Access control and LDAP
Hyurt opened this issue
Hi there,
We have a Presto cluster plugged into an LDAP for authentication and, as read in this issue, we can successfully query Presto.
The Presto master has some access control rules that we've set up for a few catalogues.
The problem is that the authentication used by the user is only used to access the HTTPS endpoint, and then the user can send any username and bypass the access control rules.
Here is an example:
access-control.properties

    access-control.name=file
    security.config-file=etc/rules.json

etc/rules.json

    {
      "catalogs": [
        {
          "user": "user_a",
          "catalog": "(mysql|system)",
          "allow": true
        },
        {
          "catalog": "hive",
          "allow": true
        },
        {
          "catalog": "system",
          "allow": false
        }
      ]
    }

According to this configuration, user_b shouldn't be able to access the catalog system.
However, with this script he can impersonate user_a and spoof access control:

    library(RPresto)
    library(dplyr)
    library(dbplyr)
    library(httr)

    set_config(config(ssl_verifypeer=0L))
    # HTTP basic authentication (checked against LDAP) is done as user_b
    set_config(authenticate("user_b", "password_user_b"))

    # ...while the Presto session user is set to user_a
    con <- dbConnect(
      RPresto::Presto(),
      host='https://coordinator-node',
      port=8446,
      user="user_a",
      schema='public',
      catalog='system'
    )

I can't find out whether I can reinforce the access-control policy to avoid that kind of problem or not, or if we should do something else?
This can be controlled now. Check https://prestodb.github.io/docs/current/security/built-in-system-access-control.html - look for Principal Rules. For example, the following rule could prevent a random user impersonation.

    "principals": [
      {
        "principal": "([^/]+)(/.*)?@.*",
        "principal_to_user": "$1",
        "allow": true
      },
      {
        "principal": "(.*)",
        "principal_to_user": "$1",
        "allow": true
      }
    ]

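How the principal rules above stop the impersonation from the original report, as an added example: this is a simplified Python model of the rule evaluation described in the linked documentation, not Presto's own code and not part of the thread. The function name `can_set_user`, the first-match and default-deny behaviour, and the sample principals are assumptions of this sketch.

```python
import re

# Principal rules as posted in the comment above.
PRINCIPAL_RULES = [
    {"principal": r"([^/]+)(/.*)?@.*", "principal_to_user": "$1", "allow": True},
    {"principal": r"(.*)", "principal_to_user": "$1", "allow": True},
]


def _expand(match, template):
    # Java-style "$1" back-references become Python "\g<1>".
    return match.expand(re.sub(r"\$(\d+)", r"\\g<\1>", template))


def can_set_user(principal, user, rules=PRINCIPAL_RULES):
    """Return True if the authenticated `principal` may use session user `user`."""
    for rule in rules:
        m = re.fullmatch(rule["principal"], principal)
        if m is None:
            continue  # rule does not apply to this principal
        if "user" in rule and re.fullmatch(rule["user"], user):
            return rule["allow"]
        if "principal_to_user" in rule and _expand(m, rule["principal_to_user"]) == user:
            return rule["allow"]
    return False  # assumption: no rule matched, so the request is denied


if __name__ == "__main__":
    # Constructed cases: (authenticated principal, requested session user).
    for principal, user in [
        ("user_b", "user_b"),                    # LDAP user acting as itself
        ("user_b", "user_a"),                    # the mismatch from the report
        ("user_a/host1@EXAMPLE.COM", "user_a"),  # Kerberos-style principal
        ("user_b/host1@EXAMPLE.COM", "user_a"),
    ]:
        verdict = "allow" if can_set_user(principal, user) else "deny"
        print(f"{principal!r} as {user!r}: {verdict}")
```

With these rules the session user has to equal the name derived from the authenticated principal, so the catalog rules in `etc/rules.json` are evaluated for the user who actually logged in.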
@Hyurt is @sajjoseph's suggestion satisfactory? If so, could you close the issue?
Yes, sorry, I haven't had the opportunity to upgrade Presto and test this out, but from what I can read in the documentation it seems OK.
I'll reopen it if I face the problem when upgrading.
Thanks