hadoop-yarn-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
Date Thu, 07 Sep 2017 20:00:03 GMT

    [ https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157543#comment-16157543

ASF GitHub Bot commented on YARN-2554:

GitHub user thideeeee opened a pull request:


    YARN-2554. RM webproxy uses the client truststore specified in ssl-client.xml

    I want to raise the issue again since the issue affects other applications which run on YARN. Actually, I see this problem when we run a Spark app on Yarn.
    Spark launches the Spark context web UI with a custom SSL certificate when we enable SSL with the "spark.ssl.trustStore" and "spark.ssl.keyStore" properties. In this case, the Yarn web proxy cannot connect to the Spark context web UI since the web proxy cannot verify the SSL cert (a "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed" error is returned).
    We should add an option to set an SSL trust store for the Yarn RM web proxy. I added an updated patch, and this patch lets the web proxy use an SSL custom trust-store if it is configured in

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/thideeeee/hadoop YARN-2554

Alternatively you can review and apply these changes as the patch at:


To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #270

commit 90744cf7393b520c009e4709619e73310f093654
Author: Aki Tanaka <tanakah@amazon.com>
Date:   2017-09-07T19:53:29Z

    YARN-2554. RM webproxy uses the client truststore specified in ssl-client.xml


> Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
> -----------------------------------------------------------------------------
>                 Key: YARN-2554
>                 URL: https://issues.apache.org/jira/browse/YARN-2554
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: webapp
>    Affects Versions: 2.6.0
>            Reporter: Jonathan Maron
>              Labels: BB2015-05-TBR
>         Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch, YARN-2554.3.patch
>
> If the HTTP policy to enable HTTPS is specified, the RM and AM are initialized with SSL listeners. The RM has a web app proxy servlet that acts as a proxy for incoming AM requests. In order to forward the requests to the AM the proxy servlet makes use of HttpClient. However, the HttpClient utilized is not initialized correctly with the necessary certs to allow for successful one way SSL invocations to the other nodes in the cluster (it is not configured to access/load the client truststore specified in ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be utilized to create an instance that can be assigned to the HttpClient.
> The symptoms of this issue are:
> AM: Displays "unknown_certificate" exception
> RM: Displays an exception such as "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
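
The approach the issue describes, giving the proxy's HTTP client a socket factory whose trust comes from the truststore named in ssl-client.xml, shown here as an added example; it is not code from the pull request or from Hadoop. It uses plain JDK APIs in place of Hadoop's SSLFactory, the class and method names are hypothetical, the truststore and XML in `main` are constructed samples, and the `ssl.client.truststore.*` keys are assumed to be the ones present in ssl-client.xml.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.*;
import javax.net.ssl.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class ProxyTrustStoreExample { // hypothetical class, not part of Hadoop
  // Read Hadoop-style <property><name>/<value> pairs from an ssl-client.xml stream.
  static Map<String, String> readConf(InputStream in) throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs
    NodeList props = f.newDocumentBuilder().parse(in).getElementsByTagName("property");
    Map<String, String> conf = new HashMap<>();
    for (int i = 0; i < props.getLength(); i++) {
      Element p = (Element) props.item(i);
      conf.put(p.getElementsByTagName("name").item(0).getTextContent().trim(),
               p.getElementsByTagName("value").item(0).getTextContent().trim());
    }
    return conf;
  }
  // Build a socket factory that trusts only the CAs in the configured truststore.
  static SSLSocketFactory proxySocketFactory(Map<String, String> conf) throws Exception {
    String location = conf.get("ssl.client.truststore.location");
    if (location == null) throw new IllegalStateException("no client truststore configured");
    String pw = conf.getOrDefault("ssl.client.truststore.password", "");
    KeyStore ts = KeyStore.getInstance(conf.getOrDefault("ssl.client.truststore.type", "jks"));
    try (InputStream in = Files.newInputStream(Paths.get(location))) {
      ts.load(in, pw.toCharArray()); // also verifies the store's integrity with the password
    }
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ts); // certificate validation stays on; only the trust anchors change
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null); // one-way TLS: no client key material
    return ctx.getSocketFactory();
  }
  public static void main(String[] args) throws Exception {
    // Constructed sample input: an empty JKS truststore and an ssl-client.xml pointing at it.
    Path store = Files.createTempFile("truststore", ".jks");
    KeyStore empty = KeyStore.getInstance("JKS");
    empty.load(null, null);
    try (OutputStream out = Files.newOutputStream(store)) { empty.store(out, "changeit".toCharArray()); }
    String xml = "<configuration>"
        + "<property><name>ssl.client.truststore.location</name><value>" + store + "</value></property>"
        + "<property><name>ssl.client.truststore.password</name><value>changeit</value></property></configuration>";
    SSLSocketFactory factory = proxySocketFactory(readConf(new ByteArrayInputStream(xml.getBytes("UTF-8"))));
    System.out.println("socket factory built from configured truststore: " + factory.getClass().getName());
  }
}
```

With a real truststore containing the CA that signed the AM or Spark UI certificate, a client using this factory completes the handshake without disabling certificate validation.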
