hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-8108) RM metrics rest API throws GSSException in kerberized environment
Date Thu, 10 May 2018 17:37:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16470814#comment-16470814

Eric Yang commented on YARN-8108:

[~daryn] This issue doesn't present in Hadoop 2.7.5, does not mean it was done properly. 
It is not possible to configure different HTTP principal for RM and Proxy Server on the same
host/port, and it was only half working.  This is because Hadoop only have yarn.resourcemanager.webapp.spnego-keytab-file
and yarn.resourcemanager.webapp.spnego-principal setting to define HTTP principal to use on
RM server.  It does not have yarn.web-proxy.webapp.spnego-keytab-file and yarn.web-proxy.webapp.spnego-principal
settings to make differentiation.  Even if those settings are defined, they are not being
used.  Further analysis on Hadoop 2.7.5, /proxy URL is not secured by any HTTP principal when
running in RM embedded mode.

> RM metrics rest API throws GSSException in kerberized environment
> -----------------------------------------------------------------
>                 Key: YARN-8108
>                 URL: https://issues.apache.org/jira/browse/YARN-8108
>             Project: Hadoop YARN
>          Issue Type: Bug
>    Affects Versions: 3.0.0
>            Reporter: Kshitij Badani
>            Assignee: Eric Yang
>            Priority: Major
>         Attachments: YARN-8108.001.patch
> Test is trying to pull up metrics data from SHS after kiniting as 'test_user'
> It is throwing GSSException as follows
> {code:java}
> b2b460b80713|RUNNING: curl --silent -k -X GET -D /hwqe/hadoopqe/artifacts/tmp-94845 --negotiate
-u : http://rm_host:8088/proxy/application_1518674952153_0070/metrics/json2018-02-15 07:15:48,757|INFO|MainThread|machine.py:194
- run()||GUID=fc5a3266-28f8-4eed-bae2-b2b460b80713|Exit Code: 0
> 2018-02-15 07:15:48,758|INFO|MainThread|spark.py:1757 - getMetricsJsonData()|metrics:
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 403 GSSException: Failure unspecified at GSS-API level (Mechanism
level: Request is a replay (34))</title>
> </head>
> <body><h2>HTTP ERROR 403</h2>
> <p>Problem accessing /proxy/application_1518674952153_0070/metrics/json. Reason:
> <pre> GSSException: Failure unspecified at GSS-API level (Mechanism level: Request
is a replay (34))</pre></p>
> </body>
> </html>
> {code}
> Rootcausing : proxyserver on RM can't be supported for Kerberos enabled cluster because
AuthenticationFilter is applied twice in Hadoop code (once in httpServer2 for RM, and another
instance from AmFilterInitializer for proxy server). This will require code changes to hadoop-yarn-server-web-proxy

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org

View raw message