[ https://issues.apache.org/jira/browse/YARN-11937?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bence Kosztolnik updated YARN-11937:
------------------------------------
    Description: 
h5. Description

When the Yarn Proxy is deployed behind a reverse proxy that is also used in 
application tracking URLs, the Yarn Proxy should redirect requests to that 
proxy instead of attempting to proxy them internally.
h5. Use Case

Consider the following scenario:
    •   A user runs a Spark job.
    •   The Spark UI is hosted in the Spark History Server (SHS).
    •   Multiple SHS instances are deployed for high availability (HA).
    •   The tracking URL points to a Knox Gateway, which routes requests to the 
available SHS instances.

This setup ensures high availability for the tracking UI. If one SHS instance 
becomes unavailable, another can continue serving the UI.
h5. Problem Statement

When the Knox Gateway forwards a user’s HTTP request to the Yarn Proxy, the 
Yarn Proxy attempts to proxy the request back to the Knox Gateway. However, 
this proxied request does not include the JWT token. As a result, Knox 
initiates authentication instead of forwarding the request to the appropriate 
SHS instance.
h5. Proposed Solution

For security reasons, the JWT token must not be forwarded to the tracking URL. 
Therefore, when an application registers a tracking URL that includes a 
specific flag indicating that it is served behind a reverse proxy, the Yarn 
Proxy should redirect the user directly to the tracking URL instead of 
attempting to proxy the request internally.
h5. Config

New config was created: +yarn.web-proxy.redirect-flag+



!image-2026-03-05-11-18-22-816.png!

  was:
h5. Description

When the Yarn Proxy is deployed behind a reverse proxy that is also used in 
application tracking URLs, the Yarn Proxy should redirect requests to that 
proxy instead of attempting to proxy them internally.
h5. Use Case

Consider the following scenario:
    •   A user runs a Spark job.
    •   The Spark UI is hosted in the Spark History Server (SHS).
    •   Multiple SHS instances are deployed for high availability (HA).
    •   The tracking URL points to a Knox Gateway, which routes requests to the 
available SHS instances.

This setup ensures high availability for the tracking UI. If one SHS instance 
becomes unavailable, another can continue serving the UI.
h5. Problem Statement

When the Knox Gateway forwards a user’s HTTP request to the Yarn Proxy, the 
Yarn Proxy attempts to proxy the request back to the Knox Gateway. However, 
this proxied request does not include the JWT token. As a result, Knox 
initiates authentication instead of forwarding the request to the appropriate 
SHS instance.
h5. Proposed Solution

For security reasons, the JWT token must not be forwarded to the tracking URL. 
Therefore, when an application registers a tracking URL that includes a 
specific flag indicating that it is served behind a reverse proxy, the Yarn 
Proxy should redirect the user directly to the tracking URL instead of 
attempting to proxy the request internally.
h5. Config

New config was created: +yarn.web-proxy.redirect-flag

!image-2026-03-05-11-18-22-816.png!


> Yarn Proxy Behind a Reverse Proxy
> ---------------------------------
>
>                 Key: YARN-11937
>                 URL: https://issues.apache.org/jira/browse/YARN-11937
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn
>    Affects Versions: 3.5.0
>            Reporter: Bence Kosztolnik
>            Assignee: Bence Kosztolnik
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: image-2026-03-05-11-18-22-816.png
>
>
> h5. Description
> When the Yarn Proxy is deployed behind a reverse proxy that is also used in 
> application tracking URLs, the Yarn Proxy should redirect requests to that 
> proxy instead of attempting to proxy them internally.
> h5. Use Case
> Consider the following scenario:
>     •   A user runs a Spark job.
>     •   The Spark UI is hosted in the Spark History Server (SHS).
>     •   Multiple SHS instances are deployed for high availability (HA).
>     •   The tracking URL points to a Knox Gateway, which routes requests to 
> the available SHS instances.
> This setup ensures high availability for the tracking UI. If one SHS instance 
> becomes unavailable, another can continue serving the UI.
> h5. Problem Statement
> When the Knox Gateway forwards a user’s HTTP request to the Yarn Proxy, the 
> Yarn Proxy attempts to proxy the request back to the Knox Gateway. However, 
> this proxied request does not include the JWT token. As a result, Knox 
> initiates authentication instead of forwarding the request to the appropriate 
> SHS instance.
> h5. Proposed Solution
> For security reasons, the JWT token must not be forwarded to the tracking 
> URL. Therefore, when an application registers a tracking URL that includes a 
> specific flag indicating that it is served behind a reverse proxy, the Yarn 
> Proxy should redirect the user directly to the tracking URL instead of 
> attempting to proxy the request internally.
> h5. Config
> New config was created: +yarn.web-proxy.redirect-flag+
> !image-2026-03-05-11-18-22-816.png!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
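
The decision described under "Proposed Solution", as an added example that is not code from the issue or from Hadoop. Treating the value of yarn.web-proxy.redirect-flag as a query parameter name, the trustedGateways allow-list, the credential header set, and all sample hosts and values are assumptions; the issue does not state how the flag is encoded in the tracking URL.

```java
import java.net.URI;
import java.util.*;
public class TrackingUrlDecision {
    enum Action { PROXY, REDIRECT, REJECT }

    // Headers where a JWT or session token would travel (assumed set).
    static final Set<String> CREDENTIAL_HEADERS = Set.of("authorization", "cookie");

    // redirectFlag stands for the value of yarn.web-proxy.redirect-flag. Reading it as a
    // query parameter name, and the trustedGateways allow-list, are assumptions.
    static Action decide(String trackingUrl, String redirectFlag, Set<String> trustedGateways) {
        URI uri;
        try {
            uri = URI.create(trackingUrl);
        } catch (IllegalArgumentException | NullPointerException e) {
            return Action.REJECT;
        }
        String scheme = uri.getScheme(), host = uri.getHost();
        boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
        if (!web || host == null) return Action.REJECT;
        if (!hasFlag(uri.getRawQuery(), redirectFlag)) return Action.PROXY;
        // A flagged URL is application-supplied: redirect only to a known gateway,
        // otherwise keep the pre-change behaviour and proxy it.
        return trustedGateways.contains(host.toLowerCase(Locale.ROOT)) ? Action.REDIRECT : Action.PROXY;
    }

    static boolean hasFlag(String rawQuery, String flag) {
        if (rawQuery == null || flag == null || flag.isEmpty()) return false;
        return Arrays.stream(rawQuery.split("&")).anyMatch(p -> p.split("=", 2)[0].equals(flag));
    }

    // Headers the proxy may copy onto its own outbound request: credentials dropped.
    static Map<String, String> outboundHeaders(Map<String, String> inbound) {
        Map<String, String> out = new LinkedHashMap<>();
        inbound.forEach((k, v) -> {
            if (!CREDENTIAL_HEADERS.contains(k.toLowerCase(Locale.ROOT))) out.put(k, v);
        });
        return out;
    }

    public static void main(String[] args) {
        Set<String> gateways = Set.of("knox.example.com");   // constructed sample values
        String flag = "behindProxy";                         // hypothetical flag name
        System.out.println(decide("https://knox.example.com/gateway/shs/history/app_1?behindProxy=true", flag, gateways));
        System.out.println(decide("http://shs1.example.com:18080/history/app_1", flag, gateways));
        System.out.println(decide("https://other.example.net/ui?behindProxy=true", flag, gateways));
        System.out.println(decide("ftp://knox.example.com/ui?behindProxy=true", flag, gateways));
        System.out.println(outboundHeaders(Map.of("Accept", "text/html", "Cookie", "jwt=constructed")));
    }
}
```

Because the tracking URL is registered by the application, the sketch redirects only when the flagged URL's host is on the allow-list, and falls back to proxying without credentials otherwise.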
