client says they want to authenticate via SIMPLE would be very bad.  A 
properly secured server should reject such shenanigans.  But the fix in that 
case would be in the authentication handshake and not in preventing the UGI 
from being created in the first place.  We cannot control the code an untrusted 
client is using.

I don't think it's directly harmful to create a UGI with no credentials even if 
the caller is not an official proxy user.  It can be useful for simply setting 
up a user with no initial credentials and then later attaching credentials 
(e.g.: security tokens) as is done in the YARN container localizer, log 
aggregator, etc.  Those are cases where the caller is not an official proxy 
user.

> UserGroupInformation.createRemoteUser hardcode authentication method to SIMPLE
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-15162
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15162
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>            Reporter: Eric Yang
>
> {{UserGroupInformation.createRemoteUser(String user)}} is hard coded 
> Authentication method to SIMPLE by HADOOP-10683.  This bypassed proxyuser 
> ACL check, isSecurityEnabled check, and allows caller to impersonate as 
> anyone.  This method could be abused in the main code base, which can cause 
> part of Hadoop to become insecure without proxyuser check for both SIMPLE or 
> Kerberos enabled environment.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
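
The pattern described in the comment above (a UGI created with no credentials, with a security token attached afterwards), as an added example that is not part of the original message or of Hadoop's own code. The user name, token kind, service and token bytes are constructed placeholders, and hadoop-common is assumed to be on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

public class RemoteUserTokenExample {
  public static void main(String[] args) throws Exception {
    // "appuser" is a constructed name. Creating the UGI only builds a local
    // object holding that name; nothing has been proven to any server yet.
    UserGroupInformation ugi = UserGroupInformation.createRemoteUser("appuser");

    // Inspect what the UGI carries: the authentication method the issue
    // reports as SIMPLE, and no tokens.
    System.out.println("auth method:   " + ugi.getAuthenticationMethod());
    System.out.println("tokens before: " + ugi.getTokens().size());

    // Constructed placeholder token. In the YARN cases the comment mentions,
    // a real token would be handed to the process, not built locally.
    Token<TokenIdentifier> token = new Token<>(
        "constructed-identifier".getBytes(StandardCharsets.UTF_8),
        "constructed-password".getBytes(StandardCharsets.UTF_8),
        new Text("EXAMPLE_TOKEN_KIND"),
        new Text("example-service:0"));
    ugi.addToken(token);
    System.out.println("tokens after:  " + ugi.getTokens().size());

    // Code run inside doAs sees this UGI as the current user. Whether a
    // secured server accepts calls made here is decided in its
    // authentication handshake, using the attached credentials, not by
    // the name the client chose.
    String who = ugi.doAs((PrivilegedExceptionAction<String>) () ->
        UserGroupInformation.getCurrentUser().getShortUserName());
    System.out.println("running as:    " + who);
  }
}
```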
