From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-13085) Security issue in the implementation of Rest gateway 'doAs' proxy user support
Date Tue, 24 Feb 2015 19:49:04 GMT

    [ https://issues.apache.org/jira/browse/HBASE-13085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14335319#comment-14335319 ]

Hudson commented on HBASE-13085:
--------------------------------

FAILURE: Integrated in HBase-1.1 #211 (See [https://builds.apache.org/job/HBase-1.1/211/])
HBASE-13085 Security issue in the implementation of Rest gateway 'doAs' proxy user support
(Jerry He) (apurtell: rev 514dd584201252b737e1b462bbe50a33c4b8d672)
* hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServletContainer.java


> Security issue in the implementation of Rest gateway 'doAs' proxy user support
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-13085
>                 URL: https://issues.apache.org/jira/browse/HBASE-13085
>             Project: HBase
>          Issue Type: Bug
>          Components: REST, security
>    Affects Versions: 1.0.0, 2.0.0, 0.98.10
>            Reporter: Jerry He
>            Assignee: Jerry He
>            Priority: Critical
>             Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.11
>
>         Attachments: HBASE-13085-0.98.patch
>
>
> When 'hbase.rest.support.proxyuser' is turned on, the HBase Rest gateway supports a 'doAs' proxy user from the Rest client.
> The current implementation checks to see if the 'rest server user' is authorized to impersonate the 'doAs' user (the user in the 'doAs' Rest query string).
> {code}
>     if (doAsUserFromQuery != null) {
>       Configuration conf = servlet.getConfiguration();
>       if (!servlet.supportsProxyuser()) {
>         throw new ServletException("Support for proxyuser is not configured");
>       }
>       UserGroupInformation ugi = servlet.getRealUser();
>       // create and attempt to authorize a proxy user (the client is attempting
>       // to do proxy user)
>       ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
>       // validate the proxy user authorization
>       try {
>         ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
>       } catch(AuthorizationException e) {
>         throw new ServletException(e.getMessage());
>       }
>       servlet.setEffectiveUser(doAsUserFromQuery);
>     }
> {code}
> The current implementation allows anyone from the rest client side to impersonate another user by 'doAs'.
> For example, potentially, 'user1' can 'doAs=admin'.
> The correct implementation should check to see if the rest client user is authorized to do impersonation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
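Added illustration of the flaw the issue describes (this is not HBase's code and not the committed patch): Hadoop's ProxyUsers ACL evaluated with the gateway's own principal as the real user, as in the quoted snippet, versus with the authenticated REST client as the real user. It assumes hadoop-common on the classpath; the user names, the proxyuser settings and the client address are constructed for the demonstration, and the class and method names are hypothetical.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;

/** Illustration of the HBASE-13085 check; not HBase's own code or the committed patch. */
public class DoAsCheckDemo {

  /**
   * Constructed proxyuser settings (an assumption, not a real cluster's config):
   * the gateway's own principal "rest" may impersonate anyone, which is what lets
   * the gateway act on behalf of its clients towards HBase; client "etltool" may
   * impersonate only "report"; no other user is a proxyuser.
   */
  static void loadProxyUserConf() {
    Configuration conf = new Configuration(false);
    conf.set("hadoop.proxyuser.rest.hosts", "*");
    conf.set("hadoop.proxyuser.rest.users", "*");
    conf.set("hadoop.proxyuser.etltool.hosts", "*");
    conf.set("hadoop.proxyuser.etltool.users", "report");
    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
  }

  /** True if Hadoop's proxyuser ACL allows realUser to impersonate doAs from remoteAddr. */
  static boolean canImpersonate(String realUser, String doAs, String remoteAddr) {
    UserGroupInformation real = UserGroupInformation.createRemoteUser(realUser);
    UserGroupInformation proxy = UserGroupInformation.createProxyUser(doAs, real);
    try {
      ProxyUsers.authorize(proxy, remoteAddr);
      return true;
    } catch (AuthorizationException e) {
      return false;
    }
  }

  public static void main(String[] args) {
    loadProxyUserConf();
    String gatewayUser = "rest";  // what servlet.getRealUser() denotes in the quoted code
    String clientUser = "user1";  // the authenticated REST client (request.getRemoteUser())
    String addr = "10.0.0.5";     // constructed client address

    // Vulnerable shape: the ACL is evaluated for the gateway's principal, which must be
    // allowed to impersonate for the gateway to work at all, so any client's doAs passes.
    System.out.println("gateway principal as real user, doAs=admin: "
        + canImpersonate(gatewayUser, "admin", addr));
    // Corrected shape: evaluate the ACL for the authenticated client. user1 is not a
    // configured proxyuser, so it is rejected; etltool impersonating report is accepted.
    System.out.println("user1 as real user, doAs=admin: "
        + canImpersonate(clientUser, "admin", addr));
    System.out.println("etltool as real user, doAs=report: "
        + canImpersonate("etltool", "report", addr));
  }
}
```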
