[ 
https://issues.apache.org/jira/browse/YARN-8448?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16647209#comment-16647209
 ] 

Haibo Chen commented on YARN-8448:
----------------------------------

Thanks [~rkanter] for the patch update! Posting some of my comments while I am 
still finishing up looking at the C code changes and the ProxyCA code.

1) The YARN-specific secret keys should probably be moved to yarn-modules 
(hadoop-yarn-server-common seems a good place), instead of being added to 
hadoop-common.

2) In KeyStoreTestUtil.bytesToKeyStore(), should we use a try clause for the 
input stream?

3) In YarnConfiguration and yarn-default.xml, can we rephrase the comments of 
the new configuration? "Sets the policy the RM should use when enforcing HTTPS 
..." => "Specifies what RM does to enforce HTTPS..."

For 'LENIENT', RM would always generate the key/trust store regardless of what 
URL AM sends to RM, if the policy is LENIENT or STRICT. In fact, that happens 
before AM is even launched. It is probably more accurate to say something along 
the lines of "RM will generate and provide to AMs a keystore and truststore, 
which AMs are free to use to set up HTTPS in their tracking web server. The RM 
webproxy would always connect users to AMs even if they use HTTP."

Similarly for 'STRICT', "RM will always generate and provide a keystore and 
truststore for AMs. AMs are free to use the keystore and truststore to set up 
HTTPS in their tracking web server. However, RM webproxy would block users from 
accessing any AM web server that runs in HTTP."

4) How about we move "KEYSTORE_FILE_LOCATION", "KEYSTORE_PASSWORD", 
"TRUSTSTORE_FILE_LOCATION" and "TRUSTSTORE_PASSWORD" to ApplicationConstants?

5) In DefaultLinuxContainerRuntime and DockerLinuxContainerRuntime, can we do 
null-checking for both keystore and truststore to be more defensive?

6) testLaunchContainerCopyFiles(boolean https) has a lot of if-statements, 
which I think justifies having two different methods, each calling some utility 
methods. Can you try to break it into two? Likewise for 
testContainerLaunch(boolean https).

 


 

> AM HTTPS Support
> ----------------
>
>                 Key: YARN-8448
>                 URL: https://issues.apache.org/jira/browse/YARN-8448
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Major
>         Attachments: YARN-8448.001.patch, YARN-8448.002.patch, 
> YARN-8448.003.patch, YARN-8448.004.patch, YARN-8448.005.patch, 
> YARN-8448.006.patch, YARN-8448.007.patch, YARN-8448.008.patch
>
>



