[
https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16250242#comment-16250242
]
Eric Yang commented on YARN-7430:
---------------------------------
[[email protected]]
{quote}
I'm concerned that we are changing behavior without needing to. The two forms
of docker run we use don't appear to have the missing primary group issue. Can
you clarify where you are seeing that form in the code base or how this issue
occurs?
{quote}
Try this command on existing code base:
{code}
# docker run -it --user 12345 centos:latest id
uid=12345 gid=0(root) groups=0(root)
{code}
User 12345 shouldn't belong to the root group, but it has been given root group
privileges in the container. There are customers out there that utilized the uid
number as their user account. Any numeric user is given root group privileges
automatically. This shouldn't be happening.
> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
> Key: YARN-7430
> URL: https://issues.apache.org/jira/browse/YARN-7430
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: security, yarn
> Affects Versions: 2.9.0, 3.0.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Blocker
> Attachments: YARN-7430.001.patch
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to
> enforce user and group for the running user. In YARN-6623, this translated
> to --user=test --group-add=group1. The code no longer enforces the group
> correctly for the launched process.
> In addition, the implementation in YARN-6623 requires the user and group
> information to exist in the container to translate username and group to uid/gid.
> For users on LDAP, there is no good way to populate the container with user and
> group information.
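The numeric `-u [uid]:[gid]` form recommended in YARN-4266, and a check for the `id` output shown in the comment, as an added example that is not part of the original message or of YARN-7430.001.patch. The helper names `docker_user_args` and `root_group_leak` are hypothetical, and the example assumes the host (not the image) can resolve the user, for instance through LDAP-backed NSS.

```shell
#!/bin/sh
# Added example (not from the YARN code base).

# docker_user_args USER
# Resolve USER on the host and print explicit numeric identity flags for
# `docker run`, so the image does not need a passwd/group entry for the user.
docker_user_args() {
    user=$1
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    args="--user ${uid}:${gid}"
    # Supplementary groups as numeric gids; the primary gid is already set.
    for g in $(id -G "$user"); do
        [ "$g" = "$gid" ] && continue
        args="$args --group-add $g"
    done
    printf '%s\n' "$args"
}

# root_group_leak "ID_OUTPUT"
# Returns 0 when a line of `id` output shows a non-root uid holding gid 0
# as primary or supplementary group, 1 otherwise.
root_group_leak() {
    line=$1
    uid=$(printf '%s\n' "$line" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p')
    gid=$(printf '%s\n' "$line" | sed -n 's/.* gid=\([0-9][0-9]*\).*/\1/p')
    groups=$(printf '%s\n' "$line" | sed -n 's/.* groups=\(.*\)$/\1/p')
    [ -n "$uid" ] && [ "$uid" != "0" ] || return 1
    [ "$gid" = "0" ] && return 0
    # groups is a comma-separated list of "gid" or "gid(name)" entries.
    old_ifs=$IFS; IFS=,
    for entry in $groups; do
        case ${entry%%\(*} in 0) IFS=$old_ifs; return 0 ;; esac
    done
    IFS=$old_ifs
    return 1
}
```

The output of `docker_user_args` is meant to be spliced into the `docker run` command line, and `root_group_leak` can be fed the result of running `id` inside the launched container.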