Skip to content

Remove MONAI user ownership on MAP folders #199

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 25, 2022
Merged

Remove MONAI user ownership on MAP folders #199

merged 1 commit into from
Jan 25, 2022

Conversation

KavinKrishnan
Copy link
Collaborator

@KavinKrishnan KavinKrishnan commented Nov 10, 2021
edited
Loading

Removing fixed monai user/privilege's on application package image

@KavinKrishnan KavinKrishnan force-pushed the kavink/remove_monai_user branch 2 times, most recently from 867b08b to 222c48f Compare November 10, 2021 21:33
@slbryson slbryson requested review from slbryson and gigony December 8, 2021 22:26
slbryson
slbryson approved these changes Dec 8, 2021
View reviewed changes
Copy link
Collaborator

@slbryson slbryson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed on the approach.

@gigony gigony mentioned this pull request Jan 18, 2022
Open
@gigony
Copy link
Collaborator

gigony commented Jan 18, 2022
edited
Loading

@KavinKrishnan
Could you please sign this commit and update the description of this PR saying the context of this PR?

I wonder to what extent does this PR solves the issue described in #202?

Do we just want to run the container as root with this PR?

@KavinKrishnan KavinKrishnan force-pushed the kavink/remove_monai_user branch from 222c48f to 897d062 Compare January 18, 2022 22:26
@KavinKrishnan
Copy link
Collaborator Author

KavinKrishnan commented Jan 18, 2022
edited
Loading

@KavinKrishnan Could you please sign this commit and update the description of this PR saying the context of this PR?

I wonder to what extent does this PR solves the issue described in #202?

Do we just want to run the container as root with this PR?

Yes, and think it is ok. It seems to be a bigger issue having the packager fix permissions in the image around one user monai.

In a future MR, we could provide a way for the user to decide the user when packaging the image. However in the meantime, allowing them to run the container this way should suffice.

I think the alternative you suggested with gosu and making each user a super user may not be the best practice.

@MMelQin
Copy link
Collaborator

MMelQin commented Jan 18, 2022
edited
Loading

Generally for application security, especially FS access controls, use a group to grant permissions to the resources, and on deployment and at runtime, a specific service account just needs to be in this defined group. The application package does not need to pin down the specific user, which is a deployment/runtime concern.

Application understands the required permission or ACL of the application specific resources (Docker image files etc, and the mapped folder on host), what specific group, and service account, to use is more the deployment platform configuration concern, to ensure the service account has the required permissions to the resources, without being granted elevated privilege.

@KavinKrishnan KavinKrishnan force-pushed the kavink/remove_monai_user branch 2 times, most recently from 791f897 to ad5d3d0 Compare January 20, 2022 19:49
@KavinKrishnan
Remove MONAI user ownership
ad5d3d0 
Signed-off-by: kavink <kavink@nvidia.com>
@whoisj
Copy link

whoisj commented Jan 21, 2022

LGTM :shipit:

gigony
gigony approved these changes Jan 25, 2022
View reviewed changes
Copy link
Collaborator

@gigony gigony left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

With this patch, when running locally, output file would have a root permission that user needs to remove with sudo method.
Let's merge this and follow up on this issue later.

@gigony gigony merged commit 2963db8 into main Jan 25, 2022
@MMelQin
Copy link
Collaborator

MMelQin commented Jan 25, 2022

Merge this PR for now, with the understanding of having #202 to address the account and permission issue.

gigony added a commit that referenced this pull request Jan 26, 2022
@gigony
Use local MONAI App Sdk module when packaging
5a8a327 
The functionaly was removed by #199.
This patch revert it.
@gigony gigony mentioned this pull request Jan 26, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gigony gigony gigony approved these changes

@slbryson slbryson slbryson approved these changes

@whoisj whoisj whoisj approved these changes

Assignees

@KavinKrishnan KavinKrishnan

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@KavinKrishnan @gigony @MMelQin @whoisj @slbryson