[ 
https://issues.apache.org/jira/browse/YARN-3838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14594737#comment-14594737
 ] 

Bibin A Chundatt commented on YARN-3838:
----------------------------------------

In case of resourcemanager the httpserver is started as below and the url used 
is just the ip address
{{WebApps#start}}
{code}
     HttpServer2.Builder builder = new HttpServer2.Builder()
            .setName(name)
            .addEndpoint(
                URI.create(httpScheme + bindAddress
                    + ":" + port)).setConf(conf).setFindPort(findPort)
            .setACL(new AccessControlList(conf.get(
              YarnConfiguration.YARN_ADMIN_ACL, 
              YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)))
            .setPathSpec(pathList.toArray(new String[0]));

{code}

Comparing the same to hdfs side for NameNode the URL is formed as below

{{DFSUtil#httpServerTemplateForNNAndJN}} 
{code}
      URI uri = URI.create("http://"; + NetUtils.getHostPortString(httpAddr));
{code}

Seems like this is reason why there is a difference in both hdfs and yarn for 
*REST api functionality when IP is configured in kerberos mode*. In case of 
hdfs it works but yarn its doesnt.

Can we hange RM HTTPServer2.builder as velow

{code}
  HttpServer2.Builder builder =
            new HttpServer2.Builder()
                .setName(name)
                .addEndpoint(
                    URI.create(httpScheme
                        + NetUtils.getHostPortString(new InetSocketAddress(
                            bindAddress, port))))
                .setConf(conf)
                .setFindPort(findPort)
                .setACL(
                    new AccessControlList(conf.get(
                        YarnConfiguration.YARN_ADMIN_ACL,
                        YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)))
                .setPathSpec(pathList.toArray(new String[0]));
{code}

Please do correct me if i am wrong .

> Rest API failing when ip configured in RM address in secure https mode
> ----------------------------------------------------------------------
>
>                 Key: YARN-3838
>                 URL: https://issues.apache.org/jira/browse/YARN-3838
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: security
>            Reporter: Bibin A Chundatt
>            Assignee: Bibin A Chundatt
>            Priority: Critical
>         Attachments: 0001-HADOOP-12096.patch, 0001-YARN-3810.patch, 
> 0002-YARN-3810.patch
>
>
> Steps to reproduce
> ===============
> 1.Configure hadoop.http.authentication.kerberos.principal as below
> {code:xml}
>   <property>
>     <name>hadoop.http.authentication.kerberos.principal</name>
>     <value>HTTP/_h...@hadoop.com</value>
>   </property>
> {code}
> 2. In RM web address also configure IP 
> 3. Startup RM 
> Call Rest API for RM  {{ curl -i -k  --insecure --negotiate -u : https IP 
> /ws/v1/cluster/info"}}
> *Actual*
> Rest API  failing
> {code}
> 2015-06-16 19:03:49,845 DEBUG 
> org.apache.hadoop.security.authentication.server.AuthenticationFilter: 
> Authentication exception: GSSException: No valid credentials provided 
> (Mechanism level: Failed to find any Kerberos credentails)
> org.apache.hadoop.security.authentication.client.AuthenticationException: 
> GSSException: No valid credentials provided (Mechanism level: Failed to find 
> any Kerberos credentails)
>       at 
> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:399)
>       at 
> org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:348)
>       at 
> org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
>       at 
> org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilter.doFilter(RMAuthenticationFilter.java:82)
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to