YARN-9117. Add a check for insecure setup for container terminal. Contributed by Eric Yang

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java

@@ -28,6 +28,7 @@
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.api.records.ShellContainerCommand;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.server.nodemanager.Context;
 import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
@@ -115,6 +116,10 @@ public void onConnect(Session session) {
         session.close(1008, "Forbidden");
         return;
       }
+      if (checkInsecureSetup()) {
+        session.close(1003, "Nonsecure mode is unsupported.");
+        return;
+      }
       LOG.info(session.getRemoteAddress().getHostString() + " connected!");
       LOG.info(
           "Making interactive connection to running docker container with ID: "
@@ -180,4 +185,14 @@ protected boolean checkAuthorization(Session session, Container container)
     }
     return authorized;
   }
+
+  private boolean checkInsecureSetup() {
+    boolean kerberos = UserGroupInformation.isSecurityEnabled();
+    boolean limitUsers = nmContext.getConf()
+        .getBoolean(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS, true);
+    if (kerberos) {
+      return false;
+    }
+    return limitUsers;
+  }
 }

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template

@@ -104,6 +104,9 @@
             case 1001:
               term.write('Remote Connection going away.');
               break;
+            case 1003:
+              term.write('Nonsecure mode is unsupported.');
+              break;
           }
         });
         term.open(container);