Date: Thu, 7 Sep 2017 21:36:00 +0000 (UTC)
From: "Aki Tanaka (JIRA)"
To: yarn-issues@hadoop.apache.org
Subject: [jira] [Comment Edited] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy

[ https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157544#comment-16157544 ]

Aki Tanaka edited comment on YARN-2554 at 9/7/17 9:35 PM:
----------------------------------------------------------

I want to raise the issue again since the issue affects other applications which run on YARN. Actually, I see this problem when we run a Spark job on Yarn. Spark launches the Spark context web UI with a custom SSL certificate when we enable SSL with the "spark.ssl.trustStore" and "spark.ssl.keyStore" properties. In this case, the Yarn web proxy cannot connect to the Spark context web UI since the web proxy cannot verify the SSL cert (a "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed" error is returned). We should add an option to set an SSL trust store on the Yarn RM web proxy.
I added the updated patch, and this patch lets the web proxy use a custom SSL trust-store if it is configured in ssl-client.xml.

Pull Request: https://github.com/apache/hadoop/pull/271

was (Author: tanakahda):

I want to raise the issue again since the issue affects other applications which run on YARN. Actually, I see this problem when we run a Spark job on Yarn. Spark launches the Spark context web UI with a custom SSL certificate when we enable SSL with the "spark.ssl.trustStore" and "spark.ssl.keyStore" properties. In this case, the Yarn web proxy cannot connect to the Spark context web UI since the web proxy cannot verify the SSL cert (a "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed" error is returned). We should add an option to set an SSL trust store on the Yarn RM web proxy.

I added the updated patch, and this patch lets the web proxy use a custom SSL trust-store if it is configured in ssl-client.xml.

Pull Request: https://github.com/apache/hadoop/pull/270

> Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
> -----------------------------------------------------------------------------
>
>                 Key: YARN-2554
>                 URL: https://issues.apache.org/jira/browse/YARN-2554
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: webapp
>    Affects Versions: 2.6.0
>            Reporter: Jonathan Maron
>              Labels: BB2015-05-TBR
>         Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch, YARN-2554.3.patch
>
>
> If the HTTP policy to enable HTTPS is specified, the RM and AM are initialized with SSL listeners. The RM has a web app proxy servlet that acts as a proxy for incoming AM requests. In order to forward the requests to the AM the proxy servlet makes use of HttpClient. However, the HttpClient utilized is not initialized correctly with the necessary certs to allow for successful one way SSL invocations to the other nodes in the cluster (it is not configured to access/load the client truststore specified in ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be utilized to create an instance that can be assigned to the HttpClient.
> The symptoms of this issue are:
> AM: Displays "unknown_certificate" exception
> RM: Displays an exception such as "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"