big-data/hadoop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

YARN-9117. Add a check for insecure setup for container terminal. Contributed by Eric Yang

Browse Source
This commit is contained in:
Billie Rinaldi 2018-12-18 12:49:10 -08:00
parent 12c139d7de
commit a6e9d27c29
2 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java
View File

@ -28,6 +28,7 @@
import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.yarn.api.records.ContainerId; import org.apache.hadoop.yarn.api.records.ContainerId;
import org.apache.hadoop.yarn.api.records.ShellContainerCommand; import org.apache.hadoop.yarn.api.records.ShellContainerCommand;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.server.nodemanager.Context; import org.apache.hadoop.yarn.server.nodemanager.Context;
import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor; import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
@ -115,6 +116,10 @@ public void onConnect(Session session) {
session.close(1008, "Forbidden"); session.close(1008, "Forbidden");
return; return;
} }
if (checkInsecureSetup()) {
session.close(1003, "Nonsecure mode is unsupported.");
return;
}
LOG.info(session.getRemoteAddress().getHostString() + " connected!"); LOG.info(session.getRemoteAddress().getHostString() + " connected!");
LOG.info( LOG.info(
"Making interactive connection to running docker container with ID: " "Making interactive connection to running docker container with ID: "
@ -180,4 +185,14 @@ protected boolean checkAuthorization(Session session, Container container)
} }
return authorized; return authorized;
} }
private boolean checkInsecureSetup() {
boolean kerberos = UserGroupInformation.isSecurityEnabled();
boolean limitUsers = nmContext.getConf()
.getBoolean(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS, true);
if (kerberos) {
return false;
}
return limitUsers;
}
} }

3
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template
View File

@ -104,6 +104,9 @@
case 1001: case 1001:
term.write('Remote Connection going away.'); term.write('Remote Connection going away.');
break; break;
case 1003:
term.write('Nonsecure mode is unsupported.');
break;
} }
}); });
term.open(container); term.open(container);