[https://issues.apache.org/jira/browse/HDDS-1712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16889399#comment-16889399]
Eric Yang commented on HDDS-1712:
---------------------------------
[~anu] {quote}Case in point when you told me that Ozone is full of findbugs
issues and checkstyle issues. When I asked you to compare with Hadoop you ran
away, because like this it was blatantly false.{quote}
With regard to Findbugs issues, Hadoop does not require the Findbugs jar file on
the classpath at runtime. Most of Hadoop's Findbugs exclusions were to deal with
object serialization generated by protobuf codegen. The bugs were flagged
manually because of codegen and unfortunate compatibility reasons with keeping
up with FSImage mutations. They are only used as a last resort. Ozone uses
annotations to suppress Findbugs rather quickly, and the bugs are not at the same
level as those that are hard to solve in Hadoop. The usage is very different.
Why is having Findbugs on the classpath not good? Findbugs depends on an older
XML parser, which has CVE vulnerabilities. If we don't need the jar file on the
classpath, please remove it from the runtime. It is hard to identify how people
would misuse vulnerabilities when a collection of them is hidden in the
software. Due diligence would help to keep security bugs down. I offered the
patches, and Marton said it's good to fix them. Whether you accept or reject the
patches is your choice. If you allow sudo in the container, you will only end up
with more code that does remote root download and execution at runtime. This
makes Ozone more unpredictable and dangerous. It will be hard to clean up later.
> Remove sudo access from Ozone docker image
> ------------------------------------------
>
> Key: HDDS-1712
> URL: https://issues.apache.org/jira/browse/HDDS-1712
> Project: Hadoop Distributed Data Store
> Issue Type: Bug
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Labels: pull-request-available
> Attachments: HDDS-1712.001.hadoop-docker-ozone.patch,
> HDDS-1712.001.patch, HDDS-1712.002.patch
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> The Ozone docker image gives unlimited sudo access to the hadoop user. This
> poses a security risk where a host-level user with uid 1000 can attach a
> debugger to the container process to obtain root access.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
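Added example, not code from the ticket's patches or the Ozone repository: a POSIX shell audit for the sudoers misconfiguration the ticket describes, run against an unpacked container root filesystem. It assumes the image has been exported to a directory (for instance `docker create` followed by `docker export ... | tar -x -C rootfs`); the `hadoop` user name comes from the ticket, and the three demo layouts and their rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Ozone project): find sudoers rules in an unpacked
# container rootfs that hand a non-root principal unrestricted root, i.e. the
# "unlimited sudo access to hadoop user" misconfiguration reported in HDDS-1712.
# The rootfs trees built by make_demo_rootfs are constructed for illustration.

# Print every rule under ROOTFS/etc/sudoers and ROOTFS/etc/sudoers.d/ that
# grants a principal other than root "ALL=(ALL[:ALL]) [NOPASSWD:] ALL".
# Returns 1 if at least one such rule exists, 0 if the tree is clean.
find_unrestricted_sudo() {
  rootfs=$1
  found=0
  for f in "$rootfs/etc/sudoers" "$rootfs"/etc/sudoers.d/*; do
    [ -f "$f" ] || continue
    # Drop comment lines (this also drops #include/#includedir directives),
    # keep rules of the form  <user|%group> ALL=(ALL[:ALL]) [NOPASSWD:] ALL
    # and ignore the conventional "root ALL=(ALL) ALL" line.
    matches=$(grep -Ev '^[[:space:]]*#' "$f" \
      | grep -E '^[[:space:]]*[^[:space:]]+[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)[[:space:]]*(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$' \
      | grep -Ev '^[[:space:]]*root[[:space:]]' || true)
    if [ -n "$matches" ]; then
      found=1
      printf '%s: %s\n' "$f" "$matches"
    fi
  done
  return $found
}

# Build a constructed demo rootfs under BASE and print its path.
#   unlimited - the rule the ticket objects to (assumed form, not the real file)
#   scoped    - sudo kept, but only for one privileged command
#   clean     - no sudoers rule at all, i.e. sudo removed from the image
make_demo_rootfs() {
  base=$1
  kind=$2
  dir="$base/$kind"
  mkdir -p "$dir/etc/sudoers.d"
  case "$kind" in
    unlimited)
      printf 'hadoop ALL=(ALL) NOPASSWD:ALL\n' > "$dir/etc/sudoers.d/hadoop" ;;
    scoped)
      printf '# only the one privileged step the entrypoint needs\n' > "$dir/etc/sudoers.d/hadoop"
      printf 'hadoop ALL=(root) NOPASSWD: /bin/chown -R hadoop /data\n' >> "$dir/etc/sudoers.d/hadoop" ;;
    clean)
      ;;
  esac
  printf '%s\n' "$dir"
}

# Stand-alone demo: audit the three constructed layouts and report each one.
demo() {
  base=$(mktemp -d)
  for kind in unlimited scoped clean; do
    dir=$(make_demo_rootfs "$base" "$kind")
    printf '== %s ==\n' "$kind"
    if find_unrestricted_sudo "$dir"; then
      echo "ok: no unrestricted sudo grant"
    else
      echo "FAIL: unrestricted sudo grant found"
    fi
  done
  rm -rf "$base"
}
demo
```

Two caveats when using this on a real image: the check is textual, so a `%sudo ALL=(ALL:ALL) ALL` group rule is flagged regardless of whether the image's user is actually in that group (check `etc/group` separately), and a rule that names a shell or an interpreter as its single allowed command is effectively unrestricted but is not matched here. The simplest way to pass the audit is the one the ticket proposes: no sudo in the image at all.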