Remus Rusanu created YARN-2198:
----------------------------------

             Summary: Remove the need to run NodeManager as privileged account 
for Windows Secure Container Executor
                 Key: YARN-2198
                 URL: https://issues.apache.org/jira/browse/YARN-2198
             Project: Hadoop YARN
          Issue Type: Improvement
            Reporter: Remus Rusanu
            Assignee: Remus Rusanu


YARN-1972 introduces a Secure Windows Container Executor. However this executor 
requires the process launching the container to be LocalSystem or a member of 
the local Administrators group. Since the process in question is the 
NodeManager, the requirement translates to the entire NM to run as a privileged 
account, a very large surface area to review and protect.

This proposal is to move the privileged operations into a dedicated NT service. 
The NM can run as a low privilege account and communicate with the privileged 
NT service when it needs to launch a container. This would reduce the surface 
exposed to the high privileges. 

There has to exist a secure, authenticated and authorized channel of 
communication between the NM and the privileged NT service. Possible 
alternatives are a new TCP endpoint, Java RPC etc. My proposal though would be 
to use Windows LPC (Local Procedure Calls), which is a Windows platform 
specific inter-process communication channel that satisfies all requirements 
and is easy to deploy. The privileged NT service would register and listen on 
an LPC port (NtCreatePort, NtListenPort). The NM would use JNI to interop with 
libwinutils which would host the LPC client code. The client would connect to 
the LPC port (NtConnectPort) and send a message requesting a container launch 
(NtRequestWaitReplyPort). LPC provides authentication and the privileged NT 
service can use authorization API (AuthZ) to validate the caller.
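The split described above, modelled as an added, platform-neutral simulation (not the ticket's LPC/JNI code): a low-privilege NodeManager client hands a launch request to a privileged broker, and the broker checks the authenticated caller and the request against policy before launching. The SIDs, launcher path and policy rules are constructed assumptions.

```python
from dataclasses import dataclass

NM_SERVICE_SID = "S-1-5-21-1-2-3-1101"   # assumed SID of the account NM runs as
ADMIN_SIDS = {"S-1-5-32-544"}            # BUILTIN\Administrators (well-known SID)
ALLOWED_LAUNCHER = r"C:\hadoop\bin\container-launch.cmd"  # assumed launcher path


@dataclass(frozen=True)
class LaunchRequest:
    """Message the NM sends over the port: what to run and as whom."""
    container_id: str
    run_as_user: str
    run_as_groups: frozenset   # group SIDs the target user belongs to
    command: str


@dataclass(frozen=True)
class Reply:
    ok: bool
    reason: str


class PrivilegedLauncherService:
    """Stands in for the privileged NT service listening on the LPC port."""

    def __init__(self):
        self.launched = []  # (container_id, run_as_user) of accepted launches

    def handle(self, caller_sid: str, req: LaunchRequest) -> Reply:
        # LPC authenticates the caller; in this model the transport supplies its SID.
        if caller_sid != NM_SERVICE_SID:
            return Reply(False, "caller is not the NodeManager service account")
        # AuthZ-style policy: never launch a container as an administrator...
        if req.run_as_groups & ADMIN_SIDS:
            return Reply(False, "target user is a member of Administrators")
        # ...and only through the configured launcher, never an arbitrary command.
        if not req.command.lower().startswith(ALLOWED_LAUNCHER.lower()):
            return Reply(False, "command is not the configured launcher")
        self.launched.append((req.container_id, req.run_as_user))
        return Reply(True, "launched")


class NodeManagerClient:
    """Stands in for the libwinutils LPC client the NM reaches over JNI."""

    def __init__(self, service: PrivilegedLauncherService, my_sid: str):
        self.service, self.my_sid = service, my_sid

    def launch(self, req: LaunchRequest) -> Reply:
        # NtConnectPort / NtRequestWaitReplyPort collapse to one call here.
        return self.service.handle(self.my_sid, req)
```

The NM account never holds the launch privilege; only requests that pass every check reach the privileged code path.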



--
This message was sent by Atlassian JIRA
(v6.2#6252)