Remus Rusanu resolved YARN-2553.
    Resolution: Not a Problem

After further investigation I concluded that there is no way to prevent the 
access_denied on the joc object during the container shutdown. I have moved the 
kill task code inside the hadoopwinutils, running as LocalSystem, with SeDebug 
privilege enabled, and after LocalSystem is explicitly granted 
JOB_OBJECT_ALL_ACCESS on the job, and still get access denied.
I fixed the kill task to return success int his case and commented out the 
issue. The fixed code will be in the next patch of YARN-2198.

> Windows Secure Container Executor: assign PROCESS_TERMINATE privilege to NM 
> on created containers
> -------------------------------------------------------------------------------------------------
>                 Key: YARN-2553
>                 URL: https://issues.apache.org/jira/browse/YARN-2553
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: nodemanager
>            Reporter: Remus Rusanu
>            Assignee: Remus Rusanu
>              Labels: security, windows, wsce
> In order to open a job handle with JOB_OBJECT_TERMINATE access, the caller 
> must have PROCESS_TERMINATE access on the handle of each process in the job 
> (MSDN 
> http://msdn.microsoft.com/en-us/library/windows/desktop/ms686709(v=vs.85).aspx)
>  .
> hadoopwinutilsvc process should explicitly grant PROCESS_TERMINATE access to 
> NM account on the newly started container process. I hope this gets 
> inherited...

This message was sent by Atlassian JIRA

Reply via email to