Remus Rusanu commented on YARN-1972:

Some responses in the mean-while, before I finish the design doc:

> What are the requirements on the NodeManager user?
It must be a member of local administrators group or LocalSystem. That means 
the equivalent of *nix 'root'. This is a requirement derived from the need to 
 which documents that "the caller must be an administrator or the LocalSystem 
account. It is not sufficient for the caller to merely impersonate the 
administrator or LocalSystem account.". All in all a very high privilege 
required for NM. We are considering a future iteration in which we extract the 
privileged operations into a dedicated NT service (=daemon) and bestow the high 
privileges only to this service.

> You are launching so many commands for every container - to chown files, to 
> copy files etc.
We'll measure. the obvious problem, imho, is the many process spawns implied in 
chmod/chown/simlink, which are all implemented via winutils. I believe that 
these should be addresses by moving these operations into NativeIO and invoke 
them via JNI, avoiding the process creation cost (significant on Windows). I 
don't think that moving the localization into native code would result in much 
benefit over a proper Java implementation.

> Localizer already does createUserLocalDirs 
I didn't notice this. I've seen the DCE do this, I assumed it need to be done. 
As the Localizer would run as the task user, then letting the Localizer create 
this dirs removes the need to chown them after creation, they will be created 
'as needed' out-of-the-box. A double win :) 

> skips things like the setting niceness 
We sure can add niceness to WCE as well, the OS supports it. I opted not to as 
it can be added later as an incremental approach (trying to keep this patch 
manageable size).

>  Why cannot we simply use the localizerId?
I was getting duplicate errors because of task retries. For sure in my 
experiments (2.2 based) the localizerId was no unique enough.

> Implement secure Windows Container Executor
> -------------------------------------------
>                 Key: YARN-1972
>                 URL: https://issues.apache.org/jira/browse/YARN-1972
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: nodemanager
>            Reporter: Remus Rusanu
>            Assignee: Remus Rusanu
>              Labels: security, windows
>         Attachments: YARN-1972.1.patch
> This work item represents the Java side changes required to implement a 
> secure windows container executor, based on the YARN-1063 changes on 
> native/winutils side. 
> Necessary changes include leveraging the winutils task createas to launch the 
> container process as the required user and a secure localizer (launch 
> localization as a separate process running as the container user).

This message was sent by Atlassian JIRA

Reply via email to