Eric Yang created HADOOP-15896:
----------------------------------

Summary: Refine Kerberos based AuthenticationHandler to check proxyuser ACL
Key: HADOOP-15896
URL: https://issues.apache.org/jira/browse/HADOOP-15896
Project: Hadoop Common
Issue Type: Bug
Reporter: Eric Yang
JWTRedirectAuthenticationHandler is based on KerberosAuthenticationHandler, and the authentication method in KerberosAuthenticationHandler basically does this:

{code}
String clientPrincipal = gssContext.getSrcName().toString();
KerberosName kerberosName = new KerberosName(clientPrincipal);
String userName = kerberosName.getShortName();
token = new AuthenticationToken(userName, clientPrincipal, getType());
response.setStatus(HttpServletResponse.SC_OK);
LOG.trace("SPNEGO completed for client principal [{}]", clientPrincipal);
{code}

It obtains the short name of the client principal and responds OK. This is fine for verifying an end user. However, in the proxy user case (Knox), this authentication is insufficient because the Knox principal name is knox/host1.example....@example.com. KerberosAuthenticationHandler will gladly confirm that knox is knox, even if knox/host1.example....@example.com is used from the botnet.rogueresearchlab.tld host. KerberosAuthenticationHandler does not need to change, but an additional authentication against the proxy user list should take place in JWTRedirectAuthenticationHandler to properly fulfill the proxy use case.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
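The following is an added illustration of the proxyuser ACL check the issue asks for, written by the editor; it is not code from the Hadoop project or from the reporter. It assumes the short name (userName) has already been derived by KerberosName.getShortName() as in the snippet above, that the client IP comes from the servlet request (request.getRemoteAddr()), and that the check is placed somewhere hadoop-common's ProxyUsers class is on the classpath (for example a filter that runs after the authentication handler, since hadoop-auth itself does not depend on hadoop-common). The configuration keys hadoop.proxyuser.<user>.hosts and hadoop.proxyuser.<user>.users are Hadoop's real proxyuser settings; the principal names, IP addresses and doAs targets used in main() are made up for the demonstration. The class name and method name are hypothetical.

```java
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.ProxyUsers;

/**
 * Added example (not Hadoop code): proxyuser ACL check that would run after
 * SPNEGO has established the caller's short name. SPNEGO proves "knox is knox";
 * this step proves knox may act as the requested user from the requesting host.
 */
public class ProxyUserAclCheck {

  /**
   * @param userName   short name from KerberosName.getShortName(), e.g. "knox"
   * @param remoteAddr client address as seen by the servlet container
   * @param doAsUser   user the caller wants to act as, or null if not impersonating
   * @throws AuthorizationException when userName may not impersonate doAsUser
   *         from remoteAddr according to hadoop.proxyuser.* configuration
   */
  public static void checkProxyUser(String userName, String remoteAddr, String doAsUser)
      throws AuthorizationException {
    if (doAsUser == null) {
      // No impersonation requested: the SPNEGO result stands on its own.
      return;
    }
    UserGroupInformation realUser = UserGroupInformation.createRemoteUser(userName);
    UserGroupInformation proxy = UserGroupInformation.createProxyUser(doAsUser, realUser);
    // ProxyUsers.authorize consults hadoop.proxyuser.<realUser>.{hosts,users,groups}.
    // It throws if the real user is not a configured super-user, if doAsUser is not
    // a permitted target, or if remoteAddr is outside the allowed hosts list.
    ProxyUsers.authorize(proxy, remoteAddr);
  }

  public static void main(String[] args) {
    // Assumed ACL: knox may impersonate alice, but only from 10.0.0.11.
    // Hostnames are also accepted in .hosts; IPs are used here so the demo needs no DNS.
    Configuration conf = new Configuration(false);
    conf.set("hadoop.proxyuser.knox.hosts", "10.0.0.11");
    conf.set("hadoop.proxyuser.knox.users", "alice");
    ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

    // Constructed attempts: {short name, remote address, doAs user}
    String[][] attempts = {
        {"knox", "10.0.0.11", "alice"},     // allowed: right user, right host
        {"knox", "198.51.100.7", "alice"},  // denied: valid knox ticket, wrong host
        {"knox", "10.0.0.11", "bob"},       // denied: bob is not a permitted target
        {"mallory", "10.0.0.11", "alice"},  // denied: mallory is not a proxy user
    };
    for (String[] a : attempts) {
      try {
        checkProxyUser(a[0], a[1], a[2]);
        System.out.println("ALLOW " + a[0] + " as " + a[2] + " from " + a[1]);
      } catch (AuthorizationException e) {
        System.out.println("DENY  " + a[0] + " as " + a[2] + " from " + a[1]
            + ": " + e.getMessage());
      }
    }
  }
}
```

The second attempt is the scenario described in the issue: the Kerberos ticket for knox is genuine, so KerberosAuthenticationHandler accepts it, and only the host check in ProxyUsers rejects the request because the source address is not in hadoop.proxyuser.knox.hosts. Compile and run with hadoop-common and its dependencies on the classpath.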