Details
Description
It seems that we are missing a security check before getAppAttempts, see https://github.com/apache/hadoop/blob/513f1995adc9b73f9c7f4c7beb89725b51b313ac/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/webapp/RMWebServices.java#L1127
thus we can get some sensitive information, like the logs link.
application_1609318368700_0002 belongs to user2.

user1@hadoop11$ curl --negotiate -u : http://hadoop11:8088/ws/v1/cluster/apps/application_1609318368700_0002/appattempts/ | jq
{
  "appAttempts": {
    "appAttempt": [
      {
        "id": 1,
        "startTime": 1609318411566,
        "containerId": "container_1609318368700_0002_01_000001",
        "nodeHttpAddress": "hadoop12:8044",
        "nodeId": "hadoop12:36831",
        "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_000001/user2",
        "blacklistedNodes": "",
        "nodesBlacklistedBySystem": ""
      }
    ]
  }
}
Other APIs, like getApps and getApp, have an access check like "hasAccess(app, hsr)"; they would hide the logs link if the appid does not belong to the querying user, see
We need to add hasAccess(app, hsr) for getAppAttempts.
It seems that we have an access check in its caller, so now I pass "true" to AppAttemptInfo in the patch.
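The check described in this issue, as an added example in Python rather than Hadoop's own Java code: a small model of getAppAttempts that builds AppAttemptInfo with and without the hasAccess flag, plus a probe that flags a leaked logsLink in a captured appattempts response. Assumptions not on the page: has_access is a simplified stand-in for RMWebServices.hasAccess(app, hsr) (owner, admins, or members of a VIEW_APP ACL may view); the app/attempt field names, the check_access switch and the leaked_logs_links helper are hypothetical; the captured response is transcribed from the curl output above; and the leak probe relies on the containerlogs URL ending in the app owner's name, as it does in that output.

```python
"""Added example (not Hadoop code): model of the missing hasAccess check on
getAppAttempts, and a probe for a leaked logsLink in a captured response."""
import json

# Constructed from the /appattempts response quoted in the issue description.
CAPTURED_RESPONSE = """{"appAttempts": {"appAttempt": [{"id": 1,
 "startTime": 1609318411566,
 "containerId": "container_1609318368700_0002_01_000001",
 "nodeHttpAddress": "hadoop12:8044", "nodeId": "hadoop12:36831",
 "logsLink": "http://hadoop12:8044/node/containerlogs/container_1609318368700_0002_01_000001/user2",
 "blacklistedNodes": "", "nodesBlacklistedBySystem": ""}]}}"""


def has_access(app, user):
    """Simplified stand-in for RMWebServices.hasAccess(app, hsr).
    Assumption: owner, admins and users in the app's VIEW_APP ACL may view."""
    return (user == app["owner"]
            or user in app.get("admins", ())
            or user in app.get("view_acl", ()))


def app_attempt_info(app, attempt, has_access_flag):
    """Mirrors AppAttemptInfo taking a hasAccess flag: the logsLink is only
    populated when the caller is allowed to see it (hypothetical field set)."""
    info = {
        "id": attempt["id"],
        "containerId": attempt["containerId"],
        "nodeHttpAddress": attempt["nodeHttpAddress"],
        "logsLink": "",
    }
    if has_access_flag:
        info["logsLink"] = "http://%s/node/containerlogs/%s/%s" % (
            attempt["nodeHttpAddress"], attempt["containerId"], app["owner"])
    return info


def get_app_attempts(app, user, check_access=True):
    """check_access=False reproduces the pre-fix behaviour (hasAccess passed
    as an unconditional true); check_access=True applies the access check."""
    allowed = has_access(app, user) if check_access else True
    return {"appAttempts": {"appAttempt": [
        app_attempt_info(app, a, allowed) for a in app["attempts"]]}}


def leaked_logs_links(response_text, user):
    """Return logsLink values whose last path segment (the app owner, per the
    containerlogs URL layout shown in the issue) is not the querying user."""
    doc = json.loads(response_text)
    leaked = []
    for attempt in doc["appAttempts"]["appAttempt"]:
        link = attempt.get("logsLink", "")
        if link and link.rstrip("/").rsplit("/", 1)[-1] != user:
            leaked.append(link)
    return leaked


# Constructed app record matching the identifiers in the issue.
APP = {
    "id": "application_1609318368700_0002", "owner": "user2",
    "attempts": [{"id": 1,
                  "containerId": "container_1609318368700_0002_01_000001",
                  "nodeHttpAddress": "hadoop12:8044"}],
}

if __name__ == "__main__":
    # user1 querying user2's app: pre-fix leaks the link, fixed version hides it.
    print(json.dumps(get_app_attempts(APP, "user1", check_access=False), indent=1))
    print(json.dumps(get_app_attempts(APP, "user1"), indent=1))
    print(leaked_logs_links(CAPTURED_RESPONSE, "user1"))
```

Running the module prints the pre-fix response with user2's logsLink, the fixed response with an empty logsLink, and the captured link flagged as leaked for user1. The same probe returns an empty list when the querying user is user2, the app owner.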
Attachments