[
https://issues.apache.org/jira/browse/YARN-6586?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Kanter updated YARN-6586:
--------------------------------
Attachment: Design Document v1.pdf
> YARN to facilitate HTTPS in AM web server
> -----------------------------------------
>
> Key: YARN-6586
> URL: https://issues.apache.org/jira/browse/YARN-6586
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: yarn
> Affects Versions: 3.0.0-alpha2
> Reporter: Haibo Chen
> Priority: Major
> Attachments: Design Document v1.pdf
>
>
> MR AM today does not support HTTPS in its web server, so the traffic between
> RMWebProxy and MR AM is in clear text.
> MR cannot easily achieve this mainly because MR AMs are untrusted by YARN. A
> potential solution purely within MR, similar to what Spark has implemented,
> is to allow users, when they enable HTTPS in an MR job, to provide their own
> keystore file, and then the file is uploaded to distributed cache and
> localized for the MR AM container. The configuration users need to do is complex.
> More importantly, in typical deployments, web browsers go through
> RMWebProxy to indirectly access the MR AM web server. In order to support MR AM
> HTTPS, RMWebProxy therefore needs to trust the user-provided keystore, which
> is problematic.
> Alternatively, we can add an endpoint in the NM web server that acts as a proxy
> between the AM web server and RMWebProxy. RMWebProxy, when configured to do so,
> will send requests in HTTPS to the NM on which the AM is running, and the NM
> then can communicate with the local AM web server in HTTP. This adds one
> hop between RMWebProxy and AM, but both MR and Spark can use such a solution.