[jira] [Created] (YARN-5836) NMToken passwd not checked in ContainerManagerImpl, so that malicious AM can fake the Token and kill containers of other apps at will

[Botong Huang (JIRA)]

Botong Huang created YARN-5836:
----------------------------------

             Summary: NMToken passwd not checked in ContainerManagerImpl, so 
that malicious AM can fake the Token and kill containers of other apps at will
                 Key: YARN-5836
                 URL: https://issues.apache.org/jira/browse/YARN-5836
             Project: Hadoop YARN
          Issue Type: Bug
          Components: nodemanager
            Reporter: Botong Huang
            Assignee: Botong Huang
            Priority: Minor


When AM calls NM via stopContainers in ContainerManagementProtocol, the NMToken 
(generated by RM) is passed along via the user ugi. However currently 
ContainerManagerImpl is not validating this token correctly, specifically in 
authorizeGetAndStopContainerRequest in ContainerManagerImpl. Basically it 
blindly trusts the content in the NMTokenIdentifier without verifying the 
password (RM generated signature) in the NMToken, so that malicious AM can just 
fake the content in the NMTokenIdentifier and pass it to NMs. Moreover, 
currently even for plain text checking, when the appId doesn’t match, all it 
does is log it as a warning and continues to kill the container…

For startContainers the NMToken is not checked correctly in authorizeUser as 
well, however the ContainerToken is verified properly by regenerating and 
comparing the password in verifyAndGetContainerTokenIdentifier, so that 
malicious AM cannot launch containers at will. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org