hadoop-common-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HADOOP-15922) DelegationTokenAuthenticationFilter get wrong doAsUser since it does not decode URL
Date Thu, 29 Nov 2018 19:03:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-15922?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16703635#comment-16703635 ]

Eric Yang edited comment on HADOOP-15922 at 11/29/18 7:02 PM:
--------------------------------------------------------------

[~daryn] Good catch on the double encode.  Thanks

[~hexiaoqiao] Patch 005 is the better fix if we don't need to worry about rolling upgrade
where the caller is using existing code.  Is there a concern there?  Thanks


was (Author: eyang):
[~daryn] Good catch on the double encode.  Thanks

[~hexiaoqiao] Patch 005 is the better fix.  Thanks

> DelegationTokenAuthenticationFilter get wrong doAsUser since it does not decode URL
> -----------------------------------------------------------------------------------
>
>                 Key: HADOOP-15922
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15922
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: common, kms
>            Reporter: He Xiaoqiao
>            Assignee: He Xiaoqiao
>            Priority: Major
>             Fix For: 3.3.0, 3.1.2, 3.2.1
>
>         Attachments: HADOOP-15922.001.patch, HADOOP-15922.002.patch, HADOOP-15922.003.patch, HADOOP-15922.004.patch, HADOOP-15922.005.patch
>
>
> DelegationTokenAuthenticationFilter gets the wrong doAsUser when the proxy user from the client is a complete Kerberos name (e.g., user/hostname@REALM.COM, which is actually acceptable), because DelegationTokenAuthenticationFilter does not decode the DOAS parameter in the URL, which is encoded by {{URLEncoder}} at the client.
> e.g. KMS as an example:
> a. KMSClientProvider creates a connection to the KMS Server using DelegationTokenAuthenticatedURL#openConnection.
> b. If KMSClientProvider is a doAsUser, KMSClientProvider will put {{doas}} with the url-encoded user as one parameter of the http request.
> {code:java}
>     // proxyuser
>     if (doAs != null) {
>       extraParams.put(DO_AS, URLEncoder.encode(doAs, "UTF-8"));
>     }
> {code}
> c. When the KMS server receives the request, it does not decode the proxy user.
> As a result, the KMS Server will get the wrong proxy user if this proxy user is a complete Kerberos name or includes some special character. Some other authentication and authorization exceptions will be thrown after it.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
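A small model of the {{doas}} round trip discussed in this issue, added here as an example and not code from Hadoop: the client path mirrors the {{URLEncoder}} call in step b, while the extra URL-layer encoding hop and the server's decode behaviour are assumptions made switchable so that the plain "not decoded" case of step c and the double-encode case [~daryn] raised can both be observed on a constructed Kerberos principal.

```python
"""Model of the doas query-parameter round trip (added example, not Hadoop code)."""
from urllib.parse import quote, unquote

DO_AS = "doas"
# Constructed sample: a complete Kerberos principal used as the proxy user.
PROXY_USER = "user/hostname@REALM.COM"


def build_query(do_as: str, client_pre_encodes: bool, url_layer_encodes: bool) -> str:
    """Client side. Mirrors step b: the caller may URLEncoder.encode(doAs) before
    handing it to the URL layer. Whether that layer percent-encodes the value a
    second time is an assumption, kept as a switch so both paths can be compared."""
    value = quote(do_as, safe="") if client_pre_encodes else do_as
    if url_layer_encodes:
        value = quote(value, safe="")  # second hop: '%' itself becomes '%25'
    return f"{DO_AS}={value}"


def read_do_as(query: str, server_decodes: bool) -> str:
    """Server side. A filter that only splits the raw query string (step c) hands
    back the value untouched; a proper parameter parser percent-decodes it once."""
    params = dict(pair.split("=", 1) for pair in query.split("&") if "=" in pair)
    raw = params.get(DO_AS, "")
    return unquote(raw) if server_decodes else raw


def round_trip(client_pre_encodes: bool, url_layer_encodes: bool, server_decodes: bool) -> str:
    """Proxy user as the server ends up seeing it for a given combination of hops."""
    query = build_query(PROXY_USER, client_pre_encodes, url_layer_encodes)
    return read_do_as(query, server_decodes)


if __name__ == "__main__":
    # Step c as reported: client encodes, server never decodes -> mangled principal.
    print(round_trip(True, False, False))
    # Decoding once on the server repairs it only if the value was encoded once.
    print(round_trip(True, False, True))
    # Double encode: a pre-encoded value encoded again survives one decode still encoded.
    print(round_trip(True, True, True))
```

The invariant to check in any fix is that the value is percent-encoded exactly once between the caller and the servlet parameter parser; a server-side decode alone cannot repair a value that was encoded twice.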
