[ https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16244970#comment-16244970 ]
Eric Yang commented on YARN-7430: --------------------------------- [~ebadger] They are two separate problems. A lot of conversation here belongs to YARN-7446. This issue is to tackle the problem that we have a implicit privilege escalation security hole in the default shipped configuration when the following condition is met: # Privileged container is enabled. # Deploy docker container with user mapping to a different uid:gid than host OS, or using a numeric username to launch app. # Data output from container is written with as someone else or root group. In summary, to prevent privileges escalation, we should always pass in primary group to improve security. > User and Group mapping are incorrect in docker container > -------------------------------------------------------- > > Key: YARN-7430 > URL: https://issues.apache.org/jira/browse/YARN-7430 > Project: Hadoop YARN > Issue Type: Sub-task > Components: security, yarn > Affects Versions: 2.9.0, 3.0.0 > Reporter: Eric Yang > Assignee: Eric Yang > Priority: Blocker > Attachments: YARN-7430.001.patch > > > In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to > enforce user and group for the running user. In YARN-6623, this translated > to --user=test --group-add=group1. The code no longer enforce group > correctly for launched process. > In addition, the implementation in YARN-6623 requires the user and group > information to exist in container to translate username and group to uid/gid. > For users on LDAP, there is no good way to populate container with user and > group information. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org