Security Considerations for the PACC
This section describes key considerations for using Docker containers with secure and non-secure clusters.
Secure Clusters
Docker containers, like other virtualization technologies, allow client access from user identities that are not controlled by central IT. As a result, these technologies can be problematic when used with clusters that are not secure (where trust is based on trusting the client). Therefore, HPE suggests that you use secure clusters with PACCs.
PACCs, and applications built from them, are launched with a ticket that contains the application's identity from the perspective of the cluster. On secure clusters, the user identity, user ID (UID), and group ID (GID) are specified in the ticket and passed to the file system for cluster communication. The ticket ensures that operations, such as authorization and auditing, are performed as the authenticated user. A different ticket should be created for each container that is launched. The user's identity should be the identity of the user who accesses data.
All access from Docker containers to the cluster requires that a ticket be present inside the container. Users or administrators should generate a ticket for each container prior to launch, and pass the ticket into the container at runtime. The ticket must be generated for the user that your applications access the cluster as. You should create the container user with that same identity, using the MAPR_CONTAINER_USER, MAPR_CONTAINER_GROUP, MAPR_CONTAINER_GID, and MAPR_CONTAINER_UID runtime environment variables.
Always use service or user tickets, not impersonation tickets. The ticket type and lifetime should consider the lifetime of the application being deployed. Use of impersonation tickets may allow rogue applications running in containers to impersonate arbitrary users (including root or mapr) and gain access to any data in the cluster.
The ticket file location in the container is set with the MAPR_TICKETFILE_LOCATION environment variable, which is set at runtime for the user specified in MAPR_CONTAINER_USER. The ticket file must always be stored in /tmp. For example: /tmp/mapr_ticket.
In case of loss or breach, you can revoke tickets.
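As an added example (not part of the HPE documentation), a small POSIX shell helper that applies the points above before launch: it refuses a ticket that other users can read, requires numeric IDs, and emits the MAPR_CONTAINER_* and MAPR_TICKETFILE_LOCATION options with the ticket mounted read-only at /tmp/mapr_ticket. User names, IDs, paths and the image name are placeholders, and the ticket is assumed to have been generated for the container user beforehand (for example with maprlogin).

```shell
#!/bin/sh
# Added example, not from the HPE documentation: validate a per-container
# ticket on the host and assemble the `docker run` options that pass the
# container identity and ticket location into a PACC. User names, IDs and
# paths are placeholders supplied by the caller.

# check_ticket FILE: the ticket must exist and must not be readable by
# group or others, since anyone who can read it can act as that user.
check_ticket() {
  f="$1"
  [ -f "$f" ] || { echo "ticket $f: not found" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  case "$mode" in
    *00) return 0 ;;   # 600, 400, 700 ... are acceptable
    *) echo "ticket $f: mode $mode is readable by other users" >&2; return 1 ;;
  esac
}

# pacc_run_args USER UID GROUP GID HOST_TICKET
# Prints one docker option per line. The ticket is bind-mounted read-only at
# /tmp/mapr_ticket (the docs require the ticket to live under /tmp) and
# MAPR_TICKETFILE_LOCATION is set to the same path for the container user.
pacc_run_args() {
  user="$1"; uid="$2"; group="$3"; gid="$4"; ticket="$5"
  [ -n "$user" ] && [ -n "$uid" ] && [ -n "$group" ] && [ -n "$gid" ] ||
    { echo "usage: pacc_run_args USER UID GROUP GID HOST_TICKET" >&2; return 1; }
  case "$uid$gid" in
    *[!0-9]*) echo "UID and GID must be numeric" >&2; return 1 ;;
  esac
  # Added safeguard (not a rule stated in the docs): never run the
  # container, and hence the application, as UID 0.
  [ "$uid" -ne 0 ] || { echo "refusing to run the container as root" >&2; return 1; }
  check_ticket "$ticket" || return 1
  printf '%s\n' \
    "-e MAPR_CONTAINER_USER=$user" \
    "-e MAPR_CONTAINER_UID=$uid" \
    "-e MAPR_CONTAINER_GROUP=$group" \
    "-e MAPR_CONTAINER_GID=$gid" \
    "-e MAPR_TICKETFILE_LOCATION=/tmp/mapr_ticket" \
    "-v $ticket:/tmp/mapr_ticket:ro"
}

# Example invocation (image name is a placeholder):
#   docker run $(pacc_run_args alice 1001 analysts 1001 /home/alice/mapr_ticket) pacc-image
```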
Non-Secure Clusters
mapr or root users.
MAPR_CONTAINER_USER and MAPR_CONTAINER_UID specify:
- The default user invoked when starting the container
- The user that the user application inside the container will run as
MAPR_CONTAINER_GID represents the GID that the application inside the Docker container will run as.
MAPR_CONTAINER_GROUP represents the group that the application inside the Docker container will run as.
Related Information
For more information related to security topics discussed in this section, see:
- Managing Secure Clusters — secure cluster details
- Managing Users and Groups — Data Fabric user roles
- Using the docker run Command — Docker container variable details
- Tickets
- Managing Tickets — using tickets
- maprlogin — originating tickets
- Generating a HPE Ezmeral Data Fabric User Ticket — generating tickets
- How Tickets Work — revoking a user's existing valid tickets