You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-issues@hadoop.apache.org by "Jason Lowe (JIRA)" <ji...@apache.org> on 2017/05/25 22:43:04 UTC

[jira] [Commented] (YARN-6650) ContainerTokenIdentifier is re-encoded during token verification

    [ https://issues.apache.org/jira/browse/YARN-6650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16025503#comment-16025503 ] 

Jason Lowe commented on YARN-6650:
----------------------------------

The decode then re-encode issue is not really specific to ContainerTokenIdentifier.  Any token that is re-encoded in such a way where unknown fields are either omitted or not guaranteed to be serialized in the same order as done by the token creator could be problematic for upgrade scenarios.

> ContainerTokenIdentifier is re-encoded during token verification
> ----------------------------------------------------------------
>
>                 Key: YARN-6650
>                 URL: https://issues.apache.org/jira/browse/YARN-6650
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0
>            Reporter: Jason Lowe
>
> A ContainerTokenIdentifier is serialized into bytes and signed by the RM secret key.  When the NM needs to verify the identifier, it is decoding the bytes into a ContainerTokenIdentifier to get the key ID then re-encoding the identifier into a byte buffer to hash it with the key.  This is fine as long as the RM and NM both agree how a ContainerTokenIdentifier should be serialized into bytes.
> However when the versions of the RM and NM are different and fields were added to the identifier between those versions then the NM may end up re-serializing the fields in a different order than the RM did, especially when there were gaps in the protocol field IDs that were filled in between the versions. If the fields are reordered during the re-encoding then the bytes will not match the original stream that was signed and the token verification will fail.
> The original token identifier bytes received via RPC need to be used by the verification process, not the bytes generated by re-encoding the identifier.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org