Aki Tanaka created YARN-8019:
--------------------------------

             Summary: RM webproxy uses the client truststore specified in ssl-client.xml
                 Key: YARN-8019
                 URL: https://issues.apache.org/jira/browse/YARN-8019
             Project: Hadoop YARN
          Issue Type: Bug
          Components: yarn
    Affects Versions: 3.0.0
            Reporter: Aki Tanaka


A Yarn ResourceManager's web proxy launches with the Java default SSL
certificate. Due to this behavior, the web proxy failed to validate a backend
server's SSL certificate when the backend server listens with HTTPS using a
custom SSL certificate.

For example, Spark launches the Spark context web UI with a custom SSL
certificate when we enable SSL with the "spark.ssl.trustStore" and
"spark.ssl.keyStore" properties. In this case, the Yarn web proxy cannot
connect to the Spark context web UI since the web proxy cannot verify the SSL
cert (a "javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed" error is
returned).

We should add an option to set an SSL trust store for the Yarn RM web proxy. I
attached a patch to the Yarn web proxy, and this patch lets the web proxy use a
custom SSL trust-store if it is configured in ssl-client.xml.
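
To confirm the cause described in this report on a given cluster, the following Java probe (an added example, not the attached patch and not Hadoop code) attempts a TLS handshake with the backend UI twice: once with the JVM default trust anchors and once with a truststore file. The class name `TrustStoreProbe` and its command-line arguments are assumptions; the truststore path, password and type are expected to be the values configured in ssl-client.xml.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreProbe {
    // Build an SSLContext; a null path means the JVM default trust anchors.
    static SSLContext context(String path, char[] pass, String type) throws Exception {
        KeyStore ts = null;
        if (path != null) {
            ts = KeyStore.getInstance(type);
            try (InputStream in = Files.newInputStream(Paths.get(path))) {
                ts.load(in, pass);
            }
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts); // init((KeyStore) null) falls back to the default truststore
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Attempt a TLS handshake; certificate and hostname verification stay enabled.
    static String probe(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) new URL(url).openConnection();
        c.setSSLSocketFactory(ctx.getSocketFactory());
        c.setConnectTimeout(5000);
        try {
            c.connect();
            return "OK (" + c.getCipherSuite() + ")";
        } catch (SSLException e) {
            return "FAILED: " + e.getMessage();
        } finally {
            c.disconnect();
        }
    }

    // Usage (hypothetical): java TrustStoreProbe <https-url> <truststore> <password> <type>
    public static void main(String[] a) throws Exception {
        System.out.println("default trust: " + probe(a[0], context(null, null, null)));
        System.out.println("custom trust:  " + probe(a[0], context(a[1], a[2].toCharArray(), a[3])));
    }
}
```

A "PKIX path building failed" result for the default context together with "OK" for the custom context matches the behavior reported here.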


