[ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14195295#comment-14195295 ]

Robert Kanter commented on HADOOP-10895:
----------------------------------------

I discussed this with [~yzhangal] and he showed me the security issue at that 
link from ATM's comment.  If my understanding is correct, the problem with 
allowing fallback is that a man-in-the-middle attack could trick the client 
into giving it information without needing Kerberos credentials.  For example, 
if a malicious fake NameNode somehow tricked a client into talking to it 
instead of the real NameNode, it normally would have a problem because it would 
have to get valid Kerberos credentials to actually talk to the client.  
However, with the fallback enabled, it could trick the client into falling back 
to pseudo auth, where it could then continue talking to the client, and getting 
potentially sensitive information from it (e.g. you're trying to upload a file 
with social security numbers in it or something).

In that case, we should disable this and we'll just have to break 
compatibility.  Projects depending on the fallback behavior will have to update 
their code to enable it, or decide that they don't want to allow the fallback 
anymore.

> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>
>                 Key: HADOOP-10895
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10895
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Yongjun Zhang
>            Priority: Blocker
>         Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, 
> HADOOP-10895.003.patch, HADOOP-10895.004.patch
>
>
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the 
> delegation token version coming in with HADOOP-10771 should have a flag to 
> disable fallback to pseudo, similarly to the one that was introduced in 
> Hadoop RPC client with HADOOP-9698.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
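The downgrade described in the comment above, as an added example that is not part of the JIRA thread and not Hadoop's KerberosAuthenticator code: a minimal model of a client that expects a SPNEGO/Kerberos challenge and may fall back to pseudo (user.name) authentication. The `Response` type, the `choose_auth`/`upload`/`run_scenarios` functions, the `allow_fallback` flag and the server replies are all constructed for illustration; the only thing taken from the page is the decision the client has to make when the Negotiate challenge never arrives.

```python
# Added illustration (not Hadoop's KerberosAuthenticator): a minimal model of a
# client that expects a SPNEGO/Kerberos challenge and may fall back to pseudo
# (user.name) authentication, showing why the fallback needs an off switch.
from dataclasses import dataclass, field


@dataclass
class Response:
    """The server's reply to the client's first, unauthenticated request."""
    status: int
    headers: dict = field(default_factory=dict)


class AuthenticationException(Exception):
    """Raised when the client refuses to proceed without Kerberos."""


def challenge_from(server_kind: str) -> Response:
    """Constructed sample replies. A Kerberos-secured NameNode answers an
    unauthenticated request with 401 and WWW-Authenticate: Negotiate. A rogue
    endpoint holds no service key, so it cannot complete SPNEGO; the cheapest
    thing it can do is never issue the Negotiate challenge at all."""
    if server_kind == "genuine":
        return Response(401, {"WWW-Authenticate": "Negotiate"})
    if server_kind == "rogue":
        return Response(200, {})
    raise ValueError(f"unknown server kind: {server_kind}")


def choose_auth(resp: Response, user: str, allow_fallback: bool) -> dict:
    """Pick the authentication scheme for the session.

    With Kerberos the server has to prove possession of its service key to
    finish the handshake, so an impostor cannot complete it. With pseudo auth
    the client merely announces a user name and trusts whoever answered."""
    www_auth = resp.headers.get("WWW-Authenticate", "")
    if resp.status == 401 and www_auth.startswith("Negotiate"):
        # Placeholder token; a real client would obtain it from the GSS-API.
        return {"scheme": "kerberos", "Authorization": "Negotiate <spnego-token>"}
    if allow_fallback:
        # Downgrade: no proof of server identity was ever obtained.
        return {"scheme": "pseudo", "query": {"user.name": user}}
    raise AuthenticationException(
        "server did not offer Negotiate and pseudo-auth fallback is disabled")


def upload(server_kind: str, user: str, payload: bytes, allow_fallback: bool) -> dict:
    """Simulate the client's decision for one upload. Returns the scheme chosen
    and whether the payload would have been handed to the server, or records
    the refusal. Nothing is transmitted; this is a decision model only."""
    try:
        auth = choose_auth(challenge_from(server_kind), user, allow_fallback)
    except AuthenticationException as exc:
        return {"scheme": None, "payload_sent": False, "error": str(exc)}
    return {"scheme": auth["scheme"], "payload_sent": True, "error": None}


def run_scenarios() -> dict:
    """Compare the four combinations the comment describes: genuine or rogue
    server, fallback allowed or disabled."""
    secret = b"ssn,123-45-6789\n"  # constructed sample of sensitive content
    results = {}
    for kind in ("genuine", "rogue"):
        for fallback in (True, False):
            results[(kind, fallback)] = upload(kind, "alice", secret, fallback)
    return results


if __name__ == "__main__":
    for (kind, fallback), outcome in run_scenarios().items():
        print(f"{kind:8s} fallback={fallback!s:5s} -> scheme={outcome['scheme']} "
              f"payload_sent={outcome['payload_sent']}")
```

Against the genuine server both settings end up on Kerberos, so disabling the fallback costs nothing there; against the rogue endpoint only the disabled setting keeps the payload on the client, which is the compatibility trade-off the comment accepts.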
