[
https://issues.apache.org/jira/browse/YARN-5836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15672091#comment-15672091
]
Botong Huang commented on YARN-5836:
------------------------------------
Great, thanks [~jlowe], [~asuresh] and [~subru]!
> Malicious AM can kill containers of other apps running in any node its
> containers are running
> ---------------------------------------------------------------------------------------------
>
> Key: YARN-5836
> URL: https://issues.apache.org/jira/browse/YARN-5836
> Project: Hadoop YARN
> Issue Type: Bug
> Components: nodemanager
> Reporter: Botong Huang
> Assignee: Botong Huang
> Priority: Minor
> Fix For: 2.8.0, 3.0.0-alpha2
>
> Attachments: YARN-5836.v1.patch, YARN-5836.v2.patch
>
> Original Estimate: 5h
> Remaining Estimate: 5h
>
> When AM calls NM via {{ContainerManagementProtocol}}, the NMToken is suppied
> for authentication. The RPC server will verify the password of NMToken
> (originally generated by RM) so that we know the content of NMTokenIdentifier
> is geniune.
> Next, for {{stopContainers()}} and {{getContainerStatus()}}, method
> {{authorizeGetAndStopContainerRequest()}} is used to verify that the requsted
> containers do belong to the AM by comparing them against the AppId in
> NMTokenIdentifier. However, right now when the appId doesn't match,
> {{authorizeGetAndStopContainerRequest()}} only log a warning message and
> continues to kill the container... Overall a malicious AM can kill containers
> of other apps running in any node its containers are running.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
