[
https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16237891#comment-16237891
]
Eric Yang commented on YARN-7430:
---------------------------------
[~vvasudev] Sorry, raise this as a blocker. Anyone can become root user
without setting primary effective group, when privileged container is enabled
using YARN-6623 code logic.
Without explicitly set effective group, the run command is similar to this:
{code}
[root@eyang-1 bin]# docker run -it --user 501 --group-add 502 centos:latest bash
bash-4.2$ id
uid=501 gid=0(root) groups=0(root),502
bash-4.2$ exit
{code}
With effective group set, then run command looks like this:
{code}
[root@eyang-1 bin]# docker run -it --user 501:502 centos:latest bash
bash-4.2$ id
uid=501 gid=502 groups=502
bash-4.2$ exit
{code}
> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
> Key: YARN-7430
> URL: https://issues.apache.org/jira/browse/YARN-7430
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security, yarn
> Affects Versions: 2.9.0, 3.0.0
> Reporter: Eric Yang
> Assignee: Varun Vasudev
> Priority: Blocker
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to
> enforce user and group for the running user. In YARN-6623, this translated
> to --user=test --group-add=group1. The code no longer enforce group
> correctly for launched process.
> In addition, the implementation in YARN-6623 requires the user and group
> information to exist in container to translate username and group to uid/gid.
> For users on LDAP, there is no good way to populate container with user and
> group information.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
