commit 8a22bd4faa75c9dc146a60df0a199994b8bbb670 Author: Eric Yang Date: Mon Oct 29 18:28:48 2018 -0400 YARN-8838. Added security check for interactive shell login. Contributed by Eric Yang diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/YarnClientImpl.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/YarnClientImpl.java index 36ae005..4a47cca 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/YarnClientImpl.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/YarnClientImpl.java @@ -1037,6 +1037,10 @@ public void shellToContainer(ContainerId containerId, WebSocketClient client = new WebSocketClient(); URI uri = URI.create(protocol + host + ":" + port + "/container/" + containerId); + if (!UserGroupInformation.isSecurityEnabled()) { + uri = URI.create(protocol + host + ":" + port + "/container/" + + containerId + "?user.name=" + System.getProperty("user.name")); + } try { client.start(); // The socket that receives events diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java index 4d74a14..4a4ec15 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java @@ -35,6 +35,8 @@ import org.eclipse.jetty.websocket.api.annotations.OnWebSocketMessage; import org.eclipse.jetty.websocket.api.annotations.WebSocket; import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair; +import org.apache.hadoop.security.HadoopKerberosName; +import org.apache.hadoop.security.UserGroupInformation; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -92,14 +94,16 @@ public void onText(Session session, String message) throws IOException { @OnWebSocketConnect public void onConnect(Session session) { - LOG.info(session.getRemoteAddress().getHostString() + " connected!"); - try { URI containerURI = session.getUpgradeRequest().getRequestURI(); String[] containerPath = containerURI.getPath().split("/"); String cId = containerPath[2]; Container container = nmContext.getContainers().get(ContainerId .fromString(cId)); + if (!checkAuthorization(session, container)) { + session.close(1008, "Forbidden"); + } + LOG.info(session.getRemoteAddress().getHostString() + " connected!"); LOG.info( "Making interactive connection to running docker container with ID: " + cId); @@ -126,4 +130,29 @@ public void onClose(Session session, int status, String reason) { } } + /** + * Check if user is authorized to access container. + * @param session websocket session + * @param container instance of container to access + * @return true if user is allowed to access container. + * @throws IOException + */ + protected boolean checkAuthorization(Session session, Container container) + throws IOException { + boolean authorized = true; + if (UserGroupInformation.isSecurityEnabled()) { + String user = new HadoopKerberosName(session.getUpgradeRequest() + .getUserPrincipal().getName()).getShortName(); + boolean isAdmin = false; + if (nmContext.getApplicationACLsManager().areACLsEnabled()) { + UserGroupInformation ugi = UserGroupInformation.createRemoteUser(user); + isAdmin = nmContext.getApplicationACLsManager().isAdmin(ugi); + } + String containerUser = container.getUser(); + if (!user.equals(containerUser) && !isAdmin) { + authorized = false; + } + } + return authorized; + } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMContainerWebSocket.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMContainerWebSocket.java index 50042f0..c0c5c3d 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMContainerWebSocket.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/test/java/org/apache/hadoop/yarn/server/nodemanager/webapp/TestNMContainerWebSocket.java @@ -27,16 +27,19 @@ import org.apache.hadoop.yarn.server.nodemanager.NodeHealthCheckerService; import org.apache.hadoop.yarn.server.nodemanager.NodeManager; import org.apache.hadoop.yarn.server.nodemanager.ResourceView; +import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container; import org.apache.hadoop.yarn.server.security.ApplicationACLsManager; import org.eclipse.jetty.websocket.api.Session; import org.eclipse.jetty.websocket.client.WebSocketClient; import org.junit.After; +import org.junit.Assert; import org.junit.Before; import org.junit.Test; import org.slf4j.Logger; import org.slf4j.LoggerFactory; - +import static org.mockito.Mockito.*; import java.io.File; +import java.io.IOException; import java.net.URI; import java.util.concurrent.Future; @@ -51,6 +54,7 @@ TestNMWebServer.class.getSimpleName()); private static File testLogDir = new File("target", TestNMWebServer.class.getSimpleName() + "LogDir"); + private WebServer server; @Before public void setup() { @@ -101,7 +105,7 @@ public boolean isPmemCheckEnabled() { healthChecker.init(conf); LocalDirsHandlerService dirsHandler = healthChecker.getDiskHandler(); conf.set(YarnConfiguration.NM_WEBAPP_ADDRESS, webAddr); - WebServer server = new WebServer(nmContext, resourceView, + server = new WebServer(nmContext, resourceView, new ApplicationACLsManager(conf), dirsHandler); try { server.init(conf); @@ -141,9 +145,25 @@ public void testWebServerWithServlet() { } finally { try { client.stop(); + server.close(); } catch (Exception e) { LOG.error("Failed to close client", e); } } } + + @Test + public void testContainerShellWebSocket() { + Context nm = mock(Context.class); + Session session = mock(Session.class); + Container container = mock(Container.class); + ContainerShellWebSocket.init(nm); + ContainerShellWebSocket ws = new ContainerShellWebSocket(); + try { + boolean authorized = ws.checkAuthorization(session, container); + Assert.assertTrue("Not authorized", authorized); + } catch (IOException e) { + Assert.fail("Should not throw exception."); + } + } }