hadoop-yarn-issues mailing list archives

From "Remus Rusanu (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (YARN-2553) Windows Secure Container Executor: assign PROCESS_TERMINATE privilege to NM on created containers
Date Fri, 19 Sep 2014 12:48:34 GMT

     [ https://issues.apache.org/jira/browse/YARN-2553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Remus Rusanu resolved YARN-2553.
--------------------------------
    Resolution: Not a Problem

After further investigation I concluded that there is no way to prevent the access_denied
on the job object during the container shutdown. I have moved the kill task code inside the
hadoopwinutils, running as LocalSystem, with SeDebug privilege enabled, and after LocalSystem
is explicitly granted JOB_OBJECT_ALL_ACCESS on the job, and still get access denied.
I fixed the kill task to return success in this case and commented out the issue. The fixed
code will be in the next patch of YARN-2198.

> Windows Secure Container Executor: assign PROCESS_TERMINATE privilege to NM on created containers
> -------------------------------------------------------------------------------------------------
>
>                 Key: YARN-2553
>                 URL: https://issues.apache.org/jira/browse/YARN-2553
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Remus Rusanu
>            Assignee: Remus Rusanu
>              Labels: security, windows, wsce
>
> In order to open a job handle with JOB_OBJECT_TERMINATE access, the caller must have
> PROCESS_TERMINATE access on the handle of each process in the job (MSDN http://msdn.microsoft.com/en-us/library/windows/desktop/ms686709(v=vs.85).aspx).
> hadoopwinutilsvc process should explicitly grant PROCESS_TERMINATE access to NM account
> on the newly started container process. I hope this gets inherited...



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
