hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Botong Huang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-5836) NMToken passwd not checked in ContainerManagerImpl, malicious AM can fake the Token and kill containers of other apps at will
Date Wed, 09 Nov 2016 14:35:59 GMT

    [ https://issues.apache.org/jira/browse/YARN-5836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15651110#comment-15651110
] 

Botong Huang commented on YARN-5836:
------------------------------------

It is theoretical so far. I am in the process of verifying it. I will update here when I get
some results, thanks! 

> NMToken passwd not checked in ContainerManagerImpl, malicious AM can fake the Token and
kill containers of other apps at will
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-5836
>                 URL: https://issues.apache.org/jira/browse/YARN-5836
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>            Reporter: Botong Huang
>            Assignee: Botong Huang
>            Priority: Minor
>   Original Estimate: 5h
>  Remaining Estimate: 5h
>
> When AM calls NM via stopContainers() in ContainerManagementProtocol, the NMToken (generated
by RM) is passed along via the user ugi. However currently ContainerManagerImpl is not validating
this token correctly, specifically in authorizeGetAndStopContainerRequest() in ContainerManagerImpl.
Basically it blindly trusts the content in the NMTokenIdentifier without verifying the password
(RM generated signature) in the NMToken, so that malicious AM can just fake the content in
the NMTokenIdentifier and pass it to NMs. Moreover, currently even for plain text checking,
when the appId doesn’t match, all it does is log it as a warning and continues to kill the
container…
> For startContainers the NMToken is not checked correctly in authorizeUser() as well,
however the ContainerToken is verified properly by regenerating and comparing the password
in verifyAndGetContainerTokenIdentifier(), so that malicious AM cannot launch containers at
will. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message