hive-issues mailing list archives

From "Hive QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-9934) Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade the authentication mechanism to "none", allowing authentication without password
Date Thu, 12 Mar 2015 07:58:39 GMT

    [ https://issues.apache.org/jira/browse/HIVE-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14358251#comment-14358251 ]

Hive QA commented on HIVE-9934:
-------------------------------



{color:green}Overall{color}: +1 all checks pass

Here are the results of testing the latest attachment:
https://issues.apache.org/jira/secure/attachment/12704024/HIVE-9934.1.patch

{color:green}SUCCESS:{color} +1 7762 tests passed

Test results: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/3012/testReport
Console output: http://ec2-174-129-184-35.compute-1.amazonaws.com/jenkins/job/PreCommit-HIVE-TRUNK-Build/3012/console
Test logs: http://ec2-174-129-184-35.compute-1.amazonaws.com/logs/PreCommit-HIVE-TRUNK-Build-3012/

Messages:
{noformat}
Executing org.apache.hive.ptest.execution.PrepPhase
Executing org.apache.hive.ptest.execution.ExecutionPhase
Executing org.apache.hive.ptest.execution.ReportingPhase
{noformat}

This message is automatically generated.

ATTACHMENT ID: 12704024 - PreCommit-HIVE-TRUNK-Build

> Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade
> the authentication mechanism to "none", allowing authentication without password
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-9934
>                 URL: https://issues.apache.org/jira/browse/HIVE-9934
>             Project: Hive
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.1.0
>            Reporter: Chao
>            Assignee: Chao
>         Attachments: HIVE-9934.1.patch
>
>
> Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to degrade
> the authentication mechanism to "none", allowing authentication without password.
> See: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html
> “If you supply an empty string, an empty byte/char array, or null to the Context.SECURITY_CREDENTIALS
> environment property, then the authentication mechanism will be "none". This is because the
> LDAP requires the password to be nonempty for simple authentication. The protocol automatically
> converts the authentication to "none" if a password is not supplied.”
>  
> Since the LdapAuthenticationProviderImpl.Authenticate method is relying on a NamingException
> being thrown during creation of initial context, it does not fail when the context result
> is an “unauthenticated” positive response from the LDAP server. The end result is, one
> can authenticate with HiveServer2 using the LdapAuthenticationProviderImpl with only a user
> name and an empty password.
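
The fix the quoted description implies is to refuse an empty credential before JNDI ever gets to fall back to the "none" mechanism. The following is an added example of that check, not Hive's LdapAuthenticationProviderImpl or the attached patch; the class name, the LDAP URL, the base DN and the `uid=<user>,<baseDn>` principal layout are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.sasl.AuthenticationException;

// Hypothetical hardened LDAP password check (not Hive's own class).
public class LdapPasswordAuthenticator {

    private final String ldapUrl;   // assumed, e.g. "ldap://ldap.example.com:389"
    private final String baseDn;    // assumed, e.g. "ou=People,dc=example,dc=com"

    public LdapPasswordAuthenticator(String ldapUrl, String baseDn) {
        this.ldapUrl = ldapUrl;
        this.baseDn = baseDn;
    }

    public void authenticate(String user, String password) throws AuthenticationException {
        // Guard: JNDI turns a null/empty SECURITY_CREDENTIALS into an anonymous ("none")
        // bind, and the server answers that bind with success, so no NamingException is
        // thrown. Reject empty input here instead of relying on the bind to fail.
        if (user == null || user.isEmpty()) {
            throw new AuthenticationException("LDAP authentication failed: empty user name");
        }
        if (password == null || password.isEmpty()) {
            throw new AuthenticationException("LDAP authentication failed: empty password");
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // Assumed DN layout; the user name should be validated as a DN component in practice.
        env.put(Context.SECURITY_PRINCIPAL, "uid=" + user + "," + baseDn);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            // A wrong (non-empty) password makes the simple bind fail with NamingException.
            ctx = new InitialDirContext(env);
        } catch (NamingException e) {
            throw new AuthenticationException("LDAP authentication failed for user " + user, e);
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```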



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
