[ https://issues.apache.org/jira/browse/HIVE-9934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14370664#comment-14370664 ]
Chao commented on HIVE-9934:
----------------------------

Yes, Hadoop doesn't use static blocks. But, since the Hive class still has it, the order could still vary depending on when the class is loaded, right? Looks like SaslRpcServer.init() is called in several places. I debugged it a little; there's one call site in org.apache.hadoop.ipc.RPC which is surrounded by a conditional statement. It might be called before the static block is called (although in a different thread), if the condition is true. The execution didn't reach HadoopThriftAuthBridge23.getHadoopSaslProperties in my test. Looks like a new Provider is always added to the end of an ArrayList, and therefore the one added earlier will be used.

> Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to
> degrade the authentication mechanism to "none", allowing authentication
> without password
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-9934
>                 URL: https://issues.apache.org/jira/browse/HIVE-9934
>             Project: Hive
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.1.0
>            Reporter: Chao
>            Assignee: Chao
>             Fix For: 1.2.0
>
>         Attachments: HIVE-9934.1.patch, HIVE-9934.2.patch, HIVE-9934.3.patch,
> HIVE-9934.3.patch
>
>
> Vulnerability in LdapAuthenticationProviderImpl enables HiveServer2 client to
> degrade the authentication mechanism to "none", allowing authentication
> without password.
> See: http://docs.oracle.com/javase/jndi/tutorial/ldap/security/simple.html
> "If you supply an empty string, an empty byte/char array, or null to the
> Context.SECURITY_CREDENTIALS environment property, then the authentication
> mechanism will be "none". This is because the LDAP requires the password to
> be nonempty for simple authentication. The protocol automatically converts
> the authentication to "none" if a password is not supplied."
>
> Since the LdapAuthenticationProviderImpl.Authenticate method is relying on a
> NamingException being thrown during creation of initial context, it does not
> fail when the context result is an "unauthenticated" positive response from
> the LDAP server. The end result is, one can authenticate with HiveServer2
> using the LdapAuthenticationProviderImpl with only a user name and an empty
> password.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
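The failure mode in the quoted report, an empty password silently becoming an anonymous "none" bind that JNDI reports as success, is illustrated below with a fail-closed check. This is an added example, not Hive's LdapAuthenticationProviderImpl or its patch; the class name, the `authenticate` signature, the LDAP URL, the base DN and the "uid=<user>,<baseDn>" layout are all assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.sasl.AuthenticationException;

// Fail-closed LDAP password check (added example, not Hive's code).
// The URL, base DN and the "uid=<user>,<baseDn>" layout are assumptions.
public class StrictLdapAuthenticator {
  private final String ldapUrl;  // assumed, e.g. "ldaps://ldap.example.com:636"
  private final String baseDn;   // assumed, e.g. "ou=People,dc=example,dc=com"

  public StrictLdapAuthenticator(String ldapUrl, String baseDn) {
    this.ldapUrl = ldapUrl;
    this.baseDn = baseDn;
  }

  // Reject blank credentials before JNDI is involved: an empty or null password
  // is sent as an unauthenticated (anonymous) bind, the server answers with
  // success, and no NamingException is ever thrown.
  static void requireNonEmptyCredentials(String user, String password) throws AuthenticationException {
    if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
      throw new AuthenticationException("LDAP authentication requires a non-empty user name and password");
    }
    // Keep the user name out of the DN grammar; tighten to the site's own rules.
    if (!user.matches("[A-Za-z0-9._-]+")) {
      throw new AuthenticationException("LDAP user name contains unsupported characters");
    }
  }

  public void authenticate(String user, String password) throws AuthenticationException {
    requireNonEmptyCredentials(user, password);
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, ldapUrl);
    env.put(Context.SECURITY_AUTHENTICATION, "simple"); // state the mechanism; never leave it implicit
    env.put(Context.SECURITY_PRINCIPAL, "uid=" + user + "," + baseDn);
    env.put(Context.SECURITY_CREDENTIALS, password);
    DirContext ctx = null;
    try {
      ctx = new InitialDirContext(env); // real simple bind: a wrong password raises NamingException
    } catch (NamingException e) {
      throw new AuthenticationException("LDAP bind failed for user " + user, e);
    } finally {
      if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
    }
  }
}
```

Setting SECURITY_AUTHENTICATION to "simple" alone does not close the hole, since the provider still downgrades an empty credential to "none"; the explicit emptiness check is what makes the bind fail closed.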