YARN-8963. Add flag to disable interactive shell. Contributed by Eric Yang

This commit is contained in:
Billie Rinaldi 2018-12-14 18:44:36 -08:00
parent aab310978f
commit 42297f7d99
4 changed files with 25 additions and 4 deletions


@ -73,6 +73,7 @@ static const int DEFAULT_MIN_USERID = 1000;
static const char* DEFAULT_BANNED_USERS[] = {"yarn", "mapred", "hdfs", "bin", 0};
static const int DEFAULT_TERMINAL_SUPPORT_ENABLED = 0;
static const int DEFAULT_DOCKER_SUPPORT_ENABLED = 0;
static const int DEFAULT_TC_SUPPORT_ENABLED = 0;
static const int DEFAULT_MOUNT_CGROUP_SUPPORT_ENABLED = 0;
@ -490,6 +491,11 @@ int is_feature_enabled(const char* feature_key, int default_value,
}
}
int is_terminal_support_enabled() {
return is_feature_enabled(TERMINAL_SUPPORT_ENABLED_KEY,
DEFAULT_TERMINAL_SUPPORT_ENABLED, &executor_cfg);
}
int is_docker_support_enabled() {
return is_feature_enabled(DOCKER_SUPPORT_ENABLED_KEY,
DEFAULT_DOCKER_SUPPORT_ENABLED, &executor_cfg)
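Review bot: The new definition `int is_terminal_support_enabled() {` declares an empty parameter list, which in C means "unspecified arguments" rather than "no arguments", so a mistaken call with extra arguments compiles silently; write `int is_terminal_support_enabled(void) {` to match what the function actually takes. The fail-closed default `DEFAULT_TERMINAL_SUPPORT_ENABLED = 0` is the right choice for a setuid helper and is worth a one-line comment so nobody flips it "for convenience", e.g. `/* Interactive shell into containers stays off unless feature.terminal.enabled=1 is set in container-executor.cfg */`. The body of is_docker_support_enabled continues past the end of this hunk.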


@ -67,6 +67,7 @@ enum operations {
#define MIN_USERID_KEY "min.user.id"
#define BANNED_USERS_KEY "banned.users"
#define ALLOWED_SYSTEM_USERS_KEY "allowed.system.users"
#define TERMINAL_SUPPORT_ENABLED_KEY "feature.terminal.enabled"
#define DOCKER_SUPPORT_ENABLED_KEY "feature.docker.enabled"
#define TC_SUPPORT_ENABLED_KEY "feature.tc.enabled"
#define MOUNT_CGROUP_SUPPORT_ENABLED_KEY "feature.mount-cgroup.enabled"
@ -341,3 +342,8 @@ char* flatten(char **args);
* Remove docker container
*/
int remove_docker_container(char **argv, int argc);
/**
* Check if terminal feature is enabled
*/
int is_terminal_support_enabled();
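Review bot: The Doxygen comment on the new `is_terminal_support_enabled` prototype says only "Check if terminal feature is enabled" and leaves the reader to find the configuration key and default elsewhere, even though this same header defines `TERMINAL_SUPPORT_ENABLED_KEY "feature.terminal.enabled"` a few lines up. A comment that names the key and the security posture would help an operator auditing the cfg: `/** Reports whether feature.terminal.enabled (TERMINAL_SUPPORT_ENABLED_KEY) is set in container-executor.cfg. Off by default, which keeps --exec-container disabled; presumably non-zero means enabled, as for is_docker_support_enabled. */`. The exact return convention is not visible in this hunk, so the comment hedges it.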


@ -54,20 +54,26 @@ static void display_usage(FILE *stream) {
if(is_docker_support_enabled()) {
fprintf(stream,
" container-executor --run-docker <command-file>\n"
" container-executor --exec-container <command-file>\n"
" container-executor --remove-docker-container [hierarchy] "
"<container_id>\n"
" container-executor --inspect-docker-container <container_id>\n");
} else {
fprintf(stream,
"[DISABLED] container-executor --run-docker <command-file>\n"
"[DISABLED] container-executor --exec-container <command-file>\n"
"[DISABLED] container-executor --remove-docker-container [hierarchy] "
"<container_id>\n"
"[DISABLED] container-executor --inspect-docker-container "
"<format> ... <container_id>\n");
}
if (is_terminal_support_enabled()) {
fprintf(stream,
" container-executor --exec-container <command-file>\n");
} else {
fprintf(stream,
"[DISABLED] container-executor --exec-container <command-file>\n");
}
fprintf(stream,
" container-executor <user> <yarn-user> <command> <command-args>\n"
" where command and command-args: \n" \
@ -351,7 +357,7 @@ static int validate_arguments(int argc, char **argv , int *operation) {
}
if (strcmp("--exec-container", argv[1]) == 0) {
if(is_docker_support_enabled()) {
if(is_terminal_support_enabled()) {
if (argc != 3) {
display_usage(stdout);
return INVALID_ARGUMENT_NUMBER;
@ -361,7 +367,7 @@ static int validate_arguments(int argc, char **argv , int *operation) {
*operation = EXEC_CONTAINER;
return 0;
} else {
display_feature_disabled_message("docker");
display_feature_disabled_message("feature.terminal.enabled");
return FEATURE_DISABLED;
}
}
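Review bot: The `--exec-container` gate in the second hunk now consults only `is_terminal_support_enabled()`, so an operator who sets `feature.terminal.enabled=1` while leaving `feature.docker.enabled` at its default of 0 still passes argument validation for an operation that, if EXEC_CONTAINER still runs through the docker path, the docker flag was meant to fence off; unless that path re-checks docker support further down (not visible here), the check should require both: `if(is_docker_support_enabled() && is_terminal_support_enabled()) {`. The disabled-path message also breaks the convention of the sibling branch, which passes a feature name (`"docker"`) rather than a config key; `display_feature_disabled_message("terminal")` would read consistently, assuming that helper only echoes its argument. validate_arguments begins before and ends after these hunks.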


@ -59,8 +59,11 @@ yarn.nodemanager.linux-container-executor.group=#configured value of yarn.nodema
banned.users=#comma separated list of users who can not run applications
allowed.system.users=#comma separated list of allowed system users
min.user.id=1000#Prevent other super-users
feature.terminal.enabled=1
```
Terminal feature (feature.terminal.enabled) allows restricted shell into secure container via YARN UI2.
###Windows Secure Container Executor (WSCE)
The Windows environment secure container executor is the `WindowsSecureContainerExecutor`. It uses the Windows S4U infrastructure to launch the container as the YARN application user. The WSCE requires the presense of the `hadoopwinutilsvc` service. This services is hosted by `%HADOOP_HOME%\bin\winutils.exe` started with the `service` command line argument. This service offers some privileged operations that require LocalSystem authority so that the NM is not required to run the entire JVM and all the NM code in an elevated context. The NM interacts with the `hadoopwintulsvc` service by means of Local RPC (LRPC) via calls JNI to the RCP client hosted in `hadoop.dll`.