hadoop-common-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-16314) Make sure all end point URL is covered by the same AuthenticationFilter
Date Tue, 28 May 2019 23:57:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-16314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16850245#comment-16850245 ]

Eric Yang commented on HADOOP-16314:

Sorry [~Prabhu Joseph] I committed HDFS-14434 which breaks patch 003.  Could you rebase? 

> Make sure all end point URL is covered by the same AuthenticationFilter
> -----------------------------------------------------------------------
>                 Key: HADOOP-16314
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16314
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Eric Yang
>            Assignee: Prabhu Joseph
>            Priority: Major
>         Attachments: HADOOP-16314-001.patch, HADOOP-16314-002.patch, HADOOP-16314-003.patch, Hadoop Web Security.xlsx, scan.txt
>
> The enclosed spreadsheet shows the list of web applications deployed by Hadoop, and the filters applied to each entry point.
> Hadoop web protocol impersonation has been inconsistent.  Most entry points do not support the ?doAs parameter.  This creates a problem for secure gateways like Knox to proxy the Hadoop web interface on behalf of the end user.  When the receiving end does not check for the ?doAs flag, the web interface would be accessed using the proxy user credential.  This can lead to all kinds of security holes using path traversal to exploit Hadoop.
> In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as a solution to solve the web impersonation problem.  This task is to track changes required in the Hadoop code base to apply the authentication filter globally for each of the web service ports.
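
The failure mode described in the issue, as an added example that is not part of the original message or of the Hadoop code base: a small Python model of which identity a gateway-proxied request runs as when an endpoint does or does not check `?doAs`. The account names, endpoint paths, host name and the `PROXY_RULES` table are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed rule table: which end users a gateway account may impersonate.
PROXY_RULES = {"knox": {"alice", "bob"}}

# Constructed endpoints (hypothetical paths): True means the endpoint sits
# behind a filter that checks ?doAs, False means it ignores the parameter.
ENDPOINTS = {"/ui-a/": True, "/ui-b/": False, "/ui-c/": False}


def effective_user(authenticated_user, url, checks_doas):
    """Return the identity a request runs as at one endpoint."""
    do_as = parse_qs(urlsplit(url).query).get("doAs", [None])[0]
    if not checks_doas or do_as is None:
        # Without the check, ?doAs is dropped and the caller's own
        # (proxy) credential is used for the whole request.
        return authenticated_user
    if do_as not in PROXY_RULES.get(authenticated_user, set()):
        raise PermissionError(f"{authenticated_user} may not impersonate {do_as}")
    return do_as


def audit(gateway_user, end_user):
    """List endpoints where a proxied request does not run as the end user."""
    findings = []
    for path, checks_doas in ENDPOINTS.items():
        url = f"http://hadoop.example{path}?doAs={end_user}"
        who = effective_user(gateway_user, url, checks_doas)
        if who != end_user:
            findings.append((path, who))
    return findings


if __name__ == "__main__":
    for path, who in audit("knox", "alice"):
        print(f"{path}: request for alice runs as {who}")
```

Every path reported by `audit` is one where the end user's request is served with the gateway account's privileges, which is the inconsistency a single filter applied to all entry points removes.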
