[ https://issues.apache.org/jira/browse/YARN-11937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bence Kosztolnik resolved YARN-11937.
-------------------------------------
Resolution: Won't Fix
I am closing the issue, as this can be an attack vector:
Let's say Bob creates a YARN app and starts to run it on the cluster.
Bob's user has the right privileges, so the app is kinda safe.
Alice, the YARN admin, checks Bob's application's AM UI.
Then Alice's JWT may leak to Bob, who can impersonate Alice.
> Forward hadoop-jwt with YARN proxy
> ----------------------------------
>
> Key: YARN-11937
> URL: https://issues.apache.org/jira/browse/YARN-11937
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: yarn
> Affects Versions: 3.5.0
> Reporter: Bence Kosztolnik
> Assignee: Bence Kosztolnik
> Priority: Major
> Labels: pull-request-available
>
> The YARN web proxy does not forward the hadoop-jwt token.
> So if we
> - have a YARN application (let's say Spark)
> - and we check the RM UI2 via the KNOX proxy
> - and we click the +ApplicationMaster+ link on the application page of the
> Spark app
> the browser will be forwarded to the Spark AM UI,
> for example: /gateway/cdp-proxy/yarnuiv2/proxy/application_1771935206205_0001/
> KNOX won't receive the hadoop-jwt cookie, so it will ask the user to log in.
> Instead of this, if we can pass the JWT cookie to KNOX, the user can
> see the AM UI in a logged-in state and won't need to log in again.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
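
The concern in the resolution comment, shown as an added example that is not part of the original message or of Hadoop's code: a proxy-side filter that removes the hadoop-jwt cookie before a request is forwarded to an application-owned backend such as an AM UI, so the application owner never receives the visitor's token. The function names, header list and sample request are constructed for illustration.

```python
"""Strip SSO credential cookies before a reverse proxy forwards a request
to a backend that the authenticating party does not control."""

# Assumption: cookie name taken from the issue text; the set is configurable.
SSO_COOKIES = frozenset({"hadoop-jwt"})


def split_cookie_header(value):
    """Yield (name, raw_pair) for each cookie-pair in one Cookie header."""
    for pair in value.split(";"):
        pair = pair.strip()
        if pair:
            name = pair.split("=", 1)[0].strip()
            yield name, pair


def headers_for_backend(headers, blocked=SSO_COOKIES):
    """Return (forwarded_headers, stripped_names).

    headers: list of (name, value) tuples as received by the proxy.
    Cookies named in `blocked` are removed; every other header and cookie
    passes through unchanged. Names are compared case-insensitively so
    that `Hadoop-JWT` cannot slip past the filter.
    """
    blocked = {b.lower() for b in blocked}
    forwarded, stripped = [], []
    for name, value in headers:
        if name.lower() != "cookie":
            forwarded.append((name, value))
            continue
        kept = []
        for cookie_name, pair in split_cookie_header(value):
            if cookie_name.lower() in blocked:
                stripped.append(cookie_name)  # log the name, never the value
            else:
                kept.append(pair)
        if kept:  # drop a Cookie header that is now empty
            forwarded.append((name, "; ".join(kept)))
    return forwarded, stripped


# Constructed sample: an admin's browser request for an application's AM UI.
SAMPLE_REQUEST = [
    ("Host", "proxy.example.test"),
    ("Cookie", "JSESSIONID=abc123; hadoop-jwt=eyJhbGciOi.CONSTRUCTED.sig"),
    ("Accept", "text/html"),
    ("cookie", "Hadoop-JWT=second.CONSTRUCTED.copy"),
]
```

The stripped-names list is meant for an audit log entry, which records that a credential cookie was withheld without recording its value.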