You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Bikas Saha (JIRA)" <ji...@apache.org> on 2013/05/31 00:57:20 UTC
[jira] [Commented] (YARN-732) YARN support for container isolation
on Windows
[ https://issues.apache.org/jira/browse/YARN-732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13670919#comment-13670919 ]
Bikas Saha commented on YARN-732:
---------------------------------
I like the idea of not using impersonation to achieve isolation. Would you mind sharing something about the approach/design before submitting patches. That would help shed some light and evoke discussion (better than a patch might IMO). Is the plan to continue to use winutils or create a new launcher executable?
> YARN support for container isolation on Windows
> -----------------------------------------------
>
> Key: YARN-732
> URL: https://issues.apache.org/jira/browse/YARN-732
> Project: Hadoop YARN
> Issue Type: New Feature
> Components: nodemanager
> Affects Versions: trunk-win
> Reporter: Kyle Leckie
> Labels: security
> Fix For: trunk-win
>
>
> There is no ContainerExecutor on windows that can launch containers in a manner that creates:
> 1) container isolation
> 2) container execution with reduced rights
> I am working on patches that will add the ability to launch containers in a process with a reduced access token. My current approach does not attempt to run the process as the domain user passed into the launchContainer() call. Instead we run as a local user.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira