[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2021-01-01 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would hide the logs link if the appid does not belong to the querying user, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

  was:
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would hide the logs link if the appid does not belong to one user, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 


>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Assignee: lujie
>Priority: Critical
>  Labels: security
> Attachments: YARN-10555_1.patch
>
>
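The gap the report describes is an authorization check that getApp and getApps apply but getAppAttempts skips. The following is an added example, not Hadoop's own code and not the patch attached to this issue: it models the hasAccess(app, hsr) gate with hypothetical stand-in types (Caller for the authenticated REST principal, App for the RMApp with its owner and VIEW_APP ACL, Attempt and AttemptInfo for the attempt and its response entry) and shows the unchecked handler beside the checked one, which hides logsLink when the caller is not the owner, an admin, or on the application's view ACL. The owner/admin/ACL rule is an assumption about what hasAccess enforces, not taken from the linked source.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example, not Hadoop's code: the access gate that getApp/getApps apply
 * via hasAccess(app, hsr), modelled for getAppAttempts with hypothetical types.
 */
public class AppAttemptsAccessExample {

    /** Hypothetical: the authenticated REST caller (from the SPNEGO principal). */
    static final class Caller {
        final String user;
        final boolean admin;
        Caller(String user, boolean admin) { this.user = user; this.admin = admin; }
    }

    /** Hypothetical: one attempt of an application. */
    static final class Attempt {
        final int id;
        final String containerId;
        final String nodeHttpAddress;
        Attempt(int id, String containerId, String nodeHttpAddress) {
            this.id = id; this.containerId = containerId; this.nodeHttpAddress = nodeHttpAddress;
        }
    }

    /** Hypothetical: an application with its owner, VIEW_APP ACL and attempts. */
    static final class App {
        final String owner;
        final Set<String> viewAcl;
        final List<Attempt> attempts;
        App(String owner, Set<String> viewAcl, List<Attempt> attempts) {
            this.owner = owner; this.viewAcl = viewAcl; this.attempts = attempts;
        }
    }

    /** What the response carries per attempt; logsLink is null when hidden. */
    static final class AttemptInfo {
        final int id;
        final String containerId;
        final String logsLink;
        AttemptInfo(int id, String containerId, String logsLink) {
            this.id = id; this.containerId = containerId; this.logsLink = logsLink;
        }
    }

    /** Assumed semantics of hasAccess(app, hsr): owner, cluster admin, or on the VIEW_APP ACL. */
    static boolean hasAccess(App app, Caller caller) {
        return caller.admin || app.owner.equals(caller.user) || app.viewAcl.contains(caller.user);
    }

    /** Builds the NodeManager container-log URL as it appears in the report's response. */
    static String logsLink(App app, Attempt a) {
        return "http://" + a.nodeHttpAddress + "/node/containerlogs/" + a.containerId + "/" + app.owner;
    }

    /** The shape the report describes: every authenticated caller gets the logs link. */
    static List<AttemptInfo> getAppAttemptsUnchecked(App app, Caller caller) {
        List<AttemptInfo> out = new ArrayList<>();
        for (Attempt a : app.attempts) {
            out.add(new AttemptInfo(a.id, a.containerId, logsLink(app, a)));
        }
        return out;
    }

    /** The fix the report asks for: gate on hasAccess and hide the link when denied, as getApp does. */
    static List<AttemptInfo> getAppAttemptsChecked(App app, Caller caller) {
        boolean access = hasAccess(app, caller);
        List<AttemptInfo> out = new ArrayList<>();
        for (Attempt a : app.attempts) {
            out.add(new AttemptInfo(a.id, a.containerId, access ? logsLink(app, a) : null));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the report: the app belongs to user2 and user1 queries it.
        App app = new App("user2", new HashSet<String>(), Collections.singletonList(
            new Attempt(1, "container_1609318368700_0002_01_01", "hadoop12:8044")));
        Caller user1 = new Caller("user1", false);
        Caller user2 = new Caller("user2", false);

        System.out.println("unchecked, user1: " + getAppAttemptsUnchecked(app, user1).get(0).logsLink);
        System.out.println("checked,   user1: " + getAppAttemptsChecked(app, user1).get(0).logsLink);
        System.out.println("checked,   user2: " + getAppAttemptsChecked(app, user2).get(0).logsLink);
    }
}
```

Run with `javac AppAttemptsAccessExample.java && java AppAttemptsAccessExample`: the unchecked variant prints user2's container-log URL to user1, the checked variant prints null for user1 and the URL for user2. The check is evaluated once per request, before the attempts are serialized, so the same gate applies to every attempt in the list rather than being re-decided per element.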

[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would hide the logs link if the appid does not belong to one user, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

  was:
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 



[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
# application_1609318368700_0002 belongs to user2
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

  was:
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 



[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
application_1609318368700_0002 belongs to user2

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

  was:
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
# application_1609318368700_0002 belongs to user2
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 



[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

  was:
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 






[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 We need to add hasAccess(app, hsr) for getAppAttempts.

 

  was:
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

We need to add hasAccess(app, hsr) for getAppAttempts.

 





--
This message was sent by Atlassian Jira
(v8.3.4

[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

We need to add hasAccess(app, hsr) for getAppAttempts.

 

  was:
It seems that we are missing a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

We need to add hasAccess(app, hsr) for getAppAttempts.

 





--
This message was sent by Atlassian Jira
(v8
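The gap the report describes, as an added example that is not Hadoop code: a Python model of the attempts endpoint without the check beside one that gates on a hasAccess-style check and hides logsLink for callers without access, as the report says getApp and getApps do. The owner-or-admin ACL, the admin user "yarn" and all function names are assumptions; the attempt record is re-typed from the curl output in the issue.

```python
"""Model of the authorization gap in getAppAttempts (YARN-10555).

Added example, not Hadoop code. The ACL model (owner or cluster admin may
view an application), the function names and the admin user "yarn" are
assumptions; the attempt record is re-typed from the issue's curl output.
"""
import copy

# Constructed fixture: who owns application_1609318368700_0002 and the one
# attempt record the RM returned for it in the report.
APP_OWNER = {"application_1609318368700_0002": "user2"}
ATTEMPTS = {
    "application_1609318368700_0002": [
        {
            "id": 1,
            "startTime": 1609318411566,
            "containerId": "container_1609318368700_0002_01_01",
            "nodeHttpAddress": "hadoop12:8044",
            "nodeId": "hadoop12:36831",
            "logsLink": "http://hadoop12:8044/node/containerlogs/"
                        "container_1609318368700_0002_01_01/user2",
            "blacklistedNodes": "",
            "nodesBlacklistedBySystem": "",
        }
    ]
}
CLUSTER_ADMINS = {"yarn"}  # assumption: stands in for the YARN admin ACL

# Fields a caller without view access must not see. The issue names logsLink;
# keeping the set in one place lets an audit reason about it.
PRIVILEGED_FIELDS = ("logsLink",)


def has_access(app_id: str, caller: str) -> bool:
    """Stand-in for hasAccess(app, hsr). In the real service the caller is
    taken from the authenticated request (the principal behind
    `curl --negotiate`) and the decision from the application's view ACL;
    here the rule is simply: owner or cluster admin."""
    return caller in CLUSTER_ADMINS or APP_OWNER.get(app_id) == caller


def get_app_attempts_unchecked(app_id: str, caller: str) -> dict:
    """Shape of the bug: the caller is never consulted, so any authenticated
    user receives the owner's logsLink."""
    return {"appAttempts": {"appAttempt": copy.deepcopy(ATTEMPTS[app_id])}}


def get_app_attempts_checked(app_id: str, caller: str) -> dict:
    """Hardened: decide has_access before serialising and drop privileged
    fields for callers without access, mirroring what the report says
    getApp/getApps do (hide the link) rather than answering a bare 403."""
    if app_id not in ATTEMPTS:
        raise KeyError(app_id)  # the real endpoint answers NotFound here
    allowed = has_access(app_id, caller)
    views = []
    for attempt in ATTEMPTS[app_id]:
        view = copy.deepcopy(attempt)
        if not allowed:
            for field in PRIVILEGED_FIELDS:
                view.pop(field, None)
        views.append(view)
    return {"appAttempts": {"appAttempt": views}}


def exposed_privileged_fields(response: dict) -> set:
    """Audit helper: which privileged fields a response body exposes. The
    same check can be run over a live /ws/v1/cluster/apps/<id>/appattempts
    reply fetched as a non-owner to confirm a cluster is patched."""
    found = set()
    for attempt in response["appAttempts"]["appAttempt"]:
        found.update(f for f in PRIVILEGED_FIELDS if f in attempt)
    return found


if __name__ == "__main__":
    app = "application_1609318368700_0002"
    for handler in (get_app_attempts_unchecked, get_app_attempts_checked):
        leak = exposed_privileged_fields(handler(app, "user1"))
        print(f"{handler.__name__}: user1 sees {sorted(leak) or 'no privileged fields'}")
```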

[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

We need to add hasAccess(app, hsr) for getAppAttempts.

  was:
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

We need to add hasAccess(app, hsr) for getAppAttempts.


>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Priority: Critical
>  Labels: security
> Attachments: YARN-10555_1.patch




[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.
{code:java}
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_01",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_01/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}
Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

We need to add hasAccess(app, hsr) for getAppAttempts.

  was:
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.

Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

We need to add hasAccess(app, hsr) for getAppAttempts.


>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Priority: Critical
>  Labels: security
> Attachments: YARN-10555_1.patch






[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Component/s: webapp

>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>  Components: webapp
>Reporter: lujie
>Priority: Critical
>  Labels: security
> Attachments: YARN-10555_1.patch






[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Labels: security  (was: )

>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>Reporter: lujie
>Priority: Critical
>  Labels: security
> Attachments: YARN-10555_1.patch






[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Priority: Critical  (was: Major)

>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>Reporter: lujie
>Priority: Critical
> Attachments: YARN-10555_1.patch






[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Attachment: (was: YARN-10555_1.patch)

>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>Reporter: lujie
>Priority: Major






[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Attachment: YARN-10555_1.patch

>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>Reporter: lujie
>Priority: Major
> Attachments: YARN-10555_1.patch






[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.

Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

We need to add hasAccess(app, hsr) for getAppAttempts.

  was:
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.

Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

We need to add hasAccess(app, hsr) for getAppAttempts. @[~ayushtkn]


>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>Reporter: lujie
>Priority: Major






[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.

Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

We need to add hasAccess(app, hsr) for getAppAttempts. @[~ayushtkn]

  was:
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.

Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098

We need to add hasAccess(app, hsr) for getAppAttempts.@


>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>Reporter: lujie
>Priority: Major






[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get some sensitive information, like the logs link.

Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)"; they would not leak the logs link, see

https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098

We need to add hasAccess(app, hsr) for getAppAttempts.@

  was:It seems that we miss a 


>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>Reporter: lujie
>Priority: Major






[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

2020-12-30 Thread lujie (Jira)


 [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-
Description: It seems that we miss a 

>  missing security check before getAppAttempts
> -
>
> Key: YARN-10555
> URL: https://issues.apache.org/jira/browse/YARN-10555
> Project: Hadoop YARN
>  Issue Type: Bug
>Reporter: lujie
>Priority: Major


