hadoop-common-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-15896) Refine Kerberos based AuthenticationHandler to check proxyuser ACL
Date Fri, 02 Nov 2018 19:21:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-15896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16673580#comment-16673580

Daryn Sharp commented on HADOOP-15896:

Let's unpack the description:  Other than guilt through association, kerberos service principal
validation is irrelevant to JWT.  We need to be careful to not conflate service principal
validation with proxy users.  These are completely independent concepts.  Authenticators authenticate,
they do not implement the authorization of proxy users.

The only nugget of truth in the description is the host in a service principal isn't validated
as the remote peer.

> Refine Kerberos based AuthenticationHandler to check proxyuser ACL
> ------------------------------------------------------------------
>                 Key: HADOOP-15896
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15896
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>            Reporter: Eric Yang
>            Assignee: Larry McCay
>            Priority: Major
> JWTRedirectAuthenticationHandler is based on KerberosAuthenticationHandler, and the authentication
method in KerberosAuthenticationHandler basically does this:
> {code}
> // Authenticated Kerberos principal of the peer, e.g. knox/host1.example.com@EXAMPLE.COM
> String clientPrincipal = gssContext.getSrcName().toString();
> KerberosName kerberosName = new KerberosName(clientPrincipal);
> // Short name keeps only the primary component ("knox"); instance host and realm are dropped
> String userName = kerberosName.getShortName();
> token = new AuthenticationToken(userName, clientPrincipal, getType());
> response.setStatus(HttpServletResponse.SC_OK);
> LOG.trace("SPNEGO completed for client principal [{}]",
>     clientPrincipal);
> {code}
> It obtains the short name of the client principal and responds OK.  This is fine for verifying
an end user.  However, in the proxy user case (knox), this authentication is insufficient because
the knox principal name is: knox/host1.example.com@EXAMPLE.COM . KerberosAuthenticationHandler
will gladly confirm that knox is knox, even if knox/host1.example.com@EXAMPLE.COM is
used from the botnet.rogueresearchlab.tld host.  KerberosAuthenticationHandler may not need to
change, if it does not have a plan to support proxy, and ignores the instance name of the Kerberos principal.
 For JWTRedirectAuthenticationHandler, which is designed for the proxy use case, it should check that the
remote host matches the clientPrincipal instance name; without this check, it makes Kerberos

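The point both the description and the comment circle around is that mapping a principal to its short name discards the instance (host) component, so a service principal presented from any host maps to the same user. The following stand-alone Java class is an added illustration, not code from Hadoop or from this issue: it parses a principal into primary, instance and realm, derives the short name the way the default mapping rule does (primary component only), and shows the separate instance-vs-remote-host check the description asks for. The class and method names (ServicePrincipalHostCheck, parse, instanceMatchesRemoteHost) are hypothetical, and the remote host name is assumed to already have been established by the caller.

```java
import java.util.Locale;
import java.util.Optional;

/**
 * Added example (hypothetical, not Hadoop code): separates "who is this principal"
 * from "did the request come from the host named in the principal's instance".
 */
public final class ServicePrincipalHostCheck {

    /** Parsed form of a Kerberos principal: primary[/instance]@REALM. */
    public static final class Principal {
        public final String primary;
        public final Optional<String> instance;
        public final String realm;

        Principal(String primary, Optional<String> instance, String realm) {
            this.primary = primary;
            this.instance = instance;
            this.realm = realm;
        }
    }

    /** Splits "primary/instance@REALM" (instance optional); rejects empty components. */
    public static Principal parse(String principal) {
        int at = principal.lastIndexOf('@');
        if (at <= 0 || at == principal.length() - 1) {
            throw new IllegalArgumentException("principal must be name@REALM: " + principal);
        }
        String realm = principal.substring(at + 1);
        String name = principal.substring(0, at);
        int slash = name.indexOf('/');
        if (slash < 0) {
            return new Principal(name, Optional.empty(), realm);          // user principal
        }
        if (slash == 0 || slash == name.length() - 1) {
            throw new IllegalArgumentException("empty primary or instance: " + principal);
        }
        return new Principal(name.substring(0, slash),
                             Optional.of(name.substring(slash + 1)), realm); // service principal
    }

    /** The short name as the default mapping rule derives it: the primary component only. */
    public static String shortName(Principal p) {
        return p.primary;
    }

    /**
     * Authorization-side check for a proxy (service) principal: the instance component must
     * name the host the request actually came from. A principal without an instance carries
     * no host claim at all, so it cannot pass this check.
     */
    public static boolean instanceMatchesRemoteHost(Principal p, String remoteHost) {
        if (!p.instance.isPresent()) {
            return false;
        }
        return canonical(p.instance.get()).equals(canonical(remoteHost));
    }

    /** Case-insensitive comparison, ignoring a trailing dot on a fully-qualified name. */
    private static String canonical(String host) {
        String h = host.trim().toLowerCase(Locale.ROOT);
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }

    public static void main(String[] args) {
        // Constructed sample values taken from the issue description.
        Principal knox = parse("knox/host1.example.com@EXAMPLE.COM");

        // Authentication alone yields "knox" no matter which host presented the ticket.
        System.out.println("short name: " + shortName(knox));

        // The host check is a separate, second decision.
        System.out.println("from host1.example.com: "
                + instanceMatchesRemoteHost(knox, "host1.example.com"));
        System.out.println("from botnet.rogueresearchlab.tld: "
                + instanceMatchesRemoteHost(knox, "botnet.rogueresearchlab.tld"));

        // A plain user principal has no instance to compare against.
        Principal user = parse("alice@EXAMPLE.COM");
        System.out.println("user principal host check: "
                + instanceMatchesRemoteHost(user, "host1.example.com"));
    }
}
```

Two things to keep in mind when wiring such a check into a real handler. First, as the comment above stresses, it belongs with the proxy-user authorization decision rather than inside the authenticator, which only establishes the principal. Second, the remote host name passed in must come from a source the server trusts: the request arrives with a peer address, and a reverse lookup of that address is not by itself proof that the peer is the host named in the instance, so compare against a forward-confirmed name or against the addresses the instance host resolves to.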