[
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
lujie updated YARN-10555:
-------------------------
Description:
It seems that we are missing a security check before getAppAttempts, see
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belong to user2
user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_000001",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_000001/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app,
hsr)"; they would hide the logs link if the app id does not belong to the user,
see
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
We need to add hasAccess(app, hsr) for getAppAttempts.
was:
It seems that we are missing a security check before getAppAttempts, see
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belong to user2
user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_000001",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_000001/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app,
hsr)"; they would not leak the logs link, see
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
We need to add hasAccess(app, hsr) for getAppAttempts.
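As an added illustration of the fix the report asks for (this is not Hadoop's own code and not the attached patch), the following Python models the two handler shapes side by side: one that never consults the access check, so every authenticated caller receives logsLink, and one that mirrors getApp/getApps by evaluating access once per request and letting that decision control which fields are emitted. It also includes a small audit helper that reads the JSON body of a GET .../appattempts response and lists any logsLink a non-owner should not have received, which is a quick way to confirm whether a given ResourceManager still exposes the link. The function names, the VIEW_ADMINS set (standing in for the owner/admin/view-ACL decision the real hasAccess(app, hsr) makes) and the sample attempt data (copied from the output above) are assumptions made for this example.

```python
import json

# Constructed sample: the application and attempt shown in the report above.
APP_ID = "application_1609318368700_0002"
APP_OWNER = "user2"
ATTEMPTS = [
    {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_000001",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
    }
]

# Assumption: principals allowed to view every application. This stands in for
# the owner/admin/view-ACL decision that the real hasAccess(app, hsr) makes.
VIEW_ADMINS = {"yarn"}


def has_access(app_owner, requester):
    """Stand-in for RMWebServices.hasAccess(app, hsr): the owner and view
    admins may see full details; everyone else gets the redacted view."""
    return requester == app_owner or requester in VIEW_ADMINS


def logs_link(attempt, app_owner):
    # Same shape as the logsLink in the report: NodeManager web address,
    # container id and the application owner.
    return "http://%s/node/containerlogs/%s/%s" % (
        attempt["nodeHttpAddress"], attempt["containerId"], app_owner)


def attempt_info(attempt, app_owner, include_logs_link):
    """Build one appAttempt entry, emitting logsLink only when allowed."""
    info = {k: attempt[k] for k in
            ("id", "startTime", "containerId", "nodeHttpAddress", "nodeId")}
    if include_logs_link:
        info["logsLink"] = logs_link(attempt, app_owner)
    info["blacklistedNodes"] = ""
    info["nodesBlacklistedBySystem"] = ""
    return info


def get_app_attempts_unchecked(app_owner, attempts, requester):
    """The behaviour the report describes: the requester is never consulted,
    so any authenticated caller receives logsLink."""
    return {"appAttempts": {"appAttempt": [
        attempt_info(a, app_owner, True) for a in attempts]}}


def get_app_attempts(app_owner, attempts, requester):
    """Hardened form, mirroring getApp/getApps: evaluate access once per
    request and let it decide whether sensitive fields are emitted."""
    allowed = has_access(app_owner, requester)
    return {"appAttempts": {"appAttempt": [
        attempt_info(a, app_owner, allowed) for a in attempts]}}


def exposed_logs_links(response, app_owner, requester):
    """Audit helper: given the body of a GET .../appattempts response (dict or
    JSON string), return the logsLink values this requester should not have
    received. An empty list means the endpoint redacted correctly for them."""
    body = json.loads(response) if isinstance(response, str) else response
    if has_access(app_owner, requester):
        return []
    attempts = body.get("appAttempts", {}).get("appAttempt", [])
    return [a["logsLink"] for a in attempts if "logsLink" in a]


if __name__ == "__main__":
    # user1 is not the owner: the unchecked handler leaks, the checked one does not.
    for handler in (get_app_attempts_unchecked, get_app_attempts):
        body = handler(APP_OWNER, ATTEMPTS, "user1")
        print(handler.__name__, "exposes:",
              exposed_logs_links(body, APP_OWNER, "user1"))
```

To audit a live cluster with the same helper, feed it the body returned by the curl command from the report while authenticated as a user who does not own the application; any entry in the returned list is a link that the access check should have suppressed.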
> missing security check before getAppAttempts
> ---------------------------------------------
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
> Issue Type: Bug
> Components: webapp
> Reporter: lujie
> Priority: Critical
> Labels: security
> Attachments: YARN-10555_1.patch
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)