[
https://issues.apache.org/jira/browse/YARN-11937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18063175#comment-18063175
]
ASF GitHub Bot commented on YARN-11937:
---------------------------------------
hadoop-yetus commented on PR #8300:
URL: https://github.com/apache/hadoop/pull/8300#issuecomment-4004066969
:broken_heart: **-1 overall**
| Vote | Subsystem | Runtime | Logfile | Comment |
|:----:|----------:|--------:|:--------:|:-------:|
| +0 :ok: | reexec | 0m 0s | | Docker mode activated. |
| -1 :x: | patch | 0m 20s | |
https://github.com/apache/hadoop/pull/8300 does not apply to trunk. Rebase
required? Wrong Branch? See
https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute for help.
|
| Subsystem | Report/Notes |
|----------:|:-------------|
| Console output |
https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8300/1/console |
| versions | git=2.34.1 |
| Powered by | Apache Yetus 0.14.1 https://yetus.apache.org |
This message was automatically generated.
> Yarn Proxy Behind a Reverse Proxy
> ---------------------------------
>
> Key: YARN-11937
> URL: https://issues.apache.org/jira/browse/YARN-11937
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: yarn
> Affects Versions: 3.5.0
> Reporter: Bence Kosztolnik
> Assignee: Bence Kosztolnik
> Priority: Major
> Labels: pull-request-available
>
> h5. Description
> When the Yarn Proxy is deployed behind a reverse proxy that is also used in
> application tracking URLs, the Yarn Proxy should redirect requests to that
> proxy instead of attempting to proxy them internally.
> h5. Use Case
> Consider the following scenario:
> • A user runs a Spark job.
> • The Spark UI is hosted in the Spark History Server (SHS).
> • Multiple SHS instances are deployed for high availability (HA).
> • The tracking URL points to a Knox Gateway, which routes requests to
> the available SHS instances.
> This setup ensures high availability for the tracking UI. If one SHS instance
> becomes unavailable, another can continue serving the UI.
> h5. Problem Statement
> When the Knox Gateway forwards a user’s HTTP request to the Yarn Proxy, the
> Yarn Proxy attempts to proxy the request back to the Knox Gateway. However,
> this proxied request does not include the JWT token. As a result, Knox
> initiates authentication instead of forwarding the request to the appropriate
> SHS instance.
> h5. Proposed Solution
> For security reasons, the JWT token must not be forwarded to the tracking
> URL. Therefore, when an application registers a tracking URL that includes a
> specific flag indicating that it is served behind a reverse proxy, the Yarn
> Proxy should redirect the user directly to the tracking URL instead of
> attempting to proxy the request internally.
> h5. Config
> New config was created: +yarn.web-proxy.redirect-flag+
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
