hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10880) Move HTTP delegation tokens out of URL querystring to a header
Date Fri, 15 Aug 2014 16:35:18 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14098734#comment-14098734
] 

Alejandro Abdelnur commented on HADOOP-10880:
---------------------------------------------

[~daryn],

I’ve gone the digest approach to see how things would work but I’ve found a few issues
with it which I think make the use of digest a moot thing:

Digest typically assumes a challenge with a nonce from the server, the nonce is use to create
the hash of the common secret. In our case, we would be doing a proactive digest (we don’t
want 2 HTTP calls on every HTTP call using a DT), this means we don’t have a nonce from
the server. We could get the server side to use proactively the AuthenticationInfo to provide
a nonce in advance, that that would break pipelined requests. We could get the client to issue
a nonce and the server honor it, but that would not work without using our client and server
that understand that (curl would break).

Even if we sort it out, we have another problem, the DT is an opaque string blob to the client.
The DT includes the token identifier and the password, we would have to use the token identifier
as the 'user' and the password as the 'password' in creating the Disgest 'user:digest(password)'
client header. A curl client would not have a way to break down the DT opaque string into
identifier and password.

Another point, when getting, renewing or canceling a DT, we send the full DT opaque string.
So using a digest for does not prevent for an attacker to get the full DT.

Given all this, my take is, the current patch that moves the DTs from URL to headers and just
use HTTPS.

Thoughts? Am I missing something?


> Move HTTP delegation tokens out of URL querystring to a header
> --------------------------------------------------------------
>
>                 Key: HADOOP-10880
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10880
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>            Priority: Blocker
>         Attachments: HADOOP-10880.patch, HADOOP-10880.patch, HADOOP-10880.patch
>
>
> Following up on a discussion in HADOOP-10799.
> Because URLs are often logged, delegation tokens may end up in LOG files while they are
still valid. 
> We should move the tokens to a header.
> We should still support tokens in the querystring for backwards compatibility.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message