[
https://issues.apache.org/jira/browse/YARN-8108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16470814#comment-16470814
]
Eric Yang commented on YARN-8108:
---------------------------------
[~daryn] This issue doesn't present in Hadoop 2.7.5, does not mean it was done
properly. It is not possible to configure different HTTP principal for RM and
Proxy Server on the same host/port, and it was only half working. This is
because Hadoop only have yarn.resourcemanager.webapp.spnego-keytab-file and
yarn.resourcemanager.webapp.spnego-principal setting to define HTTP principal
to use on RM server. It does not have yarn.web-proxy.webapp.spnego-keytab-file
and yarn.web-proxy.webapp.spnego-principal settings to make differentiation.
Even if those settings are defined, they are not being used. Further analysis
on Hadoop 2.7.5, /proxy URL is not secured by any HTTP principal when running
in RM embedded mode.
> RM metrics rest API throws GSSException in kerberized environment
> -----------------------------------------------------------------
>
> Key: YARN-8108
> URL: https://issues.apache.org/jira/browse/YARN-8108
> Project: Hadoop YARN
> Issue Type: Bug
> Affects Versions: 3.0.0
> Reporter: Kshitij Badani
> Assignee: Eric Yang
> Priority: Major
> Attachments: YARN-8108.001.patch
>
>
> Test is trying to pull up metrics data from SHS after kiniting as 'test_user'
> It is throwing GSSException as follows
> {code:java}
> b2b460b80713|RUNNING: curl --silent -k -X GET -D
> /hwqe/hadoopqe/artifacts/tmp-94845 --negotiate -u :
> http://rm_host:8088/proxy/application_1518674952153_0070/metrics/json2018-02-15
> 07:15:48,757|INFO|MainThread|machine.py:194 -
> run()||GUID=fc5a3266-28f8-4eed-bae2-b2b460b80713|Exit Code: 0
> 2018-02-15 07:15:48,758|INFO|MainThread|spark.py:1757 -
> getMetricsJsonData()|metrics:
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 403 GSSException: Failure unspecified at GSS-API level
> (Mechanism level: Request is a replay (34))</title>
> </head>
> <body><h2>HTTP ERROR 403</h2>
> <p>Problem accessing /proxy/application_1518674952153_0070/metrics/json.
> Reason:
> <pre> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Request is a replay (34))</pre></p>
> </body>
> </html>
> {code}
> Rootcausing :Â proxyserver on RM can't be supported for Kerberos enabled
> cluster because AuthenticationFilter is applied twice in Hadoop code (once in
> httpServer2 for RM, and another instance from AmFilterInitializer for proxy
> server). This will require code changes to hadoop-yarn-server-web-proxy
> project
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
