hadoop-hdfs-dev mailing list archives

From "Daryn Sharp (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HDFS-2380) Security downgrade of token validation
Date Wed, 28 Sep 2011 14:29:45 GMT
Security downgrade of token validation

                 Key: HDFS-2380
                 URL: https://issues.apache.org/jira/browse/HDFS-2380
             Project: Hadoop HDFS
          Issue Type: Bug
          Components: security
    Affects Versions:, 0.23.0, 0.24.0
            Reporter: Daryn Sharp

HADOOP-7119 introduced the {{KerberosAuthenticationHandler}} for web services.  It appears
to have been merged into 205 to support webhdfs.

Prior to HADOOP-7119, the web service used by hftp/hsftp would validate tokens using long
kerberos user names.  Now the realm is truncated from the user name which caused hftp/hsftp
to break.  The {{JspHelper}} in the namenode rejected the token validation due to the mismatched
comparison between a now short user (from the web service) and a long user (in the token).
 Subsequently, HDFS-2361 changed {{JspHelper}} to use the token's short user when comparing
against the now short web user.

The security ramification is it now appears to be easier to spoof other users and access their
files.  Based on commentary in HDFS-2361, the case can be made that other parts of hadoop
are insecure with respect to user names, so it doesn't matter that security has been further
downgraded.  I don't have the knowledge to know if this is true, or whether higher layers effectively
guard against lower level insecurities.  In any case, this logic makes me uneasy, especially
when it comes to changing the security of a "front door" to hadoop.

Is there a technical reason why {{KerberosAuthenticationHandler}} should not be changed (1-liner)
to return the long user name?  This would allow HDFS-2361 to be reverted and return the former
level of security to token validation.
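
The following is an added example, not part of the original message and not Hadoop source code. It contrasts the two comparisons the report describes (token owner vs. authenticated web user, on long names and on short names). The class, its methods, and the sample principals are hypothetical, and `shortName()` is a simplified stand-in for Hadoop's configurable principal-to-short-name mapping that only strips the instance and realm.

```java
import java.util.Objects;

// Added illustration, not Hadoop code. All names here are hypothetical.
public class TokenOwnerCheck {

    /** "alice/host@EXAMPLE.COM" -> "alice" (assumed, simplified mapping). */
    static String shortName(String principal) {
        int end = principal.length();
        int at = principal.indexOf('@');
        if (at >= 0) end = at;
        int slash = principal.indexOf('/');
        if (slash >= 0 && slash < end) end = slash;
        return principal.substring(0, end);
    }

    /** Comparison on full principals: primary, instance and realm must match. */
    static boolean ownerMatchesLong(String tokenOwner, String authenticated) {
        return Objects.equals(tokenOwner, authenticated);
    }

    /** Comparison after both sides are shortened: the realm is no longer checked. */
    static boolean ownerMatchesShort(String tokenOwner, String authenticated) {
        return shortName(tokenOwner).equals(shortName(authenticated));
    }

    public static void main(String[] args) {
        // Constructed sample principals; the realms are placeholders.
        String tokenOwner = "alice@PROD.EXAMPLE.COM";
        String[] callers = {
            "alice@PROD.EXAMPLE.COM",        // same principal
            "alice@TEST.EXAMPLE.COM",        // same primary, different realm
            "alice/admin@PROD.EXAMPLE.COM",  // same primary, different instance
            "bob@PROD.EXAMPLE.COM"           // different user
        };
        System.out.printf("%-32s %-6s %-6s%n", "caller", "long", "short");
        for (String caller : callers) {
            System.out.printf("%-32s %-6b %-6b%n", caller,
                    ownerMatchesLong(tokenOwner, caller),
                    ownerMatchesShort(tokenOwner, caller));
        }
    }
}
```

The rows where the two columns differ are the identities that a short-name comparison treats as the token owner and a long-name comparison does not.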
