YARN-1137. Add support whitelist for system users to Yarn container-executor.c. (rvs via tucu)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1523587 13f79535-47bb-0310-9956-ffa450edef68
parent
c4ea83c642
commit
89c7ee9245
@ -929,6 +929,8 @@ KVNO Timestamp Principal
|
||||
*-------------------------+-------------------------+------------------------+
|
||||
| <<<banned.users>>> | hfds,yarn,mapred,bin | Banned users. |
|
||||
*-------------------------+-------------------------+------------------------+
|
||||
| <<<allowed.system.users>>> | foo,bar | Allowed system users. |
|
||||
*-------------------------+-------------------------+------------------------+
|
||||
| <<<min.user.id>>> | 1000 | Prevent other super-users. |
|
||||
*-------------------------+-------------------------+------------------------+
|
||||
|
||||
|
@ -98,6 +98,9 @@ Release 2.1.1-beta - UNRELEASED
|
||||
completions in addition to application events. (Alejandro Abdelnur via
|
||||
vinodkv)
|
||||
|
||||
YARN-1137. Add support whitelist for system users to Yarn
|
||||
container-executor.c. (rvs via tucu)
|
||||
|
||||
OPTIMIZATIONS
|
||||
|
||||
BUG FIXES
|
||||
|
@ -1,3 +1,4 @@
|
||||
yarn.nodemanager.linux-container-executor.group=#configured value of yarn.nodemanager.linux-container-executor.group
|
||||
banned.users=#comma separated list of users who can not run applications
|
||||
min.user.id=1000#Prevent other super-users
|
||||
allowed.system.users=##comma separated list of system users who CAN run applications
|
||||
|
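Review bot: The new key is written as `allowed.system.users=##comma separated list of system users who CAN run applications` while the neighbouring keys open their trailing comment with a single `#` (`min.user.id=1000#Prevent other super-users`, `banned.users=#comma separated list...`); the doubled `#` reads as a typo and should be `allowed.system.users=#comma separated list of system users who CAN run applications`. If `#` starts a comment in this format the extra character is harmless, but it is inconsistent with the rest of the sample. How an empty value is interpreted (empty list versus key absent) is decided by the config reader, which this commit does not show, so it would help to state in the comment that the default is "no system users allowed".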
@ -30,6 +30,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <limits.h>
|
||||
#include <sys/stat.h>
|
||||
#include <sys/mount.h>
|
||||
|
||||
@ -492,6 +493,21 @@ static struct passwd* get_user_info(const char* user) {
|
||||
return result;
|
||||
}
|
||||
|
||||
int is_whitelisted(const char *user) {
|
||||
char **whitelist = get_values(ALLOWED_SYSTEM_USERS_KEY);
|
||||
char **users = whitelist;
|
||||
if (whitelist != NULL) {
|
||||
for(; *users; ++users) {
|
||||
if (strncmp(*users, user, LOGIN_NAME_MAX) == 0) {
|
||||
free_values(whitelist);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
free_values(whitelist);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Is the user a real user account?
|
||||
* Checks:
|
||||
@ -526,9 +542,9 @@ struct passwd* check_user(const char *user) {
|
||||
fflush(LOGFILE);
|
||||
return NULL;
|
||||
}
|
||||
if (user_info->pw_uid < min_uid) {
|
||||
fprintf(LOGFILE, "Requested user %s has id %d, which is below the "
|
||||
"minimum allowed %d\n", user, user_info->pw_uid, min_uid);
|
||||
if (user_info->pw_uid < min_uid && !is_whitelisted(user)) {
|
||||
fprintf(LOGFILE, "Requested user %s is not whitelisted and has id %d,"
|
||||
"which is below the minimum allowed %d\n", user, user_info->pw_uid, min_uid);
|
||||
fflush(LOGFILE);
|
||||
free(user_info);
|
||||
return NULL;
|
||||
|
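Review bot: The new condition `if (user_info->pw_uid < min_uid && !is_whitelisted(user))` lets any name listed in allowed.system.users bypass the uid floor, and nothing in this hunk rejects uid 0 before the whitelist is consulted, so an administrator listing root there would pass this check; unless check_user already rejects uid 0 above the hunk (its start is outside it), an unconditional `if (user_info->pw_uid == 0) { fprintf(LOGFILE, "Running as root is not allowed\n"); free(user_info); return NULL; }` ahead of this check would keep the whitelist limited to non-root system accounts. The new log message also lacks a separator between its two literals, so it prints `has id 500,which is below`; change the first literal to `"Requested user %s is not whitelisted and has id %d, "`. Separately, `is_whitelisted` in the earlier hunk has no header comment although the `check_user` function right after it carries a `/** ... */` block; a one-liner such as `/** Returns 1 if user is listed under allowed.system.users, 0 otherwise. */` would match the file's style.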
@ -65,6 +65,7 @@ enum errorcodes {
|
||||
#define CREDENTIALS_FILENAME "container_tokens"
|
||||
#define MIN_USERID_KEY "min.user.id"
|
||||
#define BANNED_USERS_KEY "banned.users"
|
||||
#define ALLOWED_SYSTEM_USERS_KEY "allowed.system.users"
|
||||
#define TMP_DIR "tmp"
|
||||
|
||||
extern struct passwd *user_detail;
|
||||
|
@ -99,6 +99,7 @@ int write_config_file(char *file_name) {
|
||||
}
|
||||
fprintf(file, "banned.users=bannedUser\n");
|
||||
fprintf(file, "min.user.id=500\n");
|
||||
fprintf(file, "allowed.system.users=allowedUser,bin\n");
|
||||
fclose(file);
|
||||
return 0;
|
||||
}
|
||||
@ -195,6 +196,10 @@ void test_check_user() {
|
||||
printf("FAIL: failed check for system user root\n");
|
||||
exit(1);
|
||||
}
|
||||
if (check_user("bin") == NULL) {
|
||||
printf("FAIL: failed check for whitelisted system user bin\n");
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
void test_resolve_config_path() {
|
||||
|
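Review bot: The new assertion `if (check_user("bin") == NULL)` ties the test to the host having a `bin` account whose uid is below the `min.user.id=500` written by write_config_file; on a host where that does not hold the test fails with a message that blames the whitelist rather than the environment. Guarding the check with a `getpwnam("bin")` lookup and printing the resolved uid in the failure message would make such a failure self-explanatory. The other whitelist entry, `allowedUser`, written in write_config_file is not exercised by any assertion; if it is meant as a deliberately non-existent filler name, a short comment on that line saying so would avoid confusion.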