Return-Path: X-Original-To: apmail-hbase-issues-archive@www.apache.org Delivered-To: apmail-hbase-issues-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 9B4D5105B7 for ; Tue, 24 Feb 2015 02:00:19 +0000 (UTC) Received: (qmail 7760 invoked by uid 500); 24 Feb 2015 02:00:19 -0000 Delivered-To: apmail-hbase-issues-archive@hbase.apache.org Received: (qmail 7712 invoked by uid 500); 24 Feb 2015 02:00:19 -0000 Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list issues@hbase.apache.org Received: (qmail 7701 invoked by uid 99); 24 Feb 2015 02:00:19 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 24 Feb 2015 02:00:19 +0000 Date: Tue, 24 Feb 2015 02:00:19 +0000 (UTC) From: "Srikanth Srungarapu (JIRA)" To: issues@hbase.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HBASE-13085) Security issue in the implementation of Rest gataway 'doAs' proxy user support MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HBASE-13085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14334244#comment-14334244 ] Srikanth Srungarapu commented on HBASE-13085: --------------------------------------------- bq. The overall documentation on Rest impersonation can be improved. I can open another JIRA for that. Yes, please. bq. Yes, I have done testing on a kerberos cluster with both types of impersonation. Thanks! +1 (non-binding). > Security issue in the implementation of Rest gataway 'doAs' proxy user support > ------------------------------------------------------------------------------ > > Key: HBASE-13085 > URL: https://issues.apache.org/jira/browse/HBASE-13085 > Project: HBase > Issue Type: Bug > Components: REST, security > Affects Versions: 1.0.0, 2.0.0, 0.98.10 > Reporter: Jerry He > Assignee: Jerry He > Priority: Critical > Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.11 > > Attachments: HBASE-13085-0.98.patch > > > When 'hbase.rest.support.proxyuser' is turned on, HBase Rest gateway support 'doAs' proxy user from the Rest client. > The current implementation checks to see if the 'rest server user' is authorized to impersonate the 'doAs' user (the user in the 'doAs' Rest query string). > {code} > if (doAsUserFromQuery != null) { > Configuration conf = servlet.getConfiguration(); > if (!servlet.supportsProxyuser()) { > throw new ServletException("Support for proxyuser is not configured"); > } > UserGroupInformation ugi = servlet.getRealUser(); > // create and attempt to authorize a proxy user (the client is attempting > // to do proxy user) > ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi); > // validate the proxy user authorization > try { > ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf); > } catch(AuthorizationException e) { > throw new ServletException(e.getMessage()); > } > servlet.setEffectiveUser(doAsUserFromQuery); > } > {code} > The current implementation allows anyone from the rest client side to impersonate another user by 'doAs'. > For example, potentially, 'user1' can 'doAs=admin' > The correct implementation should check to see if the rest client user is authorized to do impersonation. -- This message was sent by Atlassian JIRA (v6.3.4#6332)