Tamas Domok created YARN-11735:
----------------------------------
Summary: Be able to configure custom trust store for WebAppProxyServlet
Key: YARN-11735
URL: https://issues.apache.org/jira/browse/YARN-11735
Project: Hadoop YARN
Issue Type: New Feature
Components: resourcemanager
Affects Versions: 3.5.0
Reporter: Tamas Domok
Assignee: Tamas Domok
h2. General
There is no way to proxy HTTPS AM Web Servers with self-signed certificates
where the trust cannot be established with the default trust store. There is no
configuration for the HttpClientBuilder to use custom trust stores.
[WebAppProxyServlet.proxyLink|https://github.com/apache/hadoop/blob/b781882020f42933bddab8a8e0badeae7229828f/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java#L233-L261]
h2. Reproduction
h3. Spark app with custom Spark UI TLS configuration
Submit a spark-app with custom TLS configuration with a self-signed certificate:
{code:bash}
$ spark-submit \
--conf spark.ui.enabled=false \
--conf spark.ssl.ui.keyStoreType=jks \
--conf spark.ssl.ui.protocol=TLSv1.2 \
--conf spark.ssl.ui.keyStore=keystore.jks \
--conf spark.ssl.ui.enabled=true \
--conf spark.yarn.historyServer.allowTracking=true \
--class org.apache.spark.examples.SparkPi --executor-memory 1G --queue root.default \
spark-examples.jar 100000
{code}
Open the trackingURL from the spark-submit log (the application must be in
running phase) or use the RM UI and open the History link.
{noformat}
2024-09-20 11:42:20,258 ERROR org.apache.hadoop.yarn.server.webproxy.WebAppProxyServlet: EXTRA_DEBUG client.execute GET https://a.b.c.d:4440 HTTP/1.1
2024-09-20 11:42:20,683 ERROR org.apache.hadoop.yarn.server.webproxy.WebAppProxyServlet: EXTRA_DEBUG client.execute exception Received fatal alert: handshake_failure
{noformat}
In this case, the proxy code would proxy the Spark App's UI on port 4440.
h3. Spark app with UI disabled
Prerequisites: run the Spark History Server with a TLS configuration with a
self-signed certificate.
Submit a spark-app with custom configuration:
{code:bash}
$ spark-submit \
--conf spark.ui.enabled=false \
--conf spark.yarn.historyServer.allowTracking=true \
--class org.apache.spark.examples.SparkPi --executor-memory 1G --queue root.default \
spark-examples.jar 100000
{code}
Open the trackingURL from the spark-submit log (the application must be in
running phase) or use the RM UI and open the History link.
{noformat}
2024-09-24 11:57:49,377 ERROR org.apache.hadoop.yarn.server.webproxy.WebAppProxyServlet: EXTRA_DEBUG client.execute GET http://a.b.c.d:18088/history/application_1727178836972_0001/1?redirect=true HTTP/1.1
2024-09-24 11:57:49,451 ERROR org.apache.hadoop.yarn.server.webproxy.WebAppProxyServlet: EXTRA_DEBUG client.execute exception PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
{noformat}
In this case, the proxy code would proxy the Spark History UI on port 18088.
h2. Proof of concept
NOTE: this is not the way to do it, just an example solution.
Create a trust store containing the root CA and configure it in ssl-client.xml,
then add this code snippet to the proxyLink method; it creates the SSLContext
from the ssl-client.xml settings.
{code:java}
try {
  // Build the client-side SSL settings from ssl-client.xml (Hadoop's SSLFactory
  // in CLIENT mode reads the ssl.client.truststore.* / keystore.* properties).
  SSLFactory sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
  sslFactory.init();
  KeyStoresFactory keystoresFactory = sslFactory.getKeystoresFactory();
  SSLContext context = SSLContext.getInstance("TLS");
  context.init(keystoresFactory.getKeyManagers(),
      keystoresFactory.getTrustManagers(), null);
  // Replace the JVM default trust store used by the proxy's HttpClient.
  httpClientBuilder.setSSLContext(context);
} catch (GeneralSecurityException e) {
  throw new RuntimeException(e);
}
{code}
The patched proxy should work with the above spark applications.
NOTE: a real production-ready implementation should be more general (it
shouldn't depend on ssl-client.xml, and it should work hand-in-hand with the
RM_APPLICATION_HTTPS_POLICY and ProxyCA feature).
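The following is an added stand-alone example, not the proof of concept above nor Hadoop's own code: it builds a client SSLContext from an explicit JKS trust store (the same thing SSLFactory does from ssl-client.xml), attaches it to an Apache HttpClient 4.x HttpClientBuilder the way the proxy would, and lets you check from the command line whether the trust store actually validates an AM or History Server endpoint before touching the proxy. It assumes httpclient 4.x on the classpath; the class and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;

/** Builds a client SSLContext from an explicit trust store instead of the JVM default. */
public final class ProxyTrustStoreCheck {

  /**
   * Loads the trust store holding the root CA of the AM / History Server certificate
   * (what ssl.client.truststore.location/.password/.type point at in ssl-client.xml)
   * and returns an SSLContext that trusts exactly that store. Key managers are null
   * because the proxy presents no client certificate in this scenario.
   */
  public static SSLContext trustStoreContext(String path, char[] password, String type)
      throws Exception {
    KeyStore ts = KeyStore.getInstance(type);            // e.g. "jks", as in the Spark config
    try (InputStream in = new FileInputStream(path)) {
      ts.load(in, password);
    }
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ts);                                        // PKIX validation against this CA set only
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);
    return ctx;
  }

  /** The same call the proxy would make: attach the context to its HttpClientBuilder. */
  public static HttpClientBuilder withTrustStore(HttpClientBuilder builder, SSLContext ctx) {
    return builder.setSSLContext(ctx);
  }

  /**
   * Usage: java ProxyTrustStoreCheck <truststore.jks> <password> <https-url>
   * A "PKIX path building failed" here means the endpoint's root CA is not in the store,
   * which is the failure the proxy logs above; a 200/302 means the trust store is sufficient.
   */
  public static void main(String[] args) throws Exception {
    SSLContext ctx = trustStoreContext(args[0], args[1].toCharArray(), "jks");
    try (CloseableHttpClient client = withTrustStore(HttpClientBuilder.create(), ctx).build();
         CloseableHttpResponse resp = client.execute(new HttpGet(args[2]))) {
      System.out.println(args[2] + " -> " + resp.getStatusLine());
    }
  }
}
```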
--
This message was sent by Atlassian Jira
(v8.20.10#820010)