hadoop-common-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-15896) Refine Kerberos based AuthenticationHandler to check proxyuser ACL
Date Fri, 02 Nov 2018 16:48:00 GMT
Eric Yang created HADOOP-15896:

             Summary: Refine Kerberos based AuthenticationHandler to check proxyuser ACL
                 Key: HADOOP-15896
                 URL: https://issues.apache.org/jira/browse/HADOOP-15896
             Project: Hadoop Common
          Issue Type: Bug
            Reporter: Eric Yang

JWTRedirectAuthenticationHandler is based on KerberosAuthenticationHandler, and the authentication
method in KerberosAuthenticationHandler basically does this:

String clientPrincipal = gssContext.getSrcName().toString();
KerberosName kerberosName = new KerberosName(clientPrincipal);
String userName = kerberosName.getShortName();
token = new AuthenticationToken(userName, clientPrincipal, getType());
LOG.trace("SPNEGO completed for client principal [{}]",

It obtains the short name of the client principal and responds OK. This is fine for verifying
an end user. However, in the proxy user case (knox), this authentication is insufficient because
the knox principal name is knox/host1.example.com@EXAMPLE.COM. KerberosAuthenticationHandler
will gladly confirm that knox is knox, even if knox/host1.example.com@EXAMPLE.COM is
used from the botnet.rogueresearchlab.tld host. KerberosAuthenticationHandler does not need to
change, but additional authentication against the proxy user list should take place in JWTRedirectAuthenticationHandler
to properly fulfill the proxy use case.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org
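The report above describes the missing step: after SPNEGO has proven that the caller holds the knox keytab, the handler still has to ask whether knox is a configured proxy user, whether it may act from the host the request actually came from, and whether it may impersonate the requested end user. The following is an added, standalone Python model of that check; it is not code from the JIRA report or from Hadoop. It reuses the real configuration key shape (hadoop.proxyuser.<user>.hosts / .users / .groups) but the configuration values, the group table and the hosts and addresses are constructed for the example, and the short-name derivation only models the DEFAULT auth_to_local rule, not the full KerberosName rule engine.

```python
import ipaddress

# Constructed proxy-user configuration. The key names follow Hadoop's
# hadoop.proxyuser.<user>.{hosts,users,groups} scheme; the values are made up.
PROXYUSER_CONF = {
    "hadoop.proxyuser.knox.hosts": "host1.example.com,10.0.5.0/24",
    "hadoop.proxyuser.knox.users": "*",
    "hadoop.proxyuser.knox.groups": "",
}

# Constructed user -> groups table standing in for the cluster's group mapping.
USER_GROUPS = {"alice": {"analysts"}, "bob": {"ops"}}


def short_name(principal):
    """Model of KerberosName.getShortName() under the DEFAULT rule:
    'knox/host1.example.com@EXAMPLE.COM' -> 'knox'. The host instance and the
    realm are discarded, which is exactly why the short name alone says nothing
    about where the request came from."""
    name = principal.split("@", 1)[0]
    return name.split("/", 1)[0]


def _split(spec):
    return [e.strip() for e in spec.split(",") if e.strip()]


def _host_allowed(spec, remote_addr, remote_host):
    """True if the peer matches the hosts list: '*' allows any host, a CIDR
    entry is matched against the peer IP, anything else is compared to the
    peer IP or its (caller-supplied) reverse-resolved hostname."""
    if spec.strip() == "*":
        return True
    for entry in _split(spec):
        if "/" in entry:
            try:
                net = ipaddress.ip_network(entry, strict=False)
                if remote_addr and ipaddress.ip_address(remote_addr) in net:
                    return True
            except ValueError:
                continue  # malformed entry never grants access
        elif entry == remote_addr or (remote_host and entry == remote_host):
            return True
    return False


def authorize_proxy(conf, groups, proxy_principal, do_as_user, remote_addr, remote_host=None):
    """Proxy-user ACL check to run *after* SPNEGO succeeded for proxy_principal.

    Returns (allowed, reason). Allowed only when the authenticated short name is
    a configured proxy user, the request's peer is on that user's hosts list,
    and do_as_user is covered by the users or groups list."""
    proxy_user = short_name(proxy_principal)
    hosts = conf.get("hadoop.proxyuser.%s.hosts" % proxy_user)
    if hosts is None:
        return False, "%s is not a configured proxy user" % proxy_user
    where = remote_host or remote_addr
    if not _host_allowed(hosts, remote_addr, remote_host):
        return False, "proxy user %s is not allowed from %s" % (proxy_user, where)
    users = conf.get("hadoop.proxyuser.%s.users" % proxy_user, "")
    grps = conf.get("hadoop.proxyuser.%s.groups" % proxy_user, "")
    if users.strip() == "*" or grps.strip() == "*":
        return True, "ok"
    if do_as_user in _split(users):
        return True, "ok"
    if groups.get(do_as_user, set()) & set(_split(grps)):
        return True, "ok"
    return False, "%s may not impersonate %s" % (proxy_user, do_as_user)


if __name__ == "__main__":
    knox = "knox/host1.example.com@EXAMPLE.COM"
    # Same principal, two origins: the legitimate gateway host and a rogue one.
    print(authorize_proxy(PROXYUSER_CONF, USER_GROUPS, knox, "alice", "192.0.2.10", "host1.example.com"))
    print(authorize_proxy(PROXYUSER_CONF, USER_GROUPS, knox, "alice", "203.0.113.9", "botnet.rogueresearchlab.tld"))
```

Note that the hosts test is the one the report is asking for: the Kerberos exchange only establishes that the caller holds knox's key, so the origin has to be taken from the connection (remote address, and a reverse-resolved name only if the deployment trusts its DNS) and compared against the configured list, and a user with no hosts entry at all is rejected before any impersonation target is considered.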
