Posted to yarn-dev@hadoop.apache.org by "Botong Huang (JIRA)" <ji...@apache.org> on 2016/11/04 15:48:58 UTC

[jira] [Created] (YARN-5836) NMToken passwd not checked in ContainerManagerImpl, so that malicious AM can fake the Token and kill containers of other apps at will

Botong Huang created YARN-5836:
----------------------------------

             Summary: NMToken passwd not checked in ContainerManagerImpl, so that malicious AM can fake the Token and kill containers of other apps at will
                 Key: YARN-5836
                 URL: https://issues.apache.org/jira/browse/YARN-5836
             Project: Hadoop YARN
          Issue Type: Bug
          Components: nodemanager
            Reporter: Botong Huang
            Assignee: Botong Huang
            Priority: Minor


When an AM calls an NM via stopContainers in ContainerManagementProtocol, the NMToken (generated by the RM) is passed along via the user UGI. However, ContainerManagerImpl currently does not validate this token correctly, specifically in authorizeGetAndStopContainerRequest in ContainerManagerImpl. It blindly trusts the content of the NMTokenIdentifier without verifying the password (the RM-generated signature) in the NMToken, so a malicious AM can simply fake the content of the NMTokenIdentifier and pass it to NMs. Moreover, even for the plain-text check that is performed, when the appId doesn’t match, all it does is log a warning and continue to kill the container…

For startContainers the NMToken is likewise not checked correctly in authorizeUser; however, the ContainerToken is verified properly by regenerating and comparing the password in verifyAndGetContainerTokenIdentifier, so a malicious AM cannot launch containers at will.
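The two checks side by side, as an added Python model rather than Hadoop's own Java code: the NMTokenIdentifier fields, the master key, the HMAC-SHA256 password construction and the function names are simplifications assumed for illustration, but the shape of the defect (trusting the plaintext identifier, only logging an appId mismatch) and of the fix (regenerate the password, compare it in constant time, then enforce the appId check) follows the report.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed stand-in for the RM/NM shared secret (hypothetical, not a Hadoop key).
MASTER_KEY = b"constructed-nmtoken-master-key"

@dataclass(frozen=True)
class NMTokenIdentifier:
    """Plaintext part of the token: the caller can put anything here."""
    app_attempt_id: str
    node_id: str
    key_id: int
    def to_bytes(self) -> bytes:
        return json.dumps([self.app_attempt_id, self.node_id, self.key_id]).encode()

@dataclass(frozen=True)
class NMToken:
    identifier: NMTokenIdentifier
    password: bytes  # RM-generated signature over the identifier bytes

def compute_password(identifier: NMTokenIdentifier, master_key: bytes = MASTER_KEY) -> bytes:
    """Issuer side: password = HMAC(master key, identifier bytes)."""
    return hmac.new(master_key, identifier.to_bytes(), hashlib.sha256).digest()

def authorize_stop_vulnerable(token: NMToken, container_app_attempt: str) -> bool:
    """Reported behaviour: password never verified, appId mismatch only logged."""
    if token.identifier.app_attempt_id != container_app_attempt:
        print("WARN: appId mismatch, continuing anyway")
    return True

def authorize_stop_fixed(token: NMToken, container_app_attempt: str,
                         master_key: bytes = MASTER_KEY) -> bool:
    """Regenerate the password and compare in constant time (as the report says
    ContainerTokens are verified), then enforce the appId check."""
    if not hmac.compare_digest(compute_password(token.identifier, master_key), token.password):
        return False
    return token.identifier.app_attempt_id == container_app_attempt

def forged_token_demo() -> dict:
    """Attempt 0001 presents an identifier naming attempt 0002 with its own password."""
    own, victim = "appattempt_1_0001_000001", "appattempt_1_0002_000001"
    legit_id = NMTokenIdentifier(own, "nm1:8041", 7)
    legit = NMToken(legit_id, compute_password(legit_id))
    forged = NMToken(NMTokenIdentifier(victim, "nm1:8041", 7), legit.password)
    return {"vulnerable_accepts_forgery": authorize_stop_vulnerable(forged, victim),
            "fixed_accepts_forgery": authorize_stop_fixed(forged, victim),
            "fixed_accepts_own": authorize_stop_fixed(legit, own),
            "fixed_accepts_cross_app": authorize_stop_fixed(legit, victim)}
```

The last entry shows that even a genuinely signed token is rejected once it names a different application than the container being stopped, which is the behaviour the plain-text check should have had instead of a warning.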



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
