K0K0V0K opened a new pull request, #8300:
URL: https://github.com/apache/hadoop/pull/8300

   ### Description of PR
   
   When the Yarn Proxy is deployed behind a reverse proxy that is also used in 
application tracking URLs, the Yarn Proxy should redirect requests to that 
proxy instead of attempting to proxy them internally.
   
   **Use Case**
   Consider the following scenario:
       •   A user runs a Spark job.
       •   The Spark UI is hosted in the Spark History Server (SHS).
       •   Multiple SHS instances are deployed for high availability (HA).
       •   The tracking URL points to a Knox Gateway, which routes requests to 
the available SHS instances.
   
   This setup ensures high availability for the tracking UI. If one SHS 
instance becomes unavailable, another can continue serving the UI.
   
   **Problem Statement**
   When the Knox Gateway forwards a user’s HTTP request to the Yarn Proxy, the 
Yarn Proxy attempts to proxy the request back to the Knox Gateway. However, 
this proxied request does not include the JWT token. As a result, Knox 
initiates authentication instead of forwarding the request to the appropriate 
SHS instance.
   
   **Proposed Solution**
   For security reasons, the JWT token must not be forwarded to the tracking 
URL. Therefore, when an application registers a tracking URL that includes a 
specific flag indicating that it is served behind a reverse proxy, the Yarn 
Proxy should redirect the user directly to the tracking URL instead of 
attempting to proxy the request internally.
   
   **Config**
   New config was created: `yarn.web-proxy.redirect-flag`
   
   ### How was this patch tested?
   
   - UT was created
   - Deployed a cluster with YARN, SPARK, KNOX and checked it there
   
   ### For code changes:
   
   - [ ] Does the title or this PR start with the corresponding JIRA issue id 
(e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the 
endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies 
licensed in a way that is compatible for inclusion under [ASF 
2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, 
`NOTICE-binary` files?
   
   ### AI Tooling
   
   If an AI tool was used:
   
   - [ ] The PR includes the phrase "Contains content generated by <tool>"
         where <tool> is the name of the AI tool used.
   - [ ] My use of AI contributions follows the ASF legal policy
         https://www.apache.org/legal/generative-tooling.html


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
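
The redirect-or-proxy decision described in the PR text above, as an added example that is not code from the PR or from Hadoop. It assumes the flag is a query-parameter name configured through `yarn.web-proxy.redirect-flag` (the description does not say how the flag is encoded); the class, method names, sample URLs and flag value are hypothetical.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class TrackingUrlDecision {
  enum Action { PROXY, REDIRECT }

  // Credential-bearing headers that are never copied onto a request the
  // proxy itself sends to the tracking URL (the JWT must not be forwarded).
  static final Set<String> CREDENTIAL_HEADERS = Set.of("cookie", "authorization");

  // ASSUMPTION: redirectFlag is a query-parameter name read from
  // yarn.web-proxy.redirect-flag; an unset flag keeps the proxy behaviour.
  static Action decide(URI trackingUri, String redirectFlag) {
    String query = trackingUri.getQuery();
    if (redirectFlag == null || redirectFlag.isEmpty() || query == null) {
      return Action.PROXY;
    }
    for (String pair : query.split("&")) {
      // Compare the whole parameter name; a substring test would also
      // match unrelated values that merely contain the flag text.
      if (pair.split("=", 2)[0].equals(redirectFlag)) {
        return Action.REDIRECT;
      }
    }
    return Action.PROXY;
  }

  // Headers for the proxied path: everything except credentials.
  static Map<String, String> outboundHeaders(Map<String, String> inbound) {
    Map<String, String> out = new LinkedHashMap<>();
    inbound.forEach((name, value) -> {
      if (!CREDENTIAL_HEADERS.contains(name.toLowerCase(Locale.ROOT))) {
        out.put(name, value);
      }
    });
    return out;
  }

  public static void main(String[] args) {
    String flag = "yarnRedirect"; // constructed sample value
    URI viaGateway = URI.create("https://knox.example.com/gateway/shs/history/app_1?yarnRedirect=true");
    URI direct = URI.create("http://am.example.com:4040/jobs/?tab=yarnRedirectInfo");
    System.out.println(decide(viaGateway, flag));
    System.out.println(decide(direct, flag));
    System.out.println(outboundHeaders(Map.of("Cookie", "jwt=<token>", "Accept", "text/html")));
  }
}
```

On the redirect path the browser contacts the gateway itself and presents its own credentials there, so the proxy never has to handle or relay the JWT.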