[jira] [Commented] (YARN-8108) RM metrics rest API throws GSSException in kerberized environment

Tue, 17 Apr 2018 07:47:54 -0700 

    [ 
https://issues.apache.org/jira/browse/YARN-8108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16440940#comment-16440940
 ] 

Daryn Sharp commented on YARN-8108:
-----------------------------------

Analysis looks sound.  Agree each servlet should scope filters for itself, not 
globally.

I'm surprised this hasn't been found before.  Is this specific to 3.x?  Or does 
it exist in 2.x?  (I guess we haven't see this bug due to an alternate auth for 
the RM)

> RM metrics rest API throws GSSException in kerberized environment
> -----------------------------------------------------------------
>
>                 Key: YARN-8108
>                 URL: https://issues.apache.org/jira/browse/YARN-8108
>             Project: Hadoop YARN
>          Issue Type: Bug
>    Affects Versions: 3.0.0
>            Reporter: Kshitij Badani
>            Priority: Major
>
> Test is trying to pull up metrics data from SHS after kiniting as 'test_user'
> It is throwing GSSException as follows
> {code:java}
> b2b460b80713|RUNNING: curl --silent -k -X GET -D 
> /hwqe/hadoopqe/artifacts/tmp-94845 --negotiate -u : 
> http://rm_host:8088/proxy/application_1518674952153_0070/metrics/json2018-02-15
>  07:15:48,757|INFO|MainThread|machine.py:194 - 
> run()||GUID=fc5a3266-28f8-4eed-bae2-b2b460b80713|Exit Code: 0
> 2018-02-15 07:15:48,758|INFO|MainThread|spark.py:1757 - 
> getMetricsJsonData()|metrics:
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 403 GSSException: Failure unspecified at GSS-API level 
> (Mechanism level: Request is a replay (34))</title>
> </head>
> <body><h2>HTTP ERROR 403</h2>
> <p>Problem accessing /proxy/application_1518674952153_0070/metrics/json. 
> Reason:
> <pre> GSSException: Failure unspecified at GSS-API level (Mechanism level: 
> Request is a replay (34))</pre></p>
> </body>
> </html>
> {code}
> Rootcausing : proxyserver on RM can't be supported for Kerberos enabled 
> cluster because AuthenticationFilter is applied twice in Hadoop code (once in 
> httpServer2 for RM, and another instance from AmFilterInitializer for proxy 
> server). This will require code changes to hadoop-yarn-server-web-proxy 
> project



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to