hadoop-yarn-issues mailing list archives

From "Vinod Kumar Vavilapalli (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
Date Sun, 21 Sep 2014 00:09:34 GMT

    [ https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14142253#comment-14142253 ]

Vinod Kumar Vavilapalli commented on YARN-2554:
-----------------------------------------------

Sorry for jumping in late.

You could fix the webapp proxy in theory. But the setup to make AM web UIs accept HTTPS is
impractical. AMs can launch on any machine in a cluster. They can be run by different users.
Enabling SSL through distribution of keys per application, per user across the cluster is
not a great solution. This is the reason why we chose to not fix it and thus not enable the same
for MapReduce.

The better solution is either
 - to keep the status quo (AM web UIs don't enable SSL) or
 - to get rid of AM UIs altogether and move to a client-side UI on top of Timeline server
   (YARN-1530) - it has its own limitations though.

> Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
> -----------------------------------------------------------------------------
>
>                 Key: YARN-2554
>                 URL: https://issues.apache.org/jira/browse/YARN-2554
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: webapp
>    Affects Versions: 2.6.0
>            Reporter: Jonathan Maron
>         Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch, YARN-2554.3.patch
>
>
> If the HTTP policy to enable HTTPS is specified, the RM and AM are initialized with SSL
> listeners. The RM has a web app proxy servlet that acts as a proxy for incoming AM requests.
> In order to forward the requests to the AM the proxy servlet makes use of HttpClient. However,
> the HttpClient utilized is not initialized correctly with the necessary certs to allow for
> successful one way SSL invocations to the other nodes in the cluster (it is not configured
> to access/load the client truststore specified in ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory()
> could be utilized to create an instance that can be assigned to the HttpClient.
> The symptoms of this issue are:
> AM: Displays "unknown_certificate" exception
> RM: Displays an exception such as "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
> to find valid certification path to requested target"



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
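
The failure described in the quoted issue, as an added example that is not part of the original message, the YARN-2554 patches, or Hadoop's own code: a JDK-only client that first connects with the JVM's default trust (the case that yields the PKIX error when the server certificate comes from a cluster-internal CA) and then with a socket factory built from a truststore file such as the one ssl-client.xml points to. The class name, the argument order and the `TRUSTSTORE_PASSWORD` environment variable are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.*;

public class ProxyTrustStoreCheck {
    // Build a socket factory that trusts only the CAs in the given JKS truststore.
    // One-way SSL: no client key material is loaded (first argument of init is null).
    static SSLSocketFactory fromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password); // a null password skips the integrity check
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Returns the HTTP status; throws SSLHandshakeException if the chain is not trusted.
    // Hostname verification is left at the JDK default, i.e. enabled.
    static int fetchStatus(URL url, SSLSocketFactory factory) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        if (factory != null) {
            conn.setSSLSocketFactory(factory);
        }
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    // Usage: java ProxyTrustStoreCheck <https-url> <truststore.jks>
    public static void main(String[] args) throws Exception {
        URL url = new URL(args[0]);
        String pw = System.getenv("TRUSTSTORE_PASSWORD"); // assumed variable name
        try {
            System.out.println("JVM default trust: HTTP " + fetchStatus(url, null));
        } catch (SSLException e) {
            System.out.println("JVM default trust: " + e.getMessage());
        }
        SSLSocketFactory f = fromTrustStore(args[1], pw == null ? null : pw.toCharArray());
        System.out.println("Cluster truststore: HTTP " + fetchStatus(url, f));
    }
}
```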
