big-data/hadoop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

YARN-7590. Improve container-executor validation check. Contributed by Eric Yang.

Browse Source
This commit is contained in:
Miklos Szegedi 2018-01-11 09:40:09 -08:00
parent 2e0a451a8d
commit bc285da107
3 changed files with 82 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.c
View File

@ -517,9 +517,31 @@ char *get_app_directory(const char * nm_root, const char *user,
* Get the user directory of a particular user * Get the user directory of a particular user
*/ */
char *get_user_directory(const char *nm_root, const char *user) { char *get_user_directory(const char *nm_root, const char *user) {
int result = check_nm_local_dir(nm_uid, nm_root);
if (result != 0) {
return NULL;
}
return concatenate(USER_DIR_PATTERN, "user_dir_path", 2, nm_root, user); return concatenate(USER_DIR_PATTERN, "user_dir_path", 2, nm_root, user);
} }
/**
* Check node manager local dir permission.
*/
int check_nm_local_dir(uid_t caller_uid, const char *nm_root) {
struct stat info;
errno = 0;
int err = stat(nm_root, &info);
if (err < 0) {
fprintf(LOGFILE, "Error checking file stats for %s %d %s.\n", nm_root, err, strerror(errno));
return 1;
}
if (caller_uid != info.st_uid) {
fprintf(LOGFILE, "Permission mismatch for %s for caller uid: %d, owner uid: %d.\n", nm_root, caller_uid, info.st_uid);
return 1;
}
return 0;
}
/** /**
* Get the container directory for the given container_id * Get the container directory for the given container_id
*/ */
@ -666,6 +688,11 @@ static int create_container_directories(const char* user, const char *app_id,
for(local_dir_ptr = local_dir; *local_dir_ptr != NULL; ++local_dir_ptr) { for(local_dir_ptr = local_dir; *local_dir_ptr != NULL; ++local_dir_ptr) {
char *container_dir = get_container_work_directory(*local_dir_ptr, user, app_id, char *container_dir = get_container_work_directory(*local_dir_ptr, user, app_id,
container_id); container_id);
int check = check_nm_local_dir(nm_uid, *local_dir_ptr);
if (check != 0) {
free(container_dir);
continue;
}
if (container_dir == NULL) { if (container_dir == NULL) {
return OUT_OF_MEMORY; return OUT_OF_MEMORY;
} }
@ -692,6 +719,14 @@ static int create_container_directories(const char* user, const char *app_id,
char* const* log_dir_ptr; char* const* log_dir_ptr;
for(log_dir_ptr = log_dir; *log_dir_ptr != NULL; ++log_dir_ptr) { for(log_dir_ptr = log_dir; *log_dir_ptr != NULL; ++log_dir_ptr) {
char *container_log_dir = get_app_log_directory(*log_dir_ptr, combined_name); char *container_log_dir = get_app_log_directory(*log_dir_ptr, combined_name);
int check = check_nm_local_dir(nm_uid, *log_dir_ptr);
if (check != 0) {
container_log_dir = NULL;
}
if (strstr(container_log_dir, "..") != 0) {
fprintf(LOGFILE, "Unsupported container log directory path detected.\n");
container_log_dir = NULL;
}
if (container_log_dir == NULL) { if (container_log_dir == NULL) {
free(combined_name); free(combined_name);
return OUT_OF_MEMORY; return OUT_OF_MEMORY;
@ -1032,6 +1067,10 @@ int create_log_dirs(const char *app_id, char * const * log_dirs) {
char *any_one_app_log_dir = NULL; char *any_one_app_log_dir = NULL;
for(log_root=log_dirs; *log_root != NULL; ++log_root) { for(log_root=log_dirs; *log_root != NULL; ++log_root) {
char *app_log_dir = get_app_log_directory(*log_root, app_id); char *app_log_dir = get_app_log_directory(*log_root, app_id);
int result = check_nm_local_dir(nm_uid, *log_root);
if (result != 0) {
app_log_dir = NULL;
}
if (app_log_dir == NULL) { if (app_log_dir == NULL) {
// try the next one // try the next one
} else if (create_directory_for_user(app_log_dir) != 0) { } else if (create_directory_for_user(app_log_dir) != 0) {
@ -2213,4 +2252,4 @@ int traffic_control_read_stats(char *command_file) {
*/ */
struct configuration* get_cfg() { struct configuration* get_cfg() {
return &CFG; return &CFG;
} }

5
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/impl/container-executor.h
View File

@ -178,6 +178,11 @@ char *get_user_directory(const char *nm_root, const char *user);
char *get_app_directory(const char * nm_root, const char *user, char *get_app_directory(const char * nm_root, const char *user,
const char *app_id); const char *app_id);
/**
* Check node manager local dir permission.
*/
int check_nm_local_dir(uid_t caller_uid, const char *nm_root);
char *get_container_work_directory(const char *nm_root, const char *user, char *get_container_work_directory(const char *nm_root, const char *user,
const char *app_id, const char *container_id); const char *app_id, const char *container_id);

45
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/native/container-executor/test/test-container-executor.c
View File

@ -37,6 +37,7 @@ static char* username = NULL;
static char* yarn_username = NULL; static char* yarn_username = NULL;
static char** local_dirs = NULL; static char** local_dirs = NULL;
static char** log_dirs = NULL; static char** log_dirs = NULL;
static uid_t nm_uid = -1;
/** /**
* Run the command using the effective user id. * Run the command using the effective user id.
@ -152,8 +153,8 @@ void check_pid_file(const char* pid_file, pid_t mypid) {
} }
void test_get_user_directory() { void test_get_user_directory() {
char *user_dir = get_user_directory(TMPDIR, "user"); char *user_dir = get_user_directory(TEST_ROOT, "user");
char *expected = TMPDIR "/usercache/user"; char *expected = TEST_ROOT "/usercache/user";
if (strcmp(user_dir, expected) != 0) { if (strcmp(user_dir, expected) != 0) {
printf("test_get_user_directory expected %s got %s\n", expected, user_dir); printf("test_get_user_directory expected %s got %s\n", expected, user_dir);
exit(1); exit(1);
@ -161,9 +162,32 @@ void test_get_user_directory() {
free(user_dir); free(user_dir);
} }
void test_check_nm_local_dir() {
// check filesystem is same as running user.
int expected = 0;
char *local_path = TEST_ROOT "target";
char *root_path = "/";
if (mkdirs(local_path, 0700) != 0) {
printf("FAIL: unble to create node manager local directory: %s\n", local_path);
exit(1);
}
int actual = check_nm_local_dir(nm_uid, local_path);
if (expected != actual) {
printf("test_nm_local_dir expected %d got %d\n", expected, actual);
exit(1);
}
// check filesystem is different from running user.
expected = 1;
actual = check_nm_local_dir(nm_uid, root_path);
if (expected != actual && nm_uid != 0) {
printf("test_nm_local_dir expected %d got %d\n", expected, actual);
exit(1);
}
}
void test_get_app_directory() { void test_get_app_directory() {
char *expected = TMPDIR "/usercache/user/appcache/app_200906101234_0001"; char *expected = TEST_ROOT "/usercache/user/appcache/app_200906101234_0001";
char *app_dir = (char *) get_app_directory(TMPDIR, "user", char *app_dir = (char *) get_app_directory(TEST_ROOT, "user",
"app_200906101234_0001"); "app_200906101234_0001");
if (strcmp(app_dir, expected) != 0) { if (strcmp(app_dir, expected) != 0) {
printf("test_get_app_directory expected %s got %s\n", expected, app_dir); printf("test_get_app_directory expected %s got %s\n", expected, app_dir);
@ -173,9 +197,9 @@ void test_get_app_directory() {
} }
void test_get_container_directory() { void test_get_container_directory() {
char *container_dir = get_container_work_directory(TMPDIR, "owen", "app_1", char *container_dir = get_container_work_directory(TEST_ROOT, "owen", "app_1",
"container_1"); "container_1");
char *expected = TMPDIR"/usercache/owen/appcache/app_1/container_1"; char *expected = TEST_ROOT "/usercache/owen/appcache/app_1/container_1";
if (strcmp(container_dir, expected) != 0) { if (strcmp(container_dir, expected) != 0) {
printf("Fail get_container_work_directory got %s expected %s\n", printf("Fail get_container_work_directory got %s expected %s\n",
container_dir, expected); container_dir, expected);
@ -185,9 +209,9 @@ void test_get_container_directory() {
} }
void test_get_container_launcher_file() { void test_get_container_launcher_file() {
char *expected_file = (TMPDIR"/usercache/user/appcache/app_200906101234_0001" char *expected_file = (TEST_ROOT "/usercache/user/appcache/app_200906101234_0001"
"/launch_container.sh"); "/launch_container.sh");
char *app_dir = get_app_directory(TMPDIR, "user", char *app_dir = get_app_directory(TEST_ROOT, "user",
"app_200906101234_0001"); "app_200906101234_0001");
char *container_file = get_container_launcher_file(app_dir); char *container_file = get_container_launcher_file(app_dir);
if (strcmp(container_file, expected_file) != 0) { if (strcmp(container_file, expected_file) != 0) {
@ -1182,6 +1206,8 @@ int main(int argc, char **argv) {
LOGFILE = stdout; LOGFILE = stdout;
ERRORFILE = stderr; ERRORFILE = stderr;
nm_uid = getuid();
printf("Attempting to clean up from any previous runs\n"); printf("Attempting to clean up from any previous runs\n");
// clean up any junk from previous run // clean up any junk from previous run
if (system("chmod -R u=rwx " TEST_ROOT "; rm -fr " TEST_ROOT)) { if (system("chmod -R u=rwx " TEST_ROOT "; rm -fr " TEST_ROOT)) {
@ -1232,6 +1258,9 @@ int main(int argc, char **argv) {
printf("\nTesting get_user_directory()\n"); printf("\nTesting get_user_directory()\n");
test_get_user_directory(); test_get_user_directory();
printf("\nTesting check_nm_local_dir()\n");
test_check_nm_local_dir();
printf("\nTesting get_app_directory()\n"); printf("\nTesting get_app_directory()\n");
test_get_app_directory(); test_get_app_directory();