From a6e9d27c2957fc9ffeb019963995792692aa27df Mon Sep 17 00:00:00 2001
From: Billie Rinaldi
Date: Tue, 18 Dec 2018 12:49:10 -0800
Subject: [PATCH] YARN-9117. Add a check for insecure setup for container terminal. Contributed by Eric Yang
---
 .../webapp/ContainerShellWebSocket.java | 15 +++++++++++++++
 .../src/main/resources/TERMINAL/terminal.template | 3 +++
 2 files changed, 18 insertions(+)
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java
index ade1211e7b..138f9e0b02 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java
@@ -28,6 +28,7 @@
 import org.apache.hadoop.classification.InterfaceStability;
 import org.apache.hadoop.yarn.api.records.ContainerId;
 import org.apache.hadoop.yarn.api.records.ShellContainerCommand;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.server.nodemanager.Context;
 import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor;
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
@@ -115,6 +116,10 @@ public void onConnect(Session session) {
 session.close(1008, "Forbidden");
 return;
 }
+ if (checkInsecureSetup()) {
+ session.close(1003, "Nonsecure mode is unsupported.");
+ return;
+ }
 LOG.info(session.getRemoteAddress().getHostString() + " connected!");
 LOG.info(
 "Making interactive connection to running docker container with ID: "
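Review bot: The new refusal in onConnect closes with status 1003, which RFC 6455 defines as "unsupported data" (a frame type the endpoint cannot accept), whereas this is a configuration refusal. The policy code 1008 is already used for "Forbidden" just above, so a private-use code in the 4000–4999 range would let terminal.template tell the two cases apart without overloading 1003; its `case 1003` branch would have to change with it. The branch also returns without logging, so refused terminal attempts leave no record on the NodeManager as far as this hunk shows. A line such as `LOG.warn("Container shell refused for " + session.getRemoteAddress().getHostString() + ": nonsecure mode with limit-users enabled");` before `session.close` would give operators something to alert on. onConnect starts and ends outside this hunk, so any logging done elsewhere in the method is not visible here.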
@@ -180,4 +185,14 @@ protected boolean checkAuthorization(Session session, Container container)
 }
 return authorized;
 }
+
+ private boolean checkInsecureSetup() {
+ boolean kerberos = UserGroupInformation.isSecurityEnabled();
+ boolean limitUsers = nmContext.getConf()
+ .getBoolean(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS, true);
+ if (kerberos) {
+ return false;
+ }
+ return limitUsers;
+ }
 }
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template
index 4bff794403..db32a27a21 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template
@@ -104,6 +104,9 @@
 case 1001:
 term.write('Remote Connection going away.');
 break;
+ case 1003:
+ term.write('Nonsecure mode is unsupported.');
+ break;
 }
 });
 term.open(container);
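Review bot: checkInsecureSetup() returns true only when Kerberos is off and `NM_NONSECURE_MODE_LIMIT_USERS` is true, so a non-Kerberos NodeManager with limit-users set to false still gets a container terminal, even though the close reason says "Nonsecure mode is unsupported." That gap matters if, as seems likely without Kerberos, the caller identity that checkAuthorization relies on is not strongly authenticated. If the intent is to refuse every non-Kerberos setup, the body should be `return !UserGroupInformation.isSecurityEnabled();`. If only the limit-users case is meant, the method needs a Javadoc saying so, e.g. `/** Returns true when security is disabled and nonsecure-mode limit-users is on; the terminal is refused in that setup. */`, and the close message should name that setting. In that case the body also reduces to `return !kerberos && limitUsers;`.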