Tamas Domok created YARN-11735:
----------------------------------

             Summary: Be able to configure custom trust store for WebAppProxyServlet
                 Key: YARN-11735
                 URL: https://issues.apache.org/jira/browse/YARN-11735
             Project: Hadoop YARN
          Issue Type: New Feature
          Components: resourcemanager
    Affects Versions: 3.5.0
            Reporter: Tamas Domok
            Assignee: Tamas Domok


h2. General

There is no way to proxy HTTPS AM Web Servers with self-signed certificates 
where the trust cannot be established with the default trust store. There is no 
configuration for the HttpClientBuilder to use custom trust stores.

[WebAppProxyServlet.proxyLink|https://github.com/apache/hadoop/blob/b781882020f42933bddab8a8e0badeae7229828f/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java#L233-L261]

h2. Reproduction

h3. Spark app with custom Spark UI TLS configuration

Submit a spark-app with custom TLS configuration with a self-signed certificate:
{code:bash}
$ spark-submit \
   --conf spark.ui.enabled=false \
   --conf spark.ssl.ui.keyStoreType=jks \
   --conf spark.ssl.ui.protocol=TLSv1.2 \
   --conf spark.ssl.ui.keyStore=keystore.jks \
   --conf spark.ssl.ui.enabled=true \
   --conf spark.yarn.historyServer.allowTracking=true \
   --class org.apache.spark.examples.SparkPi --executor-memory 1G --queue root.default spark-examples.jar 100000
{code}

Open the trackingURL from the spark-submit log (the application must be in 
running phase) or use the RM UI and open the History link.

{noformat}
2024-09-20 11:42:20,258 ERROR org.apache.hadoop.yarn.server.webproxy.WebAppProxyServlet: EXTRA_DEBUG client.execute GET https://a.b.c.d:4440 HTTP/1.1
2024-09-20 11:42:20,683 ERROR org.apache.hadoop.yarn.server.webproxy.WebAppProxyServlet: EXTRA_DEBUG client.execute exception Received fatal alert: handshake_failure
{noformat}

In this case, the proxy code would proxy the Spark App's UI on port 4440.

h3. Spark app with UI disabled

Prerequisites: run the Spark History Server with a TLS configuration with a 
self-signed certificate. 

Submit a spark-app with custom configuration:
{code:bash}
$ spark-submit \
   --conf spark.ui.enabled=false \
   --conf spark.yarn.historyServer.allowTracking=true \
   --class org.apache.spark.examples.SparkPi --executor-memory 1G --queue root.default spark-examples.jar 100000
{code}

Open the trackingURL from the spark-submit log (the application must be in 
running phase) or use the RM UI and open the History link.

{noformat}
2024-09-24 11:57:49,377 ERROR org.apache.hadoop.yarn.server.webproxy.WebAppProxyServlet: EXTRA_DEBUG client.execute GET http://a.b.c.d:18088/history/application_1727178836972_0001/1?redirect=true HTTP/1.1
2024-09-24 11:57:49,451 ERROR org.apache.hadoop.yarn.server.webproxy.WebAppProxyServlet: EXTRA_DEBUG client.execute exception PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
{noformat}

In this case, the proxy code would proxy the Spark History UI on port 18088.

h2. Proof of concept

NOTE: this is not the way to do it, just an example solution.

Create a trust store containing the root CA and configure it in ssl-client.xml, then add this code snippet to the proxyLink method; it builds the SSLContext from the key and trust stores configured in ssl-client.xml.

{code:java}
    try {
      // Client-mode SSLFactory reads the key/trust store settings from ssl-client.xml
      // (conf is the servlet's Hadoop Configuration).
      SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
      sslFactory.init();
      KeyStoresFactory keystoresFactory = sslFactory.getKeystoresFactory();
      // Build an SSLContext backed by the configured trust managers instead of the JDK default.
      SSLContext context = SSLContext.getInstance("TLS");
      context.init(keystoresFactory.getKeyManagers(),
              keystoresFactory.getTrustManagers(), null);
      // httpClientBuilder is the HttpClientBuilder proxyLink already uses for the AM request.
      httpClientBuilder.setSSLContext(context);
    } catch (GeneralSecurityException e) {
      throw new RuntimeException(e);
    }
{code}

The patched proxy should work with the above spark applications.

NOTE: the real production-ready implementation should be more general (it shouldn't depend on ssl-client.xml, and it should work hand-in-hand with the RM_APPLICATION_HTTPS_POLICY and ProxyCA feature).
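As an added example (not part of this issue's proof of concept and not Hadoop code), a hypothetical helper that builds the SSLContext from an explicitly configured trust store path, password and type instead of ssl-client.xml, and installs it on the HttpClientBuilder. It keeps the JDK's default certificate-path validation and HttpClient's default hostname verification, so the proxy trusts only the CAs in that store rather than accepting any certificate:

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.impl.client.HttpClientBuilder;

/** Hypothetical helper: builds a proxy-side SSLContext from a dedicated trust store. */
public final class ProxyTrustStore {

  private ProxyTrustStore() {}

  /**
   * Loads the trust store (e.g. JKS or PKCS12) and returns an SSLContext whose only
   * trust anchors are the certificates it contains. No key managers are set because the
   * proxy only authenticates the AM/history server, it does not present a client cert.
   */
  public static SSLContext fromTrustStore(String path, char[] password, String type)
      throws IOException, GeneralSecurityException {
    KeyStore trustStore = KeyStore.getInstance(type);
    try (InputStream in = new FileInputStream(path)) {
      trustStore.load(in, password);
    }
    // An empty store would silently fail every handshake with "PKIX path building failed";
    // fail fast with a clearer message instead.
    if (trustStore.size() == 0) {
      throw new GeneralSecurityException("trust store " + path + " contains no certificates");
    }
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    SSLContext context = SSLContext.getInstance("TLS");
    context.init(null, tmf.getTrustManagers(), null);
    return context;
  }

  /**
   * Attaches the custom SSLContext to the builder. The default hostname verifier stays in
   * place, so the AM certificate must still match the host in the tracking URL.
   */
  public static HttpClientBuilder withTrustStore(HttpClientBuilder builder, String path,
      char[] password, String type) throws IOException, GeneralSecurityException {
    return builder.setSSLContext(fromTrustStore(path, password, type));
  }
}
```

The three parameters would come from new yarn-site.xml properties in a real patch; the names of those properties are left open here because the issue has not defined them.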



--
This message was sent by Atlassian Jira
(v8.20.10#820010)