[
https://issues.apache.org/jira/browse/MAPREDUCE-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13126746#comment-13126746
]
Allen Wittenauer commented on MAPREDUCE-2858:
---------------------------------------------
bq. Please do not discuss specific vulnerabilities here
Too bad. Let's play break the system.
User connects to RM which is redirect to the AM through the proxy. The AM has
an embedded object such as a flash animation or utilizes a trojan image.
(After all, it passes through the white list since it is loaded from my AM).
We write the creds we just gained through our hack to some place in HDFS...
let's say /tmp. Through an Oozie workflow that has a file watch, I push the
cookie/whatever i just gained back to my super secret lair hosting provider.
(So even if you block data in and out of the grid, the workflow manager
requires access out...) Now I can impersonate all of the Yahoo! employees I
want through their cookie auth.
I'm fairly convinced that signing is the only way to go without turning the
knobs so far up that the AM is pretty useless (no images! no embedded objects!
no links off the system! no js at all! ... ) . The cert could actually be
verified by the RM to mark AM as trusted or not trusted.
> MRv2 WebApp Security
> --------------------
>
> Key: MAPREDUCE-2858
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-2858
> Project: Hadoop Map/Reduce
> Issue Type: Sub-task
> Components: applicationmaster, mrv2, security
> Affects Versions: 0.23.0
> Reporter: Luke Lu
> Assignee: Luke Lu
> Priority: Blocker
> Fix For: 0.23.0
>
>
> In MRv2, while the system servers (ResourceManager (RM), NodeManager (NM) and
> NameNode (NN)) run as "trusted"
> system users, the application masters (AM) run as users who submit the
> application. While this offers great flexibility
> to run multiple version of mapreduce frameworks (including their UI) on the
> same Hadoop cluster, it has significant
> implication for the security of webapps (Please do not discuss company
> specific vulnerabilities here).
> Requirements:
> # Secure authentication for AM (for app/job level ACLs).
> # Webapp security should be optional via site configuration.
> # Support existing pluggable single sign on mechanisms.
> # Should not require per app/user configuration for deployment.
> # Should not require special site-wide DNS configuration for deployment.
> This the top jira for webapp security. A design doc/notes of threat-modeling
> and counter measures will be posted on the wiki.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
