[jira] [Updated] (YARN-10555) Missing access check before getAppAttempts

2021-05-17 Thread Akira Ajisaka (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Akira Ajisaka updated YARN-10555:
-
Fix Version/s: 2.10.2

>  Missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Fix For: 3.4.0, 3.3.1, 3.1.5, 2.10.2, 3.2.3
>
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 2h 10m
>  Remaining Estimate: 0h
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.
> {code:java}
> application_1609318368700_0002 belongs to user2
> user1@hadoop11$ curl --negotiate -u  : 
> http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
> {
>   "appAttempts": {
> "appAttempt": [
>   {
> "id": 1,
> "startTime": 1609318411566,
> "containerId": "container_1609318368700_0002_01_01",
> "nodeHttpAddress": "hadoop12:8044",
> "nodeId": "hadoop12:36831",
> "logsLink": 
> "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
> "blacklistedNodes": "",
> "nodesBlacklistedBySystem": ""
>   }
> ]
>   }
> }
> {code}
> Other APIs, like getApps and getApp, have an access check like "hasAccess(app, 
> hsr)"; they would hide the logs link if the appid does not belong to the querying 
> user, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
>  We need to add hasAccess(app, hsr) for getAppAttempts.
>  
> Besides, at 
> [https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]
> it seems that we have an access check in its caller, so now I pass "true" to 
> AppAttemptInfo in the patch.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
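
A quick offline check for the gap described in this issue, added here as an example; it is not code from the issue or from the Hadoop project. It takes JSON already fetched from the ResourceManager REST API (for instance with `curl --negotiate`, as in the report) and lists container log links that were handed to a caller who is neither the application owner nor an admin. The sample payloads are constructed: the attempt payload is the one quoted above, and the app payload is a minimal /ws/v1/cluster/apps/{appId} object carrying the "user" field the check relies on. The admin list and the single-object tolerance in the unwrapping are assumptions of this example, not documented RM behaviour.

```python
"""Offline check for a YARN-10555 style authorization gap.

Added example, not code from the Hadoop project. Works on JSON already
fetched from the ResourceManager REST API and reports container log links
returned to a user who is neither the application owner nor an admin.
"""
import json
from typing import Dict, Iterable, List

# Constructed sample: what user1 (not the owner) received for user2's app.
# The attempt payload mirrors the one pasted in the issue; the app payload is
# a minimal /ws/v1/cluster/apps/{appId} object with the "user" field.
SAMPLE_APP_RESPONSE = json.dumps({
    "app": {
        "id": "application_1609318368700_0002",
        "user": "user2",
        "state": "RUNNING",
    }
})

SAMPLE_ATTEMPTS_RESPONSE = json.dumps({
    "appAttempts": {
        "appAttempt": [
            {
                "id": 1,
                "startTime": 1609318411566,
                "containerId": "container_1609318368700_0002_01_01",
                "nodeHttpAddress": "hadoop12:8044",
                "nodeId": "hadoop12:36831",
                "logsLink": "http://hadoop12:8044/node/containerlogs/"
                            "container_1609318368700_0002_01_01/user2",
                "blacklistedNodes": "",
                "nodesBlacklistedBySystem": "",
            }
        ]
    }
})


def app_owner(app_response: str) -> str:
    """Owner of the application as reported by /ws/v1/cluster/apps/{appId}."""
    return json.loads(app_response)["app"]["user"]


def app_attempts(attempts_response: str) -> List[Dict]:
    """Unwrap the appAttempts envelope.

    A missing or empty envelope yields []. A single attempt rendered as an
    object instead of a one-element list is tolerated (defensive handling
    assumed by this example, not a documented RM behaviour).
    """
    envelope = json.loads(attempts_response).get("appAttempts") or {}
    items = envelope.get("appAttempt", [])
    return items if isinstance(items, list) else [items]


def leaked_logs_links(query_user: str, app_response: str,
                      attempts_response: str,
                      admins: Iterable[str] = ()) -> List[str]:
    """Log links returned to a caller who should not have seen them.

    Assumption: only the application owner and the principals in `admins`
    may view the links. Real clusters also grant view access through queue
    and application ACLs, so a non-empty result means "investigate", not
    "confirmed", unless those ACLs are known to be closed.
    """
    if query_user == app_owner(app_response) or query_user in set(admins):
        return []
    return [attempt["logsLink"] for attempt in app_attempts(attempts_response)
            if attempt.get("logsLink")]


if __name__ == "__main__":
    # Against an unpatched RM the non-owner gets the link back; against a
    # patched RM the appattempts response carries no logsLink and this is empty.
    for link in leaked_logs_links("user1", SAMPLE_APP_RESPONSE,
                                  SAMPLE_ATTEMPTS_RESPONSE):
        print("log link exposed to non-owner user1:", link)
```

Run it against the two responses captured as a non-owner before and after the fix: on an unpatched RM the link from the appattempts endpoint is reported, on a patched one the list is empty because AppAttemptInfo no longer fills logsLink when hasAccess is false.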



[jira] [Updated] (YARN-10555) Missing access check before getAppAttempts

2021-05-17 Thread Akira Ajisaka (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Akira Ajisaka updated YARN-10555:
-
Summary:  Missing access check before getAppAttempts  (was:  missing access 
check before getAppAttempts)

>  Missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Fix For: 3.4.0, 3.3.1, 3.1.5, 3.2.3
>
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 2h 10m
>  Remaining Estimate: 0h






[jira] [Updated] (YARN-10555) missing access check before getAppAttempts

2021-05-17 Thread Akira Ajisaka (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Akira Ajisaka updated YARN-10555:
-
Fix Version/s: 3.2.3
   3.1.5
   3.3.1

>  missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Fix For: 3.4.0, 3.3.1, 3.1.5, 3.2.3
>
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 2h 10m
>  Remaining Estimate: 0h






[jira] [Updated] (YARN-10555) missing access check before getAppAttempts

2021-01-08 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u  : 
http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
"appAttempt": [
  {
"id": 1,
"startTime": 1609318411566,
"containerId": "container_1609318368700_0002_01_01",
"nodeHttpAddress": "hadoop12:8044",
"nodeId": "hadoop12:36831",
"logsLink": 
"http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
"blacklistedNodes": "",
"nodesBlacklistedBySystem": ""
  }
]
  }
}

{code}
Other APIs, like getApps and getApp, have an access check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we have an access check in its caller, so now I pass "true" to 
AppAttemptInfo in the patch.

 

  was:
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u  : 
http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
"appAttempt": [
  {
"id": 1,
"startTime": 1609318411566,
"containerId": "container_1609318368700_0002_01_01",
"nodeHttpAddress": "hadoop12:8044",
"nodeId": "hadoop12:36831",
"logsLink": 
"http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
"blacklistedNodes": "",
"nodesBlacklistedBySystem": ""
  }
]
  }
}

{code}
Other APIs, like getApps and getApp, have an access check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we have an access check in its caller, so now I pass "true" to 
AppAttemptInfo.

 


>  missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.
> {code:java}
> application_1609318368700_0002 belongs to user2
> 

[jira] [Updated] (YARN-10555) missing access check before getAppAttempts

2021-01-08 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u  : 
http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
"appAttempt": [
  {
"id": 1,
"startTime": 1609318411566,
"containerId": "container_1609318368700_0002_01_01",
"nodeHttpAddress": "hadoop12:8044",
"nodeId": "hadoop12:36831",
"logsLink": 
"http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
"blacklistedNodes": "",
"nodesBlacklistedBySystem": ""
  }
]
  }
}

{code}
Other APIs, like getApps and getApp, have an access check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we have an access check in its caller, so now I pass "true" to 
AppAttemptInfo.

 

  was:
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u  : 
http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
"appAttempt": [
  {
"id": 1,
"startTime": 1609318411566,
"containerId": "container_1609318368700_0002_01_01",
"nodeHttpAddress": "hadoop12:8044",
"nodeId": "hadoop12:36831",
"logsLink": 
"http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
"blacklistedNodes": "",
"nodesBlacklistedBySystem": ""
  }
]
  }
}

{code}
Other APIs, like getApps and getApp, have an access check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we have an access check, so now I pass "true" to AppAttemptInfo.
 

 


>  missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.
> {code:java}
> application_1609318368700_0002 belongs to user2
> user1@hadoop11$ curl --negotiate -u 

[jira] [Updated] (YARN-10555) missing access check before getAppAttempts

2021-01-08 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u  : 
http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
"appAttempt": [
  {
"id": 1,
"startTime": 1609318411566,
"containerId": "container_1609318368700_0002_01_01",
"nodeHttpAddress": "hadoop12:8044",
"nodeId": "hadoop12:36831",
"logsLink": 
"http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
"blacklistedNodes": "",
"nodesBlacklistedBySystem": ""
  }
]
  }
}

{code}
Other APIs, like getApps and getApp, have an access check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we have an access check, so now I pass "true" to AppAttemptInfo.
 

 

  was:
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u  : 
http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
"appAttempt": [
  {
"id": 1,
"startTime": 1609318411566,
"containerId": "container_1609318368700_0002_01_01",
"nodeHttpAddress": "hadoop12:8044",
"nodeId": "hadoop12:36831",
"logsLink": 
"http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
"blacklistedNodes": "",
"nodesBlacklistedBySystem": ""
  }
]
  }
}

{code}
Other APIs, like getApps and getApp, have an access check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we also miss an access check, but I do not trigger it, so now I 
pass "true" to AppAttemptInfo.

 


>  missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.
> {code:java}
> application_1609318368700_0002 belongs to user2
> user1@hadoop11$ curl 

[jira] [Updated] (YARN-10555) missing access check before getAppAttempts

2021-01-08 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u  : 
http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
"appAttempt": [
  {
"id": 1,
"startTime": 1609318411566,
"containerId": "container_1609318368700_0002_01_01",
"nodeHttpAddress": "hadoop12:8044",
"nodeId": "hadoop12:36831",
"logsLink": 
"http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
"blacklistedNodes": "",
"nodesBlacklistedBySystem": ""
  }
]
  }
}

{code}
Other APIs, like getApps and getApp, have an access check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we also miss an access check, but I do not trigger it, so now I 
pass "true" to AppAttemptInfo.

 

  was:
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u  : 
http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
"appAttempt": [
  {
"id": 1,
"startTime": 1609318411566,
"containerId": "container_1609318368700_0002_01_01",
"nodeHttpAddress": "hadoop12:8044",
"nodeId": "hadoop12:36831",
"logsLink": 
"http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
"blacklistedNodes": "",
"nodesBlacklistedBySystem": ""
  }
]
  }
}

{code}
Other APIs, like getApps and getApp, have an access check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we also miss an access check, but I do not trigger it, so now I 
pass "true" to AppAttemptInfo.

 


>  missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.
> {code:java}
> application_1609318368700_0002 belongs to 

[jira] [Updated] (YARN-10555) missing access check before getAppAttempts

2021-01-08 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u  : 
http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
"appAttempt": [
  {
"id": 1,
"startTime": 1609318411566,
"containerId": "container_1609318368700_0002_01_01",
"nodeHttpAddress": "hadoop12:8044",
"nodeId": "hadoop12:36831",
"logsLink": 
"http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
"blacklistedNodes": "",
"nodesBlacklistedBySystem": ""
  }
]
  }
}

{code}
Other APIs, like getApps and getApp, have an access check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we also miss an access check, but I do not trigger it, so now I 
pass "true" to AppAttemptInfo.

 

  was:
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u  : 
http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
"appAttempt": [
  {
"id": 1,
"startTime": 1609318411566,
"containerId": "container_1609318368700_0002_01_01",
"nodeHttpAddress": "hadoop12:8044",
"nodeId": "hadoop12:36831",
"logsLink": 
"http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
"blacklistedNodes": "",
"nodesBlacklistedBySystem": ""
  }
]
  }
}

{code}
Other APIs, like getApps and getApp, have an access check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we also miss an access check, but I do not trigger it, so now I 
pass "true" to AppAttemptInfo

 


>  missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get the some sensitive information, like logs link.  
> {code:java}
> application_1609318368700_0002 belongs to user2
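The fix the description asks for, as an added example that is neither Hadoop code nor the reporter's patch: a Python model of the owner-scoped serialisation that getApp already applies, run on the appattempts JSON quoted above, plus a client-side check an operator can run on a response captured as a non-owner to confirm the logs link is no longer returned after patching. The has_access stand-in, the admins set, the function names and the sample data are assumptions made for this example; the real ResourceManager decision also honours the application's view ACL.

```python
"""Owner-scoped filtering for the RM REST appattempts response (YARN-10555).

Added example, not Hadoop code. It models what a missing hasAccess(app, hsr)
check costs: a caller who is neither the application owner nor an admin
should get the attempt list without the logs link, as getApp/getApps
already do. Names, the admins set and the sample data are assumptions.
"""
import copy
import json

# Constructed sample, shaped like the response quoted in the report
# (user1 queried user2's application on an unpatched RM).
SAMPLE_RESPONSE = json.loads("""
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
""")


def has_access(caller, app_owner, admins=frozenset()):
    """Stand-in for the per-application access decision: owner or admin.

    Assumption for this example; the real RM check also consults the
    application's VIEW_APP ACL and the admin ACL.
    """
    return caller == app_owner or caller in admins


def _attempts(response):
    """Attempt list from a response, tolerating an empty/missing list."""
    return response.get("appAttempts", {}).get("appAttempt", [])


def filter_attempts(response, caller, app_owner, admins=frozenset()):
    """Server-side fix: return a copy of the response scoped to the caller.

    When the caller has no access to the application, the logs link is
    blanked before serialisation; the input is never mutated.
    """
    scoped = copy.deepcopy(response)
    if has_access(caller, app_owner, admins):
        return scoped
    for attempt in _attempts(scoped):
        attempt["logsLink"] = ""
    return scoped


def leaked_logs_links(response):
    """Client-side check: non-empty logsLink values in a response.

    Run it on a response fetched as a user who does not own the application
    (e.g. the curl from the report); a non-empty result means the RM still
    leaks the link, i.e. it is unpatched.
    """
    return [a["logsLink"] for a in _attempts(response) if a.get("logsLink")]


if __name__ == "__main__":
    # Unpatched behaviour: user1 sees user2's logs link.
    print("unpatched leak:", leaked_logs_links(SAMPLE_RESPONSE))
    # Patched behaviour: the same request by user1 carries no logs link.
    scoped = filter_attempts(SAMPLE_RESPONSE, caller="user1", app_owner="user2")
    print("patched leak:", leaked_logs_links(scoped))
    # The owner still gets the full attempt information.
    print(json.dumps(filter_attempts(SAMPLE_RESPONSE, "user2", "user2"), indent=2))
```

To use the check against a live cluster, pipe the output of the curl shown in the description into `json.loads` and pass it to `leaked_logs_links`; anything other than an empty list from a non-owner means the access check is still missing.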

[jira] [Updated] (YARN-10555) missing access check before getAppAttempts

2021-01-08 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.  
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}

{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we also miss an access check, but I do not trigger it, so now I 
pass "true" to AppAttemptInfo

 

  was:
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.  
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}

{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we also miss an access check, but I do not trigger it, so now I 
pass "true" to AppAttemptInfo

 


>  missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.  
> {code:java}
> application_1609318368700_0002 belong to 

[jira] [Updated] (YARN-10555) missing access check before getAppAttempts

2021-01-08 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.  
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}

{code}
Other APIs, like getApps and getApp, have an access check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we also miss an access check, but I do not trigger it, so now I 
pass "true" to AppAttemptInfo

 

  was:
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.  
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}

{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we also miss an access check, but I do not trigger it, so now I 
pass "true" to AppAttemptInfo

 


>  missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.  
> {code:java}
> application_1609318368700_0002 belongs to user2

[jira] [Updated] (YARN-10555) missing access check before getAppAttempts

2021-01-08 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.  
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}

{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

Besides, at 
[https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145]

it seems that we also miss an access check, but I do not trigger it, so now I 
pass "true" to AppAttemptInfo

 

  was:
It seems that we miss an access check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus anyone can get some sensitive information that she/he should not, like 
the logs link.  
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}

{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 


>  missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.  
> {code:java}
> application_1609318368700_0002 belongs to user2
> user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
> {
>   "appAttempts": {
>     "appAttempt": [
>       {
>         "id": 1,
>         "startTime": 1609318411566,
>         "containerId": "container_1609318368700_0002_01_01",
>         "nodeHttpAddress": 

[jira] [Updated] (YARN-10555) missing access check before getAppAttempts

2021-01-08 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss an access check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus anyone can get some sensitive information that she/he should not, like 
the logs link.  
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}

{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

  was:
It seems that we miss an access check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.  
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}

{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 


>  missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> It seems that we miss an access check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus anyone can get some sensitive information that she/he should not, like 
> the logs link.  
> {code:java}
> application_1609318368700_0002 belongs to user2
> user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
> {
>   "appAttempts": {
>     "appAttempt": [
>       {
>         "id": 1,
>         "startTime": 1609318411566,
>         "containerId": "container_1609318368700_0002_01_01",
>         "nodeHttpAddress": "hadoop12:8044",
>         "nodeId": "hadoop12:36831",
>         "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
>         "blacklistedNodes": "",
>         "nodesBlacklistedBySystem": ""
>       }
>     ]
>   }
> }
> {code}
> Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
> hsr)"; they 

[jira] [Updated] (YARN-10555) missing access check before getAppAttempts

2021-01-08 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss an access check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.  
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}

{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

  was:
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.  
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}

{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
hsr)"; they would hide the logs link if the appid does not belong to the querying user, 
see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 


>  missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> It seems that we miss an access check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.  
> {code:java}
> application_1609318368700_0002 belongs to user2
> user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
> {
>   "appAttempts": {
>     "appAttempt": [
>       {
>         "id": 1,
>         "startTime": 1609318411566,
>         "containerId": "container_1609318368700_0002_01_01",
>         "nodeHttpAddress": "hadoop12:8044",
>         "nodeId": "hadoop12:36831",
>         "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
>         "blacklistedNodes": "",
>         "nodesBlacklistedBySystem": ""
>       }
>     ]
>   }
> }
> {code}
> Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
> hsr)"; they would hide the logs link if the appid does not 

[jira] [Updated] (YARN-10555) missing access check before getAppAttempts

2021-01-08 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated YARN-10555:
--
Labels: pull-request-available security  (was: security)

>  missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: pull-request-available, security
> Attachments: YARN-10555_1.patch
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.  
> {code:java}
> application_1609318368700_0002 belongs to user2
> user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
> {
>   "appAttempts": {
>     "appAttempt": [
>       {
>         "id": 1,
>         "startTime": 1609318411566,
>         "containerId": "container_1609318368700_0002_01_01",
>         "nodeHttpAddress": "hadoop12:8044",
>         "nodeId": "hadoop12:36831",
>         "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
>         "blacklistedNodes": "",
>         "nodesBlacklistedBySystem": ""
>       }
>     ]
>   }
> }
> {code}
> Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
> hsr)"; they would hide the logs link if the appid does not belong to the querying 
> user, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
>  We need to add hasAccess(app, hsr) for getAppAttempts.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org



[jira] [Updated] (YARN-10555) missing access check before getAppAttempts

2021-01-08 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Summary:  missing access check before getAppAttempts  (was:  missing 
security check before getAppAttempts)

>  missing access check before getAppAttempts
> ---
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: security
> Attachments: YARN-10555_1.patch
>
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.  
> {code:java}
> application_1609318368700_0002 belongs to user2
> user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
> {
>   "appAttempts": {
>     "appAttempt": [
>       {
>         "id": 1,
>         "startTime": 1609318411566,
>         "containerId": "container_1609318368700_0002_01_01",
>         "nodeHttpAddress": "hadoop12:8044",
>         "nodeId": "hadoop12:36831",
>         "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
>         "blacklistedNodes": "",
>         "nodesBlacklistedBySystem": ""
>       }
>     ]
>   }
> }
> {code}
> Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
> hsr)"; they would hide the logs link if the appid does not belong to the querying 
> user, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
>  We need to add hasAccess(app, hsr) for getAppAttempts.
>  


