[
https://issues.apache.org/jira/browse/YARN-2553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Remus Rusanu resolved YARN-2553.
--------------------------------
Resolution: Not a Problem
After further investigation I concluded that there is no way to prevent the
access_denied on the job object during the container shutdown. I have moved the
kill task code inside the hadoopwinutils, running as LocalSystem, with SeDebug
privilege enabled, and after LocalSystem is explicitly granted
JOB_OBJECT_ALL_ACCESS on the job, and still get access denied.
I fixed the kill task to return success in this case and commented out the
issue. The fixed code will be in the next patch of YARN-2198.
> Windows Secure Container Executor: assign PROCESS_TERMINATE privilege to NM
> on created containers
> -------------------------------------------------------------------------------------------------
>
> Key: YARN-2553
> URL: https://issues.apache.org/jira/browse/YARN-2553
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: nodemanager
> Reporter: Remus Rusanu
> Assignee: Remus Rusanu
> Labels: security, windows, wsce
>
> In order to open a job handle with JOB_OBJECT_TERMINATE access, the caller
> must have PROCESS_TERMINATE access on the handle of each process in the job
> (MSDN http://msdn.microsoft.com/en-us/library/windows/desktop/ms686709(v=vs.85).aspx).
> hadoopwinutilsvc process should explicitly grant PROCESS_TERMINATE access to
> NM account on the newly started container process. I hope this gets
> inherited...
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)