hadoop-mapreduce-issues mailing list archives

From "Robert Kanter (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MAPREDUCE-4669) MRAM web UI does not work with HTTPS
Date Wed, 25 Jul 2018 22:44:00 GMT

    [ https://issues.apache.org/jira/browse/MAPREDUCE-4669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16556366#comment-16556366 ]

Robert Kanter commented on MAPREDUCE-4669:
------------------------------------------

See [this comment|https://issues.apache.org/jira/browse/YARN-8448?focusedCommentId=16556364&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16556364]
in YARN-8448 and the design doc in YARN-6586 for more background on the patch.  This patch
(MAPREDUCE-4669.001.patch) contains the MR changes that rely on YARN-8448.001.patch.

Some notes on the patch:
- The {{yarn.app.mapreduce.am.webapp.https.enabled}} property controls if the MR AM should
try to use the Yarn-provided keystore (when set to {{true}}); this will also cause it to provide
an HTTPS tracking URL to the RM.  It defaults to {{false}}.
- The {{yarn.app.mapreduce.am.webapp.https.client.auth}} property controls if the MR AM should
require client authentication (when set to {{true}}).  It defaults to {{false}}.  In this
case, the MR AM is the server and the RM is the client, so this requires that the RM present
its certificate to the AM when it connects to the AM - the AM can then verify this certificate
with the Yarn-provided truststore.

> MRAM web UI does not work with HTTPS
> ------------------------------------
>
>                 Key: MAPREDUCE-4669
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-4669
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: mr-am
>    Affects Versions: 2.0.3-alpha
>            Reporter: Alejandro Abdelnur
>            Assignee: Robert Kanter
>            Priority: Major
>         Attachments: MAPREDUCE-4669.001.patch
>
>
> With Kerberos enabled, the MRAM runs as the user that submitted the job, thus the MRAM process cannot read the cluster keystore files to get the certificates to start its HttpServer using HTTPS.
> We need to decouple the keystore used by RM/NM/NN/DN (which are cluster provided) from the keystore used by AMs (which ought to be user provided).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
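
Added example, not part of the original message or of the Hadoop patch: a small audit script that resolves the two properties described in the comment above from a mapred-site.xml and reports the resulting MR AM web app posture. The sample XML is constructed, the function names are hypothetical, and the value-parsing rule and the handling of client.auth without HTTPS are assumptions.

```python
import xml.etree.ElementTree as ET

# Property names and defaults (both false) are taken from the comment above.
HTTPS_ENABLED = "yarn.app.mapreduce.am.webapp.https.enabled"
CLIENT_AUTH = "yarn.app.mapreduce.am.webapp.https.client.auth"

# Constructed sample mapred-site.xml: HTTPS on, client auth left at its default.
SAMPLE_SITE_XML = """<configuration>
  <property>
    <name>yarn.app.mapreduce.am.webapp.https.enabled</name>
    <value> TRUE </value>
  </property>
</configuration>"""

def load_props(xml_text):
    """Read <property> name/value pairs; in this sketch the last duplicate wins."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def flag(props, key):
    """Assumed rule: unset, empty or non-'true' values resolve to false."""
    return props.get(key, "").lower() == "true"

def audit_am_webapp(xml_text):
    """Return (https_enabled, client_auth, findings) for the MR AM web app."""
    props = load_props(xml_text)
    https, client_auth = flag(props, HTTPS_ENABLED), flag(props, CLIENT_AUTH)
    findings = []
    if not https:
        findings.append("https.enabled is false: the AM will not try the "
                        "YARN-provided keystore or give the RM an HTTPS tracking URL")
        if client_auth:
            # Assumption: client certificates are checked in the TLS handshake,
            # so client.auth is treated as having no effect without HTTPS.
            findings.append("client.auth is true but https.enabled is false")
    elif not client_auth:
        findings.append("client.auth is false: the AM does not require the RM "
                        "to present a certificate")
    return https, client_auth, findings

if __name__ == "__main__":
    https, client_auth, findings = audit_am_webapp(SAMPLE_SITE_XML)
    print(f"https.enabled={https} client.auth={client_auth}")
    for line in findings:
        print("finding:", line)
```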
