Haibo Chen reassigned YARN-6586:

    Assignee:     (was: Haibo Chen)

> YARN to facilitate HTTPS in AM web server
> -----------------------------------------
>                 Key: YARN-6586
>                 URL: https://issues.apache.org/jira/browse/YARN-6586
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn
>    Affects Versions: 3.0.0-alpha2
>            Reporter: Haibo Chen
>            Priority: Major
> MR AM today does not support HTTPS in its web server, so the traffic between 
> RMWebproxy and MR AM is in clear text.
> MR cannot easily achieve this mainly because MR AMs are untrusted by YARN. A 
> potential solution purely within MR, similar to what Spark has implemented, 
> is to allow users, when they enable HTTPS in MR job, to provide their own 
> keystore file, and then the file is uploaded to distributed cache and 
> localized for MR AM container. The configuration users need to do is complex.
> More importantly, in typical deployments, however, web browsers go through 
> RMWebProxy to indirectly access MR AM web server. In order to support MR AM 
> HTTPs, RMWebProxy therefore needs to trust the user-provided keystore, which 
> is problematic.  
> Alternatively, we can add an endpoint in NM web server that acts as a proxy 
> between AM web server and RMWebProxy. RMWebproxy, when configured to do so, 
> will send requests in HTTPS to the NM on which the AM is running, and the NM 
> then can communicate with the local AM web server in HTTP.   This adds one 
> hop between RMWebproxy and AM, but both MR and Spark can use such solution.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to