[jira] [Commented] (YARN-5836) NMToken passwd not checked in ContainerManagerImpl, malicious AM can fake the Token and kill containers of other apps at will

Wed, 09 Nov 2016 06:37:09 -0800 

    [ 
https://issues.apache.org/jira/browse/YARN-5836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15651110#comment-15651110
 ] 

Botong Huang commented on YARN-5836:
------------------------------------

It is theoretical so far. I am in the process of verifying it. I will update 
here when I get some results, thanks! 

> NMToken passwd not checked in ContainerManagerImpl, malicious AM can fake the 
> Token and kill containers of other apps at will
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-5836
>                 URL: https://issues.apache.org/jira/browse/YARN-5836
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>            Reporter: Botong Huang
>            Assignee: Botong Huang
>            Priority: Minor
>   Original Estimate: 5h
>  Remaining Estimate: 5h
>
> When AM calls NM via stopContainers() in ContainerManagementProtocol, the 
> NMToken (generated by RM) is passed along via the user ugi. However currently 
> ContainerManagerImpl is not validating this token correctly, specifically in 
> authorizeGetAndStopContainerRequest() in ContainerManagerImpl. Basically it 
> blindly trusts the content in the NMTokenIdentifier without verifying the 
> password (RM generated signature) in the NMToken, so that malicious AM can 
> just fake the content in the NMTokenIdentifier and pass it to NMs. Moreover, 
> currently even for plain text checking, when the appId doesn’t match, all it 
> does is log it as a warning and continues to kill the container…
> For startContainers the NMToken is not checked correctly in authorizeUser() 
> as well, however the ContainerToken is verified properly by regenerating and 
> comparing the password in verifyAndGetContainerTokenIdentifier(), so that 
> malicious AM cannot launch containers at will. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to