[ https://issues.apache.org/jira/browse/YARN-5836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15637806#comment-15637806 ]

Arun Suresh commented on YARN-5836:
-----------------------------------

Thanks for raising this [~botong].

Makes sense. I guess the stopContainer call can probably send a new 
ApplicationEvent.KILL_CONTAINER event which is routed through the application to 
ensure the container in question actually belongs to the Application before 
forwarding the KILL_CONTAINER to the container.

[~jianhe], [~vvasudev], [~kasha]... Thoughts?

> NMToken passwd not checked in ContainerManagerImpl, malicious AM can fake the 
> Token and kill containers of other apps at will
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: YARN-5836
>                 URL: https://issues.apache.org/jira/browse/YARN-5836
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: nodemanager
>            Reporter: Botong Huang
>            Assignee: Botong Huang
>            Priority: Minor
>   Original Estimate: 5h
>  Remaining Estimate: 5h
>
> When an AM calls the NM via stopContainers() in ContainerManagementProtocol, the
> NMToken (generated by RM) is passed along via the user ugi. However, currently
> ContainerManagerImpl is not validating this token correctly, specifically in
> authorizeGetAndStopContainerRequest() in ContainerManagerImpl. Basically it
> blindly trusts the content in the NMTokenIdentifier without verifying the
> password (RM generated signature) in the NMToken, so that a malicious AM can
> just fake the content in the NMTokenIdentifier and pass it to NMs. Moreover,
> currently even for plain text checking, when the appId doesn’t match, all it
> does is log it as a warning and continue to kill the container…
> For startContainers the NMToken is not checked correctly in authorizeUser()
> as well, however the ContainerToken is verified properly by regenerating and
> comparing the password in verifyAndGetContainerTokenIdentifier(), so that
> a malicious AM cannot launch containers at will.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
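
The two checks discussed in this thread (regenerating and comparing the token password, then confirming the container belongs to the token's application before the kill is forwarded), as an added example that is not part of the original message and is not Hadoop code. The class and method names, the identifier layout (just the appId as UTF-8 bytes), the use of HmacSHA1 and the sample key and ids are all assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;

// Added illustration: class, methods and token layout are hypothetical, not Hadoop's.
public class StopContainerAuthSketch {
    // Assumption: the password is an HMAC over the identifier bytes, keyed with a
    // master key that the RM shares with the NM.
    static byte[] sign(byte[] masterKey, byte[] identifier) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(masterKey, "HmacSHA1"));
        return mac.doFinal(identifier);
    }

    // Check 1: regenerate the password; identifier content is untrusted until it matches.
    // Check 2: reject (not just warn) when the container is owned by another application.
    static void authorizeStop(byte[] masterKey, byte[] identifier, byte[] password,
                              String containerOwnerAppId) throws GeneralSecurityException {
        if (!MessageDigest.isEqual(sign(masterKey, identifier), password)) {
            throw new SecurityException("NMToken password mismatch");
        }
        String tokenAppId = new String(identifier, StandardCharsets.UTF_8);
        if (!tokenAppId.equals(containerOwnerAppId)) {
            throw new SecurityException("container is owned by " + containerOwnerAppId
                    + ", token is for " + tokenAppId);
        }
    }

    static String attempt(byte[] key, byte[] id, byte[] pw, String owner)
            throws GeneralSecurityException {
        try { authorizeStop(key, id, pw, owner); return "allowed"; }
        catch (SecurityException e) { return "rejected: " + e.getMessage(); }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] key = "constructed-master-key".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] appA = "application_0001".getBytes(StandardCharsets.UTF_8);      // constructed sample
        byte[] appB = "application_0002".getBytes(StandardCharsets.UTF_8);      // constructed sample
        byte[] pwA = sign(key, appA);
        // App A's AM stops its own container: both checks pass.
        System.out.println(attempt(key, appA, pwA, "application_0001"));
        // Identifier rewritten to app B while keeping app A's password: check 1 fails.
        System.out.println(attempt(key, appB, pwA, "application_0002"));
        // Genuine app A token aimed at a container owned by app B: check 2 fails.
        System.out.println(attempt(key, appA, pwA, "application_0002"));
    }
}
```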
