[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[
https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16393962#comment-16393962
]
genericqa commented on YARN-2554:
-
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m
0s{color} | {color:blue} Docker mode activated. {color} |
| {color:red}-1{color} | {color:red} patch {color} | {color:red} 0m 6s{color}
| {color:red} YARN-2554 does not apply to trunk. Rebase required? Wrong Branch?
See https://wiki.apache.org/hadoop/HowToContribute for help. {color} |
\\
\\
|| Subsystem || Report/Notes ||
| JIRA Issue | YARN-2554 |
| JIRA Patch URL |
https://issues.apache.org/jira/secure/attachment/12670251/YARN-2554.3.patch |
| Console output |
https://builds.apache.org/job/PreCommit-YARN-Build/19944/console |
| Powered by | Apache Yetus 0.8.0-SNAPSHOT http://yetus.apache.org |
This message was automatically generated.
> Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
> -
>
> Key: YARN-2554
> URL: https://issues.apache.org/jira/browse/YARN-2554
> Project: Hadoop YARN
> Issue Type: Bug
> Components: webapp
>Affects Versions: 2.6.0
>Reporter: Jonathan Maron
>Priority: Major
> Labels: BB2015-05-TBR
> Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch,
> YARN-2554.3.patch
>
>
> If the HTTP policy to enable HTTPS is specified, the RM and AM are
> initialized with SSL listeners. The RM has a web app proxy servlet that acts
> as a proxy for incoming AM requests. In order to forward the requests to the
> AM the proxy servlet makes use of HttpClient. However, the HttpClient
> utilized is not initialized correctly with the necessary certs to allow for
> successful one way SSL invocations to the other nodes in the cluster (it is
> not configured to access/load the client truststore specified in
> ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be
> utilized to create an instance that can be assigned to the HttpClient.
> The symptoms of this issue are:
> AM: Displays "unknown_certificate" exception
> RM: Displays an exception such as "javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target"
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[ https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16393866#comment-16393866 ] ASF GitHub Bot commented on YARN-2554: -- Github user thide closed the pull request at: https://github.com/apache/hadoop/pull/271 > Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy > - > > Key: YARN-2554 > URL: https://issues.apache.org/jira/browse/YARN-2554 > Project: Hadoop YARN > Issue Type: Bug > Components: webapp >Affects Versions: 2.6.0 >Reporter: Jonathan Maron >Priority: Major > Labels: BB2015-05-TBR > Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch, > YARN-2554.3.patch > > > If the HTTP policy to enable HTTPS is specified, the RM and AM are > initialized with SSL listeners. The RM has a web app proxy servlet that acts > as a proxy for incoming AM requests. In order to forward the requests to the > AM the proxy servlet makes use of HttpClient. However, the HttpClient > utilized is not initialized correctly with the necessary certs to allow for > successful one way SSL invocations to the other nodes in the cluster (it is > not configured to access/load the client truststore specified in > ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be > utilized to create an instance that can be assigned to the HttpClient. > The symptoms of this issue are: > AM: Displays "unknown_certificate" exception > RM: Displays an exception such as "javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target" -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[ https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16393864#comment-16393864 ] Aki Tanaka commented on YARN-2554: -- Created YARN-8019 for visibility. > Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy > - > > Key: YARN-2554 > URL: https://issues.apache.org/jira/browse/YARN-2554 > Project: Hadoop YARN > Issue Type: Bug > Components: webapp >Affects Versions: 2.6.0 >Reporter: Jonathan Maron >Priority: Major > Labels: BB2015-05-TBR > Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch, > YARN-2554.3.patch > > > If the HTTP policy to enable HTTPS is specified, the RM and AM are > initialized with SSL listeners. The RM has a web app proxy servlet that acts > as a proxy for incoming AM requests. In order to forward the requests to the > AM the proxy servlet makes use of HttpClient. However, the HttpClient > utilized is not initialized correctly with the necessary certs to allow for > successful one way SSL invocations to the other nodes in the cluster (it is > not configured to access/load the client truststore specified in > ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be > utilized to create an instance that can be assigned to the HttpClient. > The symptoms of this issue are: > AM: Displays "unknown_certificate" exception > RM: Displays an exception such as "javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target" -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[ https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16196249#comment-16196249 ] Aki Tanaka commented on YARN-2554: -- Ping, this issue has been open for entirely too long. Can someone please give me some comments on this? > Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy > - > > Key: YARN-2554 > URL: https://issues.apache.org/jira/browse/YARN-2554 > Project: Hadoop YARN > Issue Type: Bug > Components: webapp >Affects Versions: 2.6.0 >Reporter: Jonathan Maron > Labels: BB2015-05-TBR > Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch, > YARN-2554.3.patch > > > If the HTTP policy to enable HTTPS is specified, the RM and AM are > initialized with SSL listeners. The RM has a web app proxy servlet that acts > as a proxy for incoming AM requests. In order to forward the requests to the > AM the proxy servlet makes use of HttpClient. However, the HttpClient > utilized is not initialized correctly with the necessary certs to allow for > successful one way SSL invocations to the other nodes in the cluster (it is > not configured to access/load the client truststore specified in > ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be > utilized to create an instance that can be assigned to the HttpClient. > The symptoms of this issue are: > AM: Displays "unknown_certificate" exception > RM: Displays an exception such as "javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target" -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[
https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16157781#comment-16157781
]
ASF GitHub Bot commented on YARN-2554:
--
GitHub user thide opened a pull request:
https://github.com/apache/hadoop/pull/271
YARN-2554. RM webproxy uses the client truststore specified in
ssl-client.xml
I want to raise the issue again since the issue affects other application
which runs on YARN. Actually, I see this problem when we run Spark app on Yarn.
Spark launches Spark context web UI with custom SSL certificate when we
enable SSL with "spark.ssl.trustStore" and "spark.ssl.keyStore" properties. In
this case, Yarn web proxy cannot connect the Spark context web UI since the web
proxy cannot verify the SSL cert ("javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed" error is
returned).
We should add an option to set SSL trust store to Yarn RM web proxy. I
added an updated patch, and this patch lets web proxy use an SSL custom
trust-store if it is configured in ssl-client.xml
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/thide/hadoop YARN-2554
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/hadoop/pull/271.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #271
commit 092298dc6883d9c9211af9599cad8fa4cffe517b
Author: Aki Tanaka
Date: 2017-09-07T21:31:27Z
YARN-2554. RM webproxy uses the client truststore specified in
ssl-client.xml
> Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
> -
>
> Key: YARN-2554
> URL: https://issues.apache.org/jira/browse/YARN-2554
> Project: Hadoop YARN
> Issue Type: Bug
> Components: webapp
>Affects Versions: 2.6.0
>Reporter: Jonathan Maron
> Labels: BB2015-05-TBR
> Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch,
> YARN-2554.3.patch
>
>
> If the HTTP policy to enable HTTPS is specified, the RM and AM are
> initialized with SSL listeners. The RM has a web app proxy servlet that acts
> as a proxy for incoming AM requests. In order to forward the requests to the
> AM the proxy servlet makes use of HttpClient. However, the HttpClient
> utilized is not initialized correctly with the necessary certs to allow for
> successful one way SSL invocations to the other nodes in the cluster (it is
> not configured to access/load the client truststore specified in
> ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be
> utilized to create an instance that can be assigned to the HttpClient.
> The symptoms of this issue are:
> AM: Displays "unknown_certificate" exception
> RM: Displays an exception such as "javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target"
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[ https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1615#comment-1615 ] ASF GitHub Bot commented on YARN-2554: -- Github user asfgit closed the pull request at: https://github.com/apache/hadoop/pull/270 > Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy > - > > Key: YARN-2554 > URL: https://issues.apache.org/jira/browse/YARN-2554 > Project: Hadoop YARN > Issue Type: Bug > Components: webapp >Affects Versions: 2.6.0 >Reporter: Jonathan Maron > Labels: BB2015-05-TBR > Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch, > YARN-2554.3.patch > > > If the HTTP policy to enable HTTPS is specified, the RM and AM are > initialized with SSL listeners. The RM has a web app proxy servlet that acts > as a proxy for incoming AM requests. In order to forward the requests to the > AM the proxy servlet makes use of HttpClient. However, the HttpClient > utilized is not initialized correctly with the necessary certs to allow for > successful one way SSL invocations to the other nodes in the cluster (it is > not configured to access/load the client truststore specified in > ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be > utilized to create an instance that can be assigned to the HttpClient. > The symptoms of this issue are: > AM: Displays "unknown_certificate" exception > RM: Displays an exception such as "javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target" -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[
https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16157574#comment-16157574
]
Hadoop QA commented on YARN-2554:
-
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m
20s{color} | {color:blue} Docker mode activated. {color} |
|| || || || {color:brown} Prechecks {color} ||
| {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m
0s{color} | {color:green} The patch does not contain any @author tags. {color} |
| {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m
0s{color} | {color:green} The patch appears to include 3 new or modified test
files. {color} |
|| || || || {color:brown} trunk Compile Tests {color} ||
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 13m
3s{color} | {color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m
18s{color} | {color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m
13s{color} | {color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m
19s{color} | {color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 0m
23s{color} | {color:green} trunk passed {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m
14s{color} | {color:green} trunk passed {color} |
|| || || || {color:brown} Patch Compile Tests {color} ||
| {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 0m
16s{color} | {color:green} the patch passed {color} |
| {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m
14s{color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} javac {color} | {color:red} 0m 14s{color}
| {color:red}
hadoop-yarn-project_hadoop-yarn_hadoop-yarn-server_hadoop-yarn-server-web-proxy
generated 1 new + 0 unchanged - 10 fixed = 1 total (was 10) {color} |
| {color:orange}-0{color} | {color:orange} checkstyle {color} | {color:orange}
0m 10s{color} | {color:orange}
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy:
The patch generated 24 new + 49 unchanged - 4 fixed = 73 total (was 53)
{color} |
| {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 0m
16s{color} | {color:green} the patch passed {color} |
| {color:red}-1{color} | {color:red} whitespace {color} | {color:red} 0m
0s{color} | {color:red} The patch has 5 line(s) that end in whitespace. Use git
apply --whitespace=fix <>. Refer https://git-scm.com/docs/git-apply
{color} |
| {color:green}+1{color} | {color:green} xml {color} | {color:green} 0m
1s{color} | {color:green} The patch has no ill-formed XML file. {color} |
| {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 0m
30s{color} | {color:red}
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy
generated 1 new + 0 unchanged - 0 fixed = 1 total (was 0) {color} |
| {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m
11s{color} | {color:green} the patch passed {color} |
|| || || || {color:brown} Other Tests {color} ||
| {color:red}-1{color} | {color:red} unit {color} | {color:red} 0m 26s{color}
| {color:red} hadoop-yarn-server-web-proxy in the patch failed. {color} |
| {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m
14s{color} | {color:green} The patch does not generate ASF License warnings.
{color} |
| {color:black}{color} | {color:black} {color} | {color:black} 19m 10s{color} |
{color:black} {color} |
\\
\\
|| Reason || Tests ||
| FindBugs |
module:hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy
|
| | Class org.apache.hadoop.yarn.server.webproxy.WebAppProxyServlet defines
non-transient non-serializable instance field httpClientBuilder In
WebAppProxyServlet.java:instance field httpClientBuilder In
WebAppProxyServlet.java |
| Failed junit tests |
hadoop.yarn.server.webproxy.TestWebAppProxyServletWithSSL |
\\
\\
|| Subsystem || Report/Notes ||
| Docker | Image:yetus/hadoop:71bbb86 |
| JIRA Issue | YARN-2554 |
| GITHUB PR | https://github.com/apache/hadoop/pull/270 |
| Optional Tests | asflicense compile javac javadoc mvninstall mvnsite
unit xml findbugs checkstyle |
| uname | Linux 4c1f32b0d329 4.4.0-43-generic #63-Ubuntu SMP Wed Oct 12
13:48:03 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh
|
| git revision | trunk / 83449ab |
| Default Java | 1.8.0_144 |
| findbugs | v3.1.0-RC1 |
| javac |
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[
https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16157544#comment-16157544
]
Aki Tanaka commented on YARN-2554:
--
I want to raise the issue again since the issue affects other application which
runs on YARN. Actually, I see this problem when we run Spark job on Yarn.
Spark launches Spark context web UI with custom SSL certificate when we enable
SSL with "spark.ssl.trustStore" and "spark.ssl.keyStore" properties. In this
case, Yarn web proxy cannot connect the Spark context web UI since the web
proxy cannot verify the SSL cert ("javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed" error is
returned).
We should add an option to set SSL trust store to Yarn RM web proxy. I added
the updated patch, and this patch lets web proxy use an SSL custom trust-store
if it is configured in ssl-client.xml
Pull Request: https://github.com/apache/hadoop/pull/270
> Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
> -
>
> Key: YARN-2554
> URL: https://issues.apache.org/jira/browse/YARN-2554
> Project: Hadoop YARN
> Issue Type: Bug
> Components: webapp
>Affects Versions: 2.6.0
>Reporter: Jonathan Maron
> Labels: BB2015-05-TBR
> Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch,
> YARN-2554.3.patch
>
>
> If the HTTP policy to enable HTTPS is specified, the RM and AM are
> initialized with SSL listeners. The RM has a web app proxy servlet that acts
> as a proxy for incoming AM requests. In order to forward the requests to the
> AM the proxy servlet makes use of HttpClient. However, the HttpClient
> utilized is not initialized correctly with the necessary certs to allow for
> successful one way SSL invocations to the other nodes in the cluster (it is
> not configured to access/load the client truststore specified in
> ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be
> utilized to create an instance that can be assigned to the HttpClient.
> The symptoms of this issue are:
> AM: Displays "unknown_certificate" exception
> RM: Displays an exception such as "javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target"
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[
https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16157543#comment-16157543
]
ASF GitHub Bot commented on YARN-2554:
--
GitHub user thide opened a pull request:
https://github.com/apache/hadoop/pull/270
YARN-2554. RM webproxy uses the client truststore specified in
ssl-client.xml
I want to raise the issue again since the issue affects other application
which runs on YARN. Actually, I see this problem when we run Spark app on Yarn.
Spark launches Spark context web UI with custom SSL certificate when we
enable SSL with "spark.ssl.trustStore" and "spark.ssl.keyStore" properties. In
this case, Yarn web proxy cannot connect the Spark context web UI since the web
proxy cannot verify the SSL cert ("javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed" error is
returned).
We should add an option to set SSL trust store to Yarn RM web proxy. I
added an updated patch, and this patch lets web proxy use an SSL custom
trust-store if it is configured in ssl-client.xml
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/thide/hadoop YARN-2554
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/hadoop/pull/270.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #270
commit 90744cf7393b520c009e4709619e73310f093654
Author: Aki Tanaka
Date: 2017-09-07T19:53:29Z
YARN-2554. RM webproxy uses the client truststore specified in
ssl-client.xml
> Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
> -
>
> Key: YARN-2554
> URL: https://issues.apache.org/jira/browse/YARN-2554
> Project: Hadoop YARN
> Issue Type: Bug
> Components: webapp
>Affects Versions: 2.6.0
>Reporter: Jonathan Maron
> Labels: BB2015-05-TBR
> Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch,
> YARN-2554.3.patch
>
>
> If the HTTP policy to enable HTTPS is specified, the RM and AM are
> initialized with SSL listeners. The RM has a web app proxy servlet that acts
> as a proxy for incoming AM requests. In order to forward the requests to the
> AM the proxy servlet makes use of HttpClient. However, the HttpClient
> utilized is not initialized correctly with the necessary certs to allow for
> successful one way SSL invocations to the other nodes in the cluster (it is
> not configured to access/load the client truststore specified in
> ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be
> utilized to create an instance that can be assigned to the HttpClient.
> The symptoms of this issue are:
> AM: Displays "unknown_certificate" exception
> RM: Displays an exception such as "javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target"
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
-
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[
https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14524962#comment-14524962
]
Hadoop QA commented on YARN-2554:
-
\\
\\
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:red}-1{color} | patch | 0m 0s | The patch command could not apply
the patch during dryrun. |
\\
\\
|| Subsystem || Report/Notes ||
| Patch URL |
http://issues.apache.org/jira/secure/attachment/12670251/YARN-2554.3.patch |
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / f1a152c |
| Console output |
https://builds.apache.org/job/PreCommit-YARN-Build/7631/console |
This message was automatically generated.
Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
-
Key: YARN-2554
URL: https://issues.apache.org/jira/browse/YARN-2554
Project: Hadoop YARN
Issue Type: Bug
Components: webapp
Affects Versions: 2.6.0
Reporter: Jonathan Maron
Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch,
YARN-2554.3.patch
If the HTTP policy to enable HTTPS is specified, the RM and AM are
initialized with SSL listeners. The RM has a web app proxy servlet that acts
as a proxy for incoming AM requests. In order to forward the requests to the
AM the proxy servlet makes use of HttpClient. However, the HttpClient
utilized is not initialized correctly with the necessary certs to allow for
successful one way SSL invocations to the other nodes in the cluster (it is
not configured to access/load the client truststore specified in
ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be
utilized to create an instance that can be assigned to the HttpClient.
The symptoms of this issue are:
AM: Displays unknown_certificate exception
RM: Displays an exception such as javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[
https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14525024#comment-14525024
]
Hadoop QA commented on YARN-2554:
-
\\
\\
| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:red}-1{color} | patch | 0m 0s | The patch command could not apply
the patch during dryrun. |
\\
\\
|| Subsystem || Report/Notes ||
| Patch URL |
http://issues.apache.org/jira/secure/attachment/12670251/YARN-2554.3.patch |
| Optional Tests | javadoc javac unit findbugs checkstyle |
| git revision | trunk / f1a152c |
| Console output |
https://builds.apache.org/job/PreCommit-YARN-Build/7648/console |
This message was automatically generated.
Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
-
Key: YARN-2554
URL: https://issues.apache.org/jira/browse/YARN-2554
Project: Hadoop YARN
Issue Type: Bug
Components: webapp
Affects Versions: 2.6.0
Reporter: Jonathan Maron
Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch,
YARN-2554.3.patch
If the HTTP policy to enable HTTPS is specified, the RM and AM are
initialized with SSL listeners. The RM has a web app proxy servlet that acts
as a proxy for incoming AM requests. In order to forward the requests to the
AM the proxy servlet makes use of HttpClient. However, the HttpClient
utilized is not initialized correctly with the necessary certs to allow for
successful one way SSL invocations to the other nodes in the cluster (it is
not configured to access/load the client truststore specified in
ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be
utilized to create an instance that can be assigned to the HttpClient.
The symptoms of this issue are:
AM: Displays unknown_certificate exception
RM: Displays an exception such as javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[ https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14143495#comment-14143495 ] Steve Loughran commented on YARN-2554: -- Vinod, this patch is independent of kerberos, secure AMs, etc. This patch so to an any AM to export an HTTPS URL; you can't do this on a secure or insecure cluster today. It doesn't mean that clients can trust something just because it is on HTTPS; that's an independent issue. Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy - Key: YARN-2554 URL: https://issues.apache.org/jira/browse/YARN-2554 Project: Hadoop YARN Issue Type: Bug Components: webapp Affects Versions: 2.6.0 Reporter: Jonathan Maron Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch, YARN-2554.3.patch If the HTTP policy to enable HTTPS is specified, the RM and AM are initialized with SSL listeners. The RM has a web app proxy servlet that acts as a proxy for incoming AM requests. In order to forward the requests to the AM the proxy servlet makes use of HttpClient. However, the HttpClient utilized is not initialized correctly with the necessary certs to allow for successful one way SSL invocations to the other nodes in the cluster (it is not configured to access/load the client truststore specified in ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be utilized to create an instance that can be assigned to the HttpClient. The symptoms of this issue are: AM: Displays unknown_certificate exception RM: Displays an exception such as javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[ https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14142488#comment-14142488 ] Jonathan Maron commented on YARN-2554: -- Let me try to address each of these concerns: - the key-store needs to present on all machine to distribute certificates: AMs may come up anywhere. The client trust store appears to an already defined keystore in the secure deployments I've seen so far. - the key-store used by Hadoop daemons CANNOT be shared with AMs: AMs run user-code as the user - the key-store cannot be shared across AMs of different users: Assuming I am running three different Slider apps as three different users, you don't want to have a single key-store instance accessible by all Slider AMs. Your concern about sharing elements between daemon processes and users is correct in the context of kerberos - principals are used for authentication and authorization and it wouldn't be prudent to have those shared. When code is running within an AM, the identity that is established and governs its authorized interactions is done via kerberos. But SSL is a security offering targeted for the transport layer. Typically with SSL, for client C and server S, SSL only establishes that: C believes S is who it intended to contact C believes it has a secure connection to S S believes it has a secure connection to C In addition, typically SSL ensures authentication of the server alone (the CN is generally the host name), so the trust between C and S is more along the lines of trusting the C is actually talking to host S. The session key for the RM (C) and AM (S), given the host certificate of the AM, will be unique - it is created by the RM, encrypted using the AM cert (using the AM public key), and sent to the AM to be decrypted by the AM's private key. I guess I don't see the issue with hadoop applications, whether daemon or AM, using the available hadoop keystores. The tranport layer mechanism doesn't play a role in the application level authorization since it has no role to play in establishing the user's subject etc. Having said all that, I may not be aware of some uses of the keystores in a hadoop cluster (or perhaps my assumption about the availability of a client trust store is wrong). In addition, it'd be nice to get the perspective of some of the security folks about the role of SSL in the security layers provided in a secure cluster. Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy - Key: YARN-2554 URL: https://issues.apache.org/jira/browse/YARN-2554 Project: Hadoop YARN Issue Type: Bug Components: webapp Affects Versions: 2.6.0 Reporter: Jonathan Maron Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch, YARN-2554.3.patch If the HTTP policy to enable HTTPS is specified, the RM and AM are initialized with SSL listeners. The RM has a web app proxy servlet that acts as a proxy for incoming AM requests. In order to forward the requests to the AM the proxy servlet makes use of HttpClient. However, the HttpClient utilized is not initialized correctly with the necessary certs to allow for successful one way SSL invocations to the other nodes in the cluster (it is not configured to access/load the client truststore specified in ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be utilized to create an instance that can be assigned to the HttpClient. The symptoms of this issue are: AM: Displays unknown_certificate exception RM: Displays an exception such as javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[
https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14142212#comment-14142212
]
Hadoop QA commented on YARN-2554:
-
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12670250/YARN-2554.3.patch
against trunk revision 84a0a62.
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:red}-1 tests included{color}. The patch doesn't appear to include
any new or modified tests.
Please justify why no new tests are needed for this
patch.
Also please list what manual steps were performed to
verify this patch.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. There were no new javadoc warning messages.
{color:green}+1 eclipse:eclipse{color}. The patch built with
eclipse:eclipse.
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:green}+1 core tests{color}. The patch passed unit tests in
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy.
{color:green}+1 contrib tests{color}. The patch passed contrib unit tests.
Test results:
https://builds.apache.org/job/PreCommit-YARN-Build/5062//testReport/
Console output: https://builds.apache.org/job/PreCommit-YARN-Build/5062//console
This message is automatically generated.
Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
-
Key: YARN-2554
URL: https://issues.apache.org/jira/browse/YARN-2554
Project: Hadoop YARN
Issue Type: Bug
Components: webapp
Affects Versions: 2.6.0
Reporter: Jonathan Maron
Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch,
YARN-2554.3.patch
If the HTTP policy to enable HTTPS is specified, the RM and AM are
initialized with SSL listeners. The RM has a web app proxy servlet that acts
as a proxy for incoming AM requests. In order to forward the requests to the
AM the proxy servlet makes use of HttpClient. However, the HttpClient
utilized is not initialized correctly with the necessary certs to allow for
successful one way SSL invocations to the other nodes in the cluster (it is
not configured to access/load the client truststore specified in
ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be
utilized to create an instance that can be assigned to the HttpClient.
The symptoms of this issue are:
AM: Displays unknown_certificate exception
RM: Displays an exception such as javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[
https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14142216#comment-14142216
]
Hadoop QA commented on YARN-2554:
-
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12670251/YARN-2554.3.patch
against trunk revision 84a0a62.
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:red}-1 tests included{color}. The patch doesn't appear to include
any new or modified tests.
Please justify why no new tests are needed for this
patch.
Also please list what manual steps were performed to
verify this patch.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. There were no new javadoc warning messages.
{color:green}+1 eclipse:eclipse{color}. The patch built with
eclipse:eclipse.
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:green}+1 core tests{color}. The patch passed unit tests in
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy.
{color:green}+1 contrib tests{color}. The patch passed contrib unit tests.
Test results:
https://builds.apache.org/job/PreCommit-YARN-Build/5063//testReport/
Console output: https://builds.apache.org/job/PreCommit-YARN-Build/5063//console
This message is automatically generated.
Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
-
Key: YARN-2554
URL: https://issues.apache.org/jira/browse/YARN-2554
Project: Hadoop YARN
Issue Type: Bug
Components: webapp
Affects Versions: 2.6.0
Reporter: Jonathan Maron
Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch,
YARN-2554.3.patch
If the HTTP policy to enable HTTPS is specified, the RM and AM are
initialized with SSL listeners. The RM has a web app proxy servlet that acts
as a proxy for incoming AM requests. In order to forward the requests to the
AM the proxy servlet makes use of HttpClient. However, the HttpClient
utilized is not initialized correctly with the necessary certs to allow for
successful one way SSL invocations to the other nodes in the cluster (it is
not configured to access/load the client truststore specified in
ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be
utilized to create an instance that can be assigned to the HttpClient.
The symptoms of this issue are:
AM: Displays unknown_certificate exception
RM: Displays an exception such as javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[ https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14142253#comment-14142253 ] Vinod Kumar Vavilapalli commented on YARN-2554: --- Sorry, for jumping in late. You could fix the webapp proxy in theory. But the set up to make AM web UIs accept Https is impractical. AMs can launch on any machine in a cluster. They can be run by different users. Enabling SSL through distribution of keys per application, per user across the cluster is not a great solution. This is the reason why chose to not fix it and thus not enable the same for MapReduce. The better solution is either - to keep the status quo (AM webUIs don't enable SSL) or - to get rid of AM UIs altogether and move to a client-side UI on top of Timeline server (YARN-1530) - it has its own limitations though. Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy - Key: YARN-2554 URL: https://issues.apache.org/jira/browse/YARN-2554 Project: Hadoop YARN Issue Type: Bug Components: webapp Affects Versions: 2.6.0 Reporter: Jonathan Maron Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch, YARN-2554.3.patch If the HTTP policy to enable HTTPS is specified, the RM and AM are initialized with SSL listeners. The RM has a web app proxy servlet that acts as a proxy for incoming AM requests. In order to forward the requests to the AM the proxy servlet makes use of HttpClient. However, the HttpClient utilized is not initialized correctly with the necessary certs to allow for successful one way SSL invocations to the other nodes in the cluster (it is not configured to access/load the client truststore specified in ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be utilized to create an instance that can be assigned to the HttpClient. The symptoms of this issue are: AM: Displays unknown_certificate exception RM: Displays an exception such as javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[ https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14142256#comment-14142256 ] Jonathan Maron commented on YARN-2554: -- I'm not certain I understand your comment about the keys. The client trust store configured via ssl-client.xml generally contains the certificates for the cluster hosts, it is not specific to users or applications. In any usage scenario it would by necessity contain those certificates. Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy - Key: YARN-2554 URL: https://issues.apache.org/jira/browse/YARN-2554 Project: Hadoop YARN Issue Type: Bug Components: webapp Affects Versions: 2.6.0 Reporter: Jonathan Maron Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch, YARN-2554.3.patch If the HTTP policy to enable HTTPS is specified, the RM and AM are initialized with SSL listeners. The RM has a web app proxy servlet that acts as a proxy for incoming AM requests. In order to forward the requests to the AM the proxy servlet makes use of HttpClient. However, the HttpClient utilized is not initialized correctly with the necessary certs to allow for successful one way SSL invocations to the other nodes in the cluster (it is not configured to access/load the client truststore specified in ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be utilized to create an instance that can be assigned to the HttpClient. The symptoms of this issue are: AM: Displays unknown_certificate exception RM: Displays an exception such as javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[ https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14142268#comment-14142268 ] Vinod Kumar Vavilapalli commented on YARN-2554: --- I am talking about the server-side i.e. AMs. To use ssl to AM webapps, - the key-store needs to present on all machine to distribute certificates: AMs may come up anywhere. - the key-store used by Hadoop daemons *CANNOT* be shared with AMs: AMs run user-code as the user - the key-store cannot be shared across AMs of different users: Assuming I am running three different Slider apps as three different users, you don't want to have a single key-store instance accessible by all Slider AMs. - And distributing/installing/managing it per user is complex. Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy - Key: YARN-2554 URL: https://issues.apache.org/jira/browse/YARN-2554 Project: Hadoop YARN Issue Type: Bug Components: webapp Affects Versions: 2.6.0 Reporter: Jonathan Maron Attachments: YARN-2554.1.patch, YARN-2554.2.patch, YARN-2554.3.patch, YARN-2554.3.patch If the HTTP policy to enable HTTPS is specified, the RM and AM are initialized with SSL listeners. The RM has a web app proxy servlet that acts as a proxy for incoming AM requests. In order to forward the requests to the AM the proxy servlet makes use of HttpClient. However, the HttpClient utilized is not initialized correctly with the necessary certs to allow for successful one way SSL invocations to the other nodes in the cluster (it is not configured to access/load the client truststore specified in ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be utilized to create an instance that can be assigned to the HttpClient. The symptoms of this issue are: AM: Displays unknown_certificate exception RM: Displays an exception such as javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[
https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14137544#comment-14137544
]
Hadoop QA commented on YARN-2554:
-
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12669439/YARN-2554.1.patch
against trunk revision c0c7e6f.
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:red}-1 tests included{color}. The patch doesn't appear to include
any new or modified tests.
Please justify why no new tests are needed for this
patch.
Also please list what manual steps were performed to
verify this patch.
{color:red}-1 javac{color:red}. The patch appears to cause the build to
fail.
Console output: https://builds.apache.org/job/PreCommit-YARN-Build/4990//console
This message is automatically generated.
Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
-
Key: YARN-2554
URL: https://issues.apache.org/jira/browse/YARN-2554
Project: Hadoop YARN
Issue Type: Bug
Components: webapp
Affects Versions: 2.6.0
Reporter: Jonathan Maron
Attachments: YARN-2554.1.patch
If the HTTP policy to enable HTTPS is specified, the RM and AM are
initialized with SSL listeners. The RM has a web app proxy servlet that acts
as a proxy for incoming AM requests. In order to forward the requests to the
AM the proxy servlet makes use of HttpClient. However, the HttpClient
utilized is not initialized correctly with the necessary certs to allow for
successful one way SSL invocations to the other nodes in the cluster (it is
not configured to access/load the client truststore specified in
ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be
utilized to create an instance that can be assigned to the HttpClient.
The symptoms of this issue are:
AM: Displays unknown_certificate exception
RM: Displays an exception such as javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (YARN-2554) Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
[
https://issues.apache.org/jira/browse/YARN-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14137629#comment-14137629
]
Hadoop QA commented on YARN-2554:
-
{color:red}-1 overall{color}. Here are the results of testing the latest
attachment
http://issues.apache.org/jira/secure/attachment/12669448/YARN-2554.2.patch
against trunk revision c0c7e6f.
{color:green}+1 @author{color}. The patch does not contain any @author
tags.
{color:red}-1 tests included{color}. The patch doesn't appear to include
any new or modified tests.
Please justify why no new tests are needed for this
patch.
Also please list what manual steps were performed to
verify this patch.
{color:green}+1 javac{color}. The applied patch does not increase the
total number of javac compiler warnings.
{color:green}+1 javadoc{color}. There were no new javadoc warning messages.
{color:green}+1 eclipse:eclipse{color}. The patch built with
eclipse:eclipse.
{color:green}+1 findbugs{color}. The patch does not introduce any new
Findbugs (version 2.0.3) warnings.
{color:green}+1 release audit{color}. The applied patch does not increase
the total number of release audit warnings.
{color:green}+1 core tests{color}. The patch passed unit tests in
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy.
{color:green}+1 contrib tests{color}. The patch passed contrib unit tests.
Test results:
https://builds.apache.org/job/PreCommit-YARN-Build/4991//testReport/
Console output: https://builds.apache.org/job/PreCommit-YARN-Build/4991//console
This message is automatically generated.
Slider AM Web UI is inaccessible if HTTPS/SSL is specified as the HTTP policy
-
Key: YARN-2554
URL: https://issues.apache.org/jira/browse/YARN-2554
Project: Hadoop YARN
Issue Type: Bug
Components: webapp
Affects Versions: 2.6.0
Reporter: Jonathan Maron
Attachments: YARN-2554.1.patch, YARN-2554.2.patch
If the HTTP policy to enable HTTPS is specified, the RM and AM are
initialized with SSL listeners. The RM has a web app proxy servlet that acts
as a proxy for incoming AM requests. In order to forward the requests to the
AM the proxy servlet makes use of HttpClient. However, the HttpClient
utilized is not initialized correctly with the necessary certs to allow for
successful one way SSL invocations to the other nodes in the cluster (it is
not configured to access/load the client truststore specified in
ssl-client.xml). I imagine SSLFactory.createSSLSocketFactory() could be
utilized to create an instance that can be assigned to the HttpClient.
The symptoms of this issue are:
AM: Displays unknown_certificate exception
RM: Displays an exception such as javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
