Hi Yongli - I'm not sure whether you will see this response or not given that I had to moderate your email. It doesn't seem that you are subscribed.
However, this is a good question and will be helpful for the community at large.

The warning that you are seeing above is part of the fix of the issue to which you are referring. The way to avoid it is to not try and impersonate a user with your client call.

To fully explain the scenario here - which it seems that you were actually using as a feature:

1. There was an issue wherein a specially crafted URL could specify a user.name or doas to impersonate anyone they want
2. As long as we authenticated the user and they were authorized to access the requested resource they would be provided access
3. This was never an intended feature of Knox for authenticated users and represented a possible security issue

So, your particular client happens to be setting a user.name. The fix for the above described issue was to scrub any incoming impersonation attempts and log a warning to that effect.

Your client usage needs to assume that the only impersonation is done by Knox on behalf of the authenticated user - the user authenticated by Knox. There are separate ways for Knox to map one user to another within a topology if that is what you want but we do not support end users/applications impersonating users on their own.

Hope this is helpful.
thanks,
--larry

On Thu, Feb 22, 2018 at 4:29 PM, Yongli An <[email protected]> wrote:

> Hi Knox experts,
>
> I have my environment running with Knox 0.12.0 already but I am still
> getting the same impersonate warning messages as shown below -
>
> "2018-02-22 21:14:39,671 WARN hadoop.gateway (IdentityAsserterHttpServletRequestWrapper.java:scrubOfExistingPrincipalParams(199)) - Possible identity spoofing attempt - impersonation parameter removed: user.name"
>
> The way I produce this: first I make a request to create a file -
>
> url='https://' + hostip + ':8443/gateway/default/webhdfs/v1/user/clsadmin/test/' + filetag + '_' + str(num) + '.txt?op=CREATE&overwrite=true'
> req=requests.put(url,verify=False,auth=(user,pwd),allow_redirects=False)
>
> The above put request will not trigger any warning messages like that.
>
> Then I have the following request to put some data into the file -
>
> location=req.headers['Location']
> with open(dataFile) as mydata:
>     newreq=requests.put(location,verify=False,auth=(user,pwd),data=mydata)
>
> This second request will trigger the warning message mentioned above.
>
> Is this an issue? Or what's the recommended approach to avoid the warning?
>
> Thanks a lot!
>
> - Yongli
>
> On 2017/05/26 18:26:44, larry mccay <[email protected]> wrote:
> > CVE-2017-5646: Apache Knox Impersonation Issue for WebHDFS
> >
> > Severity: Important
> >
> > Vendor:
> > The Apache Software Foundation
> >
> > Versions Affected:
> > All versions of Apache Knox prior to 0.12.0
> >
> > An authenticated user may use a specially crafted URL to impersonate another
> > user while accessing WebHDFS through Apache Knox. This may result in
> > escalated privileges and unauthorized data access. While this activity is
> > audit logged and can be easily associated with the authenticated user, this
> > is still a serious security issue.
> >
> > Mitigation:
> > All users are recommended to upgrade to Apache Knox 0.12.0,
> > where validation, scrubbing and logging of such attempts has been added.
> >
> > The Apache Knox 0.12.0 release can be downloaded from:
> > Source: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0-src.zip
> > Binary: http://www.apache.org/dyn/closer.cgi/knox/0.12.0/knox-0.12.0.zip
>
> Best regards,
> Yongli An
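To make the gateway-side behaviour Larry describes concrete, here is an added example (not Knox's own code, and not Yongli's client) written in Python because the client in the thread is Python. It models two things: the scrub step from the 0.12.0 fix, which strips the impersonation parameters named in the thread (`user.name` and `doas`; the assumption here is that these two are the full list) from an incoming query string and logs a warning in the same spirit as `scrubOfExistingPrincipalParams`, and the identity-assertion step, in which the only principal forwarded to the backend is the one the gateway authenticated. The sample URLs, the hostnames `gw` and `dn`, the user `clsadmin`, and the idea that the WebHDFS redirect `Location` carries a `user.name` parameter (which is the constructed scenario used to show why only the second request trips the warning) are all assumptions for illustration.

```python
"""Added example, not Apache Knox code: a model of the 0.12.0 scrub of
impersonation parameters and of gateway-side identity assertion.
Parameter names and log wording are assumptions based on the thread."""
import logging
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

log = logging.getLogger("gateway")

# Query parameters the thread names as impersonation vectors.
# Assumption: this is the complete list; Knox's own list may differ.
IMPERSONATION_PARAMS = ("user.name", "doas")


def query_params(url: str):
    """Decode a URL's query string into an ordered list of (name, value)."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def scrub_impersonation_params(url: str):
    """Return (clean_url, removed).

    Every impersonation parameter found in the query string is dropped and
    reported as a warning, mirroring the behaviour the thread describes for
    Knox 0.12.0.  Matching is exact (servlet parameter names are
    case-sensitive), so 'User.Name' would pass through; widen this if your
    backend treats names case-insensitively.
    """
    parts = urlsplit(url)
    kept, removed = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in IMPERSONATION_PARAMS:
            removed.append((name, value))
        else:
            kept.append((name, value))
    for name, _ in removed:
        log.warning(
            "Possible identity spoofing attempt - impersonation parameter removed: %s",
            name,
        )
    clean_url = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean_url, removed


def assert_identity(authenticated_user: str, url: str) -> str:
    """Gateway behaviour after the fix: scrub whatever the client sent, then
    attach only the principal the gateway itself authenticated."""
    clean_url, _ = scrub_impersonation_params(url)
    parts = urlsplit(clean_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params.append(("user.name", authenticated_user))
    return urlunsplit(parts._replace(query=urlencode(params)))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(name)s - %(message)s")

    # Constructed request 1: the CREATE call as in the thread, no principal
    # parameter, so nothing is scrubbed and no warning is logged.
    create_url = (
        "https://gw:8443/gateway/default/webhdfs/v1/user/clsadmin/test/"
        "file_1.txt?op=CREATE&overwrite=true"
    )
    print(scrub_impersonation_params(create_url))

    # Constructed request 2: a redirect Location that carries user.name
    # (assumed shape), which is what trips the warning on the second PUT.
    redirect_url = (
        "http://dn:50075/webhdfs/v1/user/clsadmin/test/file_1.txt"
        "?op=CREATE&user.name=clsadmin&overwrite=true"
    )
    print(scrub_impersonation_params(redirect_url))

    # Whatever the client asked for, the backend sees the authenticated user.
    print(assert_identity("clsadmin", redirect_url.replace("clsadmin&", "someoneelse&")))
```

The practical consequence for a client matches Larry's advice: strip `user.name`/`doas` from any URL you are about to send through the gateway (a redirect `Location` included) and let the gateway assert the identity it authenticated; the warning is the gateway telling you it did exactly that.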
