[jira] [Commented] (YARN-8972) [Router] Add support to prevent DoS attack over ApplicationSubmissionContext size

[ASF GitHub Bot (Jira)]

    [ 
https://issues.apache.org/jira/browse/YARN-8972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17690697#comment-17690697
 ] 

ASF GitHub Bot commented on YARN-8972:
--------------------------------------

slfan1989 commented on code in PR #5382:
URL: https://github.com/apache/hadoop/pull/5382#discussion_r1110636193


##########
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-router/src/main/java/org/apache/hadoop/yarn/server/router/RouterServerUtil.java:
##########
@@ -624,4 +636,109 @@ public static ReservationDefinition 
convertReservationDefinition(
 
     return definition;
   }
+
+  /**
+   * Checks if the ApplicationSubmissionContext submitted with the application
+   * is valid.
+   *
+   * Current checks:
+   * - if its size is within limits.
+   *
+   * @param appContext the app context to check.
+   * @throws IOException if an IO error occurred.
+   * @throws YarnException yarn exception.
+   */
+  @Public
+  @Unstable
+  public static void 
checkAppSubmissionContext(ApplicationSubmissionContextPBImpl appContext,
+      Configuration conf) throws IOException, YarnException {
+    // Prevents DoS over the ApplicationClientProtocol by checking the context
+    // the application was submitted with for any excessively large fields.
+    long maxAscSize = 
conf.getLong(YarnConfiguration.ROUTER_ASC_INTERCEPTOR_MAX_SIZE,
+        YarnConfiguration.DEFAULT_ROUTER_ASC_INTERCEPTOR_MAX_SIZE);
+    if (appContext != null) {
+      int size = appContext.getProto().getSerializedSize();
+      if (size >= maxAscSize) {
+        logContainerLaunchContext(appContext);
+        String errMsg = "The size of the ApplicationSubmissionContext of the 
application " +
+            appContext.getApplicationId() + " is above the limit. Size= " + 
size;
+        throw new YarnException(errMsg);
+      }
+    }
+  }
+
+  /**
+   * Private helper for checkAppSubmissionContext that logs the fields in the
+   * context for debugging.
+   *
+   * @param appContext the app context.
+   * @throws IOException if an IO error occurred.
+   */
+  @Private
+  @Unstable
+  private static void 
logContainerLaunchContext(ApplicationSubmissionContextPBImpl appContext)
+      throws IOException {
+    if (appContext != null && appContext.getAMContainerSpec() != null) {

Review Comment:
   Thanks for your suggestion, I will modify the code.





> [Router] Add support to prevent DoS attack over ApplicationSubmissionContext 
> size
> ---------------------------------------------------------------------------------
>
>                 Key: YARN-8972
>                 URL: https://issues.apache.org/jira/browse/YARN-8972
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Giovanni Matteo Fumarola
>            Assignee: Shilun Fan
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: YARN-8972.v1.patch, YARN-8972.v2.patch, 
> YARN-8972.v3.patch, YARN-8972.v4.patch, YARN-8972.v5.patch
>
>
> This jira tracks the effort to add a new interceptor in the Router to prevent 
> user to submit applications with oversized ASC.
> This avoid YARN cluster to failover.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org