[jira] [Updated] (YARN-5836) ContainerManagerImpl not throwing exception when AppId in NMTokenIdentifier does not match containerId to kill. Malicious AM can kill containers of other apps running in any node its containers are running

Tue, 15 Nov 2016 11:56:29 -0800 

     [ 
https://issues.apache.org/jira/browse/YARN-5836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Botong Huang updated YARN-5836:
-------------------------------
    Summary: ContainerManagerImpl not throwing exception when AppId in 
NMTokenIdentifier does not match containerId to kill. Malicious AM can kill 
containers of other apps running in any node its containers are running  (was: 
NMToken passwd not checked in ContainerManagerImpl, malicious AM can fake the 
Token and kill containers of other apps at will)

> ContainerManagerImpl not throwing exception when AppId in NMTokenIdentifier 
> does not match containerId to kill. Malicious AM can kill containers of other 
> apps running in any node its containers are running
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-5836
>                 URL: https://issues.apache.org/jira/browse/YARN-5836
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>            Reporter: Botong Huang
>            Assignee: Botong Huang
>            Priority: Minor
>   Original Estimate: 5h
>  Remaining Estimate: 5h
>
> When AM calls NM via {{ContainerManagementProtocol}}, the NMToken is suppied 
> for authentication. The RPC server will verify the password of NMToken 
> (originally generated by RM) so that we know the content of NMTokenIdentifier 
> is geniune. 
> Next, for {{stopContainers()}} and {{getContainerStatus()}}, method 
> {{authorizeGetAndStopContainerRequest()}} is used to verify that the requsted 
> containers do belong to the AM by comparing them against the AppId in 
> NMTokenIdentifier. However, right now when the appId doesn't match, 
> {{authorizeGetAndStopContainerRequest()}} only log a warning message and 
> continues to kill the container... Overall a malicious AM can kill containers 
> of other apps running in any node its containers are running. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to