commit 0b236718a66a2b10fbc0d77fc31f9c32c9c7a928 Author: Eric Yang Date: Thu Dec 13 20:09:21 2018 -0500 YARN-9117. Add a check for insecure setup for container terminal. Contributed by Eric Yang diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java index 7202ab9..4f265d8 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/webapp/ContainerShellWebSocket.java @@ -28,6 +28,7 @@ import org.apache.hadoop.classification.InterfaceStability; import org.apache.hadoop.yarn.api.records.ContainerId; import org.apache.hadoop.yarn.api.records.ShellContainerCommand; +import org.apache.hadoop.yarn.conf.YarnConfiguration; import org.apache.hadoop.yarn.server.nodemanager.Context; import org.apache.hadoop.yarn.server.nodemanager.ContainerExecutor; import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container; @@ -115,6 +116,10 @@ public void onConnect(Session session) { session.close(1008, "Forbidden"); return; } + if (checkInsecureSetup()) { + session.close(1003, "Nonsecure mode is unsupported."); + return; + } LOG.info(session.getRemoteAddress().getHostString() + " connected!"); LOG.info( "Making interactive connection to running docker container with ID: " @@ -180,4 +185,14 @@ protected boolean checkAuthorization(Session session, Container container) } return authorized; } + + private boolean checkInsecureSetup() { + boolean kerberos = UserGroupInformation.isSecurityEnabled(); + boolean limitUsers = nmContext.getConf() + .getBoolean(YarnConfiguration.NM_NONSECURE_MODE_LIMIT_USERS, true); + if (kerberos) { + return false; + } + return limitUsers; + } } diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template index 4bff794..db32a27 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/resources/TERMINAL/terminal.template @@ -104,6 +104,9 @@ case 1001: term.write('Remote Connection going away.'); break; + case 1003: + term.write('Nonsecure mode is unsupported.'); + break; } }); term.open(container);