YARN-8838. Check that container user is same as websocket user for interactive shell. Contributed by Eric Yang
This commit is contained in:
parent
c74783036d
commit
49824ed260
@ -1105,6 +1105,10 @@ public void shellToContainer(ContainerId containerId,
|
||||
WebSocketClient client = new WebSocketClient();
|
||||
URI uri = URI.create(protocol + host + ":" + port + "/container/" +
|
||||
containerId);
|
||||
if (!UserGroupInformation.isSecurityEnabled()) {
|
||||
uri = URI.create(protocol + host + ":" + port + "/container/" +
|
||||
containerId + "?user.name=" + System.getProperty("user.name"));
|
||||
}
|
||||
try {
|
||||
client.start();
|
||||
// The socket that receives events
|
||||
|
@ -21,6 +21,8 @@
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.nio.charset.Charset;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import org.apache.hadoop.classification.InterfaceAudience;
|
||||
import org.apache.hadoop.classification.InterfaceStability;
|
||||
@ -35,6 +37,8 @@
|
||||
import org.eclipse.jetty.websocket.api.annotations.OnWebSocketMessage;
|
||||
import org.eclipse.jetty.websocket.api.annotations.WebSocket;
|
||||
import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
|
||||
import org.apache.hadoop.security.HadoopKerberosName;
|
||||
import org.apache.hadoop.security.UserGroupInformation;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
@ -92,14 +96,16 @@ public void onText(Session session, String message) throws IOException {
|
||||
|
||||
@OnWebSocketConnect
|
||||
public void onConnect(Session session) {
|
||||
LOG.info(session.getRemoteAddress().getHostString() + " connected!");
|
||||
|
||||
try {
|
||||
URI containerURI = session.getUpgradeRequest().getRequestURI();
|
||||
String[] containerPath = containerURI.getPath().split("/");
|
||||
String cId = containerPath[2];
|
||||
Container container = nmContext.getContainers().get(ContainerId
|
||||
.fromString(cId));
|
||||
if (!checkAuthorization(session, container)) {
|
||||
session.close(1008, "Forbidden");
|
||||
}
|
||||
LOG.info(session.getRemoteAddress().getHostString() + " connected!");
|
||||
LOG.info(
|
||||
"Making interactive connection to running docker container with ID: "
|
||||
+ cId);
|
||||
@ -126,4 +132,37 @@ public void onClose(Session session, int status, String reason) {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if user is authorized to access container.
|
||||
* @param session websocket session
|
||||
* @param container instance of container to access
|
||||
* @return true if user is allowed to access container.
|
||||
* @throws IOException
|
||||
*/
|
||||
protected boolean checkAuthorization(Session session, Container container)
|
||||
throws IOException {
|
||||
boolean authorized = true;
|
||||
String user = "";
|
||||
if (UserGroupInformation.isSecurityEnabled()) {
|
||||
user = new HadoopKerberosName(session.getUpgradeRequest()
|
||||
.getUserPrincipal().getName()).getShortName();
|
||||
} else {
|
||||
Map<String, List<String>> parameters = session.getUpgradeRequest()
|
||||
.getParameterMap();
|
||||
if (parameters.containsKey("user.name")) {
|
||||
List<String> users = parameters.get("user.name");
|
||||
user = users.get(0);
|
||||
}
|
||||
}
|
||||
boolean isAdmin = false;
|
||||
if (nmContext.getApplicationACLsManager().areACLsEnabled()) {
|
||||
UserGroupInformation ugi = UserGroupInformation.createRemoteUser(user);
|
||||
isAdmin = nmContext.getApplicationACLsManager().isAdmin(ugi);
|
||||
}
|
||||
String containerUser = container.getUser();
|
||||
if (!user.equals(containerUser) && !isAdmin) {
|
||||
authorized = false;
|
||||
}
|
||||
return authorized;
|
||||
}
|
||||
}
|
||||
|
@ -27,17 +27,25 @@
|
||||
import org.apache.hadoop.yarn.server.nodemanager.NodeHealthCheckerService;
|
||||
import org.apache.hadoop.yarn.server.nodemanager.NodeManager;
|
||||
import org.apache.hadoop.yarn.server.nodemanager.ResourceView;
|
||||
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
|
||||
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
|
||||
import org.eclipse.jetty.websocket.api.Session;
|
||||
import org.eclipse.jetty.websocket.api.UpgradeRequest;
|
||||
import org.eclipse.jetty.websocket.client.WebSocketClient;
|
||||
import org.junit.After;
|
||||
import org.junit.Assert;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
import static org.mockito.Mockito.*;
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.Future;
|
||||
|
||||
/**
|
||||
@ -51,6 +59,7 @@ public class TestNMContainerWebSocket {
|
||||
TestNMWebServer.class.getSimpleName());
|
||||
private static File testLogDir = new File("target",
|
||||
TestNMWebServer.class.getSimpleName() + "LogDir");
|
||||
private WebServer server;
|
||||
|
||||
@Before
|
||||
public void setup() {
|
||||
@ -101,7 +110,7 @@ public boolean isPmemCheckEnabled() {
|
||||
healthChecker.init(conf);
|
||||
LocalDirsHandlerService dirsHandler = healthChecker.getDiskHandler();
|
||||
conf.set(YarnConfiguration.NM_WEBAPP_ADDRESS, webAddr);
|
||||
WebServer server = new WebServer(nmContext, resourceView,
|
||||
server = new WebServer(nmContext, resourceView,
|
||||
new ApplicationACLsManager(conf), dirsHandler);
|
||||
try {
|
||||
server.init(conf);
|
||||
@ -141,9 +150,36 @@ public void testWebServerWithServlet() {
|
||||
} finally {
|
||||
try {
|
||||
client.stop();
|
||||
server.close();
|
||||
} catch (Exception e) {
|
||||
LOG.error("Failed to close client", e);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testContainerShellWebSocket() {
|
||||
Context nm = mock(Context.class);
|
||||
Session session = mock(Session.class);
|
||||
Container container = mock(Container.class);
|
||||
UpgradeRequest request = mock(UpgradeRequest.class);
|
||||
ApplicationACLsManager aclManager = mock(ApplicationACLsManager.class);
|
||||
ContainerShellWebSocket.init(nm);
|
||||
ContainerShellWebSocket ws = new ContainerShellWebSocket();
|
||||
List<String> names = new ArrayList<>();
|
||||
names.add("foobar");
|
||||
Map<String, List<String>> mockParameters = new HashMap<>();
|
||||
mockParameters.put("user.name", names);
|
||||
when(session.getUpgradeRequest()).thenReturn(request);
|
||||
when(request.getParameterMap()).thenReturn(mockParameters);
|
||||
when(container.getUser()).thenReturn("foobar");
|
||||
when(nm.getApplicationACLsManager()).thenReturn(aclManager);
|
||||
when(aclManager.areACLsEnabled()).thenReturn(false);
|
||||
try {
|
||||
boolean authorized = ws.checkAuthorization(session, container);
|
||||
Assert.assertTrue("Not authorized", authorized);
|
||||
} catch (IOException e) {
|
||||
Assert.fail("Should not throw exception.");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user