Security downgrade of token validation
--------------------------------------
Key: HDFS-2380
URL: https://issues.apache.org/jira/browse/HDFS-2380
Project: Hadoop HDFS
Issue Type: Bug
Components: security
Affects Versions: 0.20.205.0, 0.23.0, 0.24.0
Reporter: Daryn Sharp

HADOOP-7119 introduced the {{KerberosAuthenticationHandler}} for web services.
It appears to have been merged into 205 to support webhdfs.

Prior to HADOOP-7119, the web service used by hftp/hsftp would validate tokens
using long Kerberos user names. Now the realm is truncated from the user name,
which caused hftp/hsftp to break. The {{JspHelper}} in the namenode rejected
the token validation due to the mismatched comparison between a now short user
(from the web service) and a long user (in the token). Subsequently, HDFS-2361
changed {{JspHelper}} to use the token's short user when comparing against the
now short web user.

The security ramification is that it now appears to be easier to spoof other
users and access their files. Based on commentary in HDFS-2361, the case can be
made that other parts of Hadoop are insecure with respect to user names, so it
doesn't matter that security has been further downgraded. I don't have the
knowledge to know if this is true, or whether higher layers effectively guard
against lower level insecurities. In any case, this logic makes me uneasy,
especially when it comes to changing the security of a "front door" to Hadoop.

Is there a technical reason why {{KerberosAuthenticationHandler}} should not be
changed (1-liner) to return the long user name? This would allow HDFS-2361 to
be reverted and return the former level of security to token validation.
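The difference between the two comparisons described in this report, as an added example that is not part of the original issue and is not Hadoop code. It assumes a name mapping that reduces every principal to its first component; the class, the method names and all principals are constructed for illustration.

```java
// Added illustration; not Hadoop code. Class, methods and principals are constructed.
public class TokenOwnerCheck {

    // Minimal Kerberos principal of the form primary[/instance]@REALM.
    static final class Principal {
        final String primary, instance, realm;

        Principal(String full) {
            int at = full.lastIndexOf('@');
            if (at <= 0 || at == full.length() - 1) {
                throw new IllegalArgumentException("principal has no realm: " + full);
            }
            String name = full.substring(0, at);
            int slash = name.indexOf('/');
            primary = slash < 0 ? name : name.substring(0, slash);
            instance = slash < 0 ? null : name.substring(slash + 1);
            realm = full.substring(at + 1);
        }

        // Assumption: the short name is the primary, with instance and realm dropped.
        String shortName() { return primary; }

        String longName() {
            return (instance == null ? primary : primary + "/" + instance) + "@" + realm;
        }
    }

    // Long-name check: the full principals must be identical.
    static boolean matchesLong(Principal webUser, Principal tokenOwner) {
        return webUser.longName().equals(tokenOwner.longName());
    }

    // Short-name check: only the realm-less short names are compared.
    static boolean matchesShort(Principal webUser, Principal tokenOwner) {
        return webUser.shortName().equals(tokenOwner.shortName());
    }

    public static void main(String[] args) {
        Principal owner = new Principal("alice@CORP.EXAMPLE"); // constructed token owner
        String[] callers = {"alice@CORP.EXAMPLE", "alice@PARTNER.EXAMPLE",
                            "alice/admin@CORP.EXAMPLE", "bob@CORP.EXAMPLE"};
        for (String c : callers) {
            Principal web = new Principal(c);
            System.out.printf("%-26s long=%-5b short=%b%n",
                    c, matchesLong(web, owner), matchesShort(web, owner));
        }
    }
}
```

Only the first caller passes the long-name check, while the first three all pass the short-name check, which is the loss of distinction the report is concerned about.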