potiuk commented on pull request #17170: URL: https://github.com/apache/airflow/pull/17170#issuecomment-885169362
Such arbitrary user has to be able to write to certain directories that needs write access, and since it is not advised to allow write access to “other” for security reasons, the OpenShift guidelines introduced the concept of making all such folders have the 0 (root) group id (GID). All the directories that need write access in the Airflow production image have GID set to 0 (and they are writable for the group). We are following that concept and all the directories that need write access follow that. The GID=0 is set as default for the airflow user, so any directories it creates have GID set to 0 by default. The entrypoint sets umask to be 0002 - this means that any directories created by the user have also “group write” access for group 0 - they will be writable by other users with root group. Also whenever any “arbitrary” user creates a folder (for example in a mounted volume), that folder will have a “group write” access and GID=0, so that execution with another, arbitrary user will still continue to work, even if such directory is mounted by another arbitrary user later. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
