[
https://issues.apache.org/jira/browse/MAPREDUCE-4669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16556366#comment-16556366
]
Robert Kanter edited comment on MAPREDUCE-4669 at 7/25/18 10:44 PM:
--------------------------------------------------------------------
See this comment in YARN-8448 and the design doc in YARN-6586 for more
background on the patch. This patch (MAPREDUCE-4669.001.patch) contains the MR
changes that rely on YARN-8448.001.patch.
Some notes on the patch:
- The {{yarn.app.mapreduce.am.webapp.https.enabled}} property controls if the
MR AM should try to use the Yarn-provided keystore (when set to {{true}}); this
will also cause it to provide an HTTPS tracking URL to the RM. It defaults to
{{false}}.
- The {{yarn.app.mapreduce.am.webapp.https.client.auth}} property controls if
the MR AM should require client authentication (when set to {{true}}). It
defaults to {{false}}. In this case, the MR AM is the server and the RM is the
client, so this requires that the RM present its certificate to the AM when it
connects to the AM - the AM can then verify this certificate with the
Yarn-provided truststore.
- It won't compile without the YARN-8448 patch.
was (Author: rkanter):
See [this
comment|https://issues.apache.org/jira/browse/YARN-8448?focusedCommentId=16556364&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16556364]
in YARN-8448 and the design doc in YARN-6586 for more background on the patch.
This patch (MAPREDUCE-4669.001.patch) contains the MR changes that rely on
YARN-8448.001.patch.
Some notes on the patch:
- The {{yarn.app.mapreduce.am.webapp.https.enabled}} property controls if the
MR AM should try to use the Yarn-provided keystore (when set to {{true}}); this
will also cause it to provide an HTTPS tracking URL to the RM. It defaults to
{{false}}.
- The {{yarn.app.mapreduce.am.webapp.https.client.auth}} property controls if
the MR AM should require client authentication (when set to {{true}}). It
defaults to {{false}}. In this case, the MR AM is the server and the RM is the
client, so this requires that the RM present its certificate to the AM when it
connects to the AM - the AM can then verify this certificate with the
Yarn-provided truststore.
> MRAM web UI does not work with HTTPS
> ------------------------------------
>
> Key: MAPREDUCE-4669
> URL: https://issues.apache.org/jira/browse/MAPREDUCE-4669
> Project: Hadoop Map/Reduce
> Issue Type: Bug
> Components: mr-am
> Affects Versions: 2.0.3-alpha
> Reporter: Alejandro Abdelnur
> Assignee: Robert Kanter
> Priority: Major
> Attachments: MAPREDUCE-4669.001.patch
>
>
> With Kerberos enable, the MRAM runs as the user that submitted the job, thus
> the MRAM process cannot read the cluster keystore files to get the
> certificates to start its HttpServer using HTTPS.
> We need to decouple the keystore used by RM/NM/NN/DN (which are cluster
> provided) from the keystore used by AMs (which ought to be user provided).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: mapreduce-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: mapreduce-issues-h...@hadoop.apache.org
