[
https://issues.apache.org/jira/browse/YARN-10291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17156763#comment-17156763
]
Brahma Reddy Battula commented on YARN-10291:
---------------------------------------------
[~eyang] thanks for bringing this up. This made me look into why Hadoop uses
SSLEngine.
HDFS, MapReduce, and YARN use the Hadoop SSL Keystore Factory to manage
SSL certificates. This factory uses a common directory for server keystore and
client truststore. The Hadoop SSL Keystore Factory allows you to use CA
certificates managed in their own stores.
The following list describes major differences between certificates managed by
the Hadoop SSL Keystore Management Factory and certificates managed by JDK:
* Hadoop SSL Keystore Management Factory:
** Supports only JKS formatted keys.
** Supports toggling the shuffle between HTTP and HTTPS.
** Supports two-way certificate and name validation.
** Uses a common location for both the keystore and truststore that is
available to other Hadoop core services.
** Allows you to manage SSL in a central location and propagate changes to
all cluster nodes.
** Automatically reloads the keystore and truststore without restarting
services.
* SSL Management with JDK:
** Allows either HTTP or HTTPS.
** Uses hard-coded locations for truststores and keystores that may vary
between hosts. Typically, this requires you to generate key pairs and import
certificates on each host.
** Requires the service to be restarted to reload the keystores and
truststores.
** Requires certificates to be installed in the client CA truststore.
{quote}The odd ends of Hadoop ssl is having odd implementation of SSL support,
which does not have reliable accepted issuer validation.
{quote}
If this is true, then we need to re-look at whoever is using it in Hadoop,
right? And can you elaborate more on this?
> Yarn service commands doesn't work when https is enabled in RM
> --------------------------------------------------------------
>
> Key: YARN-10291
> URL: https://issues.apache.org/jira/browse/YARN-10291
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: Bilwa S T
> Assignee: Bilwa S T
> Priority: Major
> Attachments: YARN-10291.001.patch
>
>
> when we submit application using command "yarn app -launch sleeper-service
> ../share/hadoop/yarn/yarn-service-examples/sleeper/sleeper.json" , it throws
> below exception
> {code:java}
> com.sun.jersey.api.client.ClientHandlerException:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
> {code}
> We should use WebServiceClient#createClient as it takes care of setting
> sslfactory when https is called.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
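
A diagnostic for the "PKIX path building failed" error quoted in the issue description, added here as an example and not code from this thread or from Hadoop. It lists the CA certificates a Java client accepts as trust anchors from a given JKS truststore, or from the JDK default truststore when no path is given, so you can check whether the issuer of the RM certificate is among them. The class name and command-line arguments are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class, not part of Hadoop.
public class AcceptedIssuers {

  /**
   * Returns the CA certificates a client would accept as trust anchors.
   * A null path selects the JDK default truststore.
   */
  static X509Certificate[] acceptedIssuers(String path, char[] password) throws Exception {
    KeyStore trustStore = null;
    if (path != null) {
      trustStore = KeyStore.getInstance("JKS");
      try (InputStream in = Files.newInputStream(Paths.get(path))) {
        trustStore.load(in, password); // a null password skips the integrity check
      }
    }
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore); // a null KeyStore selects the JDK default trust anchors
    for (TrustManager tm : tmf.getTrustManagers()) {
      if (tm instanceof X509TrustManager) {
        return ((X509TrustManager) tm).getAcceptedIssuers();
      }
    }
    throw new IllegalStateException("no X509TrustManager available");
  }

  public static void main(String[] args) throws Exception {
    // Assumed arguments: [truststore.jks [password]]
    String path = args.length > 0 ? args[0] : null;
    char[] password = args.length > 1 ? args[1].toCharArray() : null;
    X509Certificate[] issuers = acceptedIssuers(path, password);
    System.out.println((path == null ? "JDK default truststore" : path)
        + ": " + issuers.length + " accepted issuer(s)");
    for (X509Certificate ca : issuers) {
      System.out.println("  " + ca.getSubjectX500Principal().getName()
          + "  (expires " + ca.getNotAfter() + ")");
    }
  }
}
```

Run it once with no arguments and once with the cluster's client truststore. A client that fails with the PKIX error is validating against a set of issuers that does not include the CA that signed the server certificate.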