From 6c7f192f0fedc9abe83b2758fab3863cdc5e4717 Mon Sep 17 00:00:00 2001 From: Artem Smotrakov Date: Sat, 10 Jul 2021 06:42:31 +0200 Subject: [PATCH] HADOOP-17793. Better token validation (#3189) Signed-off-by: Akira Ajisaka (cherry picked from commit ba325a8ada573291266c4d6447862072fdf88af5) Conflicts: hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java --- .../main/java/org/apache/hadoop/security/token/Token.java | 6 +++--- .../hdfs/security/token/block/BlockTokenSecretManager.java | 3 ++- .../nodemanager/containermanager/ContainerManagerImpl.java | 4 ++-- 3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
index 6df62fa7edd..cd12599633e 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
@@ -34,7 +34,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.*;
-import java.util.Arrays;
+import java.security.MessageDigest;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.ServiceConfigurationError;
@@ -419,8 +419,8 @@ public class Token implements Writable {
 return false;
 } else {
 Token r = (Token) right;
- return Arrays.equals(identifier, r.identifier) &&
- Arrays.equals(password, r.password) &&
+ return MessageDigest.isEqual(identifier, r.identifier) &&
+ MessageDigest.isEqual(password, r.password) &&
 kind.equals(r.kind) &&
 service.equals(r.service);
 }
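Review bot: The switch to `MessageDigest.isEqual` in the `return` of `equals` carries no comment saying why it is there, so a later reader or an IDE "simplify" hint is likely to put `Arrays.equals` back; add `// MessageDigest.isEqual: comparison time does not depend on the first differing byte; do not revert to Arrays.equals` above the `return`. The same comment is missing at the password checks in BlockTokenSecretManager.java and ContainerManagerImpl.java in this patch. Equality semantics are otherwise unchanged on JDK 8+, since `isEqual` treats two null arrays as equal and a null versus non-null pair as unequal, exactly as `Arrays.equals` did. Note that `isEqual` still returns as soon as the two lengths differ, so only the contents of `password`, not its length, are compared in constant time, which is acceptable only if passwords issued by one secret manager always have the same length — something this hunk cannot show. `equals` begins outside the hunk.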
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
index 9f21baa7f82..47c007f68f5 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
@@ -22,6 +22,7 @@ import com.google.common.base.Charsets;
 import java.io.ByteArrayInputStream;
 import java.io.DataInputStream;
 import java.io.IOException;
+import java.security.MessageDigest;
 import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.EnumSet;
@@ -407,7 +408,7 @@ public class BlockTokenSecretManager extends
 + ", block=" + block + ", access mode=" + mode);
 }
 checkAccess(id, userId, block, mode, storageTypes, storageIds);
- if (!Arrays.equals(retrievePassword(id), token.getPassword())) {
+ if (!MessageDigest.isEqual(retrievePassword(id), token.getPassword())) {
 throw new InvalidToken("Block token with " + id
 + " doesn't have the correct token password");
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
index 17af7ecf71f..05aa33910a3 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
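Review bot: Unlike the ContainerManagerImpl hunk in this same patch, the changed `if` here has no explicit null guard, and `MessageDigest.isEqual(null, null)` returns true just as `Arrays.equals(null, null)` did, so if `retrievePassword(id)` or `token.getPassword()` can ever yield null (not visible from this hunk) a token carrying no password would pass; for parity consider `byte[] expected = retrievePassword(id);` followed by `if (expected == null || token.getPassword() == null || !MessageDigest.isEqual(expected, token.getPassword())) {`. Separately, `checkAccess(id, ...)` on the line above inspects the identifier's fields before the password that authenticates that identifier has been verified; checking the password first would give the usual verify-then-use order, and since both paths throw `InvalidToken` only the failure message would change, which is worth confirming against existing tests. The enclosing method starts outside the hunk.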
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
@@ -171,8 +171,8 @@ import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.URISyntaxException;
 import java.nio.ByteBuffer;
+import java.security.MessageDigest;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
@@ -1233,7 +1233,7 @@ public class ContainerManagerImpl extends CompositeService implements
 containerTokenIdentifier);
 byte[] tokenPass = token.getPassword().array();
 if (password == null || tokenPass == null
- || !Arrays.equals(password, tokenPass)) {
+ || !MessageDigest.isEqual(password, tokenPass)) {
 throw new InvalidToken(
 "Invalid container token used for starting container on : "
 + context.getNodeId().toString());
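Review bot: The `password == null || tokenPass == null` guards on the line before the changed one must stay: `MessageDigest.isEqual(null, null)` returns true exactly as `Arrays.equals(null, null)` did, so those guards are what turn a missing password on either side into an `InvalidToken` rather than a match; a comment such as `// keep both null guards: MessageDigest.isEqual(null, null) is true` would stop a later cleanup from dropping them as redundant. Separately, `token.getPassword().array()` two lines up hands the buffer's entire backing array to the comparison regardless of position, limit or arrayOffset, and throws for a buffer without an accessible array, and `isEqual`'s length check would turn any such mismatch into a silent authentication failure; if `getPassword()` can return a sliced or read-only buffer (not visible here), copying the readable bytes is safer: `ByteBuffer pwBuf = token.getPassword().duplicate();` `byte[] tokenPass = new byte[pwBuf.remaining()];` `pwBuf.get(tokenPass);`. The enclosing method and the assignment of `password` begin outside the hunk.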