[
https://issues.apache.org/jira/browse/KNOX-3257?focusedWorklogId=1006380&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1006380
]
ASF GitHub Bot logged work on KNOX-3257:
----------------------------------------
Author: ASF GitHub Bot
Created on: 20/Feb/26 14:17
Start Date: 20/Feb/26 14:17
Worklog Time Spent: 10m
Work Description: smolnar82 commented on PR #1151:
URL: https://github.com/apache/knox/pull/1151#issuecomment-3935111993
The use of a fixed GID and group-based access makes sense for
Helm/Kubernetes compatibility.
However, granting `g+rwx` on all directories under `home/knox` may be
broader than necessary.
Since the JIRA mentions keystore updates specifically, would it be safer to
restrict write permissions to the directories that actually need mutation
(e.g., `data/security/keystores`, possibly `conf`)?
This would better follow the principle of least privilege while preserving
the intended functionality.
Issue Time Tracking
-------------------
Worklog Id: (was: 1006380)
Time Spent: 0.5h (was: 20m)
> Update knox image creation so that we do not need escalated privileges in
> helm install
> ------------------------------------------------------------------------------------------
>
> Key: KNOX-3257
> URL: https://issues.apache.org/jira/browse/KNOX-3257
> Project: Apache Knox
> Issue Type: Bug
> Components: docker
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Currently knox docker images are created such that only the knox user has access
> to its files and directories. There are times when helm operations want to
> update the keystore, to add certs specifically; such operations need root
> privileges in helm (or use the exact knox UID which cannot be determined by
> helm container init). The proposed solution is to create a group "knox" with
> a specific GID and have all the knox specific dirs owned by this group.
> Then in helm we use that GID to perform operations.
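
The narrower grant suggested in the review comment, as an added example that is not part of the original message or of the Knox PR: group write is removed across the tree and then re-granted only on an allowlist, and a second function audits which directories remain group-writable. The function names are hypothetical, and the allowlist entries (`data/security/keystores`, `conf`) are the ones the comment names as candidates.

```shell
#!/bin/sh
# Added example, not code from the Knox repository.
# Assumption: the directories that need group write are passed as paths
# relative to the Knox home directory.

# restrict_group_write ROOT REL_DIR...
# Group keeps read/traverse everywhere, and write only inside the listed dirs.
restrict_group_write() {
    root=$1; shift
    # Validate the allowlist first so a typo does not leave the tree half-changed.
    for rel in "$@"; do
        [ -d "$root/$rel" ] || { echo "missing: $root/$rel" >&2; return 1; }
    done
    # Baseline: group may read and traverse, but not modify anything.
    chmod -R g+rX,g-w "$root"
    # Re-grant write only where mutation is expected (e.g. keystore updates).
    for rel in "$@"; do
        chmod -R g+rwX "$root/$rel"
    done
}

# list_group_writable_dirs ROOT
# Prints, sorted and relative to ROOT, every directory with the group-write bit.
list_group_writable_dirs() {
    (cd "$1" && find . -type d -perm -020 | sed 's|^\./||' | sort)
}
```

Running `list_group_writable_dirs` on the image's Knox home after the build step gives a list that can be compared against the intended allowlist; any extra entry is a directory the shared GID can modify without needing to.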