[ https://issues.apache.org/jira/browse/GEARPUMP-355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16207079#comment-16207079 ]
ASF GitHub Bot commented on GEARPUMP-355:
-----------------------------------------

Github user titikakatoo commented on the issue:

https://github.com/apache/incubator-gearpump/pull/231

Hi @huafengw,

I haven't set the cluster up myself. It is one of our corporate CDH 5.11.1 Hadoop clusters shared across multiple departments, secured by Kerberos/Reverse Proxy/SSL. It is a 10 node cluster located in the company's data center and protected by a corporate firewall (Security Layer 4) and accessible only via application/edge servers with sufficient firewall rules to access cluster services.

The above cluster was set up by our corporate CI department in cooperation with Cloudera and it mostly leans on standard Cloudera 5 security guidelines, nothing special in this respect.

The **YarnClient/Gear** commands are all executed from one of our edge nodes, by an appropriate Kerberos principal.


> AppMasterResolver fails to run against a kerberized Hadoop cluster
> ------------------------------------------------------------------
>
>                 Key: GEARPUMP-355
>                 URL: https://issues.apache.org/jira/browse/GEARPUMP-355
>             Project: Apache Gearpump
>          Issue Type: Bug
>          Components: security, yarn
>    Affects Versions: 0.8.4
>            Reporter: Timea Magyar
>             Fix For: 0.8.4
>
>
> When trying to launch a Gearpump cluster in a kerberized Hadoop/Yarn
> environment, after the Application Master address has been resolved as a
> prerequisite, the YarnAppMaster (responsible for starting GearPump masters,
> workers, UI servers as Yarn containers) address (actor reference) must be
> obtained via Kerberos/SPNEGO (Kerberos over HTTP).
> The current implementation for this resides in the AppMasterResolver class
> and is using an Apache HTTP client (version 3.x) for establishing a
> connection to the Application Master and obtaining the above YarnAppMaster
> actor reference.
> Since the Apache HTTP client does not support the negotiate
> authentication scheme in version 3.x (required for a connection over
> Kerberos/SPNEGO), this step will always fail in a kerberized Yarn/Hadoop
> cluster set-up.
> I tested this in a secured/kerberized CDH 5.7.5 environment. I would like to
> provide a patch for this by adapting the SPNEGO-enabled Hadoop web
> connection code from WebHDFS.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)