diff --git hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/SecureContainer.apt.vm hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/SecureContainer.apt.vm index 1f9688a..50ff345 100644 --- hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/SecureContainer.apt.vm +++ hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/apt/SecureContainer.apt.vm @@ -83,11 +83,15 @@ min.user.id=1000#Prevent other super-users +---+ - ** Windows Secure Container Executor + ** Windows Secure Container Executor (WSCE) The Windows environment secure container executor is the <<>>. It uses the Windows S4U infrastructure to launch the container as the - YARN application user. + YARN application user. The WSCE requires the presense of the <<>> service. This services + is hosted by <<<%HADOOP_HOME%\bin\winutils.exe>>> started with the <<>> command line argument. This + service offers some privileged operations that require LocalSystem authority so that the NM is not required + to run the entire JVM and all the NM code in an elevated context. The NM interacts with the <<>> + service by means of Local RPC (LRPC) via calls JNI to the RCP client hosted in <<>>. *** Configuration 
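Review bot: the new WSCE paragraph in this hunk leaves the name of the privileged service as an empty `<<>>` placeholder in three places ("requires the presense of the <<>> service", "interacts with the <<>> service", "RCP client hosted in <<>>"), so the reader never learns which service or DLL is meant; spell the name out in each `<<<...>>>` so the APT markup renders, as is done for `<<<%HADOOP_HOME%\bin\winutils.exe>>>`. The same paragraph also has several typos that will ship into the published site docs: "presense" should be "presence", "This services is hosted" should be "This service is hosted", and "via calls JNI to the RCP client" should be "via JNI calls to the RPC client". Since the paragraph makes the security claim that the NM no longer has to run "the entire JVM and all the NM code in an elevated context", it would help to add one sentence naming the operations the LocalSystem service performs on the NM's behalf, so an operator can judge what the service exposes over LRPC.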
@@ -102,12 +106,38 @@ min.user.id=1000#Prevent other super-users yarn.nodemanager.windows-secure-container-executor.group - hadoop + yarn +---+ + *** wsce-site.xml + + The hadoopwinutilsvc uses <<<%HADOOP_HOME%\etc\hadoop\wsce_site.xml to configure access to the privileged operations. - The NodeManager must run as a member of the local <<>> group or as - <<>>. It is not enough for the NodeManager to simply impersonate such an user. ++---+ + + yarn.nodemanager.windows-secure-container-executor.impersonate.allowed + HadoopUsers + + + + yarn.nodemanager.windows-secure-container-executor.impersonate.denied + HadoopServices,Administrators + + + + yarn.nodemanager.windows-secure-container-executor.allowed + nodemanager + ++---+ + + <<>> should contain the name of the service account running the + nodemanager. This user will be allowed to access the hadoopwintuilsvc functions. + + <<>> should contain the users that are allowed to create + containers in the cluster. These users will be allowed to be impersonated by hadoopwinutilsvc. + + <<>> should contain users that are explictly forbiden from + creating containers. hadoopwinutilsvc will refuse to impersonate these users. *** Useful Links
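Review bot: this hunk deletes the only statement of what privileges the NodeManager needs ("must run as a member of the local <<>> group or as <<>>. It is not enough ... to simply impersonate such an user") without replacing it; the new text should say explicitly that the NM service account no longer needs that membership and instead must appear in `yarn.nodemanager.windows-secure-container-executor.allowed`, otherwise operators upgrading will keep running the NM elevated. The new `wsce-site.xml` section should also document precedence between the two impersonation lists, since a user can match both through group membership (the sample denies `Administrators` while allowing `HadoopUsers`); stating that `impersonate.denied` always wins is what makes the `Administrators` entry an effective safeguard, and the description should say whether entries are resolved as local users, groups, or both. Minor issues in the same lines: the heading says `wsce-site.xml` but the prose says `wsce_site.xml`, the `<<<%HADOOP_HOME%\etc\hadoop\wsce_site.xml` markup is never closed with `>>>`, "hadoopwintuilsvc" is a transposition of "hadoopwinutilsvc", and "explictly forbiden" should be "explicitly forbidden". Finally, the default group changes from `hadoop` to `yarn` with no mention in the text; a short note on that change (and on the `nodemanager` placeholder meaning the NM service account name) would avoid surprises.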