hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-8108) RM metrics rest API throws GSSException in kerberized environment
Date Thu, 10 May 2018 16:29:01 GMT

    [ https://issues.apache.org/jira/browse/YARN-8108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16470662#comment-16470662
] 

Daryn Sharp commented on YARN-8108:
-----------------------------------

bq. I took a look into the issue and am feeling okay about the conservative fix of making
RMAuthenticationFilter global whenever it is enabled.

While that would "work", isn't it be a regression?  An admin that specifically configured
those filters, perhaps with different principals as Eric previously mentioned, would be quite
surprised to discover that the configuration is now silently ignored.

Per earlier comments, the issue is apparently not present through at least 2.7.5.  Most of
the referenced jiras are up to 5 years old.  We still need to identity which (recent-ish)
jira caused the regression to understand the problem.

> RM metrics rest API throws GSSException in kerberized environment
> -----------------------------------------------------------------
>
>                 Key: YARN-8108
>                 URL: https://issues.apache.org/jira/browse/YARN-8108
>             Project: Hadoop YARN
>          Issue Type: Bug
>    Affects Versions: 3.0.0
>            Reporter: Kshitij Badani
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: YARN-8108.001.patch
>
>
> Test is trying to pull up metrics data from SHS after kiniting as 'test_user'
> It is throwing GSSException as follows
> {code:java}
> b2b460b80713|RUNNING: curl --silent -k -X GET -D /hwqe/hadoopqe/artifacts/tmp-94845 --negotiate
-u : http://rm_host:8088/proxy/application_1518674952153_0070/metrics/json2018-02-15 07:15:48,757|INFO|MainThread|machine.py:194
- run()||GUID=fc5a3266-28f8-4eed-bae2-b2b460b80713|Exit Code: 0
> 2018-02-15 07:15:48,758|INFO|MainThread|spark.py:1757 - getMetricsJsonData()|metrics:
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 403 GSSException: Failure unspecified at GSS-API level (Mechanism
level: Request is a replay (34))</title>
> </head>
> <body><h2>HTTP ERROR 403</h2>
> <p>Problem accessing /proxy/application_1518674952153_0070/metrics/json. Reason:
> <pre> GSSException: Failure unspecified at GSS-API level (Mechanism level: Request
is a replay (34))</pre></p>
> </body>
> </html>
> {code}
> Rootcausing : proxyserver on RM can't be supported for Kerberos enabled cluster because
AuthenticationFilter is applied twice in Hadoop code (once in httpServer2 for RM, and another
instance from AmFilterInitializer for proxy server). This will require code changes to hadoop-yarn-server-web-proxy
project



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org


Mime
View raw message