[jira] [Updated] (YARN-10555) missing security check before getAppAttempts

Wed, 30 Dec 2020 02:09:04 -0800 


     [ 
https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

lujie updated YARN-10555:
-------------------------
    Description: 
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get the some sensitive information, like logs link.  

Others api, like getApps and getApp, has security check  like "hasAccess(app, 
hsr)", they would not leak the logs link, see 

[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

 

We need add hasAccess(app, hsr) for getAppAttempts. @[~ayushtkn]

 

  was:
It seems that we miss a security check before getAppAttempts, see 
[https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]

thus we can get the some sensitive information, like logs link.  

Others api, like getApps and getApp, has security check  like "hasAccess(app, 
hsr)", they would not leak the logs link, see 

https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098

 

We need add hasAccess(app, hsr) for getAppAttempts.@

 


>  missing security check before getAppAttempts
> ---------------------------------------------
>
>                 Key: YARN-10555
>                 URL: https://issues.apache.org/jira/browse/YARN-10555
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: lujie
>            Priority: Major
>
> It seems that we miss a security check before getAppAttempts, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127]
> thus we can get the some sensitive information, like logs link.  
> Others api, like getApps and getApp, has security check  like "hasAccess(app, 
> hsr)", they would not leak the logs link, see 
> [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]
>  
> We need add hasAccess(app, hsr) for getAppAttempts. @[~ayushtkn]
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to