[ https://issues.apache.org/jira/browse/YARN-5836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15637806#comment-15637806 ]
Arun Suresh commented on YARN-5836: ----------------------------------- Thanks for raising this [~botong]. Makes sense. I guess the stopContainer call can probably send a new ApplicationEvent.KILL_CONTAINER event which is routed thru the application to ensure the container in question actually belongs to the Application before forwarding the KILL_CONTAINER to the container. [~jianhe], [~vvasudev], [~kasha].. Thoughts ? > NMToken passwd not checked in ContainerManagerImpl, malicious AM can fake the > Token and kill containers of other apps at will > ----------------------------------------------------------------------------------------------------------------------------- > > Key: YARN-5836 > URL: https://issues.apache.org/jira/browse/YARN-5836 > Project: Hadoop YARN > Issue Type: Bug > Components: nodemanager > Reporter: Botong Huang > Assignee: Botong Huang > Priority: Minor > Original Estimate: 5h > Remaining Estimate: 5h > > When AM calls NM via stopContainers() in ContainerManagementProtocol, the > NMToken (generated by RM) is passed along via the user ugi. However currently > ContainerManagerImpl is not validating this token correctly, specifically in > authorizeGetAndStopContainerRequest() in ContainerManagerImpl. Basically it > blindly trusts the content in the NMTokenIdentifier without verifying the > password (RM generated signature) in the NMToken, so that malicious AM can > just fake the content in the NMTokenIdentifier and pass it to NMs. Moreover, > currently even for plain text checking, when the appId doesn’t match, all it > does is log it as a warning and continues to kill the container… > For startContainers the NMToken is not checked correctly in authorizeUser() > as well, however the ContainerToken is verified properly by regenerating and > comparing the password in verifyAndGetContainerTokenIdentifier(), so that > malicious AM cannot launch containers at will. -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org