Malicious AM can kill containers of other apps running in any node its containers are running

Details

• Type: Bug
• Status: Resolved
• Priority: Minor
• Resolution: Fixed
• Affects Version/s: None
• Fix Version/s: 2.8.0, 3.0.0-alpha2
• Component/s: nodemanager
• Labels: None
• Hadoop Flags: Reviewed

Description

When an AM calls the NM via ContainerManagementProtocol, the NMToken is supplied for authentication. The RPC server verifies the password of the NMToken (originally generated by the RM), so we know the content of the NMTokenIdentifier is genuine.

Next, for stopContainers() and getContainerStatus(), the method authorizeGetAndStopContainerRequest() is used to verify that the requested containers do belong to the AM by comparing them against the AppId in the NMTokenIdentifier. However, right now when the appId doesn't match, authorizeGetAndStopContainerRequest() only logs a warning message and continues to kill the container. Overall, a malicious AM can kill containers of other apps running on any node where its own containers are running.
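The following is an added model of the NodeManager-side check the description talks about, written for this page and not taken from YARN's code base; the class and method names (ContainerId, NMTokenIdentifier, ContainerManager and its two stop_containers variants) are illustrative assumptions. It puts the log-and-continue shape of the check next to a shape that rejects the mismatched container, so the difference in outcome for a foreign container is visible.

```python
# Added model of the NodeManager-side check described in YARN-5836; this is
# not YARN's own code, and every name here is an illustrative assumption.
import logging
from dataclasses import dataclass

log = logging.getLogger("nm.authz")

@dataclass(frozen=True)
class ContainerId:
    app_id: str  # application that owns the container
    seq: int

@dataclass(frozen=True)
class NMTokenIdentifier:
    # AppId the RM issued the token for; the RPC layer has already verified
    # the token password, so this value can be trusted.
    app_id: str

class ContainerManager:
    def __init__(self, running):
        self.running = set(running)

    def stop_containers_vulnerable(self, token, container_ids):
        """Pre-fix shape: an appId mismatch is only logged, then the kill proceeds."""
        for cid in container_ids:
            if cid.app_id != token.app_id:
                log.warning("App %s asked to stop a container of %s", token.app_id, cid.app_id)
            self.running.discard(cid)  # executes regardless of the check above
        return self.running

    def stop_containers_fixed(self, token, container_ids):
        """Hardened shape: a mismatch rejects that container; only the caller's own are killed."""
        failed = {}
        for cid in container_ids:
            if cid.app_id != token.app_id:
                failed[cid] = "Unauthorized request to stop container"
                continue
            self.running.discard(cid)
        return self.running, failed

def demo():
    # Constructed sample: one NM hosts a container of app_1 and one of app_2; the AM of app_1 asks to stop both.
    own, victim = ContainerId("app_1", 1), ContainerId("app_2", 1)
    token = NMTokenIdentifier("app_1")
    nm_old, nm_new = ContainerManager([own, victim]), ContainerManager([own, victim])
    nm_old.stop_containers_vulnerable(token, [own, victim])
    _, failed = nm_new.stop_containers_fixed(token, [own, victim])
    return victim in nm_old.running, victim in nm_new.running, list(failed)
```

demo() returns (False, True, [victim]): the log-and-continue check lets app_1's AM remove app_2's container, while the rejecting check keeps it running and reports the request as failed.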

Attachments

1. YARN-5836.v1.patch (10 kB, Botong Huang)
2. YARN-5836.v2.patch (11 kB, Botong Huang)

People

• Assignee: Botong Huang (botong)
• Reporter: Botong Huang (botong)
• Votes: 0
• Watchers: 9

Time Tracking

• Estimated: 5h (original estimate)
• Remaining: 5h
• Logged: Not Specified