[jira] [Resolved] (YARN-10557) Application may be leaked in state store when resourcemanager failover.
[ https://issues.apache.org/jira/browse/YARN-10557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhengchenyu resolved YARN-10557.
---
Release Note: YARN-9848
Resolution: Duplicate

I think it is a duplicate of YARN-9848.

> Application may be leaked in state store when resourcemanager failover.
> ---
>
> Key: YARN-10557
> URL: https://issues.apache.org/jira/browse/YARN-10557
> Project: Hadoop YARN
> Issue Type: Bug
> Components: resourcemanager
> Affects Versions: 3.2.1
> Reporter: zhengchenyu
> Assignee: zhengchenyu
> Priority: Major
> Labels: resourcemanager
> Fix For: 3.3.1
>
> In the resourceManager log, I found a number of log entries like the one below:
> {code}
> 2020-12-30 19:18:48,120 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager: Max number of completed apps kept in state store met: maxCompletedAppsInStateStore = 2000, but not removing app application_1608912003714_0098 from state store as log aggregation have not finished yet.
> {code}
> When I searched for this, I found the application had already been log aggregated. When I debugged this, I found the app's logAggregationStatusForAppReport is NOT_START.
> (Note: In my test cluster, I simulate restarting the rm occasionally.)
> If the application is finished and log aggregated, but not removed from the rm, then when the rm fails over, the new rm will recover from the state store (you know log aggregation is not stored, so can't remove it), but logAggregationStatusForAppReport will not be updated. So logAggregationStatusForAppReport keeps NOT_START. Then the app will not be removed from the state store.

--
This message was sent by Atlassian Jira (v8.3.4#803005)

To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-10557) Application may be leaked in state store when resourcemanager failover.
[ https://issues.apache.org/jira/browse/YARN-10557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhengchenyu updated YARN-10557:
---
Description:
In the resourceManager log, I found a number of log entries like the one below:
{code}
2020-12-30 19:18:48,120 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager: Max number of completed apps kept in state store met: maxCompletedAppsInStateStore = 2000, but not removing app application_1608912003714_0098 from state store as log aggregation have not finished yet.
{code}
When I searched for this, I found the application had already been log aggregated. When I debugged this, I found the app's logAggregationStatusForAppReport is NOT_START.
(Note: In my test cluster, I simulate restarting the rm occasionally.)
If the application is finished and log aggregated, but not removed from the rm, then when the rm fails over, the new rm will recover from the state store (you know log aggregation is not stored, so can't remove it), but logAggregationStatusForAppReport will not be updated. So logAggregationStatusForAppReport keeps NOT_START. Then the app will not be removed from the state store.

was:
In the resourceManager log, I found a number of log entries like the one below:
{code}
2020-12-30 19:18:48,120 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager: Max number of completed apps kept in state store met: maxCompletedAppsInStateStore = 2000, but not removing app application_1608912003714_0098 from state store as log aggregation have not finished yet.
{code}
When I searched for this, I found the application had already been log aggregated. When I debugged this, I found the app's logAggregationStatusForAppReport is NOT_START.
(Note: In my test cluster, I simulate restarting the rm occasionally.)
If the application is finished and log aggregated, but not removed from the rm, then when the rm fails over, the new rm will recover from the state store, but logAggregationStatusForAppReport will not be updated. So logAggregationStatusForAppReport keeps NOT_START. Then the app will not be removed from the state store.

> Application may be leaked in state store when resourcemanager failover.
> ---
>
> Key: YARN-10557
> URL: https://issues.apache.org/jira/browse/YARN-10557
> Project: Hadoop YARN
> Issue Type: Bug
> Components: resourcemanager
> Affects Versions: 3.2.1
> Reporter: zhengchenyu
> Assignee: zhengchenyu
> Priority: Major
> Labels: resourcemanager
> Fix For: 3.3.1
>
> In the resourceManager log, I found a number of log entries like the one below:
> {code}
> 2020-12-30 19:18:48,120 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager: Max number of completed apps kept in state store met: maxCompletedAppsInStateStore = 2000, but not removing app application_1608912003714_0098 from state store as log aggregation have not finished yet.
> {code}
> When I searched for this, I found the application had already been log aggregated. When I debugged this, I found the app's logAggregationStatusForAppReport is NOT_START.
> (Note: In my test cluster, I simulate restarting the rm occasionally.)
> If the application is finished and log aggregated, but not removed from the rm, then when the rm fails over, the new rm will recover from the state store (you know log aggregation is not stored, so can't remove it), but logAggregationStatusForAppReport will not be updated. So logAggregationStatusForAppReport keeps NOT_START. Then the app will not be removed from the state store.
[jira] [Commented] (YARN-10500) TestDelegationTokenRenewer fails intermittently
[ https://issues.apache.org/jira/browse/YARN-10500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256847#comment-17256847 ]

Wei-Chiu Chuang commented on YARN-10500:

Failed three times in a row in this PR's tests.
https://github.com/apache/hadoop/pull/2568
But doesn't reproduce in my local tree. Bad luck I guess.

> TestDelegationTokenRenewer fails intermittently
> ---
>
> Key: YARN-10500
> URL: https://issues.apache.org/jira/browse/YARN-10500
> Project: Hadoop YARN
> Issue Type: Bug
> Components: test
> Reporter: Akira Ajisaka
> Priority: Major
> Labels: flaky-test
>
> TestDelegationTokenRenewer sometimes times out.
> https://ci-hadoop.apache.org/job/hadoop-qbt-trunk-java8-linux-x86_64/334/artifact/out/patch-unit-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager.txt
> {noformat}
> [INFO] Running org.apache.hadoop.yarn.server.resourcemanager.security.TestDelegationTokenRenewer
> [ERROR] Tests run: 23, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 83.675 s <<< FAILURE! - in org.apache.hadoop.yarn.server.resourcemanager.security.TestDelegationTokenRenewer
> [ERROR] testTokenThreadTimeout(org.apache.hadoop.yarn.server.resourcemanager.security.TestDelegationTokenRenewer) Time elapsed: 30.065 s <<< ERROR!
> org.junit.runners.model.TestTimedOutException: test timed out after 3 milliseconds
>     at java.lang.Thread.sleep(Native Method)
>     at org.apache.hadoop.test.GenericTestUtils.waitFor(GenericTestUtils.java:394)
>     at org.apache.hadoop.yarn.server.resourcemanager.security.TestDelegationTokenRenewer.testTokenThreadTimeout(TestDelegationTokenRenewer.java:1769)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
>     at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
>     at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
>     at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
>     at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:298)
>     at org.junit.internal.runners.statements.FailOnTimeout$CallableStatement.call(FailOnTimeout.java:292)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>     at java.lang.Thread.run(Thread.java:748)
> {noformat}
[jira] [Updated] (YARN-10557) Application may be leaked in state store when resourcemanager failover.
[ https://issues.apache.org/jira/browse/YARN-10557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhengchenyu updated YARN-10557:
---
Component/s: (was: RM)
             resourcemanager

> Application may be leaked in state store when resourcemanager failover.
> ---
>
> Key: YARN-10557
> URL: https://issues.apache.org/jira/browse/YARN-10557
> Project: Hadoop YARN
> Issue Type: Bug
> Components: resourcemanager
> Affects Versions: 3.2.1
> Reporter: zhengchenyu
> Priority: Major
> Labels: resourcemanager
> Fix For: 3.3.1
>
> In the resourceManager log, I found a number of log entries like the one below:
> {code}
> 2020-12-30 19:18:48,120 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager: Max number of completed apps kept in state store met: maxCompletedAppsInStateStore = 2000, but not removing app application_1608912003714_0098 from state store as log aggregation have not finished yet.
> {code}
> When I searched for this, I found the application had already been log aggregated. When I debugged this, I found the app's logAggregationStatusForAppReport is NOT_START.
> (Note: In my test cluster, I simulate restarting the rm occasionally.)
> If the application is finished and log aggregated, but not removed from the rm, then when the rm fails over, the new rm will recover from the state store, but logAggregationStatusForAppReport will not be updated. So logAggregationStatusForAppReport keeps NOT_START. Then the app will not be removed from the state store.
[jira] [Updated] (YARN-10557) Application may be leaked in state store when resourcemanager failover.
[ https://issues.apache.org/jira/browse/YARN-10557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhengchenyu updated YARN-10557:
---
Labels: resourcemanager (was: )

> Application may be leaked in state store when resourcemanager failover.
> ---
>
> Key: YARN-10557
> URL: https://issues.apache.org/jira/browse/YARN-10557
> Project: Hadoop YARN
> Issue Type: Bug
> Components: RM
> Affects Versions: 3.2.1
> Reporter: zhengchenyu
> Priority: Major
> Labels: resourcemanager
> Fix For: 3.3.1
>
> In the resourceManager log, I found a number of log entries like the one below:
> {code}
> 2020-12-30 19:18:48,120 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager: Max number of completed apps kept in state store met: maxCompletedAppsInStateStore = 2000, but not removing app application_1608912003714_0098 from state store as log aggregation have not finished yet.
> {code}
> When I searched for this, I found the application had already been log aggregated. When I debugged this, I found the app's logAggregationStatusForAppReport is NOT_START.
> (Note: In my test cluster, I simulate restarting the rm occasionally.)
> If the application is finished and log aggregated, but not removed from the rm, then when the rm fails over, the new rm will recover from the state store, but logAggregationStatusForAppReport will not be updated. So logAggregationStatusForAppReport keeps NOT_START. Then the app will not be removed from the state store.
[jira] [Assigned] (YARN-10557) Application may be leaked in state store when resourcemanager failover.
[ https://issues.apache.org/jira/browse/YARN-10557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhengchenyu reassigned YARN-10557:
--
Assignee: zhengchenyu

> Application may be leaked in state store when resourcemanager failover.
> ---
>
> Key: YARN-10557
> URL: https://issues.apache.org/jira/browse/YARN-10557
> Project: Hadoop YARN
> Issue Type: Bug
> Components: resourcemanager
> Affects Versions: 3.2.1
> Reporter: zhengchenyu
> Assignee: zhengchenyu
> Priority: Major
> Labels: resourcemanager
> Fix For: 3.3.1
>
> In the resourceManager log, I found a number of log entries like the one below:
> {code}
> 2020-12-30 19:18:48,120 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager: Max number of completed apps kept in state store met: maxCompletedAppsInStateStore = 2000, but not removing app application_1608912003714_0098 from state store as log aggregation have not finished yet.
> {code}
> When I searched for this, I found the application had already been log aggregated. When I debugged this, I found the app's logAggregationStatusForAppReport is NOT_START.
> (Note: In my test cluster, I simulate restarting the rm occasionally.)
> If the application is finished and log aggregated, but not removed from the rm, then when the rm fails over, the new rm will recover from the state store, but logAggregationStatusForAppReport will not be updated. So logAggregationStatusForAppReport keeps NOT_START. Then the app will not be removed from the state store.
[jira] [Updated] (YARN-10557) Application may be leaked in state store when resourcemanager failover.
[ https://issues.apache.org/jira/browse/YARN-10557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhengchenyu updated YARN-10557:
---
Component/s: RM

> Application may be leaked in state store when resourcemanager failover.
> ---
>
> Key: YARN-10557
> URL: https://issues.apache.org/jira/browse/YARN-10557
> Project: Hadoop YARN
> Issue Type: Bug
> Components: RM
> Affects Versions: 3.2.1
> Reporter: zhengchenyu
> Priority: Major
> Fix For: 3.3.1
>
> In the resourceManager log, I found a number of log entries like the one below:
> {code}
> 2020-12-30 19:18:48,120 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager: Max number of completed apps kept in state store met: maxCompletedAppsInStateStore = 2000, but not removing app application_1608912003714_0098 from state store as log aggregation have not finished yet.
> {code}
> When I searched for this, I found the application had already been log aggregated. When I debugged this, I found the app's logAggregationStatusForAppReport is NOT_START.
> (Note: In my test cluster, I simulate restarting the rm occasionally.)
> If the application is finished and log aggregated, but not removed from the rm, then when the rm fails over, the new rm will recover from the state store, but logAggregationStatusForAppReport will not be updated. So logAggregationStatusForAppReport keeps NOT_START. Then the app will not be removed from the state store.
[jira] [Updated] (YARN-10557) Application may be leaked in state store when resourcemanager failover.
[ https://issues.apache.org/jira/browse/YARN-10557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhengchenyu updated YARN-10557:
---
Fix Version/s: 3.3.1

> Application may be leaked in state store when resourcemanager failover.
> ---
>
> Key: YARN-10557
> URL: https://issues.apache.org/jira/browse/YARN-10557
> Project: Hadoop YARN
> Issue Type: Bug
> Affects Versions: 3.2.1
> Reporter: zhengchenyu
> Priority: Major
> Fix For: 3.3.1
>
> In the resourceManager log, I found a number of log entries like the one below:
> {code}
> 2020-12-30 19:18:48,120 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager: Max number of completed apps kept in state store met: maxCompletedAppsInStateStore = 2000, but not removing app application_1608912003714_0098 from state store as log aggregation have not finished yet.
> {code}
> When I searched for this, I found the application had already been log aggregated. When I debugged this, I found the app's logAggregationStatusForAppReport is NOT_START.
> (Note: In my test cluster, I simulate restarting the rm occasionally.)
> If the application is finished and log aggregated, but not removed from the rm, then when the rm fails over, the new rm will recover from the state store, but logAggregationStatusForAppReport will not be updated. So logAggregationStatusForAppReport keeps NOT_START. Then the app will not be removed from the state store.
[jira] [Created] (YARN-10557) Application may be leaked in state store when resourcemanager failover.
zhengchenyu created YARN-10557:
--
Summary: Application may be leaked in state store when resourcemanager failover.
Key: YARN-10557
URL: https://issues.apache.org/jira/browse/YARN-10557
Project: Hadoop YARN
Issue Type: Bug
Reporter: zhengchenyu

In the resourceManager log, I found a number of log entries like the one below:
{code}
2020-12-30 19:18:48,120 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager: Max number of completed apps kept in state store met: maxCompletedAppsInStateStore = 2000, but not removing app application_1608912003714_0098 from state store as log aggregation have not finished yet.
{code}
When I searched for this, I found the application had already been log aggregated. When I debugged this, I found the app's logAggregationStatusForAppReport is NOT_START.
(Note: In my test cluster, I simulate restarting the rm occasionally.)
If the application is finished and log aggregated, but not removed from the rm, then when the rm fails over, the new rm will recover from the state store, but logAggregationStatusForAppReport will not be updated. So logAggregationStatusForAppReport keeps NOT_START. Then the app will not be removed from the state store.
[jira] [Updated] (YARN-10557) Application may be leaked in state store when resourcemanager failover.
[ https://issues.apache.org/jira/browse/YARN-10557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

zhengchenyu updated YARN-10557:
---
Affects Version/s: 3.2.1

> Application may be leaked in state store when resourcemanager failover.
> ---
>
> Key: YARN-10557
> URL: https://issues.apache.org/jira/browse/YARN-10557
> Project: Hadoop YARN
> Issue Type: Bug
> Affects Versions: 3.2.1
> Reporter: zhengchenyu
> Priority: Major
>
> In the resourceManager log, I found a number of log entries like the one below:
> {code}
> 2020-12-30 19:18:48,120 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAppManager: Max number of completed apps kept in state store met: maxCompletedAppsInStateStore = 2000, but not removing app application_1608912003714_0098 from state store as log aggregation have not finished yet.
> {code}
> When I searched for this, I found the application had already been log aggregated. When I debugged this, I found the app's logAggregationStatusForAppReport is NOT_START.
> (Note: In my test cluster, I simulate restarting the rm occasionally.)
> If the application is finished and log aggregated, but not removed from the rm, then when the rm fails over, the new rm will recover from the state store, but logAggregationStatusForAppReport will not be updated. So logAggregationStatusForAppReport keeps NOT_START. Then the app will not be removed from the state store.
[jira] [Commented] (YARN-10556) Web-app server does not work for Timeline V2
[ https://issues.apache.org/jira/browse/YARN-10556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256674#comment-17256674 ]

Li Lu commented on YARN-10556:
--
It has been quite a while and I barely remember my fix was for binding conflicts on Yarn WebApps. We used HttpServer2 instead of Yarn WebApp to host the web server. After all these years the codebase may have changed quite a lot. In YARN-3087 the problem is on the conflict between NM and per-node timeline collector. Checking the exception here it looks like it's from timeline reader server? I remember it's a standalone process and a conflict is less likely (I remember the root cause is a static variable). Maybe worth the effort to look into the reader server for more info.

cc [~varun_saxena]

> Web-app server does not work for Timeline V2
>
> Key: YARN-10556
> URL: https://issues.apache.org/jira/browse/YARN-10556
> Project: Hadoop YARN
> Issue Type: Bug
> Components: timelineserver
> Reporter: Ahmed Hussein
> Priority: Major
>
> {{TestDistributedShell}} for timeline version 2.0 shows the following errors in the log files, with the below exception.
> There is a previous YARN-3087 that added a fix to the same issue before.
> There is a need to investigate whether it is a testing issue or if the error has resurfaced.
> {code:bash}
> org.apache.hadoop.yarn.webapp.WebAppException: /v2/timeline/clusters/yarn_cluster/apps/application_1609346161655_0001: controller for v2 not found
>     at org.apache.hadoop.yarn.webapp.Router.resolveDefault(Router.java:247)
>     at org.apache.hadoop.yarn.webapp.Router.resolve(Router.java:155)
>     at org.apache.hadoop.yarn.webapp.Dispatcher.service(Dispatcher.java:152)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:287)
>     at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:277)
>     at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:182)
>     at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
>     at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:941)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:875)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:829)
>     at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
>     at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119)
>     at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133)
>     at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130)
>     at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203)
>     at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.security.http.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:57)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:644)
>     at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter.doFilter(DelegationTokenAuthenticationFilter.java:304)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:592)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.lib.StaticUserWebFilter$StaticUserFilter.doFilter(StaticUserWebFilter.java:110)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1702)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at
[jira] [Updated] (YARN-10556) Web-app server does not work for Timeline V2
[ https://issues.apache.org/jira/browse/YARN-10556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ahmed Hussein updated YARN-10556:
-
Summary: Web-app server does not work for Timeline V2 (was: Web-app server does not work for V2 timeline)

> Web-app server does not work for Timeline V2
>
> Key: YARN-10556
> URL: https://issues.apache.org/jira/browse/YARN-10556
> Project: Hadoop YARN
> Issue Type: Bug
> Components: timelineserver
> Reporter: Ahmed Hussein
> Priority: Major
>
> {{TestDistributedShell}} for timeline version 2.0 shows the following errors in the log files, with the below exception.
> There is a previous YARN-3087 that added a fix to the same issue before.
> There is a need to investigate whether it is a testing issue or if the error has resurfaced.
> {code:bash}
> org.apache.hadoop.yarn.webapp.WebAppException: /v2/timeline/clusters/yarn_cluster/apps/application_1609346161655_0001: controller for v2 not found
>     at org.apache.hadoop.yarn.webapp.Router.resolveDefault(Router.java:247)
>     at org.apache.hadoop.yarn.webapp.Router.resolve(Router.java:155)
>     at org.apache.hadoop.yarn.webapp.Dispatcher.service(Dispatcher.java:152)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:287)
>     at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:277)
>     at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:182)
>     at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
>     at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:941)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:875)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:829)
>     at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
>     at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119)
>     at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133)
>     at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130)
>     at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203)
>     at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.security.http.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:57)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:644)
>     at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter.doFilter(DelegationTokenAuthenticationFilter.java:304)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:592)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.lib.StaticUserWebFilter$StaticUserFilter.doFilter(StaticUserWebFilter.java:110)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1702)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
>     at
[jira] [Commented] (YARN-10556) Web-app server does not work for V2 timeline
[ https://issues.apache.org/jira/browse/YARN-10556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256623#comment-17256623 ]

Ahmed Hussein commented on YARN-10556:
--
[~gtcarrera9], [~sjlee0], [~sjlee], [~junping_du]
You guys are familiar with this error since you contributed to YARN-3087. Can you please give a quick look into the above errors?

> Web-app server does not work for V2 timeline
>
> Key: YARN-10556
> URL: https://issues.apache.org/jira/browse/YARN-10556
> Project: Hadoop YARN
> Issue Type: Bug
> Components: timelineserver
> Reporter: Ahmed Hussein
> Priority: Major
>
> {{TestDistributedShell}} for timeline version 2.0 shows the following errors in the log files, with the below exception.
> There is a previous YARN-3087 that added a fix to the same issue before.
> There is a need to investigate whether it is a testing issue or if the error has resurfaced.
> {code:bash}
> org.apache.hadoop.yarn.webapp.WebAppException: /v2/timeline/clusters/yarn_cluster/apps/application_1609346161655_0001: controller for v2 not found
>     at org.apache.hadoop.yarn.webapp.Router.resolveDefault(Router.java:247)
>     at org.apache.hadoop.yarn.webapp.Router.resolve(Router.java:155)
>     at org.apache.hadoop.yarn.webapp.Dispatcher.service(Dispatcher.java:152)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:287)
>     at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:277)
>     at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:182)
>     at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)
>     at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:941)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:875)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:829)
>     at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
>     at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119)
>     at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133)
>     at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130)
>     at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203)
>     at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.security.http.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:57)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:644)
>     at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter.doFilter(DelegationTokenAuthenticationFilter.java:304)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:592)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.lib.StaticUserWebFilter$StaticUserFilter.doFilter(StaticUserWebFilter.java:110)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1702)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>     at
[jira] [Created] (YARN-10556) Web-app server does not work for V2 timeline
Ahmed Hussein created YARN-10556: Summary: Web-app server does not work for V2 timeline Key: YARN-10556 URL: https://issues.apache.org/jira/browse/YARN-10556 Project: Hadoop YARN Issue Type: Bug Components: timelineserver Reporter: Ahmed Hussein {{TestDistributedShell}} for timeline version 2.0 shows the following errors in the log files, with the below exception. There is a previous YARN-3087 that added a fix to the same issue before. There is a need to investigate whether it is a testing issue or it the error has resurfaced. {code:bash} org.apache.hadoop.yarn.webapp.WebAppException: /v2/timeline/clusters/yarn_cluster/apps/application_1609346161655_0001: controller for v2 not found at org.apache.hadoop.yarn.webapp.Router.resolveDefault(Router.java:247) at org.apache.hadoop.yarn.webapp.Router.resolve(Router.java:155) at org.apache.hadoop.yarn.webapp.Dispatcher.service(Dispatcher.java:152) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:287) at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:277) at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:182) at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91) at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85) at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:941) at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:875) at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:829) at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119) at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133) at 
com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130) at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203) at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at org.apache.hadoop.security.http.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:57) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:644) at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationFilter.doFilter(DelegationTokenAuthenticationFilter.java:304) at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:592) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at org.apache.hadoop.http.lib.StaticUserWebFilter$StaticUserFilter.doFilter(StaticUserWebFilter.java:110) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1702) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) at 
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) at
[jira] [Commented] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256551#comment-17256551 ]

Hadoop QA commented on YARN-10555:
--

| (x) *-1 overall* |

|| Vote || Subsystem || Runtime || Logfile || Comment ||
| 0 | reexec | 0m 50s | | Docker mode activated. |
|| || || || Prechecks || ||
| +1 | dupname | 0m 0s | | No case conflicting files found. |
| +1 | @author | 0m 0s | | The patch does not contain any @author tags. |
| -1 | test4tests | 0m 0s | | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
|| || || || trunk Compile Tests || ||
| +1 | mvninstall | 33m 41s | | trunk passed |
| +1 | compile | 1m 3s | | trunk passed with JDK Ubuntu-11.0.9.1+1-Ubuntu-0ubuntu1.18.04 |
| +1 | compile | 0m 53s | | trunk passed with JDK Private Build-1.8.0_275-8u275-b01-0ubuntu1~18.04-b01 |
| +1 | checkstyle | 0m 40s | | trunk passed |
| +1 | mvnsite | 0m 59s | | trunk passed |
| +1 | shadedclient | 17m 0s | | branch has no errors when building and testing our client artifacts. |
| +1 | javadoc | 0m 43s | | trunk passed with JDK Ubuntu-11.0.9.1+1-Ubuntu-0ubuntu1.18.04 |
| +1 | javadoc | 0m 37s | | trunk passed with JDK Private Build-1.8.0_275-8u275-b01-0ubuntu1~18.04-b01 |
| 0 | spotbugs | 1m 53s | | Used deprecated FindBugs config; considering switching to SpotBugs. |
| +1 | findbugs | 1m 51s | | trunk passed |
|| || || || Patch Compile Tests || ||
| +1 | mvninstall | 0m 52s | | the patch passed |
| +1 | compile | 0m 52s | | the patch passed with JDK Ubuntu-11.0.9.1+1-Ubuntu-0ubuntu1.18.04 |
| +1 | javac | 0m 52s | | the patch passed |
| +1 | compile | 0m 45s | | the patch passed with JDK Private Build-1.8.0_275-8u275-b01-0ubuntu1~18.04-b01 |
| +1 | javac | 0m 45s | | the patch passed |
| -0 | checkstyle | 0m 32s | https://ci-hadoop.apache.org/job/PreCommit-YARN-Build/420/artifact/out/diff-checkstyle-hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-resourcemanager.txt | hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager: The patch generated 1 new + 19 unchanged - 0 fixed = 20 total (was 19) |
| +1 | mvnsite | 0m 49s | | the patch passed |
| +1 | whitespace | 0m 0s | | The patch has no whitespace issues. |
| +1 | shadedclient | 14m 44s |
[jira] [Commented] (YARN-9879) Allow multiple leaf queues with the same name in CapacityScheduler
[ https://issues.apache.org/jira/browse/YARN-9879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256546#comment-17256546 ]

Nie Gus commented on YARN-9879:
---

Hi [~shuzirra], really appreciate this patch. We are using this patch in our branch and it worked quite well, but we still found there are lots of places still using "getQueueName", and we also see that "fullPathQueueNamingPolicy" could change the output of getQueueName to queuePath directly, but the code sets it to final false. Is that for future work? Or does something still block the direct replacement between queueName and queuePath, so currently we set it to false? Should we consider changing it into conf?

<<<
private final boolean fullPathQueueNamingPolicy = false;

@Override
public String getQueueName() {
  if (fullPathQueueNamingPolicy) {
    return queuePath;
  }
  return queueName;
}

> Allow multiple leaf queues with the same name in CapacityScheduler
> --
>
> Key: YARN-9879
> URL: https://issues.apache.org/jira/browse/YARN-9879
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Gergely Pollak
> Assignee: Gergely Pollak
> Priority: Major
> Labels: fs2cs
> Fix For: 3.3.0
>
> Attachments: CSQueue.getQueueUsage.txt, DesignDoc_v1.pdf,
> YARN-9879.014.patch, YARN-9879.015.patch, YARN-9879.015.patch,
> YARN-9879.POC001.patch, YARN-9879.POC002.patch, YARN-9879.POC003.patch,
> YARN-9879.POC004.patch, YARN-9879.POC005.patch, YARN-9879.POC006.patch,
> YARN-9879.POC007.patch, YARN-9879.POC008.patch, YARN-9879.POC009.patch,
> YARN-9879.POC010.patch, YARN-9879.POC011.patch, YARN-9879.POC012.patch,
> YARN-9879.POC013.patch
>
>
> Currently the leaf queue's name must be unique regardless of its position in
> the queue hierarchy.
> Design doc and first proposal is being made, I'll attach it as soon as it's
> done.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated YARN-10555: - Description: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. {code:java} application_1609318368700_0002 belong to user2 user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would hide the logs link if the appid do not belong to one user, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. was: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. 
{code:java} application_1609318368700_0002 belong to user2 user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. > missing security check before getAppAttempts > - > > Key: YARN-10555 > URL: https://issues.apache.org/jira/browse/YARN-10555 > Project: Hadoop YARN > Issue Type: Bug > Components: webapp >Reporter: lujie >Priority: Critical > Labels: security > Attachments: YARN-10555_1.patch > > > It seems that we miss a security check before getAppAttempts, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] > thus we can get the some sensitive information, like logs link. 
> {code:java} > application_1609318368700_0002 belong to user2 > user1@hadoop11$ curl --negotiate -u : > http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq > { > "appAttempts": { > "appAttempt": [ > { > "id": 1, > "startTime": 1609318411566, > "containerId": "container_1609318368700_0002_01_01", > "nodeHttpAddress": "hadoop12:8044", > "nodeId": "hadoop12:36831", > "logsLink": > "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, > "blacklistedNodes": "", > "nodesBlacklistedBySystem": "" > } > ] > } > } > {code} > Others api, like getApps and getApp, has security check like "hasAccess(app, > hsr)", they would hide the logs link if the appid do not belong to one user, > see >
[jira] [Comment Edited] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256467#comment-17256467 ]

lujie edited comment on YARN-10555 at 12/30/20, 12:00 PM:
--

output after patch
{code:java}
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609326143645,
        "containerId": "",
        "nodeHttpAddress": "",
        "nodeId": "",
        "logsLink": "",
        "blacklistedNodes": ""
      }
    ]
  }
}
{code}

was (Author: xiaoheipangzi):
after patched, output can be like:
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609326143645,
        "containerId": "",
        "nodeHttpAddress": "",
        "nodeId": "",
        "logsLink": "",
        "blacklistedNodes": ""
      }
    ]
  }
}

> missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
> Issue Type: Bug
> Components: webapp
> Reporter: lujie
> Priority: Critical
> Labels: security
> Attachments: YARN-10555_1.patch
>
>
> It seems that we miss a security check before getAppAttempts, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.
> {code:java}
> application_1609318368700_0002 belong to user2
> user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
> {
>   "appAttempts": {
>     "appAttempt": [
>       {
>         "id": 1,
>         "startTime": 1609318411566,
>         "containerId": "container_1609318368700_0002_01_01",
>         "nodeHttpAddress": "hadoop12:8044",
>         "nodeId": "hadoop12:36831",
>         "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
>         "blacklistedNodes": "",
>         "nodesBlacklistedBySystem": ""
>       }
>     ]
>   }
> }
> {code}
> Other APIs, like getApps and getApp, have a security check like "hasAccess(app,
> hsr)", so they would not leak the logs link, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
> We need to add hasAccess(app, hsr) for getAppAttempts.
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
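
A regression check for the behaviour reported in YARN-10555, as an added example that is not part of the Jira thread or of the Hadoop code base: given the body the appattempts endpoint returns to a caller who does not own the application, it reports every attempt that still carries node or log location data. The two sample bodies are constructed from the before and after outputs quoted in the message above; the function names and the choice of sensitive fields are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Fields that come back empty in the "output after patch" response quoted in
# the thread. Treating exactly these as sensitive is an assumption.
SENSITIVE_FIELDS = ("containerId", "nodeHttpAddress", "nodeId", "logsLink")

# Constructed sample: the response user1 received for user2's application
# before the patch, with values copied from the issue description.
BEFORE_PATCH = """
{"appAttempts": {"appAttempt": [{
  "id": 1,
  "startTime": 1609318411566,
  "containerId": "container_1609318368700_0002_01_01",
  "nodeHttpAddress": "hadoop12:8044",
  "nodeId": "hadoop12:36831",
  "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
  "blacklistedNodes": "",
  "nodesBlacklistedBySystem": ""
}]}}
"""

# Constructed sample: the "output after patch" body from the comment.
AFTER_PATCH = """
{"appAttempts": {"appAttempt": [{
  "id": 1,
  "startTime": 1609326143645,
  "containerId": "",
  "nodeHttpAddress": "",
  "nodeId": "",
  "logsLink": "",
  "blacklistedNodes": ""
}]}}
"""


def attempts_of(body):
    """Return the attempt records from an appattempts response body."""
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    wrapper = doc.get("appAttempts") or {}
    attempts = wrapper.get("appAttempt") or []
    # Defensive: accept a single object where a list is expected.
    if isinstance(attempts, dict):
        attempts = [attempts]
    return attempts


def logs_link_user(link):
    """Last path segment of a containerlogs link (the user name in the quoted output)."""
    path = urlparse(link).path.rstrip("/")
    return path.rsplit("/", 1)[-1] if path else ""


def audit_non_owner_view(body, caller):
    """List attempts whose sensitive fields are populated in a non-owner's view.

    `caller` is the authenticated user who made the request and who is known
    not to own the application. An empty result means the response is redacted.
    """
    findings = []
    for attempt in attempts_of(body):
        exposed = [f for f in SENSITIVE_FIELDS if str(attempt.get(f) or "").strip()]
        if not exposed:
            continue
        user = logs_link_user(str(attempt.get("logsLink") or ""))
        findings.append({
            "attempt": attempt.get("id"),
            "exposed": exposed,
            # True when the link points at another user's container logs.
            "foreign_logs": bool(user) and user != caller,
        })
    return findings


if __name__ == "__main__":
    for label, body in (("before patch", BEFORE_PATCH), ("after patch", AFTER_PATCH)):
        print(label, audit_non_owner_view(body, "user1"))
```

Run against a live ResourceManager, the body would be the response fetched as a test user for an application submitted by a different test user.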
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated YARN-10555: - Description: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. {code:java} user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq # application_1609318368700_0002 belong to user2 { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. was: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. 
{code:java} user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. > missing security check before getAppAttempts > - > > Key: YARN-10555 > URL: https://issues.apache.org/jira/browse/YARN-10555 > Project: Hadoop YARN > Issue Type: Bug > Components: webapp >Reporter: lujie >Priority: Critical > Labels: security > Attachments: YARN-10555_1.patch > > > It seems that we miss a security check before getAppAttempts, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] > thus we can get the some sensitive information, like logs link. 
> {code:java} > user1@hadoop11$ curl --negotiate -u : > http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq > # application_1609318368700_0002 belong to user2 > { > "appAttempts": { > "appAttempt": [ > { > "id": 1, > "startTime": 1609318411566, > "containerId": "container_1609318368700_0002_01_01", > "nodeHttpAddress": "hadoop12:8044", > "nodeId": "hadoop12:36831", > "logsLink": > "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, > "blacklistedNodes": "", > "nodesBlacklistedBySystem": "" > } > ] > } > } > {code} > Others api, like getApps and getApp, has security check like "hasAccess(app, > hsr)", they would not leak the logs link, see >
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated YARN-10555: - Description: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. {code:java} application_1609318368700_0002 belong to user2 user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. was: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. 
{code:java} user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq # application_1609318368700_0002 belong to user2 { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. > missing security check before getAppAttempts > - > > Key: YARN-10555 > URL: https://issues.apache.org/jira/browse/YARN-10555 > Project: Hadoop YARN > Issue Type: Bug > Components: webapp >Reporter: lujie >Priority: Critical > Labels: security > Attachments: YARN-10555_1.patch > > > It seems that we miss a security check before getAppAttempts, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] > thus we can get the some sensitive information, like logs link. 
> {code:java} > application_1609318368700_0002 belong to user2 > user1@hadoop11$ curl --negotiate -u : > http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq > { > "appAttempts": { > "appAttempt": [ > { > "id": 1, > "startTime": 1609318411566, > "containerId": "container_1609318368700_0002_01_01", > "nodeHttpAddress": "hadoop12:8044", > "nodeId": "hadoop12:36831", > "logsLink": > "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, > "blacklistedNodes": "", > "nodesBlacklistedBySystem": "" > } > ] > } > } > {code} > Others api, like getApps and getApp, has security check like "hasAccess(app, > hsr)", they would not leak the logs link, see >
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated YARN-10555: - Description: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. {code:java} user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. was: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. 
{code:java} curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. > missing security check before getAppAttempts > - > > Key: YARN-10555 > URL: https://issues.apache.org/jira/browse/YARN-10555 > Project: Hadoop YARN > Issue Type: Bug > Components: webapp >Reporter: lujie >Priority: Critical > Labels: security > Attachments: YARN-10555_1.patch > > > It seems that we miss a security check before getAppAttempts, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] > thus we can get the some sensitive information, like logs link. 
> {code:java} > user1@hadoop11$ curl --negotiate -u : > http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq > { > "appAttempts": { > "appAttempt": [ > { > "id": 1, > "startTime": 1609318411566, > "containerId": "container_1609318368700_0002_01_01", > "nodeHttpAddress": "hadoop12:8044", > "nodeId": "hadoop12:36831", > "logsLink": > "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, > "blacklistedNodes": "", > "nodesBlacklistedBySystem": "" > } > ] > } > } > {code} > Others api, like getApps and getApp, has security check like "hasAccess(app, > hsr)", they would not leak the logs link, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] > We need add hasAccess(app, hsr) for getAppAttempts. > -- This message was
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated YARN-10555: - Description: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. {code:java} curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. was: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. 
{code:java} curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. > missing security check before getAppAttempts > - > > Key: YARN-10555 > URL: https://issues.apache.org/jira/browse/YARN-10555 > Project: Hadoop YARN > Issue Type: Bug > Components: webapp >Reporter: lujie >Priority: Critical > Labels: security > Attachments: YARN-10555_1.patch > > > It seems that we miss a security check before getAppAttempts, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] > thus we can get the some sensitive information, like logs link. 
> {code:java} > curl --negotiate -u : > http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq > { > "appAttempts": { > "appAttempt": [ > { > "id": 1, > "startTime": 1609318411566, > "containerId": "container_1609318368700_0002_01_01", > "nodeHttpAddress": "hadoop12:8044", > "nodeId": "hadoop12:36831", > "logsLink": > "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, > "blacklistedNodes": "", > "nodesBlacklistedBySystem": "" > } > ] > } > } > {code} > Others api, like getApps and getApp, has security check like "hasAccess(app, > hsr)", they would not leak the logs link, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] > We need add hasAccess(app, hsr) for getAppAttempts. > -- This message was sent by Atlassian Jira
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated YARN-10555: - Description: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. {code:java} curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. was: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. 
{code:java} curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. > missing security check before getAppAttempts > - > > Key: YARN-10555 > URL: https://issues.apache.org/jira/browse/YARN-10555 > Project: Hadoop YARN > Issue Type: Bug > Components: webapp >Reporter: lujie >Priority: Critical > Labels: security > Attachments: YARN-10555_1.patch > > > It seems that we miss a security check before getAppAttempts, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] > thus we can get the some sensitive information, like logs link. 
> {code:java} > curl --negotiate -u : > http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq > { > "appAttempts": { > "appAttempt": [ > { > "id": 1, > "startTime": 1609318411566, > "containerId": "container_1609318368700_0002_01_01", > "nodeHttpAddress": "hadoop12:8044", > "nodeId": "hadoop12:36831", > "logsLink": > "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, > "blacklistedNodes": "", > "nodesBlacklistedBySystem": "" > } > ] > } > } > {code} > Others api, like getApps and getApp, has security check like "hasAccess(app, > hsr)", they would not leak the logs link, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] > > We need add hasAccess(app, hsr) for getAppAttempts. > -- This message was sent by Atlassian Jira
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated YARN-10555: - Description: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. {code:java} curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. was: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. 
{code:java} { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. > missing security check before getAppAttempts > - > > Key: YARN-10555 > URL: https://issues.apache.org/jira/browse/YARN-10555 > Project: Hadoop YARN > Issue Type: Bug > Components: webapp >Reporter: lujie >Priority: Critical > Labels: security > Attachments: YARN-10555_1.patch > > > It seems that we miss a security check before getAppAttempts, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] > thus we can get the some sensitive information, like logs link. 
> {code:java} > curl --negotiate -u : > http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq > { > "appAttempts": { > "appAttempt": [ > { > "id": 1, > "startTime": 1609318411566, > "containerId": "container_1609318368700_0002_01_01", > "nodeHttpAddress": "hadoop12:8044", > "nodeId": "hadoop12:36831", > "logsLink": > "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, > "blacklistedNodes": "", > "nodesBlacklistedBySystem": "" > } > ] > } > } > {code} > Others api, like getApps and getApp, has security check like "hasAccess(app, > hsr)", they would not leak the logs link, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] > > We need add hasAccess(app, hsr) for getAppAttempts. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail:
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated YARN-10555: - Description: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. {code:java} { "appAttempts": { "appAttempt": [ { "id": 1, "startTime": 1609318411566, "containerId": "container_1609318368700_0002_01_01", "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831", "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, "blacklistedNodes": "", "nodesBlacklistedBySystem": "" } ] } } {code} Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. was: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. 
Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. > missing security check before getAppAttempts > - > > Key: YARN-10555 > URL: https://issues.apache.org/jira/browse/YARN-10555 > Project: Hadoop YARN > Issue Type: Bug > Components: webapp >Reporter: lujie >Priority: Critical > Labels: security > Attachments: YARN-10555_1.patch > > > It seems that we miss a security check before getAppAttempts, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] > thus we can get the some sensitive information, like logs link. > {code:java} > { > "appAttempts": { > "appAttempt": [ > { > "id": 1, > "startTime": 1609318411566, > "containerId": "container_1609318368700_0002_01_01", > "nodeHttpAddress": "hadoop12:8044", > "nodeId": "hadoop12:36831", > "logsLink": > "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2;, > "blacklistedNodes": "", > "nodesBlacklistedBySystem": "" > } > ] > } > } > {code} > Others api, like getApps and getApp, has security check like "hasAccess(app, > hsr)", they would not leak the logs link, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] > > We need add hasAccess(app, hsr) for getAppAttempts. 
> -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

lujie updated YARN-10555:
-
Component/s: webapp

> missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
> Issue Type: Bug
> Components: webapp
> Reporter: lujie
> Priority: Critical
> Labels: security
> Attachments: YARN-10555_1.patch
>
>
> It seems that we miss a security check before getAppAttempts, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get the some sensitive information, like logs link.
> Others api, like getApps and getApp, has security check like "hasAccess(app,
> hsr)", they would not leak the logs link, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
>
> We need add hasAccess(app, hsr) for getAppAttempts.
>
--
This message was sent by Atlassian Jira (v8.3.4#803005)
-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

lujie updated YARN-10555:
-
Labels: security (was: )

> missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: lujie
> Priority: Critical
> Labels: security
> Attachments: YARN-10555_1.patch
>
>
> It seems that we miss a security check before getAppAttempts, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get the some sensitive information, like logs link.
> Others api, like getApps and getApp, has security check like "hasAccess(app,
> hsr)", they would not leak the logs link, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
>
> We need add hasAccess(app, hsr) for getAppAttempts.
>
--
This message was sent by Atlassian Jira (v8.3.4#803005)
-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

lujie updated YARN-10555:
-
Priority: Critical (was: Major)

> missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: lujie
> Priority: Critical
> Attachments: YARN-10555_1.patch
>
>
> It seems that we miss a security check before getAppAttempts, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get the some sensitive information, like logs link.
> Others api, like getApps and getApp, has security check like "hasAccess(app,
> hsr)", they would not leak the logs link, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
>
> We need add hasAccess(app, hsr) for getAppAttempts.
>
--
This message was sent by Atlassian Jira (v8.3.4#803005)
-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Comment Edited] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256467#comment-17256467 ]

lujie edited comment on YARN-10555 at 12/30/20, 11:23 AM:
--

after patched, output can be like:

{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609326143645,
        "containerId": "",
        "nodeHttpAddress": "",
        "nodeId": "",
        "logsLink": "",
        "blacklistedNodes": ""
      }
    ]
  }
}

was (Author: xiaoheipangzi):
output can be like:

{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609326143645,
        "containerId": "",
        "nodeHttpAddress": "",
        "nodeId": "",
        "logsLink": "",
        "blacklistedNodes": ""
      }
    ]
  }
}

> missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: lujie
> Priority: Major
> Attachments: YARN-10555_1.patch
>
>
> It seems that we miss a security check before getAppAttempts, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get the some sensitive information, like logs link.
> Others api, like getApps and getApp, has security check like "hasAccess(app,
> hsr)", they would not leak the logs link, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
>
> We need add hasAccess(app, hsr) for getAppAttempts.
>
--
This message was sent by Atlassian Jira (v8.3.4#803005)
-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
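A regression check for the behaviour discussed in this thread, as an added example that is not part of the original messages or of Hadoop's code: it takes an `appattempts` response fetched as a given caller and reports every attempt that still carries the fields the patched output returns empty. The two sample bodies are the responses quoted in the thread; the function names, and the reading of the last `logsLink` path segment (`user2`) as the application owner, are assumptions.

```python
import json
from urllib.parse import urlparse

# Fields that the patched output quoted in the thread returns as "".
SENSITIVE_FIELDS = ("containerId", "nodeHttpAddress", "nodeId", "logsLink")

# Response quoted in the issue description (fetched by user1).
BEFORE_PATCH = """
{"appAttempts": {"appAttempt": [{
  "id": 1,
  "startTime": 1609318411566,
  "containerId": "container_1609318368700_0002_01_01",
  "nodeHttpAddress": "hadoop12:8044",
  "nodeId": "hadoop12:36831",
  "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
  "blacklistedNodes": "",
  "nodesBlacklistedBySystem": ""
}]}}
"""

# Response quoted in the "after patched" comment.
AFTER_PATCH = """
{"appAttempts": {"appAttempt": [{
  "id": 1,
  "startTime": 1609326143645,
  "containerId": "",
  "nodeHttpAddress": "",
  "nodeId": "",
  "logsLink": "",
  "blacklistedNodes": ""
}]}}
"""


def owner_from_logs_link(link):
    """Assumption: the last path segment of logsLink names the app owner."""
    path = urlparse(link or "").path.rstrip("/")
    return path.rsplit("/", 1)[-1] if path else None


def exposed_fields(attempt):
    """Sensitive fields that are present and non-empty in one attempt."""
    return [f for f in SENSITIVE_FIELDS if attempt.get(f)]


def audit_app_attempts(body, caller, authorised_users=()):
    """Return one finding per attempt that exposes sensitive fields to a
    caller who is neither the (assumed) owner nor explicitly authorised."""
    doc = json.loads(body)
    attempts = (doc.get("appAttempts") or {}).get("appAttempt") or []
    if isinstance(attempts, dict):
        # Tolerate a single object where a list is expected.
        attempts = [attempts]

    findings = []
    for attempt in attempts:
        fields = exposed_fields(attempt)
        if not fields:
            continue  # everything blanked: nothing disclosed
        owner = owner_from_logs_link(attempt.get("logsLink"))
        if caller == owner or caller in authorised_users:
            continue  # caller is allowed to see these values
        findings.append({
            "attemptId": attempt.get("id"),
            "caller": caller,
            "owner": owner,
            "fields": fields,
        })
    return findings


if __name__ == "__main__":
    for label, body in (("before", BEFORE_PATCH), ("after", AFTER_PATCH)):
        print(label, audit_app_attempts(body, caller="user1"))
```

Run against a test cluster, the same function can take the live response body for a non-owner account, with `authorised_users` listing the accounts expected to have view access.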
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

lujie updated YARN-10555:
-
Attachment: (was: YARN-10555_1.patch)

> missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: lujie
> Priority: Major
>
> It seems that we miss a security check before getAppAttempts, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get the some sensitive information, like logs link.
> Others api, like getApps and getApp, has security check like "hasAccess(app,
> hsr)", they would not leak the logs link, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
>
> We need add hasAccess(app, hsr) for getAppAttempts.
>
--
This message was sent by Atlassian Jira (v8.3.4#803005)
-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

lujie updated YARN-10555:
-
Attachment: YARN-10555_1.patch

> missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: lujie
> Priority: Major
> Attachments: YARN-10555_1.patch
>
>
> It seems that we miss a security check before getAppAttempts, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get the some sensitive information, like logs link.
> Others api, like getApps and getApp, has security check like "hasAccess(app,
> hsr)", they would not leak the logs link, see
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
>
> We need add hasAccess(app, hsr) for getAppAttempts.
>
--
This message was sent by Atlassian Jira (v8.3.4#803005)
-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated YARN-10555: - Description: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. was: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. 
@[~ayushtkn] > missing security check before getAppAttempts > - > > Key: YARN-10555 > URL: https://issues.apache.org/jira/browse/YARN-10555 > Project: Hadoop YARN > Issue Type: Bug >Reporter: lujie >Priority: Major > > It seems that we miss a security check before getAppAttempts, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] > thus we can get the some sensitive information, like logs link. > Others api, like getApps and getApp, has security check like "hasAccess(app, > hsr)", they would not leak the logs link, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] > > We need add hasAccess(app, hsr) for getAppAttempts. > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] lujie updated YARN-10555: - Description: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] We need add hasAccess(app, hsr) for getAppAttempts. @[~ayushtkn] was: It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] thus we can get the some sensitive information, like logs link. 
Others api, like getApps and getApp, has security check like "hasAccess(app, hsr)", they would not leak the logs link, see https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098 We need add hasAccess(app, hsr) for getAppAttempts.@ > missing security check before getAppAttempts > - > > Key: YARN-10555 > URL: https://issues.apache.org/jira/browse/YARN-10555 > Project: Hadoop YARN > Issue Type: Bug >Reporter: lujie >Priority: Major > > It seems that we miss a security check before getAppAttempts, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127] > thus we can get the some sensitive information, like logs link. > Others api, like getApps and getApp, has security check like "hasAccess(app, > hsr)", they would not leak the logs link, see > [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098] > > We need add hasAccess(app, hsr) for getAppAttempts. @[~ayushtkn] > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

lujie updated YARN-10555:
-------------------------
    Description:
It seems that we miss a security check before getAppAttempts, see
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
thus we can get some sensitive information, like logs link.

Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see
https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098

We need to add hasAccess(app, hsr) for getAppAttempts.@

  was:
It seems that we miss a

> missing security check before getAppAttempts
> --------------------------------------------
>
>                 Key: YARN-10555
>                 URL: https://issues.apache.org/jira/browse/YARN-10555
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: lujie
>            Priority: Major
[jira] [Updated] (YARN-10555) missing security check before getAppAttempts
[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

lujie updated YARN-10555:
-------------------------
    Description:
It seems that we miss a

> missing security check before getAppAttempts
> --------------------------------------------
>
>                 Key: YARN-10555
>                 URL: https://issues.apache.org/jira/browse/YARN-10555
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: lujie
>            Priority: Major
>
> It seems that we miss a
[jira] [Created] (YARN-10555) missing security check before getAppAttempts
lujie created YARN-10555:
-------------------------

             Summary: missing security check before getAppAttempts
                 Key: YARN-10555
                 URL: https://issues.apache.org/jira/browse/YARN-10555
             Project: Hadoop YARN
          Issue Type: Bug
            Reporter: lujie
[jira] [Resolved] (YARN-10551) non-admin user can change the log level
[ https://issues.apache.org/jira/browse/YARN-10551?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

lujie resolved YARN-10551.
--------------------------
    Resolution: Not A Problem

misconfiguration! see https://issues.apache.org/jira/secure/attachment/12832635/HADOOP-13707.001.patch

> non-admin user can change the log level
> ---------------------------------------
>
>                 Key: YARN-10551
>                 URL: https://issues.apache.org/jira/browse/YARN-10551
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: lujie
>            Priority: Major
>
> reproduce:
> 1. login as user1 and do
> {code:java}
> yarn daemonlog -setlevel hadoop11:8088 org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppImpl DEBUG
> {code}
> 2. login as user2 and run wordcount
> 3. check the log of RM
> {code:java}
> 2020-12-27 10:54:15,917 DEBUG org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppImpl: Processing event for application_1609065586411_0003 of type START
> {code}