You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Bibin A Chundatt (JIRA)" <ji...@apache.org> on 2015/06/20 21:13:01 UTC
[jira] [Commented] (YARN-3838) Rest API failing when ip configured
in RM address in secure https mode
[ https://issues.apache.org/jira/browse/YARN-3838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14594737#comment-14594737 ]
Bibin A Chundatt commented on YARN-3838:
----------------------------------------
In case of resourcemanager the httpserver is started as below and the url used is just the ip address
{{WebApps#start}}
{code}
HttpServer2.Builder builder = new HttpServer2.Builder()
.setName(name)
.addEndpoint(
URI.create(httpScheme + bindAddress
+ ":" + port)).setConf(conf).setFindPort(findPort)
.setACL(new AccessControlList(conf.get(
YarnConfiguration.YARN_ADMIN_ACL,
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)))
.setPathSpec(pathList.toArray(new String[0]));
{code}
Comparing the same to hdfs side for NameNode the URL is formed as below
{{DFSUtil#httpServerTemplateForNNAndJN}}
{code}
URI uri = URI.create("http://" + NetUtils.getHostPortString(httpAddr));
{code}
Seems like this is reason why there is a difference in both hdfs and yarn for *REST api functionality when IP is configured in kerberos mode*. In case of hdfs it works but yarn its doesnt.
Can we hange RM HTTPServer2.builder as velow
{code}
HttpServer2.Builder builder =
new HttpServer2.Builder()
.setName(name)
.addEndpoint(
URI.create(httpScheme
+ NetUtils.getHostPortString(new InetSocketAddress(
bindAddress, port))))
.setConf(conf)
.setFindPort(findPort)
.setACL(
new AccessControlList(conf.get(
YarnConfiguration.YARN_ADMIN_ACL,
YarnConfiguration.DEFAULT_YARN_ADMIN_ACL)))
.setPathSpec(pathList.toArray(new String[0]));
{code}
Please do correct me if i am wrong .
> Rest API failing when ip configured in RM address in secure https mode
> ----------------------------------------------------------------------
>
> Key: YARN-3838
> URL: https://issues.apache.org/jira/browse/YARN-3838
> Project: Hadoop YARN
> Issue Type: Bug
> Components: security
> Reporter: Bibin A Chundatt
> Assignee: Bibin A Chundatt
> Priority: Critical
> Attachments: 0001-HADOOP-12096.patch, 0001-YARN-3810.patch, 0002-YARN-3810.patch
>
>
> Steps to reproduce
> ===============
> 1.Configure hadoop.http.authentication.kerberos.principal as below
> {code:xml}
> <property>
> <name>hadoop.http.authentication.kerberos.principal</name>
> <value>HTTP/_HOST@HADOOP.COM</value>
> </property>
> {code}
> 2. In RM web address also configure IP
> 3. Startup RM
> Call Rest API for RM {{ curl -i -k --insecure --negotiate -u : https IP /ws/v1/cluster/info"}}
> *Actual*
> Rest API failing
> {code}
> 2015-06-16 19:03:49,845 DEBUG org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
> org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
> at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:399)
> at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:348)
> at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:519)
> at org.apache.hadoop.yarn.server.security.http.RMAuthenticationFilter.doFilter(RMAuthenticationFilter.java:82)
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)