[
https://issues.apache.org/jira/browse/YARN-7221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16348882#comment-16348882
]
Eric Badger commented on YARN-7221:
-----------------------------------
bq. I'll just point out that In many organization the Hadoop administrators are
not the same group that has access to manage sudo rules. Enforcing this will
make it very challenging and time consuming to use this feature in some
clusters.
This is certainly true and it could/would be a pain to set this up if the
relevant users were not already in the sudoers list. However, from the opposite
perspective, it would also be bad for users to be granted sudo access when the
administrators did not grant that privilege to them. This is 100% a
conversation about usability vs. security in my mind. I tend to lean in the
direction of secure by default with options to relax those constraints to
increase usability. It's ugly, but an idea could be to have different
configurable mechanisms to check for privileged users. One could be the sudo
check and a different one could be a container-executor.cfg privileged user
list check. I'm not sure if I would even support this, but it's an idea of how
to make both of these scenarios work.
> Add security check for privileged docker container
> --------------------------------------------------
>
> Key: YARN-7221
> URL: https://issues.apache.org/jira/browse/YARN-7221
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Eric Yang
> Assignee: Eric Yang
> Priority: Major
> Attachments: YARN-7221.001.patch, YARN-7221.002.patch
>
>
> When a docker is running with privileges, majority of the use case is to have
> some program running with root then drop privileges to another user. i.e.
> httpd to start with privileged and bind to port 80, then drop privileges to
> www user.
> # We should add security check for submitting users, to verify they have
> "sudo" access to run privileged container.
> # We should remove --user=uid:gid for privileged containers.
>
> Docker can be launched with --privileged=true, and --user=uid:gid flag. With
> this parameter combinations, user will not have access to become root user.
> All docker exec command will be drop to uid:gid user to run instead of
> granting privileges. User can gain root privileges if container file system
> contains files that give user extra power, but this type of image is
> considered as dangerous. Non-privileged user can launch container with
> special bits to acquire same level of root power. Hence, we lose control of
> which image should be run with --privileges, and who have sudo rights to use
> privileged container images. As the result, we should check for sudo access
> then decide to parameterize --privileged=true OR --user=uid:gid. This will
> avoid leading developer down the wrong path.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
