Posted to yarn-issues@hadoop.apache.org by "Prabhu Joseph (JIRA)" <ji...@apache.org> on 2019/08/04 17:13:00 UTC

[jira] [Commented] (YARN-9701) Yarn service cli commands do not connect to ssl enabled RM using ssl-client.xml configs

    [ https://issues.apache.org/jira/browse/YARN-9701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16899658#comment-16899658 ] 

Prabhu Joseph commented on YARN-9701:
-------------------------------------

[~tarunparimi]  The patch looks good and works fine on the repro cluster.

1. The line below does not look needed:
{code:java}
SSLSocketFactory sslSocketF = clientSslFactory
                    .createSSLSocketFactory();
{code}
2. Better to destroy the Client and SSLFactory.

> Yarn service cli commands do not connect to ssl enabled RM using ssl-client.xml configs
> ---------------------------------------------------------------------------------------
>
>                 Key: YARN-9701
>                 URL: https://issues.apache.org/jira/browse/YARN-9701
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: yarn-native-services
>    Affects Versions: 3.1.0
>            Reporter: Tarun Parimi
>            Assignee: Tarun Parimi
>            Priority: Major
>         Attachments: YARN-9701.001.patch
>
>
> Yarn service commands use the yarn service REST API. When SSL is enabled for the RM, the yarn service commands fail as they don't read the ssl-client.xml configs to create an SSL connection to the REST API.
> This becomes a problem especially for self-signed certificates, as the truststore location specified at ssl.client.truststore.location is not considered by the commands.
> As a workaround, we need to import the certificates to the java default cacert for the yarn service commands to work via SSL. It would be more proper if the yarn service commands made use of the configs at ssl-client.xml instead to configure and create an SSL client connection. This workaround may not even work if there are additional properties configured in ssl-client.xml that are necessary apart from the truststore-related properties.
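
The behaviour the issue asks for, together with the cleanup raised in the review comment, as an added example that is not code from the patch or from the Hadoop project: an HTTPS client that trusts the store configured in ssl-client.xml and always destroys its `SSLFactory`. It assumes hadoop-common and ssl-client.xml are on the classpath; the class name `SslClientXmlProbe` is hypothetical, and it uses plain `HttpsURLConnection` rather than the client the patch configures, which is not shown here.

```java
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.ssl.SSLFactory;

/** Hypothetical probe; not part of YARN-9701.001.patch. */
public class SslClientXmlProbe {

  /** Returns the HTTP status of a GET to url, using the trust settings from ssl-client.xml. */
  static int probe(Configuration conf, URL url) throws Exception {
    if (!"https".equals(url.getProtocol())) {
      throw new IllegalArgumentException("expected an https URL: " + url);
    }
    // CLIENT mode loads the file named by hadoop.ssl.client.conf
    // (ssl-client.xml by default), including ssl.client.truststore.location.
    SSLFactory factory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
    factory.init();
    try {
      HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
      // Without these two calls the connection uses the JVM default
      // truststore (cacerts), which is the failure the issue describes.
      conn.setSSLSocketFactory(factory.createSSLSocketFactory());
      conn.setHostnameVerifier(factory.getHostnameVerifier());
      try {
        return conn.getResponseCode();
      } finally {
        conn.disconnect();
      }
    } finally {
      // Release the factory on every path, including a failed handshake.
      factory.destroy();
    }
  }

  public static void main(String[] args) throws Exception {
    // args[0]: HTTPS URL of the RM REST endpoint to test, supplied by the operator.
    if (args.length != 1) {
      System.err.println("usage: SslClientXmlProbe <https-url>");
      System.exit(2);
    }
    System.out.println("HTTP " + probe(new Configuration(), new URL(args[0])));
  }
}
```

A handshake that succeeds here while the yarn service command fails against the same URL points at the command not reading ssl-client.xml rather than at the certificate itself.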


