Hadoop YARN / YARN-10555

Missing access check before getAppAttempts


    Description

      It seems that we are missing a security check before getAppAttempts; see https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127

      Thus we can get some sensitive information, like the logs link.

      application_1609318368700_0002 belongs to user2
      
      user1@hadoop11$ curl --negotiate -u  : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/|jq
      {
        "appAttempts": {
          "appAttempt": [
            {
              "id": 1,
              "startTime": 1609318411566,
              "containerId": "container_1609318368700_0002_01_000001",
              "nodeHttpAddress": "hadoop12:8044",
              "nodeId": "hadoop12:36831",
              "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_000001/user2",
              "blacklistedNodes": "",
              "nodesBlacklistedBySystem": ""
            }
          ]
        }
      }
      
      

      Other APIs, like getApps and getApp, have an access check like "hasAccess(app, hsr)"; they hide the logs link if the app ID does not belong to the querying user, see

      https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1098

       We need to add hasAccess(app, hsr) for getAppAttempts.

       

      Besides, at https://github.com/apache/hadoop/blob/580a6a75a3e3d3b7918edeffd6e93fc211166884/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMAppBlock.java#L145

      it seems that we have an access check in its caller, so for now I pass "true" to AppAttemptInfo in the patch.
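      As an added regression check (not part of this issue or the Hadoop project), the following Python parses the appattempts JSON shown above and flags any logsLink whose trailing owner segment is not the requesting user, which is exactly the leak described here. The containerlogs URL layout and the assumption that a patched endpoint returns an empty logsLink for non-owners are mine.

```python
"""Regression check for YARN-10555: does /ws/v1/cluster/apps/{appid}/appattempts
expose another user's container log links to the requesting user?

Added example, not YARN project code. It parses the JSON the ResourceManager
REST endpoint returns (shape as quoted in the report) and returns every
logsLink whose trailing user segment differs from the requesting user.
Assumption: NodeManager containerlogs URLs have the form
.../node/containerlogs/<container_id>/<app_owner>, as seen in the report.
"""
import json
from typing import List, Optional
from urllib.parse import urlparse


def owner_from_logs_link(logs_link: str) -> Optional[str]:
    """Return the app owner encoded as the last path segment of a
    NodeManager containerlogs URL, or None if the link is empty/unparseable."""
    if not logs_link:
        return None
    parts = [p for p in urlparse(logs_link).path.split("/") if p]
    # expected: ["node", "containerlogs", "<container_id>", "<owner>"]
    if len(parts) < 4 or parts[0] != "node" or parts[1] != "containerlogs":
        return None
    return parts[-1]


def leaked_log_links(response: dict, requesting_user: str) -> List[str]:
    """logsLink values owned by someone other than the requester.
    A patched RM (hasAccess check present) is expected to return [] here."""
    attempts = response.get("appAttempts", {}).get("appAttempt", [])
    leaked = []
    for attempt in attempts:
        link = attempt.get("logsLink", "")
        owner = owner_from_logs_link(link)
        if owner is not None and owner != requesting_user:
            leaked.append(link)
    return leaked


# Constructed from the response quoted in the report: user1 queries user2's app.
UNPATCHED_RESPONSE = json.loads("""
{"appAttempts": {"appAttempt": [{
  "id": 1,
  "containerId": "container_1609318368700_0002_01_000001",
  "nodeHttpAddress": "hadoop12:8044",
  "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_000001/user2"
}]}}
""")

# Constructed: the same query once the endpoint hides the link for non-owners.
PATCHED_RESPONSE = json.loads('{"appAttempts": {"appAttempt": [{"id": 1, "logsLink": ""}]}}')

if __name__ == "__main__":
    for name, resp in (("unpatched", UNPATCHED_RESPONSE), ("patched", PATCHED_RESPONSE)):
        print(name, "leaked:", leaked_log_links(resp, "user1"))
```

      Feed it the output of the curl command from the report (as the non-owning user) to confirm the fix on a live cluster.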

       

      Attachments

        1. YARN-10555_1.patch
          4 kB
          lujie

          People

            xiaoheipangzi lujie
            Votes: 0
            Watchers: 5


              Time Tracking

                Estimated: Not Specified
                Remaining: 0h
                Logged: 2h 20m