[
https://issues.apache.org/jira/browse/HDDS-15467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ivan Andika updated HDDS-15467:
-------------------------------
Description: Found a possible security issue where
OmClientRequest#getUserInfoNotExists might use an admin user (OM starter user)
privilege if the client does not specify any user info. The current usage is
for internal Ozone background services like the OM Trash emptier, and I don't
think normal clients will gain admin user currently since both Hadoop RPC and
gRPC clients should already have the user info. However, I think it's best to be
defensive and for getUserInfoNotExists to not fall back to the admin user since
if we make any changes in getUserInfo that cause userInfo's remoteAddress and
userInfo's username to not be set, it might cause privilege escalations.
(was: Found a possible security issue where
OmClientRequest#getUserInfoNotExists might use an admin user (OM starter user)
privilege if the client does not specify any user info. I don't think normal
clients will gain admin user currently since both Hadoop RPC and gRPC clients
should already have the user info. However, I think it's best to be defensive
and for getUserInfoNotExists to not fall back to the admin user since if we make
any changes in getUserInfo that cause userInfo's remoteAddress and userInfo's
username to not be set, it might cause privilege escalations.)
> OmClientRequest#getUserInfoNotExists should not fallback to starter user by
> default
> -----------------------------------------------------------------------------------
>
> Key: HDDS-15467
> URL: https://issues.apache.org/jira/browse/HDDS-15467
> Project: Apache Ozone
> Issue Type: Improvement
> Reporter: Ivan Andika
> Priority: Major
>
> Found a possible security issue where OmClientRequest#getUserInfoNotExists
> might use an admin user (OM starter user) privilege if the client does not
> specify any user info. The current usage is for internal Ozone background
> services like the OM Trash emptier, and I don't think normal clients will gain
> admin user currently since both Hadoop RPC and gRPC clients should already
> have the user info. However, I think it's best to be defensive and for
> getUserInfoNotExists to not fall back to the admin user since if we make any
> changes in getUserInfo that cause userInfo's remoteAddress and userInfo's
> username to not be set, it might cause privilege escalations.
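
The fail-open fallback described in the issue, next to a fail-closed variant, as an added illustration that is not Apache Ozone code and not part of the original message. The class, method, enum and user names are hypothetical, and the explicit internal-service marker is an assumed design, not the project's actual fix.

```java
import java.util.Optional;

// Added illustration with hypothetical names; this is not Ozone code.
public class CallerIdentityDemo {
    // Constructed stand-in for the admin (starter) identity.
    static final String STARTER_USER = "om-starter";

    /** Whether a request comes over RPC or from a trusted in-process service. */
    enum Origin { EXTERNAL_RPC, INTERNAL_SERVICE }

    /** Fail-open pattern the issue warns about: missing user info silently becomes admin. */
    static String resolveWithFallback(Optional<String> rpcUser) {
        return rpcUser.filter(u -> !u.isEmpty()).orElse(STARTER_USER);
    }

    /** Fail-closed variant: only an explicitly marked internal caller runs as the starter user. */
    static String resolveStrict(Optional<String> rpcUser, Origin origin) {
        Optional<String> user = rpcUser.filter(u -> !u.isEmpty());
        if (user.isPresent()) {
            return user.get();
        }
        if (origin == Origin.INTERNAL_SERVICE) {
            return STARTER_USER;
        }
        // An external request without user info is rejected rather than promoted.
        throw new SecurityException("request carries no user info; refusing to assume an identity");
    }

    public static void main(String[] args) {
        Optional<String> missing = Optional.empty();
        System.out.println("fallback, missing user: " + resolveWithFallback(missing));
        System.out.println("strict, internal service: "
            + resolveStrict(missing, Origin.INTERNAL_SERVICE));
        System.out.println("strict, named user: "
            + resolveStrict(Optional.of("alice"), Origin.EXTERNAL_RPC));
        try {
            resolveStrict(missing, Origin.EXTERNAL_RPC);
        } catch (SecurityException e) {
            System.out.println("strict, external without user: rejected (" + e.getMessage() + ")");
        }
    }
}
```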