Aki Tanaka created YARN-8019: -------------------------------- Summary: RM webproxy uses the client truststore specified in ssl-client.xml Key: YARN-8019 URL: https://issues.apache.org/jira/browse/YARN-8019 Project: Hadoop YARN Issue Type: Bug Components: yarn Affects Versions: 3.0.0 Reporter: Aki Tanaka
A Yarn ResourceManager's web proxy launches with Java default SSL certificate. Due to this behavior, the web proxy failed to validate a backend server's SSL certificate when the backend server listens with HTTPS using custom SSL certificate. For example, Spark launches Spark context web UI with custom SSL certificate when we enable SSL with "spark.ssl.trustStore" and "spark.ssl.keyStore" properties. In this case, Yarn web proxy cannot connect the Spark context web UI since the web proxy cannot verify the SSL cert ("javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed" error is returned). We should add an option to set SSL trust store to Yarn RM web proxy. Attached a patch to Yarn web proxy, and this patch lets web proxy use an SSL custom trust-store if it is configured in ssl-client.xml -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-dev-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-dev-h...@hadoop.apache.org