[ 
https://issues.apache.org/jira/browse/YARN-5836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15644391#comment-15644391
 ] 

Jason Lowe commented on YARN-5836:
----------------------------------

As I understand it, the NM token should be getting verified by the SASL server 
as part of the RPC connection, since ContainerManagerImpl sets up the RPC 
server with the NM token secret manager.  That's why we wouldn't see any 
explicit checking of the NM token, as it should be implicitly done as part of 
connecting to the NM.  The container token needs to be verified separately 
since that's not associated directly with an RPC server like the NM token.

bq. even for plain text checking, when the appId doesn’t match, all it does is 
log it as a warning and continues to kill the container

That sounds like a bug to me, authorizeGetAndStopContainerRequest isn't 
throwing an exception like it should.

> NMToken passwd not checked in ContainerManagerImpl, malicious AM can fake the 
> Token and kill containers of other apps at will
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-5836
>                 URL: https://issues.apache.org/jira/browse/YARN-5836
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>            Reporter: Botong Huang
>            Assignee: Botong Huang
>            Priority: Minor
>   Original Estimate: 5h
>  Remaining Estimate: 5h
>
> When AM calls NM via stopContainers() in ContainerManagementProtocol, the 
> NMToken (generated by RM) is passed along via the user ugi. However currently 
> ContainerManagerImpl is not validating this token correctly, specifically in 
> authorizeGetAndStopContainerRequest() in ContainerManagerImpl. Basically it 
> blindly trusts the content in the NMTokenIdentifier without verifying the 
> password (RM generated signature) in the NMToken, so that malicious AM can 
> just fake the content in the NMTokenIdentifier and pass it to NMs. Moreover, 
> currently even for plain text checking, when the appId doesn’t match, all it 
> does is log it as a warning and continues to kill the container…
> For startContainers the NMToken is not checked correctly in authorizeUser() 
> as well, however the ContainerToken is verified properly by regenerating and 
> comparing the password in verifyAndGetContainerTokenIdentifier(), so that 
> malicious AM cannot launch containers at will. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
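
Added example, not part of the original message and not Hadoop code: a minimal Java sketch of the two checks discussed in this thread, recomputing a token's password from its identifier with the shared key, and throwing instead of logging when the token's appId does not own the container. The class and method names, the HmacSHA256 algorithm and the sample values are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical names throughout; none of these are Hadoop YARN classes.
public class NmTokenCheckSketch {

    // Recompute the password (a MAC over the identifier bytes) with the shared master key.
    static byte[] createPassword(byte[] identifier, byte[] masterKey) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256"); // assumed algorithm, not taken from the page
        mac.init(new SecretKeySpec(masterKey, "HmacSHA256"));
        return mac.doFinal(identifier);
    }

    // Throws unless the password matches the identifier AND the token's app owns the container.
    static void authorizeStop(String tokenAppId, byte[] presentedPassword,
                              String containerAppId, byte[] masterKey) throws Exception {
        byte[] expected = createPassword(tokenAppId.getBytes(StandardCharsets.UTF_8), masterKey);
        // Constant-time comparison of the regenerated and presented passwords.
        if (!MessageDigest.isEqual(expected, presentedPassword)) {
            throw new SecurityException("token password does not match identifier");
        }
        // Fail closed: an appId mismatch is an error, not a warning followed by the kill.
        if (!tokenAppId.equals(containerAppId)) {
            throw new SecurityException("token for " + tokenAppId
                    + " may not stop a container of " + containerAppId);
        }
    }

    static boolean allowed(String tokenAppId, byte[] password,
                           String containerAppId, byte[] masterKey) throws Exception {
        try {
            authorizeStop(tokenAppId, password, containerAppId, masterKey);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values.
        byte[] key = "constructed-master-key".getBytes(StandardCharsets.UTF_8);
        String appA = "application_0001", appB = "application_0002";
        byte[] passwordA = createPassword(appA.getBytes(StandardCharsets.UTF_8), key);
        System.out.println("genuine token, own container:   " + allowed(appA, passwordA, appA, key));
        System.out.println("identifier edited to other app: " + allowed(appB, passwordA, appB, key));
        System.out.println("genuine token, other app:       " + allowed(appA, passwordA, appB, key));
    }
}
```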
