[ https://issues.apache.org/jira/browse/YARN-8520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16568683#comment-16568683 ]
Shane Kumpf commented on YARN-8520:
-----------------------------------

Thanks for the patch [~eyang]! Sorry for the delayed review on this. I think user management is an important topic, so I'm glad to see additional documentation. I've got a few comments:

1) In the "Docker images requirements" section, we call out the requirement that the UID must match between the NM host and image. It would be good to add a link in the "Docker images requirements" section to the "User Management in Docker Container" section to guide the image builder towards the various ways to handle users and groups with containers.

2) SSSD is one option for handling this but there are others. SSSD is not necessarily a requirement for YARN containerization either, which isn't clear here to a novice. I think it would be good to expand on the /etc/passwd and /etc/shadow option (defining users and groups statically in the image) you mention as an alternative to SSSD. nscd and user namespacing could be additional alternatives we list in the future.

3) "YARN Docker container support launches container with uid:gid identity." - I think this is an important item to highlight and could use some more detail. Maybe call out again that it is the uid:gid identity as known by the NodeManager host. Also what uid:gid is used in which security mode would be helpful to those new to YARN that want to try containerization (e.g. in secure mode it is the submitting user, in unsecure mode see [Cgroups and Security|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/NodeManagerCgroups.html]).
> Document best practice for user management
> ------------------------------------------
>
>                 Key: YARN-8520
>                 URL: https://issues.apache.org/jira/browse/YARN-8520
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: documentation, yarn
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-8520.001.patch
>
>
> Docker container must have consistent username and groups with host operating
> system when external mount points are exposed to docker container. This
> prevents malicious or unauthorized impersonation from occurring. This task is to
> document the best practice to ensure user and group membership are consistent
> across docker containers.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
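The check that the comment above asks the documentation to spell out (the uid:gid the NodeManager host resolves for a user must be the uid:gid the image resolves for the same name, otherwise a task writing to a bind-mounted host path does so as a different host identity) can be scripted. The script below is an added example, not part of the YARN-8520 patch or the Hadoop documentation. It assumes `docker` is on PATH, that `getent` exists inside the image (true for glibc-based images, and with SSSD configured in the image `getent` also returns SSSD-provided users that are not in `/etc/passwd`), and the user name `hdfs` and image name in the comment are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the YARN patch or docs): verify that a user's uid:gid
# on the NodeManager host matches that user's uid:gid inside the Docker image
# YARN would launch for them.

# passwd_uid_gid LINE
#   Print "uid:gid" from a passwd(5) line such as
#   "hdfs:x:1001:1001::/home/hdfs:/bin/bash". Prints nothing for an empty or
#   malformed line.
passwd_uid_gid() {
  printf '%s\n' "$1" | awk -F: 'NR == 1 && NF >= 4 { print $3 ":" $4 }'
}

# compare_entries HOST_LINE IMAGE_LINE
#   0 when both lines carry the same uid:gid,
#   1 when they differ (files the task writes on a bind mount would be owned
#     by a different host user or group: the impersonation risk),
#   2 when either side is empty or malformed (the name does not resolve there).
compare_entries() {
  host_id=$(passwd_uid_gid "$1")
  image_id=$(passwd_uid_gid "$2")
  if [ -z "$host_id" ] || [ -z "$image_id" ]; then
    return 2
  fi
  [ "$host_id" = "$image_id" ]
}

# check_user USER IMAGE
#   Resolve USER on the host and inside IMAGE, print a verdict, and return the
#   compare_entries status. Assumption: docker is on PATH and getent is present
#   in the image (hypothetical image name in the usage comment below).
check_user() {
  user=$1
  image=$2
  host_line=$(getent passwd "$user" || true)
  image_line=$(docker run --rm --entrypoint getent "$image" passwd "$user" || true)
  rc=0
  compare_entries "$host_line" "$image_line" || rc=$?
  case $rc in
    0) echo "OK: $user is $(passwd_uid_gid "$host_line") on host and in $image" ;;
    1) echo "MISMATCH: $user is $(passwd_uid_gid "$host_line") on host but $(passwd_uid_gid "$image_line") in $image" ;;
    *) echo "MISSING: $user does not resolve on host or in $image (host='$host_line' image='$image_line')" ;;
  esac
  return $rc
}

# Usage (needs docker; the image name is hypothetical):
#   check_user hdfs my-registry/hadoop-runtime:latest
```

For the "static /etc/passwd" alternative the comment mentions, the image builder makes this check pass by creating the account in the Dockerfile with the host's numeric ids (for example `groupadd -g 1001 hdfs && useradd -u 1001 -g 1001 hdfs` on a glibc-based image) rather than letting `useradd` pick the next free id, since it is the numbers, not the names, that the kernel applies to the bind mount.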