hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-16314) Make sure all end point URL is covered by the same AuthenticationFilter
Date Wed, 15 May 2019 16:27:00 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-16314?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Eric Yang updated HADOOP-16314:
    Attachment: Hadoop Web Security.xlsx

> Make sure all end point URL is covered by the same AuthenticationFilter
> -----------------------------------------------------------------------
>                 Key: HADOOP-16314
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16314
>             Project: Hadoop Common
>          Issue Type: Sub-task
>            Reporter: Eric Yang
>            Priority: Major
>         Attachments: Hadoop Web Security.xlsx
> In the enclosed spreadsheet, it shows the list of web applications deployed by Hadoop,
and filters applied to each entry point.
> Hadoop web protocol impersonation has been inconsistent.  Most of entry point do not
support ?doAs parameter.  This creates problem for secure gateway like Knox to proxy Hadoop
web interface on behave of the end user.  When the receiving end does not check for ?doAs
flag, web interface would be accessed using proxy user credential.  This can lead to all
kind of security holes using path traversal to exploit Hadoop. 
> In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as solution to solve the web
impersonation problem.  This task is to track changes required in Hadoop code base to apply
authentication filter globally for each of the web service port.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message