  1. Hadoop Common
  2. HADOOP-15922

DelegationTokenAuthenticationFilter gets wrong doAsUser since it does not decode URL


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.3.0, 3.2.1, 3.1.3
    • common, kms
    • None
    • Incompatible change, Reviewed
    • Fix DelegationTokenAuthentication filter incorrectly double-encoding the doAs user parameter.

    Description

      DelegationTokenAuthenticationFilter gets the wrong doAsUser when the proxy user from the client is a complete Kerberos name (e.g., user/hostname@REALM.COM, which is actually acceptable), because DelegationTokenAuthenticationFilter does not decode the DOAS parameter in the URL, which is encoded by URLEncoder at the client.
      Taking KMS as an example:
      a. KMSClientProvider creates a connection to the KMS server using DelegationTokenAuthenticatedURL#openConnection.
      b. If KMSClientProvider is a doAsUser, KMSClientProvider will put doas with the URL-encoded user as one parameter of the HTTP request.

          // proxyuser
          if (doAs != null) {
            extraParams.put(DO_AS, URLEncoder.encode(doAs, "UTF-8"));
          }
      

      c. When the KMS server receives the request, it does not decode the proxy user.

      As a result, the KMS server will get the wrong proxy user if this proxy user is a complete Kerberos name or includes some special characters. Other authentication and authorization exceptions will then be thrown.
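
The encoding mismatch described above, as an added example (not Hadoop's code and not part of the original report): it encodes a sample `doas` value with URLEncoder, places it in a constructed query string, and shows the user a server would see with no decode, one decode, and one decode of a double-encoded value. The class and its helpers `rawParam`, `decodeTimes` and `show`, and the sample user `alice`, are hypothetical.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;

public class DoAsEncodingDemo {
    static final String UTF8 = "UTF-8";

    // Hypothetical helper: return the raw (still percent-encoded) value of a query parameter.
    static String rawParam(String query, String name) {
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(name)) {
                return pair.substring(eq + 1);
            }
        }
        return null;
    }

    // Apply URL decoding a given number of times, standing in for the server side.
    static String decodeTimes(String value, int times) throws Exception {
        for (int i = 0; i < times; i++) {
            value = URLDecoder.decode(value, UTF8);
        }
        return value;
    }

    // Encode on the "client", decode on the "server", and compare with the intended user.
    static void show(String doAs, int clientEncodes, int serverDecodes) throws Exception {
        String wire = doAs;
        for (int i = 0; i < clientEncodes; i++) {
            wire = URLEncoder.encode(wire, UTF8);
        }
        String query = "doas=" + wire; // constructed query string
        String seen = decodeTimes(rawParam(query, "doas"), serverDecodes);
        System.out.printf("%-24s enc=%d dec=%d -> %-32s %s%n", doAs, clientEncodes,
            serverDecodes, seen, seen.equals(doAs) ? "OK" : "WRONG USER");
    }

    public static void main(String[] args) throws Exception {
        String[] users = {"alice", "user/hostname@REALM.COM"}; // constructed samples
        for (String u : users) {
            show(u, 1, 0); // encoded by the client, never decoded by the server
            show(u, 1, 1); // encoded once, decoded once
            show(u, 2, 1); // double-encoded, decoded once
        }
    }
}
```

A simple name such as `alice` round-trips in every case because it contains no characters that URLEncoder escapes, which is why the mismatch only surfaces for names containing `/` or `@`.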

      Attachments

        1. HADOOP-15922.007.patch
          4 kB
          Xiaoqiao He
        2. HADOOP-15922.006.patch
          4 kB
          Xiaoqiao He
        3. HADOOP-15922.005.patch
          4 kB
          Xiaoqiao He
        4. HADOOP-15922.004.patch
          5 kB
          Xiaoqiao He
        5. HADOOP-15922.003.patch
          5 kB
          Xiaoqiao He
        6. HADOOP-15922.002.patch
          5 kB
          Xiaoqiao He
        7. HADOOP-15922.001.patch
          1 kB
          Xiaoqiao He

          People

            hexiaoqiao Xiaoqiao He