[ https://issues.apache.org/jira/browse/HBASE-13085?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14334249#comment-14334249 ]
Jerry He commented on HBASE-13085:
----------------------------------

Another confusing part is that the proxy property settings to support 'doAs' impersonation go into the hbase-site.xml on each Rest gateway, and the proxy property settings for the normal Rest gateway impersonation go to the hbase-site.xml on each hbase server. In theory, they are separate. In practice, they probably share.

> Security issue in the implementation of Rest gateway 'doAs' proxy user support
> ------------------------------------------------------------------------------
>
>                 Key: HBASE-13085
>                 URL: https://issues.apache.org/jira/browse/HBASE-13085
>             Project: HBase
>          Issue Type: Bug
>          Components: REST, security
>    Affects Versions: 1.0.0, 2.0.0, 0.98.10
>            Reporter: Jerry He
>            Assignee: Jerry He
>            Priority: Critical
>             Fix For: 2.0.0, 1.0.1, 1.1.0, 0.98.11
>
>         Attachments: HBASE-13085-0.98.patch
>
>
> When 'hbase.rest.support.proxyuser' is turned on, HBase Rest gateway supports
> 'doAs' proxy user from the Rest client.
> The current implementation checks to see if the 'rest server user' is
> authorized to impersonate the 'doAs' user (the user in the 'doAs' Rest query
> string).
> {code}
>     if (doAsUserFromQuery != null) {
>       Configuration conf = servlet.getConfiguration();
>       if (!servlet.supportsProxyuser()) {
>         throw new ServletException("Support for proxyuser is not configured");
>       }
>       UserGroupInformation ugi = servlet.getRealUser();
>       // create and attempt to authorize a proxy user (the client is attempting
>       // to do proxy user)
>       ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
>       // validate the proxy user authorization
>       try {
>         ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
>       } catch(AuthorizationException e) {
>         throw new ServletException(e.getMessage());
>       }
>       servlet.setEffectiveUser(doAsUserFromQuery);
>     }
> {code}
> The current implementation allows anyone from the rest client side to
> impersonate another user by 'doAs'.
> For example, potentially, 'user1' can 'doAs=admin'.
> The correct implementation should check to see if the rest client user is
> authorized to do impersonation.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
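The check the issue calls for, as an added example rather than the patch attached to HBASE-13085: the "real" user in the proxy chain is the client the gateway actually authenticated (`request.getRemoteUser()`, which the gateway's authentication filter is assumed to populate), so `ProxyUsers` evaluates the `hadoop.proxyuser.<client>.hosts` and `.groups` settings of the caller rather than of the REST server principal. The class name `DoAsCheck` and the `proxyUserSupported` parameter are this example's own.

```java
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;

/** Added example, not HBase project code: resolve the user a doAs request may act as. */
public final class DoAsCheck {
  private DoAsCheck() {}

  /**
   * Returns the effective user for this request. Assumes the gateway's
   * authentication filter has set request.getRemoteUser() and that the
   * proxyuser configuration was loaded at startup with
   * ProxyUsers.refreshSuperUserGroupsConfiguration(conf).
   */
  public static String resolveEffectiveUser(HttpServletRequest request,
      Configuration conf, boolean proxyUserSupported) throws ServletException {
    String remoteUser = request.getRemoteUser();
    if (remoteUser == null) {
      // An unauthenticated caller must never be allowed to pick a doAs user.
      throw new ServletException("Request is not authenticated");
    }
    String doAsUserFromQuery = request.getParameter("doAs");
    if (doAsUserFromQuery == null) {
      return remoteUser;                       // no impersonation requested
    }
    if (!proxyUserSupported) {
      throw new ServletException("Support for proxyuser is not configured");
    }
    // Real user = the authenticated REST client, NOT the gateway's service user.
    UserGroupInformation realUser = UserGroupInformation.createRemoteUser(remoteUser);
    UserGroupInformation proxyUgi =
        UserGroupInformation.createProxyUser(doAsUserFromQuery, realUser);
    // ProxyUsers now checks hadoop.proxyuser.<remoteUser>.hosts/.groups, so
    // 'user1' can doAs=admin only if an administrator granted user1 that right
    // for this client address.
    try {
      ProxyUsers.authorize(proxyUgi, request.getRemoteAddr(), conf);
    } catch (AuthorizationException e) {
      throw new ServletException(e.getMessage(), e);
    }
    return doAsUserFromQuery;
  }
}
```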