hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (YARN-7430) User and Group mapping are incorrect in docker container
Date Tue, 14 Nov 2017 17:41:01 GMT

    [ https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16251805#comment-16251805
] 

Eric Yang edited comment on YARN-7430 at 11/14/17 5:40 PM:
-----------------------------------------------------------

[~ebadger] IT infrastructure keeps the entire company's user credential consistent through
the usage of LDAP/AD servers with uniformed uid:gid to ensure there is no security inconsistency.
 From that point of view, it is important to keep uid:gid uniformed.  In the docker world,
if someone runs a Ubuntu image on a RedHat Host OS cluster, all system default accounts inside
Ubuntu image have different uid:gid numbers.  Typical reaction from system admin is to secure
the container by configuring LDAP/sssd in the container, or ban docker container to mount
external file system all together.

If someone is allowing jobs in the mix uid:gid environment without taking the effort to manage
user uid/gid, they are inherently running insecured environment.  I don't think anyone would
support their system being insecure for the sake of backward compatibility.


was (Author: eyang):
[~ebadger] IT infrastructure keeps the entire company's user credential consistent through
the usage of LDAP/AD servers with uniformed uid:gid to ensure there is no security inconsistency.
 From that point of view, it is important to keep uid:gid uniformed.  In the docker world,
if someone runs a Ubuntu image on a RedHat Host OS cluster, all system default accounts inside
Ubuntu image have different uid:gid numbers.  Typical reaction from system admin is to secure
the container by configuring LDAP/sssd in the container, or ban docker container to mount
external file system all together.

If someone is allowing jobs in the mix uid:gid environment without taking the effort to manage
user uid/gid, they are inherently running on a insecured environment.  I don't think anyone
would support their system being insecure for the sake of backward compatibility.

> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
>                 Key: YARN-7430
>                 URL: https://issues.apache.org/jira/browse/YARN-7430
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: security, yarn
>    Affects Versions: 2.9.0, 3.0.0
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Blocker
>         Attachments: YARN-7430.001.patch, YARN-7430.png
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to enforce
user and group for the running user.  In YARN-6623, this translated to --user=test --group-add=group1.
 The code no longer enforce group correctly for launched process.  
> In addition, the implementation in YARN-6623 requires the user and group information
to exist in container to translate username and group to uid/gid.  For users on LDAP, there
is no good way to populate container with user and group information. 



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message