commit ccbd17830e4a5b1a1a47962bbd66c4888d40ef24
Author: Eric Yang
Date: Mon Oct 29 18:28:48 2018 -0400
YARN-8838. Added security check for interactive shell login. Contributed by Eric Yang
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java
index 4d74a14..32d652a 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java
@@ -30,11 +30,14 @@
 import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
 import org.apache.hadoop.yarn.server.nodemanager.executor.ContainerExecContext;
 import org.eclipse.jetty.websocket.api.Session;
+import org.eclipse.jetty.websocket.api.WebSocketException;
 import org.eclipse.jetty.websocket.api.annotations.OnWebSocketClose;
 import org.eclipse.jetty.websocket.api.annotations.OnWebSocketConnect;
 import org.eclipse.jetty.websocket.api.annotations.OnWebSocketMessage;
 import org.eclipse.jetty.websocket.api.annotations.WebSocket;
 import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
+import org.apache.hadoop.security.HadoopKerberosName;
+import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -93,13 +96,25 @@ public void onText(Session session, String message) throws IOException {
 @OnWebSocketConnect
 public void onConnect(Session session) {
 LOG.info(session.getRemoteAddress().getHostString() + " connected!");
-
 try {
 URI containerURI = session.getUpgradeRequest().getRequestURI();
 String[] containerPath = containerURI.getPath().split("/");
 String cId = containerPath[2];
 Container container = nmContext.getContainers().get(ContainerId
 .fromString(cId));
+ if (UserGroupInformation.isSecurityEnabled()) {
+ String user = new HadoopKerberosName(session.getUpgradeRequest()
+ .getUserPrincipal().getName()).getShortName();
+ boolean isAdmin = false;
+ if (nmContext.getApplicationACLsManager().areACLsEnabled()) {
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser(user);
+ isAdmin = nmContext.getApplicationACLsManager().isAdmin(ugi);
+ }
+ String containerUser = container.getUser();
+ if (!user.equals(containerUser) && !isAdmin) {
+ session.close(1008, "Forbidden");
+ }
+ }
 LOG.info(
 "Making interactive connection to running docker container with ID: "
 + cId);
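Review bot: `session.close(1008, "Forbidden")` does not end onConnect: after the close, control falls through to the "Making interactive connection" log line and to whatever follows it in the `try` body, so a caller who fails the owner/admin check still reaches the rest of the connect path. Add an early exit directly after the close, `session.close(1008, "Forbidden"); return;`, or throw so the surrounding handler sees the rejection (the first hunk newly imports `WebSocketException`, which none of the visible lines use, so that may be the intent). `session.getUpgradeRequest().getUserPrincipal().getName()` assumes authentication populated a principal; if it can be null on this path, the check fails with a NullPointerException instead of a clean 1008 close, so a null guard that closes with the same code would keep the failure mode explicit. The body of onConnect continues past the end of the hunk.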