Skip to content

STORM-4057 - Validate user with the id cmd #3640

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 13, 2024
Merged

STORM-4057 - Validate user with the id cmd #3640

merged 1 commit into from
Jun 13, 2024

Conversation

steveclark72
Copy link
Contributor

What is the purpose of the change

Validate the user associated with the id command for scenarios where the user running Storm in a container is not listed in the /etc/passwd file when a Worker process is to be terminated, e.g. with a custom securityContext in Kubernetes:

  securityContext:
    runAsUser: 1000620005
    fsGroup: 1000620005
    supplementalGroups: [ 64000 ]

Without this change the Supervisor container itself dies rather than terminating the Worker process.

How was the change tested

I have tested the change locally running a Kubernetes cluster with this fix in place. The Worker process is successfully terminated and the Supervisor container does not die.

@rzo1 rzo1 requested a review from jnioche June 7, 2024 17:21
@rzo1 rzo1 changed the title Validate user with the id cmd STORM-4057 - Validate user with the id cmd Jun 7, 2024
bipinprasad
bipinprasad reviewed Jun 8, 2024
View reviewed changes
storm-server/src/main/java/org/apache/storm/utils/ServerUtils.java
LOG.debug("CMD: '{}' returned exit code of {}", String.join(" ", cmdArgs), exitCode);
cmdArgs.remove(user);
}
}
}
LOG.debug("CMD: {}", String.join(" ", cmdArgs));
ProcessBuilder pb = new ProcessBuilder(cmdArgs);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still need this?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think so, yes. The first call is actually a test, if the user actually exist on the system (otherwise the parsing of the 2nd call would fail).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The first call is a test. Whilst this code isn't optimal in terms of the number of OS calls being made, it keeps disruption to the current implementation to a minimum.

@jnioche jnioche merged commit bd9c38a into apache:master Jun 13, 2024
18 checks passed
@jnioche
Copy link
Contributor

jnioche commented Jun 13, 2024

thanks @steveclark72

@jnioche jnioche assigned jnioche and unassigned jnioche Jun 13, 2024
@jnioche jnioche added the bug label Jun 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rzo1 rzo1 rzo1 approved these changes

@jnioche jnioche jnioche approved these changes

@bipinprasad bipinprasad bipinprasad approved these changes

Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@steveclark72 @jnioche @bipinprasad @rzo1