[ https://issues.apache.org/jira/browse/YARN-8108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16470814#comment-16470814 ]
Eric Yang commented on YARN-8108: --------------------------------- [~daryn] This issue doesn't present in Hadoop 2.7.5, does not mean it was done properly. It is not possible to configure different HTTP principal for RM and Proxy Server on the same host/port, and it was only half working. This is because Hadoop only have yarn.resourcemanager.webapp.spnego-keytab-file and yarn.resourcemanager.webapp.spnego-principal setting to define HTTP principal to use on RM server. It does not have yarn.web-proxy.webapp.spnego-keytab-file and yarn.web-proxy.webapp.spnego-principal settings to make differentiation. Even if those settings are defined, they are not being used. Further analysis on Hadoop 2.7.5, /proxy URL is not secured by any HTTP principal when running in RM embedded mode. > RM metrics rest API throws GSSException in kerberized environment > ----------------------------------------------------------------- > > Key: YARN-8108 > URL: https://issues.apache.org/jira/browse/YARN-8108 > Project: Hadoop YARN > Issue Type: Bug > Affects Versions: 3.0.0 > Reporter: Kshitij Badani > Assignee: Eric Yang > Priority: Major > Attachments: YARN-8108.001.patch > > > Test is trying to pull up metrics data from SHS after kiniting as 'test_user' > It is throwing GSSException as follows > {code:java} > b2b460b80713|RUNNING: curl --silent -k -X GET -D > /hwqe/hadoopqe/artifacts/tmp-94845 --negotiate -u : > http://rm_host:8088/proxy/application_1518674952153_0070/metrics/json2018-02-15 > 07:15:48,757|INFO|MainThread|machine.py:194 - > run()||GUID=fc5a3266-28f8-4eed-bae2-b2b460b80713|Exit Code: 0 > 2018-02-15 07:15:48,758|INFO|MainThread|spark.py:1757 - > getMetricsJsonData()|metrics: > <html> > <head> > <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> > <title>Error 403 GSSException: Failure unspecified at GSS-API level > (Mechanism level: Request is a replay (34))</title> > </head> > <body><h2>HTTP ERROR 403</h2> > <p>Problem accessing /proxy/application_1518674952153_0070/metrics/json. > Reason: > <pre> GSSException: Failure unspecified at GSS-API level (Mechanism level: > Request is a replay (34))</pre></p> > </body> > </html> > {code} > Rootcausing :Â proxyserver on RM can't be supported for Kerberos enabled > cluster because AuthenticationFilter is applied twice in Hadoop code (once in > httpServer2 for RM, and another instance from AmFilterInitializer for proxy > server). This will require code changes to hadoop-yarn-server-web-proxy > project -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org