Haibo Chen created YARN-6586:
--------------------------------
Summary: YARN to facilitate HTTPS in AM web server
Key: YARN-6586
URL: https://issues.apache.org/jira/browse/YARN-6586
Project: Hadoop YARN
Issue Type: Improvement
Components: yarn
Affects Versions: 3.0.0-alpha2
Reporter: Haibo Chen
Assignee: Haibo Chen
MR AM today does not support HTTPS in its web server, so the traffic between
RMWebproxy and MR AM is in clear text.
MR cannot easily achieve this mainly because MR AMs are untrusted by YARN. A
potential solution purely within MR, similar to what Spark has implemented, is
to allow users, when they enable HTTPS in MR job, to provide their own keystore
file, and then the file is uploaded to distributed cache and localized for MR
AM container. The configuration users need to do is complex.
More importantly, in typical deployments, however, web browsers go through
RMWebProxy to indirectly access MR AM web server. In order to support MR AM
HTTPs, RMWebProxy therefore needs to trust the user-provided keystore, which is
problematic.
Alternatively, we can add an endpoint in NM web server that acts as a proxy
between AM web server and RMWebProxy. RMWebproxy, when configured to do so,
will send requests in HTTPS to the NM on which the AM is running, and the NM
then can communicate with the local AM web server in HTTP. This adds one hop
between RMWebproxy and AM, but both MR and Spark can use such solution.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
