hadoop-yarn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Haibo Chen (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-6586) YARN to facilitate HTTPS in AM web server
Date Thu, 11 May 2017 23:41:04 GMT
Haibo Chen created YARN-6586:

             Summary: YARN to facilitate HTTPS in AM web server
                 Key: YARN-6586
                 URL: https://issues.apache.org/jira/browse/YARN-6586
             Project: Hadoop YARN
          Issue Type: Improvement
          Components: yarn
    Affects Versions: 3.0.0-alpha2
            Reporter: Haibo Chen
            Assignee: Haibo Chen

MR AM today does not support HTTPS in its web server, so the traffic between RMWebproxy and
MR AM is in clear text.

MR cannot easily achieve this mainly because MR AMs are untrusted by YARN. A potential solution
purely within MR, similar to what Spark has implemented, is to allow users, when they enable
HTTPS in MR job, to provide their own keystore file, and then the file is uploaded to distributed
cache and localized for MR AM container. The configuration users need to do is complex.

More importantly, in typical deployments, however, web browsers go through RMWebProxy to indirectly
access MR AM web server. In order to support MR AM HTTPs, RMWebProxy therefore needs to trust
the user-provided keystore, which is problematic.  

Alternatively, we can add an endpoint in NM web server that acts as a proxy between AM web
server and RMWebProxy. RMWebproxy, when configured to do so, will send requests in HTTPS to
the NM on which the AM is running, and the NM then can communicate with the local AM web server
in HTTP.   This adds one hop between RMWebproxy and AM, but both MR and Spark can use such

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org

View raw message