Uploaded image for project: 'Hadoop HDFS'
  1. Hadoop HDFS
  2. HDFS-2380

Security downgrade of token validation

Add voteVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments


    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    •, 0.23.0, 2.0.0-alpha
    • None
    • security
    • None


      HADOOP-7119 introduced the KerberosAuthenticationHandler for web services. It appears to have been merged into 205 to support webhdfs.

      Prior to HADOOP-7119, the web service used by hftp/hsftp would validate tokens using long kerberos user names. Now the realm is truncated from the user name which caused hftp/hsftp to break. The JspHelper in the namenode rejected the token validation due to the mismatched comparison between a now short user (from the web service) and a long user (in the token). Subsequently, HDFS-2361 changed JspHelper to use the token's short user when comparing against the now short web user.

      The security ramification is it now appears to be easier to spoof other users and access their files. Based on commentary in HDFS-2361, the case can be made that other parts of hadoop are insecure with respect to user names, so it doesn't matter that security has been further downgraded. I don't know if this true, or whether higher layers effectively guard against lower level insecurities. In any case, this logic makes me uneasy, especially when it comes to changing the security of a "front door" to hadoop.

      Is there a technical reason why KerberosAuthenticationHandler should not be changed (1-liner) to return the long user name? This would allow HDFS-2361 to be reverted and return the former level of security to token validation.


        Issue Links


          This comment will be Viewable by All Users Viewable by All Users


            Unassigned Unassigned
            daryn Daryn Sharp




                Issue deployment