https://issues.apache.org/jira/browse/YARN-7430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16253831#comment-16253831
Eric Badger commented on YARN-7430:
-----------------------------------
Hey [~eyang], thanks for the updated explanation.
bq. This JIRA is focusing on a default setting that prevents unintended user to
gain extra root privileges even in a system that is configured for "simple" or
"Kerberos" security mode with Linux container executor.
I think this is the most important point. I'm +1 on making this the default
behavior because of security purposes. Especially since docker work has never
been documented as anything other than experimental. So this would go along
with my "secure by default" philosophy. Because of this, we don't need to
really consider breaking backwards compatibility as I was alluding to earlier.
However, it might be prudent to file a followup jira that helps solve the
"arbitrary docker image" problem. Otherwise, users will not be able to supply
their own arbitrary images with arbitrary users to run on the cluster. This
could be a mode where containers are run without any bind-mounting, 0
capabilities, etc. to ensure security. I'm not personally interested in this
use case, but if it's something that we hope to support, then we should at
least file the jira.
> User and Group mapping are incorrect in docker container
> --------------------------------------------------------
>
> Key: YARN-7430
> URL: https://issues.apache.org/jira/browse/YARN-7430
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: security, yarn
> Affects Versions: 2.9.0, 3.0.0
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Blocker
> Attachments: YARN-7430.001.patch, YARN-7430.png
>
>
> In YARN-4266, the recommendation was to use -u [uid]:[gid] numeric values to
> enforce user and group for the running user. In YARN-6623, this translated
> to --user=test --group-add=group1. The code no longer enforces the group
> correctly for the launched process.
> In addition, the implementation in YARN-6623 requires the user and group
> information to exist in the container to translate username and group to uid/gid.
> For users on LDAP, there is no good way to populate the container with user and
> group information.
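The two launch forms contrasted in the issue description, plus the restricted mode Eric Badger sketches above (no bind mounts, no capabilities), as an added illustration that is not code from YARN or from either commenter: the host-side user database, the user names and the `restricted_launch_args` helper are constructed for this example, and the refusal of uid/gid 0 is an assumed policy, not something the issue specifies.

```python
"""Numeric vs. name-based user mapping for a container launch (constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class HostUser:
    name: str
    uid: int
    gid: int                                  # primary group id
    supplementary_gids: Tuple[int, ...] = ()


# Constructed stand-in for the host's pwd/grp lookup or an LDAP directory.
HOST_USERS: Dict[str, HostUser] = {
    "test": HostUser("test", 1001, 1001, (2001, 2002)),
    "root": HostUser("root", 0, 0),
    "svc": HostUser("svc", 1500, 100, (0,)),  # member of gid 0 on the host
}


def name_based_args(username: str, groups: Sequence[str]) -> List[str]:
    """YARN-6623 form: names are resolved *inside* the image, so the image
    must carry matching /etc/passwd and /etc/group entries (absent for LDAP
    users), and the group is only as good as the image's own database."""
    return [f"--user={username}"] + [f"--group-add={g}" for g in groups]


def numeric_user_args(username: str, users=HOST_USERS) -> List[str]:
    """YARN-4266 form: uid:gid and supplementary gids resolved on the host
    and passed as numbers, so nothing inside the image is trusted or needed."""
    user = users.get(username)
    if user is None:
        raise KeyError(f"unknown host user: {username}")
    # Assumed policy: never let a resolved identity map onto uid/gid 0.
    if user.uid == 0 or user.gid == 0 or 0 in user.supplementary_gids:
        raise PermissionError(f"{username} resolves to a root id; refusing")
    args = [f"--user={user.uid}:{user.gid}"]
    args += [f"--group-add={gid}" for gid in user.supplementary_gids]
    return args


def restricted_launch_args(username: str) -> List[str]:
    """Hypothetical 'arbitrary image' mode from the comment: numeric identity,
    all capabilities dropped, no privilege escalation, and no -v bind mounts."""
    return numeric_user_args(username) + [
        "--cap-drop=ALL",
        "--security-opt=no-new-privileges",
    ]
```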