hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-16314) Make sure all end point URL is covered by the same AuthenticationFilter
Date Wed, 15 May 2019 16:06:00 GMT
Eric Yang created HADOOP-16314:
----------------------------------

             Summary: Make sure all end point URL is covered by the same AuthenticationFilter
                 Key: HADOOP-16314
                 URL: https://issues.apache.org/jira/browse/HADOOP-16314
             Project: Hadoop Common
          Issue Type: Improvement
            Reporter: Eric Yang


In the enclosed spreadsheet, it shows the list of web applications deployed by Hadoop, and
filters applied to each entry point.

Hadoop web protocol impersonation has been inconsistent.  Most of entry point do not support
?doAs parameter.  This creates problem for secure gateway like Knox to proxy Hadoop web interface
on behave of the end user.  When the receiving end does not check for ?doAs flag, web interface
would be accessed using proxy user credential.  This can lead to all kind of security holes
using path traversal to exploit Hadoop. 

In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as solution to solve the web impersonation
problem.  This task is to track changes required in Hadoop code base to apply authentication
filter globally for each of the web service port.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message