[ https://issues.apache.org/jira/browse/YARN-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
lujie updated YARN-10555:
-------------------------

> missing security check before getAppAttempts
> ---------------------------------------------
>
>                 Key: YARN-10555
>                 URL: https://issues.apache.org/jira/browse/YARN-10555
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: webapp
>            Reporter: lujie
>            Priority: Critical
>              Labels: security
>         Attachments: YARN-10555_1.patch

Description:

It seems that we miss a security check before getAppAttempts, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127], thus we can get some sensitive information, like the logs link.

{code:java}
curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_000001",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_000001/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
{code}

Other APIs, like getApps and getApp, have a security check like "hasAccess(app, hsr)", so they would not leak the logs link, see [https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098]

We need to add hasAccess(app, hsr) for getAppAttempts.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
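To make the requested fix concrete, here is an added Python model of the access-gated response building, not Hadoop's own code: `has_access`, `attempt_info`, the view-ACL set and the sample records are constructed stand-ins for RMWebServices.hasAccess(app, hsr) and AppAttemptInfo. Running the same builder with the check skipped reproduces the reported leak, and `leaks_logs_link` is the assertion an admin's regression test would make against the hardened endpoint.

```python
from dataclasses import dataclass, field

@dataclass
class RMApp:
    """Constructed stand-in for the RM's application record."""
    app_id: str
    user: str                                     # application owner
    view_acl: set = field(default_factory=set)    # extra users allowed to view
    attempts: list = field(default_factory=list)

@dataclass
class RMAppAttempt:
    attempt_id: int
    start_time: int
    container_id: str
    node_http_address: str
    node_id: str

def has_access(app, caller, admins=frozenset()):
    """Stand-in for hasAccess(app, hsr): owner, view-ACL member or admin."""
    return caller == app.user or caller in app.view_acl or caller in admins

def attempt_info(app, attempt, allowed, scheme="http://"):
    """Build one appAttempt entry; logsLink is emitted only with access."""
    info = {"id": attempt.attempt_id, "startTime": attempt.start_time,
            "containerId": attempt.container_id,
            "nodeHttpAddress": attempt.node_http_address,
            "nodeId": attempt.node_id}
    if allowed:
        info["logsLink"] = (f"{scheme}{attempt.node_http_address}/node/"
                            f"containerlogs/{attempt.container_id}/{app.user}")
    return info

def get_app_attempts(app, caller, check_access=True):
    """check_access=False models the reported behaviour (every caller treated
    as allowed); check_access=True mirrors the hasAccess gate used by getApp."""
    allowed = has_access(app, caller) if check_access else True
    return {"appAttempts": {"appAttempt":
            [attempt_info(app, a, allowed) for a in app.attempts]}}

def leaks_logs_link(response):
    """Audit helper: True if any attempt entry in a response carries logsLink."""
    return any("logsLink" in a for a in response["appAttempts"]["appAttempt"])

# Constructed sample reusing the identifiers shown in the ticket's output.
SAMPLE_APP = RMApp(
    app_id="application_1609318368700_0002", user="user2",
    attempts=[RMAppAttempt(1, 1609318411566,
                           "container_1609318368700_0002_01_000001",
                           "hadoop12:8044", "hadoop12:36831")])
```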