[jira] [Commented] (MAPREDUCE-4669) MRAM web UI does not work with HTTPS

Wed, 25 Jul 2018 15:44:22 -0700 


    [ 
https://issues.apache.org/jira/browse/MAPREDUCE-4669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16556366#comment-16556366
 ] 

Robert Kanter commented on MAPREDUCE-4669:
------------------------------------------

See [this 
comment|https://issues.apache.org/jira/browse/YARN-8448?focusedCommentId=16556364&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16556364]
 in YARN-8448 and the design doc in YARN-6586 for more background on the patch. 
 This patch (MAPREDUCE-4669.001.patch) contains the MR changes that rely on 
YARN-8448.001.patch.

Some notes on the patch:
- The {{yarn.app.mapreduce.am.webapp.https.enabled}} property controls if the 
MR AM should try to use the Yarn-provided keystore (when set to {{true}}); this 
will also cause it to provide an HTTPS tracking URL to the RM.  It defaults to 
{{false}}.
- The {{yarn.app.mapreduce.am.webapp.https.client.auth}} property controls if 
the MR AM should require client authentication (when set to {{true}}).  It 
defaults to {{false}}.  In this case, the MR AM is the server and the RM is the 
client, so this requires that the RM present its certificate to the AM when it 
connects to the AM - the AM can then verify this certificate with the 
Yarn-provided truststore.

> MRAM web UI does not work with HTTPS
> ------------------------------------
>
>                 Key: MAPREDUCE-4669
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-4669
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: mr-am
>    Affects Versions: 2.0.3-alpha
>            Reporter: Alejandro Abdelnur
>            Assignee: Robert Kanter
>            Priority: Major
>         Attachments: MAPREDUCE-4669.001.patch
>
>
> With Kerberos enable, the MRAM runs as the user that submitted the job, thus 
> the MRAM process cannot read the cluster keystore files to get the 
> certificates to start its HttpServer using HTTPS.
> We need to decouple the keystore used by RM/NM/NN/DN (which are cluster 
> provided) from the keystore used by AMs (which ought to be user provided).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to