hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Kanter (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10895) HTTP KerberosAuthenticator fallback should have a flag to disable it
Date Mon, 03 Nov 2014 22:57:36 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14195295#comment-14195295

Robert Kanter commented on HADOOP-10895:

I discussed this with [~yzhangal] and he showed me the security issue at that link from ATM's
comment.  If my understanding is correct, the problem with allowing fallback is that a man-in-the-middle
attack could trick the client into giving it information without needing Kerberos credentials.
 For example, if a malicious fake NameNode somehow tricked a client into talking to it instead
of the real NameNode, it normally would have a problem because it would have to get valid
Kerberos credentials to actually talk to the client.  However, with the fallback enabled,
it could trick the client into falling back to pseudo auth, where it could then continue talking
to the client, and getting potentially sensitive information from it (e.g. you're trying to
upload a file with social security numbers in it or something).

In that case, we should disable this and we'll just have to break compatibility.  Projects
depending on the fallback behavior will have to update their code to enable it, or decide
that they don't want to allow the fallback anymore.

> HTTP KerberosAuthenticator fallback should have a flag to disable it
> --------------------------------------------------------------------
>                 Key: HADOOP-10895
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10895
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Yongjun Zhang
>            Priority: Blocker
>         Attachments: HADOOP-10895.001.patch, HADOOP-10895.002.patch, HADOOP-10895.003.patch,
> Per review feedback in HADOOP-10771, {{KerberosAuthenticator}} and the delegation token
version coming in with HADOOP-10771 should have a flag to disable fallback to pseudo, similarly
to the one that was introduced in Hadoop RPC client with HADOOP-9698.

This message was sent by Atlassian JIRA

View raw message