Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-2198

Remove the need to run NodeManager as privileged account for Windows Secure Container Executor

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.6.0
    • None
    • Reviewed

    Description

      YARN-1972 introduces a Secure Windows Container Executor. However this executor requires the process launching the container to be LocalSystem or a member of the a local Administrators group. Since the process in question is the NodeManager, the requirement translates to the entire NM to run as a privileged account, a very large surface area to review and protect.

      This proposal is to move the privileged operations into a dedicated NT service. The NM can run as a low privilege account and communicate with the privileged NT service when it needs to launch a container. This would reduce the surface exposed to the high privileges.

      There has to exist a secure, authenticated and authorized channel of communication between the NM and the privileged NT service. Possible alternatives are a new TCP endpoint, Java RPC etc. My proposal though would be to use Windows LPC (Local Procedure Calls), which is a Windows platform specific inter-process communication channel that satisfies all requirements and is easy to deploy. The privileged NT service would register and listen on an LPC port (NtCreatePort, NtListenPort). The NM would use JNI to interop with libwinutils which would host the LPC client code. The client would connect to the LPC port (NtConnectPort) and send a message requesting a container launch (NtRequestWaitReplyPort). LPC provides authentication and the privileged NT service can use authorization API (AuthZ) to validate the caller.

      Attachments

        1. .YARN-2198.delta.10.patch
          253 kB
          Remus Rusanu
        2. YARN-2198.1.patch
          101 kB
          Remus Rusanu
        3. YARN-2198.11.patch
          259 kB
          Remus Rusanu
        4. YARN-2198.12.patch
          259 kB
          Remus Rusanu
        5. YARN-2198.13.patch
          260 kB
          Remus Rusanu
        6. YARN-2198.14.patch
          260 kB
          Remus Rusanu
        7. YARN-2198.15.patch
          262 kB
          Remus Rusanu
        8. YARN-2198.16.patch
          262 kB
          Remus Rusanu
        9. YARN-2198.2.patch
          102 kB
          Remus Rusanu
        10. YARN-2198.3.patch
          149 kB
          Remus Rusanu
        11. YARN-2198.delta.4.patch
          235 kB
          Remus Rusanu
        12. YARN-2198.delta.5.patch
          216 kB
          Remus Rusanu
        13. YARN-2198.delta.6.patch
          219 kB
          Remus Rusanu
        14. YARN-2198.delta.7.patch
          230 kB
          Remus Rusanu
        15. YARN-2198.separation.patch
          295 kB
          Remus Rusanu
        16. YARN-2198.trunk.10.patch
          275 kB
          Remus Rusanu
        17. YARN-2198.trunk.4.patch
          240 kB
          Remus Rusanu
        18. YARN-2198.trunk.5.patch
          240 kB
          Remus Rusanu
        19. YARN-2198.trunk.6.patch
          241 kB
          Remus Rusanu
        20. YARN-2198.trunk.8.patch
          222 kB
          Remus Rusanu
        21. YARN-2198.trunk.9.patch
          222 kB
          Remus Rusanu

        Issue Links

        breaks

        Bug - A problem which impairs or prevents the functions of the product. YARN-2803 MR distributed cache not working correctly on Windows after NodeManager privileged account changes.

        • Critical - Crashes, loss of data, severe memory leak.
        • Closed

        Bug - A problem which impairs or prevents the functions of the product. HADOOP-11639 Clean up Windows native code compilation warnings related to Windows Secure Container Executor.

        • Major - Major loss of function.
        • Closed

        Bug - A problem which impairs or prevents the functions of the product. HADOOP-11280 TestWinUtils#testChmod fails after removal of NO_PROPAGATE_INHERIT_ACE.

        • Trivial - Cosmetic problem like misspelt words or misaligned text.
        • Closed
        is part of

        New Feature - A new feature of the product, which has yet to be developed. YARN-732 YARN support for container isolation on Windows

        • Major - Major loss of function.
        • Open
        is required by

        Sub-task - The sub-task of the issue YARN-2391 Windows Secure Container Executor helper service should assign launched process to the NM job

        • Critical - Crashes, loss of data, severe memory leak.
        • Resolved

        Improvement - An improvement or enhancement to an existing feature or task. HADOOP-11080 Convert Windows native build in hadoop-common to use CMake.

        • Major - Major loss of function.
        • Open

        Improvement - An improvement or enhancement to an existing feature or task. YARN-2687 WindowsSecureContainerExecutor hadoopwinutilsvc is difficult to troubleshoot

        • Major - Major loss of function.
        • Open

        Test - A new unit, integration or system test. YARN-2636 Windows Secure Container Executor: add unit tests for WSCE

        • Critical - Crashes, loss of data, severe memory leak.
        • Open
        relates to

        Sub-task - The sub-task of the issue YARN-1972 Implement secure Windows Container Executor

        • Major - Major loss of function.
        • Closed

        Improvement - An improvement or enhancement to an existing feature or task. HDFS-6699 Secure Windows DFS read when client co-located on nodes with data (short-circuit reads)

        • Major - Major loss of function.
        • Open

        Task - A task that needs to be done. YARN-2357 Port Windows Secure Container Executor YARN-1063, YARN-1972, YARN-2198 changes to branch-2

        • Critical - Crashes, loss of data, severe memory leak.
        • Closed
        requires

        Sub-task - The sub-task of the issue YARN-1972 Implement secure Windows Container Executor

        • Major - Major loss of function.
        • Closed
        1.
        		 Add file handling features to the Windows Secure Container Executor LRPC service Sub-task Resolved Remus Rusanu Actions
        2.
        		 document the wsce-site.xml keys in hadoop-yarn-site/src/site/apt/SecureContainer.apt.vm Sub-task Resolved Remus Rusanu Actions
        3.
        		 Fix WSCE folder/file/classpathJar permission/order when running as non-admin Sub-task Resolved Remus Rusanu Actions
        4.
        		 The elevated WSCE LRPC should grant access to the jon to the namenode Sub-task Resolved Remus Rusanu Actions
        5.
        		 Windows Secure Container Executor helper service should assign launched process to the NM job Sub-task Resolved Remus Rusanu Actions
        6.
        		 Windows Secure Cotnainer Executor: Add checks to validate that the wsce-site.xml is write restricted to Administrators only Sub-task Resolved Remus Rusanu Actions
        7.
        		 Windows Secure Container Executor: the privileged file operations of hadoopwinutilsvc should be constrained to localdirs only Sub-task Resolved Remus Rusanu Actions
        8.
        		 Windows Secure Container Executor: assign PROCESS_TERMINATE privilege to NM on created containers Sub-task Resolved Remus Rusanu Actions
        9.
        		 Windows Secure Container Executor: grant job query privileges to the container user Sub-task Resolved Remus Rusanu Actions
        10.
        		 Windows Secure Container Executor: use elevated file system operations to cleanup the containers Sub-task Resolved Remus Rusanu Actions
        11.
        		 Windows Secure Container Executor: classpath in the job classpath-jar is referencing NM nmPrivate files Sub-task Resolved Remus Rusanu Actions
        12.
        		 Windows Secure Container Executor: containerLaunch environment does not get transferred to the container process Sub-task Resolved Remus Rusanu Actions

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            rusanu Remus Rusanu
            rusanu Remus Rusanu
            Votes:
            0 Vote for this issue
            Watchers:
            12 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment