hadoop-yarn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aki Tanaka (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-8019) RM webproxy uses the client truststore specified in ssl-client.xml
Date Sat, 10 Mar 2018 00:28:00 GMT
Aki Tanaka created YARN-8019:

             Summary: RM webproxy uses the client truststore specified in ssl-client.xml
                 Key: YARN-8019
                 URL: https://issues.apache.org/jira/browse/YARN-8019
             Project: Hadoop YARN
          Issue Type: Bug
          Components: yarn
    Affects Versions: 3.0.0
            Reporter: Aki Tanaka

A Yarn ResourceManager's web proxy launches with Java default SSL certificate. Due to this
behavior, the web proxy failed to validate a backend server's SSL certificate when the backend
server listens with HTTPS using custom SSL certificate. 


For example, Spark launches Spark context web UI with custom SSL certificate when we enable
SSL with "spark.ssl.trustStore" and "spark.ssl.keyStore" properties. In this case, Yarn web
proxy cannot connect the Spark context web UI since the web proxy cannot verify the SSL cert
("javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path
building failed" error is returned).


We should add an option to set SSL trust store to Yarn RM web proxy. Attached a patch to Yarn
web proxy, and this patch lets web proxy use an SSL custom trust-store if it is configured
in ssl-client.xml

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org

View raw message