  1. Hadoop Common
  2. HADOOP-16095 Support impersonation for AuthenticationFilter
  3. HADOOP-16314

Make sure all end point URL is covered by the same AuthenticationFilter

    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.3.0
    • Component/s: security
    • Labels:
      None

      Description

      The enclosed spreadsheet shows the list of web applications deployed by Hadoop and the filters applied to each entry point.

      Hadoop web protocol impersonation has been inconsistent.  Most entry points do not support the ?doAs parameter.  This creates a problem for a secure gateway like Knox that proxies the Hadoop web interface on behalf of the end user.  When the receiving end does not check for the ?doAs flag, the web interface would be accessed using the proxy user's credentials.  This can lead to all kinds of security holes using path traversal to exploit Hadoop.

      In HADOOP-16287, ProxyUserAuthenticationFilter is proposed as a solution to the web impersonation problem.  This task is to track the changes required in the Hadoop code base to apply the authentication filter globally for each of the web service ports.
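
The coverage gap described above can be modelled in a few lines. This is an added example, not code from the issue or from Hadoop: it checks which entry points a filter mapping misses and which user a proxied request ends up running as. The endpoint list, the filter mappings and the `PROXY_USERS` allow-list (a simplification of Hadoop's proxy-user authorization) are constructed assumptions, not the contents of the attached spreadsheet.

```python
# Added illustration. All sample data below is constructed.

def pattern_matches(pattern, path):
    """Servlet-style URL pattern match: exact path, '/prefix/*', '/*' or '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def uncovered_endpoints(endpoints, filter_patterns):
    """Entry points that no mapping of the proxy-user filter matches."""
    return [e for e in endpoints
            if not any(pattern_matches(p, e) for p in filter_patterns)]

def effective_user(path, authenticated_user, do_as, filter_patterns, proxy_users):
    """User the request runs as, given which paths the proxy-user filter covers."""
    covered = any(pattern_matches(p, path) for p in filter_patterns)
    if not covered or do_as is None:
        # doAs is never examined here, so the gateway's own identity is used.
        return authenticated_user
    if do_as not in proxy_users.get(authenticated_user, set()):
        raise PermissionError(f"{authenticated_user} may not impersonate {do_as}")
    return do_as

# Constructed sample: entry points on one web service port.
ENDPOINTS = ["/jmx", "/conf", "/logs/hadoop.log",
             "/webhdfs/v1/user/alice", "/static/hadoop.css"]
PARTIAL_MAPPING = ["/webhdfs/v1/*"]   # filter applied to one application only
GLOBAL_MAPPING = ["/*"]               # filter applied to the whole port
PROXY_USERS = {"knox": {"alice"}}     # hypothetical impersonation allow-list

if __name__ == "__main__":
    print("uncovered:", uncovered_endpoints(ENDPOINTS, PARTIAL_MAPPING))
    for mapping in (PARTIAL_MAPPING, GLOBAL_MAPPING):
        user = effective_user("/jmx", "knox", "alice", mapping, PROXY_USERS)
        print(mapping, "-> /jmx runs as", user)
```

With the partial mapping, a request that the gateway sends for `alice` to `/jmx` runs as `knox`; with the global mapping it runs as `alice`, and an impersonation target outside the allow-list is rejected.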

        Attachments

        1. HADOOP-16314-001.patch
          45 kB
          Prabhu Joseph
        2. HADOOP-16314-002.patch
          46 kB
          Prabhu Joseph
        3. HADOOP-16314-003.patch
          43 kB
          Prabhu Joseph
        4. HADOOP-16314-004.patch
          43 kB
          Prabhu Joseph
        5. HADOOP-16314-005.patch
          49 kB
          Prabhu Joseph
        6. HADOOP-16314-006.patch
          43 kB
          Prabhu Joseph
        7. HADOOP-16314-007.patch
          43 kB
          Prabhu Joseph
        8. Hadoop Web Security.xlsx
          5 kB
          Eric Yang
        9. scan.txt
          3 kB
          Eric Yang

              People

              • Assignee:
                prabhujoseph Prabhu Joseph
                Reporter:
                eyang Eric Yang