[ 
https://issues.apache.org/jira/browse/YARN-5836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Botong Huang updated YARN-5836:
-------------------------------
    Description: 
When AM calls NM via {{ContainerManagementProtocol}}, the NMToken is supplied 
for authentication. The RPC server will verify the password of NMToken 
(originally generated by RM) so that we know the content of NMTokenIdentifier 
is genuine. 

Next, for {{stopContainers()}} and {{getContainerStatus()}}, method 
{{authorizeGetAndStopContainerRequest()}} is used to verify that the requested 
containers do belong to the AM by comparing them against the AppId in 
NMTokenIdentifier. However, right now when the appId doesn't match, 
{{authorizeGetAndStopContainerRequest()}} only logs a warning message and 
continues to kill the container... Overall a malicious AM can kill containers 
of other apps running on any node where its containers are running. 

  was:
When AM calls NM via stopContainers() in ContainerManagementProtocol, the 
NMToken (generated by RM) is passed along via the user ugi. However currently 
ContainerManagerImpl is not validating this token correctly, specifically in 
authorizeGetAndStopContainerRequest() in ContainerManagerImpl. Basically it 
blindly trusts the content in the NMTokenIdentifier without verifying the 
password (RM generated signature) in the NMToken, so that malicious AM can just 
fake the content in the NMTokenIdentifier and pass it to NMs. Moreover, 
currently even for plain text checking, when the appId doesn’t match, all it 
does is log it as a warning and continues to kill the container…

For startContainers the NMToken is not checked correctly in authorizeUser() as 
well, however the ContainerToken is verified properly by regenerating and 
comparing the password in verifyAndGetContainerTokenIdentifier(), so that 
malicious AM cannot launch containers at will. 


> NMToken passwd not checked in ContainerManagerImpl, malicious AM can fake the 
> Token and kill containers of other apps at will
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-5836
>                 URL: https://issues.apache.org/jira/browse/YARN-5836
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>            Reporter: Botong Huang
>            Assignee: Botong Huang
>            Priority: Minor
>   Original Estimate: 5h
>  Remaining Estimate: 5h
>
> When AM calls NM via {{ContainerManagementProtocol}}, the NMToken is supplied 
> for authentication. The RPC server will verify the password of NMToken 
> (originally generated by RM) so that we know the content of NMTokenIdentifier 
> is genuine. 
> Next, for {{stopContainers()}} and {{getContainerStatus()}}, method 
> {{authorizeGetAndStopContainerRequest()}} is used to verify that the requested 
> containers do belong to the AM by comparing them against the AppId in 
> NMTokenIdentifier. However, right now when the appId doesn't match, 
> {{authorizeGetAndStopContainerRequest()}} only logs a warning message and 
> continues to kill the container... Overall a malicious AM can kill containers 
> of other apps running on any node where its containers are running. 
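
The log-only check described in the issue, next to an enforcing one, as an added example that is not Hadoop source and not part of the original message. All class, method and container names are hypothetical stand-ins; the token's appId is assumed to be already authenticated by the RPC layer, and rejecting unknown containers is a choice of this example.

```java
import java.util.List;
import java.util.Map;

// Simplified model of the authorization step; names are hypothetical.
public class StopContainerAuthz {
    // Stand-in for the authenticated NMTokenIdentifier content.
    record TokenIdentity(String appId) {}

    static class AuthzException extends Exception {
        AuthzException(String msg) { super(msg); }
    }

    // Constructed sample state: containerId -> owning appId on this node.
    static final Map<String, String> CONTAINER_OWNER = Map.of(
        "container_A_01", "app_A",
        "container_B_01", "app_B");

    // Fail-open: a mismatch is only logged, so the caller goes on to stop.
    static void authorizeLogOnly(TokenIdentity token, String containerId) {
        String owner = CONTAINER_OWNER.get(containerId);
        if (!token.appId().equals(owner)) {
            System.err.println("WARN: " + token.appId() + " requested "
                + containerId + " owned by " + owner);
        }
    }

    // Fail-closed: a mismatch (or unknown container) aborts the request.
    static void authorizeEnforced(TokenIdentity token, String containerId)
            throws AuthzException {
        String owner = CONTAINER_OWNER.get(containerId);
        if (owner == null || !owner.equals(token.appId())) {
            throw new AuthzException(token.appId()
                + " is not authorized for " + containerId);
        }
    }

    public static void main(String[] args) {
        TokenIdentity tokenOfAppA = new TokenIdentity("app_A");
        for (String id : List.of("container_A_01", "container_B_01")) {
            authorizeLogOnly(tokenOfAppA, id); // never blocks
            System.out.println("log-only: stop proceeds for " + id);
            try {
                authorizeEnforced(tokenOfAppA, id);
                System.out.println("enforced: stop proceeds for " + id);
            } catch (AuthzException e) {
                System.out.println("enforced: rejected, " + e.getMessage());
            }
        }
    }
}
```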


