[
https://issues.apache.org/jira/browse/YARN-11937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18064149#comment-18064149
]
ASF GitHub Bot commented on YARN-11937:
---------------------------------------
brumi1024 commented on PR #8300:
URL: https://github.com/apache/hadoop/pull/8300#issuecomment-4024509611
### Code review
Found 2 issues:
1. **NullPointerException when tracking URL has no query string** —
`java.net.URI.getQuery()` returns `null` when the URI has no query component
(e.g., `http://host:8188/history/application_001`). Calling `.equals(...)` on
`null` will throw an NPE for any application whose tracking URL lacks a query
string, which is the common case. The fix is to add a null guard:
`toFetch.getQuery() != null && toFetch.getQuery().equals(...)` or flip the
receiver to `(redirectFlagName + "=true").equals(toFetch.getQuery())`.
https://github.com/apache/hadoop/blob/3ee560a6bdf87786d178473ef66c78cf45358e34/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java#L553-L560
2. **Redirect is unreachable for FINISHED/KILLED/FAILED applications** — The
new redirect-flag block is inserted after the application-state `switch`. For
`KILLED`, `FINISHED`, and `FAILED` states, the switch already calls
`ProxyUtils.sendRedirect(req, resp, toFetch.toString()); return;` and exits
before reaching the new block. The new code only executes for `RUNNING`
applications (the `default:` fall-through case). The PR's stated motivation is
Knox Gateway with Spark History Server — which serves **completed (FINISHED)
jobs** — so the feature will never trigger for its documented use case. The
redirect-flag check needs to be placed before the state switch, or the switch
cases need to be updated to respect the flag.
https://github.com/apache/hadoop/blob/3ee560a6bdf87786d178473ef66c78cf45358e34/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java#L527-L562
🤖 Generated with [Claude Code](https://claude.ai/code)
<sub>If this code review was useful, please react with 👍. Otherwise, react
with 👎.</sub>
> Yarn Proxy Behind a Reverse Proxy
> ---------------------------------
>
> Key: YARN-11937
> URL: https://issues.apache.org/jira/browse/YARN-11937
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: yarn
> Affects Versions: 3.5.1
> Reporter: Bence Kosztolnik
> Assignee: Bence Kosztolnik
> Priority: Major
> Labels: pull-request-available
>
> h5. Description
> When the Yarn Proxy is deployed behind a reverse proxy that is also used in
> application tracking URLs, the Yarn Proxy should redirect requests to that
> proxy instead of attempting to proxy them internally.
> h5. Use Case
> Consider the following scenario:
> • A user runs a Spark job.
> • The Spark UI is hosted in the Spark History Server (SHS).
> • Multiple SHS instances are deployed for high availability (HA).
> • The tracking URL points to a Knox Gateway, which routes requests to
> the available SHS instances.
> This setup ensures high availability for the tracking UI. If one SHS instance
> becomes unavailable, another can continue serving the UI.
> h5. Problem Statement
> When the Knox Gateway forwards a user’s HTTP request to the Yarn Proxy, the
> Yarn Proxy attempts to proxy the request back to the Knox Gateway. However,
> this proxied request does not include the JWT token. As a result, Knox
> initiates authentication instead of forwarding the request to the appropriate
> SHS instance.
> h5. Proposed Solution
> For security reasons, the JWT token must not be forwarded to the tracking
> URL. Therefore, when an application registers a tracking URL that includes a
> specific flag indicating that it is served behind a reverse proxy, the Yarn
> Proxy should redirect the user directly to the tracking URL instead of
> attempting to proxy the request internally.
> h5. Config
> New config was created: +yarn.web-proxy.redirect-flag+
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
