Github user benchristel commented on a diff in the pull request: https://github.com/apache/incubator-hawq/pull/1379#discussion_r200796211 --- Diff: pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/UGICache.java --- 
@@ -0,0 +1,129 @@ +package org.apache.hawq.pxf.service; + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import java.io.IOException; +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.DelayQueue; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.fs.FileSystem; +import org.apache.hadoop.security.UserGroupInformation; + +public class UGICache { + + private static final Log LOG = LogFactory.getLog(UGICache.class); + private static Map<SegmentTransactionId, TimedProxyUGI> cache = new ConcurrentHashMap<>(); + //private static DelayQueue<TimedProxyUGI> delayQueue = new DelayQueue<>(); + private static DelayQueue<TimedProxyUGI>[] delayQueues = new DelayQueue<>[64]; + public static long UGI_CACHE_EXPIRY = 15 * 1 * 1000L; // 15 Minutes + + public UGICache() { + for (int i = 0; i < delayQueues.length; i++) { + delayQueues[i] = new DelayQueue<>(); + } + } + + public TimedProxyUGI getTimedProxyUGI(String user, SegmentTransactionId session) throws IOException { --- End diff -- I think there's a potential session hijacking vulnerability here. 
If you pass a `session` that exists in the cache—for any user—the `user` param is ignored when looking up the corresponding UGI. This means that if I know a transaction ID for one of your recent transactions I can authenticate as you and use your UGI. At a minimum, I think there should be some information in the session that is more difficult to guess than a transaction ID. I'm not sure what else needs to be done to make this secure.
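Review bot: the expiry constant `UGI_CACHE_EXPIRY = 15 * 1 * 1000L` evaluates to 15000, which does not match its `// 15 Minutes` comment if the unit is milliseconds (15 minutes would be `15 * 60 * 1000L`); since this controls how long a cached UGI stays usable, fix whichever of the two is wrong and make the field `final`, or at least not a `public static` value any caller can reassign. Two further points on the field declarations: `cache` and `delayQueues` are `static`, but `delayQueues` is populated in the instance constructor, so every `new UGICache()` replaces the queues shared by all instances while the entries in `cache` remain; and `new DelayQueue<>[64]` is a generic array creation that Java rejects at compile time, so a `List<DelayQueue<TimedProxyUGI>>` or an unchecked cast from a raw array is needed.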
---
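The lookup behaviour described in the comment above, next to a variant that binds the cache key to the requesting user. This is an added example, not code from the pull request: the body of `getTimedProxyUGI` is not shown in the diff, so `SessionOnlyCache` is an assumed reconstruction of the pattern the comment describes, and `ProxyHandle`, `UserBoundCache` and the sample session id are hypothetical stand-ins.

```java
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; every class name here is hypothetical.
public class SessionKeyedCacheDemo {

    // Stand-in for the cached proxy UGI: remembers which user it was created for.
    static final class ProxyHandle {
        final String user;
        ProxyHandle(String user) { this.user = user; }
    }

    // Pattern described in the comment: the session id alone is the cache key.
    static final class SessionOnlyCache {
        private final Map<String, ProxyHandle> cache = new ConcurrentHashMap<>();
        ProxyHandle get(String user, String sessionId) {
            // `user` is only consulted on a miss; a hit returns whatever is cached.
            return cache.computeIfAbsent(sessionId, k -> new ProxyHandle(user));
        }
    }

    // Hardened variant: the user is part of the key, so a hit is only possible
    // for the identity that created the entry.
    static final class UserBoundCache {
        private static final class Key {
            final String user, sessionId;
            Key(String user, String sessionId) { this.user = user; this.sessionId = sessionId; }
            @Override public boolean equals(Object o) {
                return o instanceof Key && ((Key) o).user.equals(user)
                        && ((Key) o).sessionId.equals(sessionId);
            }
            @Override public int hashCode() { return Objects.hash(user, sessionId); }
        }
        private final Map<Key, ProxyHandle> cache = new ConcurrentHashMap<>();
        ProxyHandle get(String user, String sessionId) {
            return cache.computeIfAbsent(new Key(user, sessionId), k -> new ProxyHandle(user));
        }
    }

    public static void main(String[] args) {
        String sessionId = "seg0:tx-1001"; // constructed sample id
        SessionOnlyCache weak = new SessionOnlyCache();
        weak.get("alice", sessionId);      // first caller populates the entry
        System.out.println("session-only: second caller gets handle for "
                + weak.get("mallory", sessionId).user);
        UserBoundCache bound = new UserBoundCache();
        bound.get("alice", sessionId);
        System.out.println("user-bound:   second caller gets handle for "
                + bound.get("mallory", sessionId).user);
    }
}
```

Putting the user in the key only helps when the `user` value itself comes from an authenticated source; if the caller can supply any user name, the key is as guessable as the session id.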