Uploaded image for project: 'HBase'
  1. HBase
  2. HBASE-13085

Security issue in the implementation of Rest gataway 'doAs' proxy user support

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • 1.0.0, 0.98.10, 2.0.0
    • 1.0.1, 1.1.0, 0.98.11, 2.0.0
    • REST, security
    • None
    • Reviewed

    Description

      When 'hbase.rest.support.proxyuser' is turned on, HBase Rest gateway support 'doAs' proxy user from the Rest client.

      The current implementation checks to see if the 'rest server user' is authorized to impersonate the 'doAs' user (the user in the 'doAs' Rest query string).

      if (doAsUserFromQuery != null) {
      Configuration conf = servlet.getConfiguration();
      if (!servlet.supportsProxyuser()) {
        throw new ServletException("Support for proxyuser is not configured");
      }
      UserGroupInformation ugi = servlet.getRealUser();
      // create and attempt to authorize a proxy user (the client is attempting
      // to do proxy user)
      ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, ugi);
      // validate the proxy user authorization
      try {
        ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
      } catch(AuthorizationException e) {
        throw new ServletException(e.getMessage());
      }
      servlet.setEffectiveUser(doAsUserFromQuery);
    }

      The current implementation allows anyone from the rest client side to impersonate another user by 'doAs'.
      For example, potentially, 'user1' can 'doAs=admin'

      The correct implementation should check to see if the rest client user is authorized to do impersonation.

      Attachments

        1. HBASE-13085-0.98.patch
          1.0 kB
          Jerry He

        Issue Links

          relates to

          Sub-task - The sub-task of the issue HBASE-13116 Enhance the documentation for usage of "doAs" through REST and Thrift gateways

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. HBASE-13115 Fix the usage of remote user in thrift doAs implementation.

          • Major - Major loss of function.
          • Closed

          Activity

            People

              jinghe Jerry He
              jinghe Jerry He
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: