[ 
https://issues.apache.org/jira/browse/YARN-8520?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16568683#comment-16568683
 ] 

Shane Kumpf commented on YARN-8520:
-----------------------------------

Thanks for the patch [~eyang]! Sorry for the delayed review on this. I think 
user management is an important topic, so I'm glad to see additional 
documentation. I've got a few comments:

1) In the "Docker images requirements" section, we call out the requirement 
that the UID must match between the NM host and image. It would be good to add 
a link in the "Docker images requirements" section to the "User Management in 
Docker Container" section to guide the image builder towards the various ways 
to handle users and groups with containers.

2) SSSD is one option for handling this but there are others. SSSD is not 
necessarily a requirement for YARN containerization either, which isn't clear 
here to a novice. I think it would be good to expand on the /etc/passwd and 
/etc/shadow option (defining users and groups statically in the image) you 
mention as an alternative to SSSD. nscd and user namespacing could be 
additional alternatives we list in the future.

3) "YARN Docker container support launches container with uid:gid identity." - 
I think this is an important item to highlight and could use some more detail. 
Maybe call out again that it is the uid:gid identity as known by the 
NodeManager host. Also what uid:gid is used in which security mode would be 
helpful to those new to YARN that want to try containerization (e.g. In secure 
mode it is the submitting user, in unsecure mode see [Cgroups and 
Security|https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/NodeManagerCgroups.html]).
 

> Document best practice for user management
> ------------------------------------------
>
>                 Key: YARN-8520
>                 URL: https://issues.apache.org/jira/browse/YARN-8520
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: documentation, yarn
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-8520.001.patch
>
>
> Docker container must have consistent username and groups with host operating 
> system when external mount points are exposed to docker container.  This 
> prevents malicious or unauthorized impersonation to occur.  This task is to 
> document the best practice to ensure user and group membership are consistent 
> across docker containers.
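The following script is an added illustration of the consistency requirement discussed above (the UID must match between the NodeManager host and the image, and the container is launched with the host's uid:gid identity). It is not part of the YARN-8520 patch or the Hadoop documentation. It compares a copy of the host's /etc/passwd with a copy taken from the image and reports every host user whose name is missing from the image, resolves to different ids, or whose uid has been reused for a different name. How the image copy is obtained is left to the operator (for instance by running the image and printing its /etc/passwd); the sample data at the bottom is constructed for the demo and does not describe any real host.

```shell
#!/bin/sh
# Added example for YARN-8520 (not part of the issue's patch or the Hadoop docs):
# compare how usernames resolve on the NodeManager host versus inside a
# container image, using copies of each side's /etc/passwd, so that an image
# whose uid:gid assignments drift from the host is caught before a container
# launched as the host's uid:gid touches a bind-mounted directory.
#
# Assumptions: both files are in the standard 7-field passwd format and the
# image copy is non-empty; obtaining the image copy is outside this script
# (hypothetical: `docker run --rm IMAGE cat /etc/passwd > image.passwd`).

# passwd_uid_mismatches HOST_PASSWD IMAGE_PASSWD
# Prints one line per problem found, per host user:
#   NAME host=UID:GID image=UID:GID          same name, different ids
#   NAME host=UID:GID image=missing          name absent from the image
#   NAME uid UID belongs to OTHER in image   host uid reused for another name
# Prints nothing when every host user resolves identically in the image.
passwd_uid_mismatches() {
  awk -F: '
    # First file (image): remember ids by name and names by uid.
    NR == FNR { img[$1] = $3 ":" $4; byuid[$3] = $1; next }
    # Second file (host): compare each user against the image.
    {
      key = $3 ":" $4
      if (!($1 in img)) {
        print $1 " host=" key " image=missing"
        if ($3 in byuid) print $1 " uid " $3 " belongs to " byuid[$3] " in image"
      } else if (img[$1] != key) {
        print $1 " host=" key " image=" img[$1]
      }
    }
  ' "$2" "$1"
}

# demo_mismatches: runs the check on constructed sample data (no real hosts).
# The image below has "alice" missing (her uid 1000 taken by "builder") and
# "yarn" created with a different uid than the host uses.
demo_mismatches() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/host.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
hadoop:x:1500:1500:Hadoop:/var/lib/hadoop:/bin/bash
yarn:x:1501:1500:YARN:/var/lib/yarn:/bin/bash
EOF
  cat > "$dir/image.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
builder:x:1000:1000:builder:/home/builder:/bin/sh
hadoop:x:1500:1500:Hadoop:/home/hadoop:/bin/sh
yarn:x:1600:1500:YARN:/home/yarn:/bin/sh
EOF
  passwd_uid_mismatches "$dir/host.passwd" "$dir/image.passwd"
  rm -rf "$dir"
}

demo_mismatches
```

Running the script prints three lines for the constructed sample: alice is missing from the image, her uid 1000 is held by builder there, and yarn is 1501:1500 on the host but 1600:1500 in the image. An empty result is the state the documentation asks for: every host user the NodeManager may launch as resolves to the same ids inside the image, so files written to bind mounts carry the expected owner on the host.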



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
