[ https://issues.apache.org/jira/browse/YARN-2553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Remus Rusanu resolved YARN-2553. -------------------------------- Resolution: Not a Problem After further investigation I concluded that there is no way to prevent the access_denied on the joc object during the container shutdown. I have moved the kill task code inside the hadoopwinutils, running as LocalSystem, with SeDebug privilege enabled, and after LocalSystem is explicitly granted JOB_OBJECT_ALL_ACCESS on the job, and still get access denied. I fixed the kill task to return success int his case and commented out the issue. The fixed code will be in the next patch of YARN-2198. > Windows Secure Container Executor: assign PROCESS_TERMINATE privilege to NM > on created containers > ------------------------------------------------------------------------------------------------- > > Key: YARN-2553 > URL: https://issues.apache.org/jira/browse/YARN-2553 > Project: Hadoop YARN > Issue Type: Sub-task > Components: nodemanager > Reporter: Remus Rusanu > Assignee: Remus Rusanu > Labels: security, windows, wsce > > In order to open a job handle with JOB_OBJECT_TERMINATE access, the caller > must have PROCESS_TERMINATE access on the handle of each process in the job > (MSDN > http://msdn.microsoft.com/en-us/library/windows/desktop/ms686709(v=vs.85).aspx) > . > hadoopwinutilsvc process should explicitly grant PROCESS_TERMINATE access to > NM account on the newly started container process. I hope this gets > inherited... -- This message was sent by Atlassian JIRA (v6.3.4#6332)