Skip to content

[CELEBORN-2381] Authorize PbApplicationMetaRequest to prevent secret disclosure#3759

Closed
SteNicholas wants to merge 1 commit into
apache:mainfrom
SteNicholas:CELEBORN-2381
Closed

[CELEBORN-2381] Authorize PbApplicationMetaRequest to prevent secret disclosure#3759
SteNicholas wants to merge 1 commit into
apache:mainfrom
SteNicholas:CELEBORN-2381

Conversation

@SteNicholas

Copy link
Copy Markdown
Member

What changes were proposed in this pull request?

Call checkAuth(context, appId) before serving PbApplicationMetaRequest in the Master, consistent with the other application-scoped handlers (RequestSlots, UnregisterShuffle, ApplicationLost).

Workers fetch application meta over the internal channel, where the connection has no per-application client id, so the check is a no-op for them; it only rejects an external application that asks for another application's secret.

Why are the changes needed?

The Master served PbApplicationMetaRequest by returning the requested application's SASL secret without an authorization check. With authentication enabled, a caller on the external application port could read another application's secret and impersonate it.

Does this PR resolve a correctness bug?

  • Yes

Does this PR introduce any user-facing change?

  • Yes

How was this patch tested?

  • New MasterApplicationMetaAuthSuite verifying PbApplicationMetaRequest is authorized against the registered application.
  • New case in MasterSuite verifying a caller requesting another application's secret is rejected.

…disclosure

The Master served PbApplicationMetaRequest by returning the requested
application's SASL secret without an authorization check, unlike the
other application-scoped handlers (RequestSlots, UnregisterShuffle,
ApplicationLost). With authentication enabled, a caller on the external
application port could read another application's secret and impersonate
it.

Call checkAuth(context, appId) before serving the request, consistent
with the sibling handlers. Workers fetch application meta over the
internal channel, where the connection has no per-application client id,
so the check is a no-op for them.

@zaynt4606 zaynt4606 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@SteNicholas SteNicholas requested a review from Kalvin2077 July 14, 2026 12:38
@RexXiong RexXiong closed this in 50c18eb Jul 14, 2026
@RexXiong

Copy link
Copy Markdown
Contributor

Merge to main(v0.7.0)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants