big-data/hadoop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

HADOOP-17793. Better token validation (#3189)

Browse Source 
Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
(cherry picked from commit ba325a8ada)
This commit is contained in:
Artem Smotrakov 2021-07-10 06:42:31 +02:00 committed by Akira Ajisaka
parent 6cc9549499
commit c18ad9a007
3 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
View File

@ -32,7 +32,7 @@
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import java.io.*; import java.io.*;
import java.util.Arrays; import java.security.MessageDigest;
import java.util.Iterator; import java.util.Iterator;
import java.util.Map; import java.util.Map;
import java.util.ServiceConfigurationError; import java.util.ServiceConfigurationError;
@ -391,8 +391,8 @@ public boolean equals(Object right) {
return false; return false;
} else { } else {
Token<T> r = (Token<T>) right; Token<T> r = (Token<T>) right;
return Arrays.equals(identifier, r.identifier) && return MessageDigest.isEqual(identifier, r.identifier) &&
Arrays.equals(password, r.password) && MessageDigest.isEqual(password, r.password) &&
kind.equals(r.kind) && kind.equals(r.kind) &&
service.equals(r.service); service.equals(r.service);
} }

5
hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
View File

@ -22,6 +22,7 @@
import java.io.ByteArrayInputStream; import java.io.ByteArrayInputStream;
import java.io.DataInputStream; import java.io.DataInputStream;
import java.io.IOException; import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom; import java.security.SecureRandom;
import java.util.Arrays; import java.util.Arrays;
import java.util.EnumSet; import java.util.EnumSet;
@ -407,7 +408,7 @@ public void checkAccess(Token<BlockTokenIdentifier> token, String userId,
+ ", block=" + block + ", access mode=" + mode); + ", block=" + block + ", access mode=" + mode);
} }
checkAccess(id, userId, block, mode, storageTypes, storageIds); checkAccess(id, userId, block, mode, storageTypes, storageIds);
if (!Arrays.equals(retrievePassword(id), token.getPassword())) { if (!MessageDigest.isEqual(retrievePassword(id), token.getPassword())) {
throw new InvalidToken("Block token with " + id throw new InvalidToken("Block token with " + id
+ " doesn't have the correct token password"); + " doesn't have the correct token password");
} }
@ -427,7 +428,7 @@ public void checkAccess(Token<BlockTokenIdentifier> token, String userId,
+ ", block=" + block + ", access mode=" + mode); + ", block=" + block + ", access mode=" + mode);
} }
checkAccess(id, userId, block, mode); checkAccess(id, userId, block, mode);
if (!Arrays.equals(retrievePassword(id), token.getPassword())) { if (!MessageDigest.isEqual(retrievePassword(id), token.getPassword())) {
throw new InvalidToken("Block token with " + id throw new InvalidToken("Block token with " + id
+ " doesn't have the correct token password"); + " doesn't have the correct token password");
} }

4
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
View File

@ -174,8 +174,8 @@
import java.net.InetSocketAddress; import java.net.InetSocketAddress;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.nio.ByteBuffer; import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection; import java.util.Collection;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
@ -1231,7 +1231,7 @@ protected ContainerTokenIdentifier verifyAndGetContainerTokenIdentifier(
containerTokenIdentifier); containerTokenIdentifier);
byte[] tokenPass = token.getPassword().array(); byte[] tokenPass = token.getPassword().array();
if (password == null || tokenPass == null if (password == null || tokenPass == null
|| !Arrays.equals(password, tokenPass)) { || !MessageDigest.isEqual(password, tokenPass)) {
throw new InvalidToken( throw new InvalidToken(
"Invalid container token used for starting container on : " "Invalid container token used for starting container on : "
+ context.getNodeId().toString()); + context.getNodeId().toString());