[ https://issues.apache.org/jira/browse/YARN-1972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14012407#comment-14012407 ]
Remus Rusanu commented on YARN-1972:
------------------------------------

Some responses in the meanwhile, before I finish the design doc:

> What are the requirements on the NodeManager user?

It must be a member of the local administrators group or LocalSystem. That means the equivalent of *nix 'root'. This is a requirement derived from the need to call [`LoadUserProfile()`](http://msdn.microsoft.com/en-us/library/windows/desktop/bb762281(v=vs.85).aspx) which documents that "the caller must be an administrator or the LocalSystem account. It is not sufficient for the caller to merely impersonate the administrator or LocalSystem account.". All in all a very high privilege required for NM. We are considering a future iteration in which we extract the privileged operations into a dedicated NT service (=daemon) and bestow the high privileges only to this service.

> You are launching so many commands for every container - to chown files, to
> copy files etc.

We'll measure. The obvious problem, imho, is the many process spawns implied in chmod/chown/symlink, which are all implemented via winutils. I believe that these should be addressed by moving these operations into NativeIO and invoking them via JNI, avoiding the process creation cost (significant on Windows). I don't think that moving the localization into native code would result in much benefit over a proper Java implementation.

> Localizer already does createUserLocalDirs

I didn't notice this. I've seen the DCE do this, I assumed it needed to be done. As the Localizer would run as the task user, then letting the Localizer create these dirs removes the need to chown them after creation, they will be created 'as needed' out-of-the-box. A double win :)

> skips things like the setting niceness

We sure can add niceness to WCE as well, the OS supports it. I opted not to as it can be added later as an incremental approach (trying to keep this patch a manageable size).

> Why cannot we simply use the localizerId?

I was getting duplicate errors because of task retries. For sure in my experiments (2.2 based) the localizerId was not unique enough.

> Implement secure Windows Container Executor
> -------------------------------------------
>
> Key: YARN-1972
> URL: https://issues.apache.org/jira/browse/YARN-1972
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: nodemanager
> Reporter: Remus Rusanu
> Assignee: Remus Rusanu
> Labels: security, windows
> Attachments: YARN-1972.1.patch
>
>
> This work item represents the Java side changes required to implement a
> secure windows container executor, based on the YARN-1063 changes on
> native/winutils side.
> Necessary changes include leveraging the winutils task createas to launch the
> container process as the required user and a secure localizer (launch
> localization as a separate process running as the container user).

--
This message was sent by Atlassian JIRA (v6.2#6252)