commit 07ff7620db675174d013df368827fd4608bde754
Author: Eric Yang
Date: Mon Oct 29 18:28:48 2018 -0400

YARN-8838. Added security check for interactive shell login. Contributed by Eric Yang

diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java
index 3b0639b..1423c38 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java
@@ -30,6 +30,7 @@
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
 import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerExecContext;
 import org.eclipse.jetty.websocket.api.Session;
+import org.eclipse.jetty.websocket.api.WebSocketException;
 import org.eclipse.jetty.websocket.api.annotations.OnWebSocketClose;
 import org.eclipse.jetty.websocket.api.annotations.OnWebSocketConnect;
 import org.eclipse.jetty.websocket.api.annotations.OnWebSocketMessage;
@@ -95,11 +96,19 @@
 public void onConnect(Session session) {
 LOG.info(session.getRemoteAddress().getHostString() + " connected!");
 try {
+ String user = session.getUpgradeRequest().getUserPrincipal().getName();
+ if (user.contains("/")) {
+ user = user.split("/")[0];
+ }
 URI containerURI = session.getUpgradeRequest().getRequestURI();
 String[] containerPath = containerURI.getPath().split("/");
 String cId = containerPath[2];
 Container container = nmContext.getContainers().get(ContainerId
 .fromString(cId));
+ String containerUser = container.getUser();
+ if (!user.equals(containerUser)) {
+ session.close(1008, "Forbidden");
+ }
 LOG.info(
 "Making interactive connection to running docker container with ID: "
 + cId);
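Review bot: The forbidden branch closes the session but does not leave the method — after `session.close(1008, "Forbidden");` control falls through to the `LOG.info` and to whatever follows the hunk, so the interactive attach presumably still proceeds for a user who does not own the container unless the code after the hunk re-checks the session state. Add an explicit exit on that branch, e.g. `session.close(1008, "Forbidden");` followed by `return;`, or throw the newly imported `WebSocketException` if the surrounding catch is meant to handle it. The new lookup also assumes an authenticated upgrade request and a known container: `getUserPrincipal()` can be null when no authentication filter ran, and `container` can be null when the id is unknown, so both cases would surface as a NullPointerException inside the try rather than as a deliberate rejection; guarding each with an explicit close before use makes the access decision visible. Note that the shortening only strips a `/` suffix, so a principal written with only a realm part would be compared unchanged against `container.getUser()` — worth confirming against how container users are recorded. onConnect's body and its catch block continue outside the hunk.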