[
https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16251805#comment-16251805
]
Eric Yang edited comment on YARN-7430 at 11/14/17 5:40 PM:
-----------------------------------------------------------
[~ebadger] IT infrastructure keeps the entire company's user credential
consistent through the usage of LDAP/AD servers with uniformed uid:gid to
ensure there is no security inconsistency. From that point of view, it is
important to keep uid:gid uniformed. In the docker world, if someone runs a
Ubuntu image on a RedHat Host OS cluster, all system default accounts inside
Ubuntu image have different uid:gid numbers. Typical reaction from system
admin is to secure the container by configuring LDAP/sssd in the container, or
ban docker container to mount external file system all together.
If someone is allowing jobs in the mix uid:gid environment without taking the
effort to manage user uid/gid, they are inherently running insecured
environment. I don't think anyone would support their system being insecure
for the sake of backward compatibility.
was (Author: eyang):
[~ebadger] IT infrastructure keeps the entire company's user credential
consistent through the usage of LDAP/AD servers with uniformed uid:gid to
ensure there is no security inconsistency. From that point of view, it is
important to keep uid:gid uniformed. In the docker world, if someone runs a
Ubuntu image on a RedHat Host OS cluster, all system default accounts inside
Ubuntu image have different uid:gid numbers. Typical reaction from system
admin is to secure the container by configuring LDAP/sssd in the container, or
ban docker container to mount external file system all together.
If someone is allowing jobs in the mix uid:gid environment without taking the
effort to manage user uid/gid, they are inherently running on a insecured
environment. I don't think anyone would support their system being insecure
for the sake of backward compatibility.
> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
> Key: YARN-7430
> URL: https://issues.apache.org/jira/browse/YARN-7430
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: security, yarn
> Affects Versions: 2.9.0, 3.0.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Blocker
> Attachments: YARN-7430.001.patch, YARN-7430.png
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to
> enforce user and group for the running user. In YARN-6623, this translated
> to --user=test --group-add=group1. The code no longer enforce group
> correctly for launched process.
> In addition, the implementation in YARN-6623 requires the user and group
> information to exist in container to translate username and group to uid/gid.
> For users on LDAP, there is no good way to populate container with user and
> group information.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
