[ https://issues.apache.org/jira/browse/GEARPUMP-355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16207079#comment-16207079 ]

ASF GitHub Bot commented on GEARPUMP-355:
-----------------------------------------

Github user titikakatoo commented on the issue:

    https://github.com/apache/incubator-gearpump/pull/231
  
    Hi @huafengw, I haven't set the cluster up myself. It is one of our
    corporate CDH 5.11.1 Hadoop clusters shared across multiple departments,
    secured by Kerberos/Reverse Proxy/SSL. It is a 10 node cluster located in
    the company's data center and protected by a corporate firewall (Security
    Layer 4) and accessible only via application/edge servers with sufficient
    firewall rules to access cluster services.
    The above cluster was set up by our corporate CI department in cooperation
    with Cloudera and it mostly leans on standard Cloudera 5 security
    guidelines, nothing special in this respect.
    The **YarnClient/Gear** commands are all executed from one of our edge
    nodes, by an appropriate Kerberos principal.


> AppMasterResolver fails to run against a kerberized Hadoop cluster
> ------------------------------------------------------------------
>
>                 Key: GEARPUMP-355
>                 URL: https://issues.apache.org/jira/browse/GEARPUMP-355
>             Project: Apache Gearpump
>          Issue Type: Bug
>          Components: security, yarn
>    Affects Versions: 0.8.4
>            Reporter: Timea Magyar
>             Fix For: 0.8.4
>
>
> When trying to launch a Gearpump cluster in a kerberized Hadoop/Yarn 
> environment, after the Application Master address has been resolved as a 
> prerequisite, the YarnAppMaster (responsible for starting Gearpump masters, 
> workers, UI servers as Yarn containers) address (actor reference) must be 
> obtained via Kerberos/SPNEGO (Kerberos over HTTP).
> The current implementation for this resides in the AppMasterResolver class 
> and is using an Apache HTTP client (version 3.x) for establishing a 
> connection to the Application Master and obtaining the above YarnAppMaster 
> actor reference. Since the Apache HTTP client does not support the negotiate 
> authentication scheme in version 3.x (required for a connection over 
> Kerberos/SPNEGO), this step will always fail in a kerberized Yarn/Hadoop 
> cluster set-up.
> I tested this in a secured/kerberized CDH 5.7.5 environment. I would like to 
> provide a patch for this by adapting the SPNEGO-enabled Hadoop web 
> connection code from WebHDFS.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
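
The issue description above says the resolver needs an HTTP client that can answer a Negotiate (SPNEGO) challenge. The following is an added example, not the patch from the pull request and not Gearpump code, showing such a request made with the hadoop-auth classes `AuthenticatedURL` and `KerberosAuthenticator`. Assumptions: the class name `SpnegoGet` is hypothetical, the endpoint URL is passed as the first argument, the caller already holds a Kerberos ticket (`kinit`), and the cluster's `core-site.xml` is on the classpath.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;

// Added illustration; SpnegoGet is a hypothetical class name, not Gearpump code.
public final class SpnegoGet {
    /** GETs url as the current Kerberos login user, answering a Negotiate challenge. */
    static String get(final URL url) throws IOException, InterruptedException {
        // Picks up hadoop.security.authentication=kerberos from core-site.xml on the classpath.
        UserGroupInformation.setConfiguration(new Configuration());
        // Assumption: credentials come from the ticket cache (kinit) of the calling principal.
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();
        return ugi.doAs((PrivilegedExceptionAction<String>) () -> {
            // The token holds the signed hadoop.auth cookie once the handshake succeeds.
            AuthenticatedURL.Token token = new AuthenticatedURL.Token();
            HttpURLConnection conn =
                new AuthenticatedURL(new KerberosAuthenticator()).openConnection(url, token);
            try {
                int status = conn.getResponseCode();
                if (status != HttpURLConnection.HTTP_OK) {
                    throw new IOException("GET " + url + " returned HTTP " + status);
                }
                StringBuilder body = new StringBuilder();
                try (BufferedReader in = new BufferedReader(
                        new InputStreamReader(conn.getInputStream(), StandardCharsets.UTF_8))) {
                    for (String line; (line = in.readLine()) != null; ) {
                        body.append(line).append('\n');
                    }
                }
                return body.toString();
            } finally {
                conn.disconnect();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // args[0]: an endpoint on the kerberized cluster, supplied by the operator.
        System.out.print(get(new URL(args[0])));
    }
}
```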
