[ https://issues.apache.org/jira/browse/YARN-732?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kyle Leckie updated YARN-732:
-----------------------------

Description:
There is no ContainerExecutor on Windows that can launch containers in a manner that creates:
1) container isolation
2) container execution with reduced rights

I am working on patches that will add the ability to launch containers in a process with a reduced access token.

Update:
After examining several approaches I have settled on launching the task as a domain user. I have attached the current winutils diff which is a work in progress.

Work remaining:
- Create isolated desktop for task processes.
- Set integrity of spawned processes to low.

was:
There is no ContainerExecutor on Windows that can launch containers in a manner that creates:
1) container isolation
2) container execution with reduced rights

I am working on patches that will add the ability to launch containers in a process with a reduced access token.

Update:
After examining several approaches I have settled on launching the task as a domain user. I have attached the current winutils patch which is a work in progress.

> YARN support for container isolation on Windows
> -----------------------------------------------
>
> Key: YARN-732
> URL: https://issues.apache.org/jira/browse/YARN-732
> Project: Hadoop YARN
> Issue Type: New Feature
> Components: nodemanager
> Affects Versions: trunk-win
> Reporter: Kyle Leckie
> Labels: security
> Fix For: trunk-win
>
>
> There is no ContainerExecutor on Windows that can launch containers in a
> manner that creates:
> 1) container isolation
> 2) container execution with reduced rights
> I am working on patches that will add the ability to launch containers in a
> process with a reduced access token.
> Update: After examining several approaches I have settled on launching the
> task as a domain user. I have attached the current winutils diff which is a
> work in progress.
> Work remaining:
> - Create isolated desktop for task processes.
> - Set integrity of spawned processes to low.