[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

lujie updated YARN-10555:
-------------------------
    Description: 
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.  
{code:java}
user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq

{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_000001",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_000001/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}

{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
hsr)", so they would not leak the logs link, see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

We need to add hasAccess(app, hsr) for getAppAttempts.
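
As an added illustration (not Hadoop's code and not the attached patch), the authorization pattern the issue asks for, written against simplified Java stand-ins: the App, AppAttemptInfo and ForbiddenException classes, the ADMINS set and the signature of hasAccess are all assumptions made for this demo; only the names getAppAttempts and hasAccess echo the issue. The unchecked method has the shape of the reported bug, the checked one applies the same gate that getApp and getApps already use before any attempt data is returned, and main replays the report's scenario with a constructed application owned by user2 and a request from user1:

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added illustration, not Hadoop code: the check YARN-10555 asks for, on
 * simplified stand-ins for RMWebServices' getApp and getAppAttempts.
 * Every class here is hypothetical; only the method names getAppAttempts
 * and hasAccess mirror names used in the issue.
 */
public class AppAttemptAccessDemo {

    /** Hypothetical stand-in for an attempt record; logsLink is the sensitive field. */
    static final class AppAttemptInfo {
        final int id;
        final String containerId;
        final String logsLink;

        AppAttemptInfo(int id, String containerId, String logsLink) {
            this.id = id;
            this.containerId = containerId;
            this.logsLink = logsLink;
        }
    }

    /** Hypothetical stand-in for an RMApp: owner, view ACL and its attempts. */
    static final class App {
        final String id;
        final String owner;
        final Set<String> viewAcl;
        final List<AppAttemptInfo> attempts;

        App(String id, String owner, Set<String> viewAcl, List<AppAttemptInfo> attempts) {
            this.id = id;
            this.owner = owner;
            this.viewAcl = viewAcl;
            this.attempts = attempts;
        }
    }

    /** Thrown for a caller the ACL does not admit; a web layer would map it to HTTP 403. */
    static final class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    /** Cluster admins may view every application (assumption for this demo). */
    static final Set<String> ADMINS = new HashSet<>(Collections.singleton("yarn"));

    /**
     * Stand-in for hasAccess(app, hsr): the remote user of the authenticated
     * request may read the app if they own it, are an admin, or are listed in
     * the application's view ACL.
     */
    static boolean hasAccess(App app, String remoteUser) {
        return app.owner.equals(remoteUser)
            || ADMINS.contains(remoteUser)
            || app.viewAcl.contains(remoteUser);
    }

    /** Shape of the reported bug: any authenticated caller gets attempt details, logsLink included. */
    static List<AppAttemptInfo> getAppAttemptsUnchecked(App app, String remoteUser) {
        return app.attempts;
    }

    /**
     * Hardened shape: the same hasAccess gate getApp/getApps apply, evaluated
     * before any attempt data is handed out, so nothing sensitive reaches a
     * caller who may not view the application.
     */
    static List<AppAttemptInfo> getAppAttempts(App app, String remoteUser) {
        if (!hasAccess(app, remoteUser)) {
            throw new ForbiddenException("User " + remoteUser
                + " is not allowed to view application " + app.id);
        }
        return app.attempts;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the report: user2 owns the app, user1 asks for its attempts.
        AppAttemptInfo attempt = new AppAttemptInfo(1,
            "container_1609318368700_0002_01_000001",
            "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_000001/user2");
        App app = new App("application_1609318368700_0002", "user2",
            Collections.emptySet(), Collections.singletonList(attempt));

        // Before: user1 is shown user2's logs link.
        System.out.println("unchecked: " + getAppAttemptsUnchecked(app, "user1").get(0).logsLink);

        // After: user1 is refused; the owner and the admin still succeed.
        try {
            getAppAttempts(app, "user1");
        } catch (ForbiddenException e) {
            System.out.println("checked:   " + e.getMessage());
        }
        System.out.println("owner:     " + getAppAttempts(app, "user2").get(0).logsLink);
        System.out.println("admin:     " + getAppAttempts(app, "yarn").size() + " attempt(s)");
    }
}
```

Whether a refused caller should receive a 403 or a response with the sensitive fields elided is a design choice the issue leaves open; the demo refuses outright, which also keeps the attempt listing from confirming that an application exists to a user who may not view it. The important property is that the check runs before any per-attempt data is assembled, and that every endpoint deriving data from an application goes through the same gate, since the logs link is only the field the report happened to show.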

 

  was:
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.  
{code:java}
curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq

{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_000001",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_000001/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}

{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
hsr)", so they would not leak the logs link, see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

We need to add hasAccess(app, hsr) for getAppAttempts.

 


>  missing security check before getAppAttempts
> ---------------------------------------------
>
>                 Key: YARN-10555
>                 URL: https://issues.apache.org/jira/browse/YARN-10555
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: webapp
>            Reporter: lujie
>            Priority: Critical
>              Labels: security
>         Attachments: YARN-10555_1.patch
>
>
> It seems that we are missing a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get some sensitive information, like the logs link.  
> {code:java}
> user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
> {
>   "appAttempts": {
>     "appAttempt": [
>       {
>         "id": 1,
>         "startTime": 1609318411566,
>         "containerId": "container_1609318368700_0002_01_000001",
>         "nodeHttpAddress": "hadoop12:8044",
>         "nodeId": "hadoop12:36831",
>         "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_000001/user2",
>         "blacklistedNodes": "",
>         "nodesBlacklistedBySystem": ""
>       }
>     ]
>   }
> }
> {code}
> Other APIs, like getApps and getApp, have a security check like "hasAccess(app, 
> hsr)", so they would not leak the logs link, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
> We need to add hasAccess(app, hsr) for getAppAttempts.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
