hive-issues mailing list archives

From "Hive QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-9934) Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to "none", allowing authentication without password
Date Tue, 17 Mar 2015 19:00:40 GMT

    [ https://issues.apache.org/jira/browse/HIVE-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14365794#comment-14365794 ]

Hive QA commented on HIVE-9934:
-------------------------------



{color:red}Overall{color}: -1 no tests executed

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12705130/HIVE-9934.4.patch

Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/3059/testReport
Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/3059/console
Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-3059/

Messages:
{noformat}
**** This message was trimmed, see log for full details ****
[INFO] Replacing original artifact with shaded artifact.
[INFO] Replacing /data/hive-ptest/working/apache-svn-trunk-source/ql/target/hive-exec-1.2.0-SNAPSHOT.jar
with /data/hive-ptest/working/apache-svn-trunk-source/ql/target/hive-exec-1.2.0-SNAPSHOT-shaded.jar
[INFO] Dependency-reduced POM written at: /data/hive-ptest/working/apache-svn-trunk-source/ql/dependency-reduced-pom.xml
[INFO] Dependency-reduced POM written at: /data/hive-ptest/working/apache-svn-trunk-source/ql/dependency-reduced-pom.xml
[INFO] 
[INFO] --- maven-install-plugin:2.4:install (default-install) @ hive-exec ---
[INFO] Installing /data/hive-ptest/working/apache-svn-trunk-source/ql/target/hive-exec-1.2.0-SNAPSHOT.jar
to /data/hive-ptest/working/maven/org/apache/hive/hive-exec/1.2.0-SNAPSHOT/hive-exec-1.2.0-SNAPSHOT.jar
[INFO] Installing /data/hive-ptest/working/apache-svn-trunk-source/ql/dependency-reduced-pom.xml
to /data/hive-ptest/working/maven/org/apache/hive/hive-exec/1.2.0-SNAPSHOT/hive-exec-1.2.0-SNAPSHOT.pom
[INFO] Installing /data/hive-ptest/working/apache-svn-trunk-source/ql/target/hive-exec-1.2.0-SNAPSHOT-tests.jar
to /data/hive-ptest/working/maven/org/apache/hive/hive-exec/1.2.0-SNAPSHOT/hive-exec-1.2.0-SNAPSHOT-tests.jar
[INFO] Installing /data/hive-ptest/working/apache-svn-trunk-source/ql/target/hive-exec-1.2.0-SNAPSHOT-core.jar
to /data/hive-ptest/working/maven/org/apache/hive/hive-exec/1.2.0-SNAPSHOT/hive-exec-1.2.0-SNAPSHOT-core.jar
[INFO]                                                                         
[INFO] ------------------------------------------------------------------------
[INFO] Building Hive Service 1.2.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[INFO] 
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ hive-service ---
[INFO] Deleting /data/hive-ptest/working/apache-svn-trunk-source/service (includes = [datanucleus.log,
derby.log], excludes = [])
[INFO] 
[INFO] --- maven-enforcer-plugin:1.3.1:enforce (enforce-no-snapshots) @ hive-service ---
[INFO] 
[INFO] --- build-helper-maven-plugin:1.8:add-source (add-source) @ hive-service ---
[INFO] Source directory: /data/hive-ptest/working/apache-svn-trunk-source/service/src/model
added.
[INFO] Source directory: /data/hive-ptest/working/apache-svn-trunk-source/service/src/gen/thrift/gen-javabean
added.
[INFO] 
[INFO] --- maven-remote-resources-plugin:1.5:process (default) @ hive-service ---
[INFO] 
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ hive-service ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /data/hive-ptest/working/apache-svn-trunk-source/service/src/main/resources
[INFO] Copying 3 resources
[INFO] 
[INFO] --- maven-antrun-plugin:1.7:run (define-classpath) @ hive-service ---
[INFO] Executing tasks

main:
[INFO] Executed tasks
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ hive-service ---
[INFO] Compiling 176 source files to /data/hive-ptest/working/apache-svn-trunk-source/service/target/classes
[WARNING] /data/hive-ptest/working/apache-svn-trunk-source/service/src/java/org/apache/hive/service/cli/operation/SQLOperation.java:
Some input files use or override a deprecated API.
[WARNING] /data/hive-ptest/working/apache-svn-trunk-source/service/src/java/org/apache/hive/service/cli/operation/SQLOperation.java:
Recompile with -Xlint:deprecation for details.
[WARNING] /data/hive-ptest/working/apache-svn-trunk-source/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java:
Some input files use unchecked or unsafe operations.
[WARNING] /data/hive-ptest/working/apache-svn-trunk-source/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java:
Recompile with -Xlint:unchecked for details.
[INFO] 
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ hive-service
---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /data/hive-ptest/working/apache-svn-trunk-source/service/src/test/resources
[INFO] Copying 3 resources
[INFO] 
[INFO] --- maven-antrun-plugin:1.7:run (setup-test-dirs) @ hive-service ---
[INFO] Executing tasks

main:
    [mkdir] Created dir: /data/hive-ptest/working/apache-svn-trunk-source/service/target/tmp
    [mkdir] Created dir: /data/hive-ptest/working/apache-svn-trunk-source/service/target/warehouse
    [mkdir] Created dir: /data/hive-ptest/working/apache-svn-trunk-source/service/target/tmp/conf
     [copy] Copying 11 files to /data/hive-ptest/working/apache-svn-trunk-source/service/target/tmp/conf
[INFO] Executed tasks
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ hive-service ---
[INFO] Compiling 9 source files to /data/hive-ptest/working/apache-svn-trunk-source/service/target/test-classes
[INFO] -------------------------------------------------------------
[WARNING] COMPILATION WARNING : 
[INFO] -------------------------------------------------------------
[WARNING] /data/hive-ptest/working/apache-svn-trunk-source/service/src/test/org/apache/hive/service/cli/TestHiveSQLException.java:
Some input files use or override a deprecated API.
[WARNING] /data/hive-ptest/working/apache-svn-trunk-source/service/src/test/org/apache/hive/service/cli/TestHiveSQLException.java:
Recompile with -Xlint:deprecation for details.
[INFO] 2 warnings 
[INFO] -------------------------------------------------------------
[INFO] -------------------------------------------------------------
[ERROR] COMPILATION ERROR : 
[INFO] -------------------------------------------------------------
[ERROR] /data/hive-ptest/working/apache-svn-trunk-source/service/src/test/org/apache/hive/service/auth/TestLdapAuthenticationProviderImpl.java:[29,4]
cannot find symbol
  symbol:   class Test
  location: class org.apache.hive.service.auth.TestLdapAuthenticationProviderImpl
[INFO] 1 error
[INFO] -------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO] 
[INFO] Hive .............................................. SUCCESS [11.554s]
[INFO] Hive Shims Common ................................. SUCCESS [11.449s]
[INFO] Hive Shims 0.20S .................................. SUCCESS [3.234s]
[INFO] Hive Shims 0.23 ................................... SUCCESS [10.993s]
[INFO] Hive Shims Scheduler .............................. SUCCESS [2.037s]
[INFO] Hive Shims ........................................ SUCCESS [2.736s]
[INFO] Hive Common ....................................... SUCCESS [26.647s]
[INFO] Hive Serde ........................................ SUCCESS [17.567s]
[INFO] Hive Metastore .................................... SUCCESS [35.653s]
[INFO] Hive Ant Utilities ................................ SUCCESS [1.739s]
[INFO] Spark Remote Client ............................... SUCCESS [24.281s]
[INFO] Hive Query Language ............................... SUCCESS [1:52.865s]
[INFO] Hive Service ...................................... FAILURE [5.764s]
[INFO] Hive Accumulo Handler ............................. SKIPPED
[INFO] Hive JDBC ......................................... SKIPPED
[INFO] Hive Beeline ...................................... SKIPPED
[INFO] Hive CLI .......................................... SKIPPED
[INFO] Hive Contrib ...................................... SKIPPED
[INFO] Hive HBase Handler ................................ SKIPPED
[INFO] Hive HCatalog ..................................... SKIPPED
[INFO] Hive HCatalog Core ................................ SKIPPED
[INFO] Hive HCatalog Pig Adapter ......................... SKIPPED
[INFO] Hive HCatalog Server Extensions ................... SKIPPED
[INFO] Hive HCatalog Webhcat Java Client ................. SKIPPED
[INFO] Hive HCatalog Webhcat ............................. SKIPPED
[INFO] Hive HCatalog Streaming ........................... SKIPPED
[INFO] Hive HWI .......................................... SKIPPED
[INFO] Hive ODBC ......................................... SKIPPED
[INFO] Hive Shims Aggregator ............................. SKIPPED
[INFO] Hive TestUtils .................................... SKIPPED
[INFO] Hive Packaging .................................... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4:29.556s
[INFO] Finished at: Tue Mar 17 15:00:16 EDT 2015
[INFO] Final Memory: 132M/700M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:testCompile
(default-testCompile) on project hive-service: Compilation failure
[ERROR] /data/hive-ptest/working/apache-svn-trunk-source/service/src/test/org/apache/hive/service/auth/TestLdapAuthenticationProviderImpl.java:[29,4]
cannot find symbol
[ERROR] symbol:   class Test
[ERROR] location: class org.apache.hive.service.auth.TestLdapAuthenticationProviderImpl
[ERROR] -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following
articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR] 
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn <goals> -rf :hive-service
+ exit 1
'
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12705130 - PreCommit-HIVE-TRUNK-Build

> Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to "none", allowing authentication without password
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-9934
>                 URL: https://issues.apache.org/jira/browse/HIVE-9934
>             Project: Hive
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.1.0
>            Reporter: Chao
>            Assignee: Chao
>         Attachments: HIVE-9934.1.patch, HIVE-9934.2.patch, HIVE-9934.3.patch, HIVE-9934.3.patch, HIVE-9934.4.patch
>
>
> Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to "none", allowing authentication without password.
> See: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html
> “If you supply an empty string, an empty byte/char array, or null to the Context.SECURITY_CREDENTIALS environment property, then the authentication mechanism will be "none". This is because the LDAP requires the password to be nonempty for simple authentication. The protocol automatically converts the authentication to "none" if a password is not supplied.”
>
> Since the LdapAuthenticationProviderImpl.Authenticate method is relying on a NamingException being thrown during creation of initial context, it does not fail when the context result is an “unauthenticated” positive response from the LDAP server. The end result is, one can authenticate with HiveServer2 using the LdapAuthenticationProviderImpl with only a user name and an empty password.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
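
The failure mode described in the quoted issue, shown as an added Java example that is neither Hive's code nor the attached patch: a JNDI simple bind that treats "no NamingException" as success, next to a form that rejects null or empty credentials before any bind is attempted. The class name, method names, `LDAP_URL` and `USER_DN` are constructed for illustration.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.sasl.AuthenticationException;

public class LdapEmptyPasswordGuard {
    // Constructed placeholder values, not taken from the issue.
    static final String LDAP_URL = "ldap://ldap.example.invalid:389";
    static final String USER_DN = "uid=alice,ou=people,dc=example,dc=invalid";

    // Environment for a JNDI simple bind.
    static Hashtable<String, Object> bindEnv(String userDn, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    // Pattern the issue describes: success means "no NamingException". With password "",
    // the bind becomes "none"; a server that accepts it lets this method return normally.
    static void authenticateByExceptionOnly(String userDn, String password)
            throws AuthenticationException {
        try {
            new InitialDirContext(bindEnv(userDn, password)).close();
        } catch (NamingException e) {
            throw new AuthenticationException("Error validating LDAP user", e);
        }
    }

    // Hardened form: refuse null/empty input before any bind is attempted, so the
    // downgrade to "none" is never requested on the caller's behalf.
    static void authenticate(String userDn, String password) throws AuthenticationException {
        if (userDn == null || userDn.isEmpty() || password == null || password.isEmpty()) {
            throw new AuthenticationException("LDAP user name or password is null or empty");
        }
        authenticateByExceptionOnly(userDn, password);
    }

    public static void main(String[] args) {
        // Both inputs are rejected locally; no connection to LDAP_URL is made.
        for (String pw : new String[] {null, ""}) {
            try {
                authenticate(USER_DN, pw);
                System.out.println("accepted (guard missing)");
            } catch (AuthenticationException e) {
                System.out.println("rejected before bind: " + e.getMessage());
            }
        }
    }
}
```

The guard sits in the application because the directory server's response alone does not distinguish an authenticated bind from an accepted unauthenticated one.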
