hbase-issues mailing list archives

From "Jerry He (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-13085) Security issue in the implementation of Rest gateway 'doAs' proxy user support
Date Mon, 23 Feb 2015 21:57:12 GMT

     [ https://issues.apache.org/jira/browse/HBASE-13085?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jerry He updated HBASE-13085:
-----------------------------
    Status: Patch Available  (was: Open)

Attached a patch for 0.98. The master branch is identical.

> Security issue in the implementation of Rest gateway 'doAs' proxy user support
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-13085
>                 URL: https://issues.apache.org/jira/browse/HBASE-13085
>             Project: HBase
>          Issue Type: Bug
>          Components: REST, security
>    Affects Versions: 0.98.10, 1.0.0, 2.0.0
>            Reporter: Jerry He
>            Assignee: Jerry He
>            Priority: Critical
>         Attachments: HBASE-13085-0.98.patch
>
>
> When 'hbase.rest.support.proxyuser' is turned on, the HBase Rest gateway supports a 'doAs' proxy user from the Rest client.
> The current implementation checks to see if the 'rest server user' is authorized to impersonate the 'doAs' user (the user in the 'doAs' Rest query string).
> {code}
> if (doAsUserFromQuery != null) {
>   Configuration conf = servlet.getConfiguration();
>   if (!servlet.supportsProxyuser()) {
>     throw new ServletException("Support for proxyuser is not configured");
>   }
>   UserGroupInformation ugi = servlet.getRealUser();
>   // create and attempt to authorize a proxy user (the client is attempting
>   // to do proxy user)
>   ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
>   // validate the proxy user authorization
>   try {
>     ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
>   } catch(AuthorizationException e) {
>     throw new ServletException(e.getMessage());
>   }
>   servlet.setEffectiveUser(doAsUserFromQuery);
> }
> {code}
> The current implementation allows anyone from the rest client side to impersonate another user by 'doAs'.
> For example, potentially, 'user1' can 'doAs=admin'.
> The correct implementation should check to see if the rest client user is authorized to do impersonation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
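The authorization decision described in the issue, modelled in Python as an added example (this is not HBase or Hadoop code). It compares a check that authorizes the gateway's own principal, as in the quoted snippet, with one that authorizes the authenticated REST client; the policy table, user names and addresses are constructed, in the shape of Hadoop's hadoop.proxyuser.<user>.hosts / .users settings.

```python
"""Simplified model of the HBase REST 'doAs' authorization decision (HBASE-13085).
Added example, not HBase or Hadoop code; names, addresses and policy are constructed,
in the shape of Hadoop's hadoop.proxyuser.<user>.hosts / .users settings."""

# Constructed proxy-user policy: which authenticated user may impersonate whom,
# and from which client addresses. Only the gateway's own service principal and
# one ETL service account are granted impersonation rights.
PROXY_POLICY = {
    "hbase-rest": {"hosts": {"*"}, "users": {"*"}},           # gateway principal
    "svc-etl": {"hosts": {"10.0.0.7"}, "users": {"alice"}},   # legitimate proxy client
}
GATEWAY_PRINCIPAL = "hbase-rest"  # what servlet.getRealUser() resolves to in this model


def proxy_authorized(real_user, do_as_user, remote_addr, policy=PROXY_POLICY):
    """ProxyUsers.authorize-style rule: real_user may act as do_as_user from remote_addr."""
    rule = policy.get(real_user)
    if rule is None:
        return False
    host_ok = "*" in rule["hosts"] or remote_addr in rule["hosts"]
    user_ok = "*" in rule["users"] or do_as_user in rule["users"]
    return host_ok and user_ok


def effective_user_reported(client_user, do_as_user, remote_addr):
    """Mirrors the quoted code: the gateway's own identity is authorized, not the client."""
    # Returns the effective user, or None where the servlet would throw ServletException.
    if do_as_user is None:
        return client_user
    if not proxy_authorized(GATEWAY_PRINCIPAL, do_as_user, remote_addr):
        return None
    return do_as_user  # client_user never influenced the decision


def effective_user_corrected(client_user, do_as_user, remote_addr):
    """Authorizes the authenticated REST client as the impersonating party."""
    if do_as_user is None:
        return client_user
    if not proxy_authorized(client_user, do_as_user, remote_addr):
        return None
    return do_as_user


if __name__ == "__main__":
    # Unprivileged 'user1' asking for doAs=admin from an arbitrary client address.
    print(effective_user_reported("user1", "admin", "203.0.113.9"))   # admin
    print(effective_user_corrected("user1", "admin", "203.0.113.9"))  # None
    print(effective_user_corrected("svc-etl", "alice", "10.0.0.7"))   # alice
```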
