YARN-9117. Add a check for insecure setup for container terminal. Contributed by Eric Yang
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/a6e9d27c Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/a6e9d27c Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/a6e9d27c Branch: refs/heads/HDFS-12943 Commit: a6e9d27c2957fc9ffeb019963995792692aa27df Parents: 12c139d Author: Billie Rinaldi <bil...@apache.org> Authored: Tue Dec 18 12:49:10 2018 -0800 Committer: Billie Rinaldi <bil...@apache.org> Committed: Tue Dec 18 12:49:10 2018 -0800 ---------------------------------------------------------------------- .../nodemanager/webapp/ContainerShellWebSocket.java | 15 +++++++++++++++ .../src/main/resources/TERMINAL/terminal.template | 3 +++ 2 files changed, 18 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/a6e9d27c/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java ----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java
index ade1211..138f9e0 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java
@@ -28,6 +28,7 @@ import org.apache.hadoop.classification.InterfaceAudience;
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.api.records.ShellContainerCommand;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.server.nodemanager.Context;
 import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
@@ -115,6 +116,10 @@ public class ContainerShellWebSocket {
 session.close(1008, "Forbidden");
 return;
 }
+ if (checkInsecureSetup()) {
+ session.close(1003, "Nonsecure mode is unsupported.");
+ return;
+ }
 LOG.info(session.getRemoteAddress().getHostString() + " connected!");
 LOG.info(
 "Making interactive connection to running docker container with ID: "
@@ -180,4 +185,14 @@ public class ContainerShellWebSocket {
 }
 return authorized;
 }
+
+ private boolean checkInsecureSetup() {
+ boolean kerberos = UserGroupInformation.isSecurityEnabled();
+ boolean limitUsers = nmContext.getConf()
+ .getBoolean(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS, true);
+ if (kerberos) {
+ return false;
+ }
+ return limitUsers;
+ }
 }
http://git-wip-us.apache.org/repos/asf/hadoop/blob/a6e9d27c/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template ----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template
index 4bff794..db32a27 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template
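Review bot: The refusal branch added after the `Forbidden` check in the `@@ -115,6 +116,10 @@` hunk closes the session with status 1003, which RFC 6455 defines as "unsupported data", and it logs nothing, so a terminal attempt rejected for an insecure setup leaves no trace in the NodeManager log (the `" connected!"` message is only written afterwards). A policy refusal matches the 1008 already used just above; if terminal.template must tell the two cases apart, a private-range code (4000-4999) would do it without overloading 1003, and the `case 1003:` added in the template would change with it. I would add `LOG.warn("Container shell refused, insecure setup: " + session.getRemoteAddress().getHostString());` before the `session.close(...)` call. The enclosing method starts and ends outside the hunk.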
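Review bot: `checkInsecureSetup()` in the `@@ -180,4 +185,14 @@` hunk has no comment saying why "Kerberos off and `NM_NONSECURE_MODE_LIMIT_USERS` true" is the combination that gets refused, and the message shown to the user, "Nonsecure mode is unsupported.", does not match it: with Kerberos off and limit-users set to false the method returns false and the terminal is allowed. Presumably the concern is that with limit-users enabled every container runs as one shared local user, but that should be stated in a Javadoc on the method and confirmed against YARN-9117. The permitted non-Kerberos case also deserves a sentence there, since the authorization check above it then presumably works on a caller identity that Kerberos has not verified. The body can be reduced to `return !UserGroupInformation.isSecurityEnabled() && nmContext.getConf().getBoolean(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS, YarnConfiguration.DEFAULT_NM_NONSECURE_MODE_LIMIT_USERS);`, which uses the shared default constant (if this branch has it) instead of a literal `true`. The diffstat lists no test file, so the three configuration combinations are not covered by this commit.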
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template
@@ -104,6 +104,9 @@
 case 1001:
 term.write('Remote Connection going away.');
 break;
+ case 1003:
+ term.write('Nonsecure mode is unsupported.');
+ break;
 }
 });
 term.open(container);
--------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org