hbase-dev mailing list archives

From "Jerry He (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HBASE-13085) Security issue in the implementation of REST gateway 'doAs' proxy user support
Date Mon, 23 Feb 2015 21:54:11 GMT
Jerry He created HBASE-13085:

             Summary: Security issue in the implementation of REST gateway 'doAs' proxy user
                 Key: HBASE-13085
                 URL: https://issues.apache.org/jira/browse/HBASE-13085
             Project: HBase
          Issue Type: Bug
          Components: REST, security
    Affects Versions: 0.98.10, 1.0.0, 2.0.0
            Reporter: Jerry He
            Assignee: Jerry He
            Priority: Critical

When 'hbase.rest.support.proxyuser' is turned on, the HBase REST gateway supports a 'doAs' proxy
user from the REST client.

The current implementation checks to see if the 'rest server user' is authorized to impersonate
the 'doAs' user (the user in the 'doAs' Rest query string).
    if (doAsUserFromQuery != null) {
      Configuration conf = servlet.getConfiguration();
      if (!servlet.supportsProxyuser()) {
        throw new ServletException("Support for proxyuser is not configured");
      }
      // NOTE: the "real" user here is the REST server's own login identity,
      // not the authenticated REST client that sent the request.
      UserGroupInformation ugi = servlet.getRealUser();
      // create and attempt to authorize a proxy user (the client is attempting
      // to do proxy user)
      ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
      // validate the proxy user authorization
      try {
        ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
      } catch (AuthorizationException e) {
        throw new ServletException(e.getMessage());
      }
    }

The current implementation therefore allows anyone on the REST client side to impersonate another
user via 'doAs'.
For example, potentially, 'user1' can 'doAs=admin'

The correct implementation should check to see if the rest client user is authorized to do
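The following is an added example, not HBase's own code or the committed fix for this ticket. It reproduces the decision the quoted servlet logic makes using the same Hadoop APIs (UserGroupInformation, ProxyUsers), and beside it a check whose "real" user is the authenticated REST client, which is the direction the report points at. It assumes hadoop-common 2.x on the classpath; the user names ('hbase', 'user1', 'admin'), the address and the proxyuser settings are constructed for illustration and are not from the ticket.

```java
// Added example (not HBase project code). Shows why the quoted check passes
// for any client: the proxy UGI's real user is the gateway's login identity,
// so only hadoop.proxyuser.<gateway-user>.* is ever consulted.
// Assumes hadoop-common 2.x; all names and settings below are constructed.
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;

public final class DoAsCheckDemo {

  /** Mirrors the quoted servlet logic: the real user behind the proxy UGI is
   *  the gateway's own identity, whatever client sent the request. */
  static boolean authorizedAsGateway(UserGroupInformation gatewayUgi,
      String doAsUser, String remoteAddr, Configuration conf) {
    UserGroupInformation proxy =
        UserGroupInformation.createProxyUser(doAsUser, gatewayUgi);
    return authorize(proxy, remoteAddr, conf);
  }

  /** Assumed shape of a corrected check (not the committed fix): the real
   *  user behind the proxy UGI is the authenticated REST client, so the
   *  decision depends on hadoop.proxyuser.<client>.* instead. */
  static boolean authorizedAsClient(String clientUser, String doAsUser,
      String remoteAddr, Configuration conf) {
    UserGroupInformation client =
        UserGroupInformation.createRemoteUser(clientUser);
    UserGroupInformation proxy =
        UserGroupInformation.createProxyUser(doAsUser, client);
    return authorize(proxy, remoteAddr, conf);
  }

  /** Same call the quoted servlet code makes, reduced to a boolean. */
  private static boolean authorize(UserGroupInformation proxy,
      String remoteAddr, Configuration conf) {
    try {
      ProxyUsers.authorize(proxy, remoteAddr, conf);
      return true;
    } catch (AuthorizationException e) {
      return false;
    }
  }

  public static void main(String[] args) {
    // Constructed deployment: the gateway runs as 'hbase', which operators
    // commonly grant broad proxy rights so it can act for its clients.
    // 'user1' has no hadoop.proxyuser.user1.* grant at all.
    Configuration conf = new Configuration(false);
    conf.set("hadoop.proxyuser.hbase.hosts", "*");
    conf.set("hadoop.proxyuser.hbase.users", "*");
    conf.set("hadoop.proxyuser.hbase.groups", "*");
    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

    UserGroupInformation gateway =
        UserGroupInformation.createRemoteUser("hbase");
    String remoteAddr = "10.0.0.5"; // constructed client address

    // Quoted logic: the client identity never enters the decision, so
    // user1's doAs=admin is judged on the gateway's rights.
    System.out.println("gateway-based check, client=user1 doAs=admin: "
        + authorizedAsGateway(gateway, "admin", remoteAddr, conf));
    // Client-based check: user1 holds no proxy grant, so it is refused.
    System.out.println("client-based check,  client=user1 doAs=admin: "
        + authorizedAsClient("user1", "admin", remoteAddr, conf));
    // Client-based check still admits a client that really may proxy.
    System.out.println("client-based check,  client=hbase doAs=admin: "
        + authorizedAsClient("hbase", "admin", remoteAddr, conf));
  }
}
```

Run with hadoop-common on the classpath (java -cp hadoop-common.jar:... DoAsCheckDemo). The first line reports the gateway-based decision, which does not change with the client's name; the second and third show the client-based check distinguishing a client with a proxyuser grant from one without. In the real servlet the client name would come from the authenticated principal of the request (for example request.getRemoteUser() after the SPNEGO filter), which this stand-alone example only assumes.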
