[
https://issues.apache.org/jira/browse/SPARK-57889?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Peter Toth resolved SPARK-57889.
--------------------------------
Fix Version/s: 4.1.3
3.5.9
4.0.4
4.2.1
4.3.0
Resolution: Fixed
Issue resolved by pull request 56970
[https://github.com/apache/spark/pull/56970]
> Authorize StreamRequest consistently with ChunkFetchRequest in the transport
> layer
> ----------------------------------------------------------------------------------
>
> Key: SPARK-57889
> URL: https://issues.apache.org/jira/browse/SPARK-57889
> Project: Spark
> Issue Type: Bug
> Components: Spark Core
> Affects Versions: 5.0.0
> Reporter: Peter Toth
> Assignee: Peter Toth
> Priority: Major
> Labels: pull-request-available
> Fix For: 4.1.3, 3.5.9, 4.0.4, 4.2.1, 4.3.0
>
>
> The transport layer serves both ChunkFetchRequest and StreamRequest from the
> same StreamManager. ChunkFetchRequestHandler calls
> streamManager.checkAuthorization to enforce per-application ownership
> (clientId == appId), but TransportRequestHandler.processStreamRequest calls
> openStream directly with no such check. Because
> OneForOneStreamManager.openStream addresses the same registered streams by
> their string id ("streamId_chunkIndex"), a StreamRequest can read a stream
> that the ChunkFetchRequest path would have authorized.
> Fix: call streamManager.checkAuthorization in processStreamRequest before
> openStream, mirroring ChunkFetchRequestHandler. Add a
> checkAuthorization(TransportClient, String) overload to StreamManager (no-op
> default), overridden in OneForOneStreamManager to parse the string id and
> delegate to the existing checkAuthorization(TransportClient, long). Like the
> existing ChunkFetchRequest check, this enforces only for authenticated
> clients (non-null client id); behavior is unchanged when authentication is
> disabled.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]