accumulo-notifications mailing list archives

From "Bill Havanki (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-2700) SecurityOperation.authenticateSystemUser fails to properly validate system user
Date Mon, 21 Apr 2014 19:42:15 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-2700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13975945#comment-13975945 ]

Bill Havanki commented on ACCUMULO-2700:
----------------------------------------

The randomwalk issue can be ignored. The "system" user that is created for the randomwalk
test is distinct from the system user "!SYSTEM" whose authentication is being fixed in this
ticket.

> SecurityOperation.authenticateSystemUser fails to properly validate system user
> -------------------------------------------------------------------------------
>
>                 Key: ACCUMULO-2700
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-2700
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Christopher Tubbs
>            Assignee: Christopher Tubbs
>            Priority: Blocker
>              Labels: 16_qa_bug
>             Fix For: 1.6.0
>
>
> FindBugs found in the 1.6.0-SNAPSHOT branch that {{SecurityOperation.authenticateSystemUser(TCredentials credentials)}} does an improper comparison (equals) between AuthenticationToken and byte array.
> Additionally, upon visual inspection, it looks like the condition is not'd (missing a ! to throw the exception when the credentials don't match).
> The result appears to be that the system user is always authenticated, even if the credentials don't match. I haven't checked 1.5 yet to see if the bug applies there also.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
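
The two defects described in the quoted report, shown as an added example that is not part of the original message and is not Accumulo's code: `Token`, `SYSTEM_TOKEN`, `flawedAuthenticate` and `fixedAuthenticate` are hypothetical stand-ins, and the secret is a constructed sample value. The corrected form compares bytes with bytes using `MessageDigest.isEqual`, which is a choice made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class SystemUserCheckDemo {
    // Hypothetical stand-in for a credential token type (not Accumulo's class).
    static final class Token {
        final byte[] secret;
        Token(byte[] secret) { this.secret = secret.clone(); }
        @Override public boolean equals(Object o) {
            return o instanceof Token && Arrays.equals(secret, ((Token) o).secret);
        }
        @Override public int hashCode() { return Arrays.hashCode(secret); }
    }

    // Constructed sample secret, for illustration only.
    static final Token SYSTEM_TOKEN = new Token(bytes("constructed-system-secret"));

    static byte[] bytes(String s) { return s.getBytes(StandardCharsets.UTF_8); }

    // Flawed pattern: equals() between a Token and a byte[] is always false, and the
    // throw is guarded by the un-negated comparison, so it can never fire.
    static boolean flawedAuthenticate(byte[] presented) {
        if (SYSTEM_TOKEN.equals(presented)) {
            throw new SecurityException("system credentials do not match");
        }
        return true;
    }

    // Corrected pattern: compare like with like (bytes to bytes) and throw on mismatch.
    static boolean fixedAuthenticate(byte[] presented) {
        if (!MessageDigest.isEqual(SYSTEM_TOKEN.secret, presented)) {
            throw new SecurityException("system credentials do not match");
        }
        return true;
    }

    public static void main(String[] args) {
        byte[] wrong = bytes("not-the-secret");
        System.out.println("flawed accepts wrong secret: " + flawedAuthenticate(wrong));
        try {
            fixedAuthenticate(wrong);
            System.out.println("fixed accepted wrong secret");
        } catch (SecurityException e) {
            System.out.println("fixed rejects wrong secret: " + e.getMessage());
        }
        System.out.println("fixed accepts right secret: "
            + fixedAuthenticate(bytes("constructed-system-secret")));
    }
}
```

A regression test for this class of bug should include a negative case (wrong credentials must be rejected), since a check that always passes looks correct under positive-only tests.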