hadoop-yarn-issues mailing list archives

From "Giovanni Matteo Fumarola (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-1547) Prevent DoS of ApplicationMasterProtocol by putting in limits
Date Mon, 16 May 2016 01:32:13 GMT

    [ https://issues.apache.org/jira/browse/YARN-1547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15284052#comment-15284052 ]

Giovanni Matteo Fumarola commented on YARN-1547:
------------------------------------------------

[~vinodkv] I just pushed a first prototype version.
Just to get feedback on it.

A few comments from my side:
1) To prevent DoS attacks, this new class performs 3 checks: on a single request, over the
entire lifetime of the application, and in a short time using a sliding window.
2) The sliding window's code is taken from another OSS project: Storm. I made some modifications
on top of it. I don't know how it works with shared code between OSS Apache projects.
3) Right now, the class is an interceptor for AMRMProxy; as we discussed, we should move this
class to a common place to be used by RM - maybe yarn-server-common.
4) I inserted some default values on YarnConfiguration. They are inaccurate. We should get
those data from a real cluster. On top of it, I would like to create a new YarnConfiguration
for DoS values. 
5) In this patch, jUnits are missing. I tested it with some simple UTCs in the same style
as [YARN-4117|https://issues.apache.org/jira/browse/YARN-4117]. As I said before, this patch
is just a prototype to get feedback :) In the next versions I will insert real UTCs.
6) Full, complete JavaDocs are missing.
7) When the application passes a limit or gives wrong values, the interceptor should reject
the call. I inserted a couple of TODOs because I was not sure what to do: return null; or throw
a YarnException.

> Prevent DoS of ApplicationMasterProtocol by putting in limits
> -------------------------------------------------------------
>
>                 Key: YARN-1547
>                 URL: https://issues.apache.org/jira/browse/YARN-1547
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Vinod Kumar Vavilapalli
>            Assignee: Giovanni Matteo Fumarola
>         Attachments: YARN-1547.pdf, YARN-1547.prototype.v0.patch, YARN-1547.v0.pdf
>
>
> Points of DoS in ApplicationMasterProtocol
>  - Host and trackingURL in RegisterApplicationMasterRequest
>  - Diagnostics, final trackingURL in FinishApplicationMasterRequest
>  - Unlimited number of resourceAsks, containersToBeReleased and resourceBlacklistRequest in AllocateRequest
>     -- Unbounded number of priorities and/or resourceRequests in each ask.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org
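
The three checks listed in point 1 of the comment (single request, application lifetime, sliding window), as an added Java example that is not the YARN-1547 patch and not Storm's sliding-window code. The class `AskLimiter`, its limit values and the fixed ring of time slots are assumptions made for illustration; the ring keeps the limiter's own memory bounded regardless of how many calls arrive.

```java
import java.util.Arrays;

/** Hypothetical limiter (not the YARN-1547 patch): three checks on the ask count of each call. */
public class AskLimiter {
    public enum Verdict { OK, REQUEST_TOO_LARGE, LIFETIME_EXCEEDED, WINDOW_EXCEEDED }

    private final int maxPerRequest;   // check 1: a single request
    private final long maxLifetime;    // check 2: whole application lifetime
    private final long maxPerWindow;   // check 3: short sliding window
    private final long[] slots;        // fixed ring of per-slot counts, so memory stays bounded
    private final long slotMillis;     // width of one slot; the window is slots.length slots wide
    private long headSlot = 0;         // number of the newest time slot seen so far
    private long lifetimeTotal = 0;

    public AskLimiter(int maxPerRequest, long maxLifetime, long maxPerWindow,
                      long windowMillis, int numSlots) {
        this.maxPerRequest = maxPerRequest;
        this.maxLifetime = maxLifetime;
        this.maxPerWindow = maxPerWindow;
        this.slots = new long[numSlots];
        this.slotMillis = Math.max(1, windowMillis / numSlots);
    }

    /** Checks one call carrying `asks` items at monotonic time `nowMillis` (assumed >= 0). */
    public synchronized Verdict check(int asks, long nowMillis) {
        if (asks < 0 || asks > maxPerRequest) return Verdict.REQUEST_TOO_LARGE;
        long current = nowMillis / slotMillis;
        // Zero every slot that has aged out since the last call (at most the whole ring).
        for (long s = headSlot + 1; s <= current && s <= headSlot + slots.length; s++) {
            slots[(int) (s % slots.length)] = 0;
        }
        headSlot = Math.max(headSlot, current);
        if (lifetimeTotal + asks > maxLifetime) return Verdict.LIFETIME_EXCEEDED;
        if (Arrays.stream(slots).sum() + asks > maxPerWindow) return Verdict.WINDOW_EXCEEDED;
        // Only accepted calls are charged; rejected ones leave the counters unchanged.
        slots[(int) (headSlot % slots.length)] += asks;
        lifetimeTotal += asks;
        return Verdict.OK;
    }

    public static void main(String[] args) {
        // Constructed limits and timestamps, not values measured on a real cluster.
        AskLimiter limiter = new AskLimiter(100, 1000, 150, 10_000, 10);
        System.out.println(limiter.check(500, 0));       // one call above the per-request cap
        System.out.println(limiter.check(100, 0));       // first call within all limits
        System.out.println(limiter.check(100, 2_000));   // second call inside the same window
        System.out.println(limiter.check(100, 11_000));  // call after the first slot has aged out
    }
}
```

The verdict is returned as a value so the caller can decide how to reject the call; the window is approximate to one slot width.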

