Marcelo Vanzin created SPARK-10004:
--------------------------------------
Summary: Shuffle service should make sure applications are allowed to read shuffle data
Key: SPARK-10004
URL: https://issues.apache.org/jira/browse/SPARK-10004
Project: Spark
Issue Type: Bug
Components: Shuffle
Affects Versions: 1.4.1, 1.3.1, 1.5.0
Reporter: Marcelo Vanzin
Priority: Critical

The shuffle service currently performs authentication of clients, but once a
client is authenticated, it blindly trusts the client to send proper requests.
A malicious client could send a {{OpenBlocks}} message to open another
application's shuffle data, and the shuffle service will just do it. This can
be used to work around the fact that the app cannot go directly to the other
app's files in the local filesystem (due to permissions), while the shuffle
service can.
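
The missing check described in the report, as an added illustration (not part of the original message and not Spark's code): the handler that trusts the appId named in the request, next to one that binds it to the identity established at authentication. Apart from the OpenBlocks name, the message fields, class and method names and the sample block data are assumptions constructed for this example.

```java
import java.util.List;
import java.util.Map;

// Added illustration, not Spark's code. Every name except OpenBlocks is hypothetical.
public class ShuffleAuthzDemo {
    // Simplified request naming the application whose blocks should be opened (assumed fields).
    record OpenBlocks(String appId, String execId, List<String> blockIds) {}

    // Constructed sample data: blocks held by the service, keyed by owning application.
    static final Map<String, List<String>> BLOCKS_BY_APP = Map.of(
        "app-A", List.of("shuffle_0_0_0", "shuffle_0_1_0"),
        "app-B", List.of("shuffle_0_0_0"));

    // Behaviour from the report: the client authenticated earlier, and the
    // handler serves whatever appId the request names.
    static List<String> openBlocksUnchecked(String authenticatedAppId, OpenBlocks msg) {
        return lookup(msg);
    }

    // Hardened: the appId in the request must match the identity that was
    // established for this connection during authentication.
    static List<String> openBlocksChecked(String authenticatedAppId, OpenBlocks msg) {
        if (authenticatedAppId == null || !authenticatedAppId.equals(msg.appId())) {
            throw new SecurityException(
                "client " + authenticatedAppId + " may not read blocks of " + msg.appId());
        }
        return lookup(msg);
    }

    // Returns only the requested blocks that the named application owns.
    private static List<String> lookup(OpenBlocks msg) {
        List<String> owned = BLOCKS_BY_APP.getOrDefault(msg.appId(), List.of());
        return msg.blockIds().stream().filter(owned::contains).toList();
    }

    public static void main(String[] args) {
        // Connection authenticated as app-A, request names app-B.
        OpenBlocks crossApp = new OpenBlocks("app-B", "1", List.of("shuffle_0_0_0"));
        System.out.println("unchecked: " + openBlocksUnchecked("app-A", crossApp));
        try {
            openBlocksChecked("app-A", crossApp);
        } catch (SecurityException e) {
            System.out.println("checked: rejected, " + e.getMessage());
        }
        // Same connection asking for its own application's data is still served.
        OpenBlocks ownApp = new OpenBlocks("app-A", "1", List.of("shuffle_0_1_0"));
        System.out.println("checked: " + openBlocksChecked("app-A", ownApp));
    }
}
```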