[jira] [Comment Edited] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256467#comment-17256467 ]

lujie edited comment on YARN-10555 at 12/30/20, 12:00 PM:
--

Output after the patch:
{code:java}
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609326143645,
        "containerId": "",
        "nodeHttpAddress": "",
        "nodeId": "",
        "logsLink": "",
        "blacklistedNodes": ""
      }
    ]
  }
}
{code}


was (Author: xiaoheipangzi):
After the patch, the output can look like:

{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609326143645,
        "containerId": "",
        "nodeHttpAddress": "",
        "nodeId": "",
        "logsLink": "",
        "blacklistedNodes": ""
      }
    ]
  }
}

>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Priority: Critical
>  Labels: security
> Attachments: YARN-10555_1.patch
>
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.  
> {code:java}
> application_1609318368700_0002 belong to user2
> user1@hadoop11$ curl --negotiate -u  : 
> http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
> {
>   "appAttempts": {
> "appAttempt": [
>   {
> "id": 1,
> "startTime": 1609318411566,
> "containerId": "container_1609318368700_0002_01_01",
> "nodeHttpAddress": "hadoop12:8044",
> "nodeId": "hadoop12:36831",
> "logsLink": 
> "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
> "blacklistedNodes": "",
> "nodesBlacklistedBySystem": ""
>   }
> ]
>   }
> }
> {code}
> Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
> hsr)", so they would not leak the logs link; see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
>  We need to add hasAccess(app, hsr) for getAppAttempts.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
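The gate the report asks for, shown as an added example in Java that is not Hadoop's code: the App and AppAttemptInfo classes and the owner-or-admin hasAccess() policy are simplified stand-ins for RMWebServices and its hasAccess(app, hsr), and the blanked fields for a non-owner reproduce the post-patch output quoted above.

```java
import java.util.ArrayList;
import java.util.List;
// Added illustration, not Hadoop code: App, AppAttemptInfo and hasAccess() are
// simplified stand-ins for the RMWebServices types and its hasAccess(app, hsr).
public class AppAttemptsAccessCheck {
  static final class App { final String owner; App(String owner) { this.owner = owner; } }
  // Same fields as the JSON in the issue; the node-level details default to "".
  static final class AppAttemptInfo {
    int id; long startTime;
    String containerId = "", nodeHttpAddress = "", nodeId = "", logsLink = "", blacklistedNodes = "";
  }
  // Stand-in policy (hypothetical): only the app owner or an admin may view details.
  static boolean hasAccess(App app, String caller, boolean callerIsAdmin) {
    return callerIsAdmin || app.owner.equals(caller);
  }
  // Gated endpoint: all callers get the attempt id and start time; node-level details
  // are copied only when hasAccess() passes, giving the blanked post-patch output shape.
  static List<AppAttemptInfo> getAppAttempts(App app, String caller, boolean callerIsAdmin,
                                             List<AppAttemptInfo> stored) {
    boolean allowed = hasAccess(app, caller, callerIsAdmin);
    List<AppAttemptInfo> out = new ArrayList<>();
    for (AppAttemptInfo a : stored) {
      AppAttemptInfo view = new AppAttemptInfo();
      view.id = a.id; view.startTime = a.startTime;
      if (allowed) {
        view.containerId = a.containerId;
        view.nodeHttpAddress = a.nodeHttpAddress;
        view.nodeId = a.nodeId;
        view.logsLink = a.logsLink;
        view.blacklistedNodes = a.blacklistedNodes;
      }
      out.add(view);
    }
    return out;
  }
  public static void main(String[] args) {
    // Sample attempt built from the values quoted in the report; user2 owns the app.
    App app = new App("user2");
    AppAttemptInfo a = new AppAttemptInfo();
    a.id = 1; a.startTime = 1609318411566L; a.containerId = "container_1609318368700_0002_01_01";
    a.nodeHttpAddress = "hadoop12:8044"; a.nodeId = "hadoop12:36831";
    a.logsLink = "http://hadoop12:8044/node/containerlogs/" + a.containerId + "/user2";
    List<AppAttemptInfo> stored = new ArrayList<>(); stored.add(a);
    for (String user : new String[] {"user1", "user2"}) {
      AppAttemptInfo seen = getAppAttempts(app, user, false, stored).get(0);
      System.out.println(user + " sees logsLink: '" + seen.logsLink + "'");
    }
  }
}
```

Running it prints an empty logsLink for user1 and the full link only for user2, the owner.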



[jira] [Comment Edited] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


[ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17256467#comment-17256467
 ] 

lujie edited comment on YARN-10555 at 12/30/20, 11:23 AM:
--

After the patch, the output can look like:

{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609326143645,
        "containerId": "",
        "nodeHttpAddress": "",
        "nodeId": "",
        "logsLink": "",
        "blacklistedNodes": ""
      }
    ]
  }
}


was (Author: xiaoheipangzi):
Output can look like:

{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609326143645,
        "containerId": "",
        "nodeHttpAddress": "",
        "nodeId": "",
        "logsLink": "",
        "blacklistedNodes": ""
      }
    ]
  }
}

>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>Reporter: lujie
>Priority: Major
> Attachments: YARN-10555_1.patch
>
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.  
> Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
> hsr)", so they would not leak the logs link; see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
>  
> We need to add hasAccess(app, hsr) for getAppAttempts.
>  


