[ https://issues.apache.org/jira/browse/YARN-6650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16025503#comment-16025503 ]

Jason Lowe commented on YARN-6650:
----------------------------------

The decode then re-encode issue is not really specific to 
ContainerTokenIdentifier.  Any token that is re-encoded in such a way where 
unknown fields are either omitted or not guaranteed to be serialized in the 
same order as done by the token creator could be problematic for upgrade 
scenarios.

> ContainerTokenIdentifier is re-encoded during token verification
> ----------------------------------------------------------------
>
>                 Key: YARN-6650
>                 URL: https://issues.apache.org/jira/browse/YARN-6650
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.8.0
>            Reporter: Jason Lowe
>
> A ContainerTokenIdentifier is serialized into bytes and signed by the RM 
> secret key.  When the NM needs to verify the identifier, it is decoding the 
> bytes into a ContainerTokenIdentifier to get the key ID then re-encoding the 
> identifier into a byte buffer to hash it with the key.  This is fine as long 
> as the RM and NM both agree how a ContainerTokenIdentifier should be 
> serialized into bytes.
> However when the versions of the RM and NM are different and fields were 
> added to the identifier between those versions then the NM may end up 
> re-serializing the fields in a different order than the RM did, especially 
> when there were gaps in the protocol field IDs that were filled in between 
> the versions. If the fields are reordered during the re-encoding then the 
> bytes will not match the original stream that was signed and the token 
> verification will fail.
> The original token identifier bytes received via RPC need to be used by the 
> verification process, not the bytes generated by re-encoding the identifier.
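The decode/re-encode pitfall described in this issue, as an added example that is not Hadoop's own code: a constructed field encoding that, like protobuf, appends fields it does not recognise after the ones it knows, a constructed RM secret, and constructed container fields. Verifying the MAC over a re-encoded copy fails once the NM's field knowledge lags the RM's, while verifying the bytes actually received does not.

```python
import hashlib
import hmac

# Constructed stand-in for the token wire format: "id=value;" pairs.
# Known field IDs are written first in ID order; fields the encoder does
# not know are preserved but appended afterwards, which is what makes a
# decode-then-re-encode round trip order-sensitive across versions.

def encode(fields, known_ids):
    """Serialize (field_id, value) pairs using this encoder's field knowledge."""
    known = sorted((i, v) for i, v in fields if i in known_ids)
    unknown = [(i, v) for i, v in fields if i not in known_ids]
    return "".join(f"{i}={v};" for i, v in known + unknown).encode()

def decode(blob):
    """Parse the wire bytes back into (field_id, value) pairs."""
    pairs = []
    for item in blob.decode().split(";"):
        if item:
            i, v = item.split("=", 1)
            pairs.append((int(i), v))
    return pairs

def sign(blob, key):
    return hmac.new(key, blob, hashlib.sha256).digest()

# Constructed version skew: the RM (newer) knows field 2, which filled a
# gap in the IDs; the NM (older) does not.
RM_IDS = {1, 2, 3}
NM_IDS = {1, 3}
KEY = b"constructed-rm-secret-key"   # constructed, not a real secret

def rm_issue_token(fields):
    """RM side: serialize once and sign exactly those bytes."""
    blob = encode(fields, RM_IDS)
    return blob, sign(blob, KEY)

def verify_by_reencoding(blob, sig, known_ids=NM_IDS):
    """Problematic NM path: decode, re-encode with local field knowledge, MAC."""
    reencoded = encode(decode(blob), known_ids)
    return hmac.compare_digest(sign(reencoded, KEY), sig)

def verify_original_bytes(blob, sig):
    """Corrected path: MAC over the bytes received via RPC, untouched."""
    return hmac.compare_digest(sign(blob, KEY), sig)
```

With identical field knowledge on both sides the re-encoding path still passes, which is why the problem only surfaces during rolling upgrades.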



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
