HADOOP-17793. Better token validation (#3189)

Signed-off-by: Akira Ajisaka <aajisaka@apache.org> (cherry picked from commit ba325a8ada) Conflicts: hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
2021-07-10 06:42:31 +02:00 · 2021-07-10 06:42:31 +02:00 · 9241470dfd
parent cef04b40b6
commit 9241470dfd
3 changed files with 8 additions and 8 deletions
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java
@ -31,7 +31,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.*;
-import java.util.Arrays;
+import java.security.MessageDigest;
 import java.util.Map;
 import java.util.ServiceLoader;
 import java.util.UUID;
@ -368,8 +368,8 @@ public class Token<T extends TokenIdentifier> implements Writable {
      return false;
    } else {
      Token<T> r = (Token<T>) right;
-      return Arrays.equals(identifier, r.identifier) &&
+      return MessageDigest.isEqual(identifier, r.identifier) &&
-             Arrays.equals(password, r.password) &&
+             MessageDigest.isEqual(password, r.password) &&
             kind.equals(r.kind) &&
             service.equals(r.service);
    }
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.java
@ -22,8 +22,8 @@ import com.google.common.base.Charsets;
 import java.io.ByteArrayInputStream;
 import java.io.DataInputStream;
 import java.io.IOException;
 import java.security.MessageDigest;
 import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.Iterator;
@ -326,8 +326,8 @@ public class BlockTokenSecretManager extends
              + ", block=" + block + ", access mode=" + mode);
    }
    checkAccess(id, userId, block, mode);
-    if (!Arrays.equals(retrievePassword(id), token.getPassword())) {
+    if (!MessageDigest.isEqual(retrievePassword(id), token.getPassword())) {
-      throw new InvalidToken("Block token with " + id.toString()
+      throw new InvalidToken("Block token with " + id
          + " doesn't have the correct token password");
    }
  }
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/containermanager/ContainerManagerImpl.java
@ -170,8 +170,8 @@ import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.URISyntaxException;
 import java.nio.ByteBuffer;
 import java.security.MessageDigest;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.EnumSet;
 import java.util.HashMap;
@ -1196,7 +1196,7 @@ public class ContainerManagerImpl extends CompositeService implements
            containerTokenIdentifier);
    byte[] tokenPass = token.getPassword().array();
    if (password == null || tokenPass == null
-        || !Arrays.equals(password, tokenPass)) {
+        || !MessageDigest.isEqual(password, tokenPass)) {
      throw new InvalidToken(
        "Invalid container token used for starting container on : "
            + context.getNodeId().toString());