APEXCORE-488: Issues in SSL communication with StrAM #357
Conversation
pradeepdalvi
commented
Jul 11, 2016
- Fixed Application Master trackingURL
- StramAgent shall not assume always HTTP
String url; | ||
if (!info.appMasterTrackingUrl.startsWith("http://") | ||
&& !info.appMasterTrackingUrl.startsWith("https://")) { | ||
url = "http://" + info.appMasterTrackingUrl; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be logged, saying falling back to http
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it is a secure cluster, then fallback should be https?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Its not falling back. When protocol scheme is not specified in Tracking URL, it shall use the default protocol scheme i.e. 'http://'
@PramodSSImmaneni Could you please review this? |
@@ -608,13 +609,16 @@ protected void serviceStart() throws Exception | |||
|
|||
try { | |||
Configuration config = getConfig(); | |||
YarnConfiguration conf = new YarnConfiguration(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is it necessary to have Configuration and YarnConfiguration? Can this code be simplified to YarnConfiguration = StramClientUtils.getYarnConfiguration(getConfig());
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Configuration is needed by WebApp server. We could probably do something like YarnConfiguration conf = StramClientUtils.getYarnConfiguration(config);
or
YarnConfiguration conf = new YarnConfiguration(config);
However in both cases there is not much significant difference unless & until config is instanceof YarnConfiguration.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As Configuration
is a super class for YarnConfiguration
, Configuration
is not needed by WebApp server, it may use YarnConfiguration
. Please simplify code to avoid creating multiple Configuration/YarnConfiguration objects and reading .conf files multiple times.
d8b64f3
to
38dcce3
Compare
this.appMasterTrackingUrl = NetUtils.getConnectAddress(webApp.getListenerAddress()).getHostName() + ":" + webApp.port(); | ||
String scheme = ConfigUtils.getSchemePrefix(config); | ||
String hostname = NetUtils.getConnectAddress(webApp.getListenerAddress()).getHostName(); | ||
this.appMasterTrackingUrl = scheme + hostname + ":" + webApp.port(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is changing the contract of appMasterTrackingUrl in the web service response even though this is probably how it should have been in the first place. This would be a backwards incompatible change. Suggest to use a separate property for scheme.
38dcce3
to
22783a7
Compare
@@ -68,15 +68,30 @@ public static String getRMUsername(Configuration conf) | |||
return principal; | |||
} | |||
|
|||
public static String getSchemePrefix(YarnConfiguration conf) | |||
public static boolean isSecure(Configuration conf) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change the name to isSSLEnabled or something like that, secure in hadoop context typically refers to kerberos security
22783a7
to
069a6ef
Compare
069a6ef
to
10619d6
Compare
// For backward compatibility, not adding scheme in TrackingURL for non-HTTPS | ||
// TODO: Remove the check in next major release and add scheme always | ||
if (ConfigUtils.isSSLEnabled(config)) { | ||
String scheme = ConfigUtils.getSchemePrefix(config); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why do you need to make ConfigUtils.getSchemePrefix
call? If ConfigUtils.isSSLEnabled == true
then scheme is always https://..
Why not have this.appMasterTrackingUrl = ConfigUtils.getSchemePrefix(config) + host
instead of if-else
loop?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gauravgopi123 to preserve compatibility with prior gateway version that assumes "http:" sceme and prepends "http://" to the tracking URL, it is necessary to check if SSL is enabled before prepending scheme, but it is not necessary to have if-else. It should be sufficient to prepend "https://" in case SSL is enabled:
appMasterTrackingUrl = NetUtils.getConnectAddress(webApp.getListenerAddress()).getHostName() + ":" + webApp.port();
if (ConfigUtils.isSSLEnabled(config)) {
appMasterTrackingUrl = "https://" + appMasterTrackingUrl;
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gauravgopi123 @vrozov I had same thing in mind, when I introduced isSSLEnabled function. And it was basically introduced to add scheme conditionally and to avoid compatibility issues before major release.
As you already got an idea, these changes were made while keeping future changes in mind. Ultimately we would like to see something like:
this.appMasterTrackingUrl = NetUtils.getConnectAddress(webApp.getListenerAddress()).getHostName() + ":" + webApp.port();
this.appMasterTrackingUrl = ConfigUtils.getSchemePrefix(config) + this.appMasterTrackingUrl;
So IMO, we can make changes as below. And during next major release simply remove if condition.
this.appMasterTrackingUrl = NetUtils.getConnectAddress(webApp.getListenerAddress()).getHostName() + ":" + webApp.port();
// For backward compatibility, not adding scheme in TrackingURL for non-HTTPS
// TODO: Remove the check in next major release and add scheme always
if (ConfigUtils.isSSLEnabled(config)) {
this.appMasterTrackingUrl = ConfigUtils.getSchemePrefix(config) + this.appMasterTrackingUrl;
}
Please let me know your thoughts on this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or something like this:
this.appMasterTrackingUrl = (ConfigUtils.isSSLEnabled(config) ? ConfigUtils.getSchemePrefix(config) : "") + NetUtils.getConnectAddress(webApp.getListenerAddress()).getHostName() + ":" + webApp.port();
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pradeepdalvi : @vrozov had answered your question. Calling getSchemePrefix is again calling isSSLEnabled. Why is that requried
- Fixed Application Master trackingURL - StramAgent shall not assume always HTTP
10619d6
to
4f3ab00
Compare
{ | ||
if (HttpConfig.Policy.HTTPS_ONLY == HttpConfig.Policy.fromString(conf.get(YarnConfiguration.YARN_HTTP_POLICY_KEY, YarnConfiguration.YARN_HTTP_POLICY_DEFAULT))) { | ||
if (isSSLEnabled(conf)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think @vrozov also pointed out this earlier, but this function is not required.. I see all the usages passing Yarnconfiguration
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mean the getSchemePrefix(YarnConfiguration...) method? Needed for binary compatibility.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are you good with that explanation @gauravgopi123
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@PramodSSImmaneni : I am talking about getSchemePrefix(Configuration) method...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@PramodSSImmaneni : In-fact I won't make any change in this file. I would just add following code in StreamingAppMasterService
if ("https//:".equals.(ConfigUtils. getSchemePrefix(config))) { appMasterTrackingUrl = "https://" + appMasterTrackingUrl; }
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@PramodSSImmaneni : I missed one thing. New method is needed as AppMaster has Configuration and YarnConfiguration object..
Changes look good