[ https://issues.apache.org/jira/browse/APEXCORE-711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16199599#comment-16199599 ]
Sanjay M Pujare commented on APEXCORE-711:
------------------------------------------

[~vrozov] yes, it does affect Apex and I was aware of it while testing for this JIRA. If I remember right, I added Stram's self-signed cert to Yarn's (RM's) truststore. This is somewhat based on http://docs.h2o.ai/h2o/latest-stable/h2o-docs/security.html#keystore-truststore-generation and other similar descriptions you'll find for such use cases.

> Support custom SSL keystore for the Stram REST API web service
> --------------------------------------------------------------
>
>                 Key: APEXCORE-711
>                 URL: https://issues.apache.org/jira/browse/APEXCORE-711
>             Project: Apache Apex Core
>          Issue Type: Improvement
>            Reporter: Sanjay M Pujare
>            Assignee: Sanjay M Pujare
>             Fix For: 3.7.0
>
>   Original Estimate: 72h
>  Remaining Estimate: 72h
>
> Currently StrAM supports only the default Hadoop SSL configuration for the
> web-service because it uses org.apache.hadoop.yarn.webapp.WebApps helper
> class which has the limitation of only using the default Hadoop SSL config
> that is read from Hadoop's ssl-server.xml resource file. Some users have run
> into a situation where Hadoop's SSL keystore is not available on most cluster
> nodes or the Stram process doesn't have read access to the keystore even when
> present. So there is a need for the Stram to use a custom SSL keystore and
> configuration that does not suffer from these limitations.
> There is already a PR https://github.com/apache/hadoop/pull/213 to Hadoop to
> support this in Hadoop and it is in the process of getting merged soon.
> After that Stram needs to be enhanced (this JIRA) to accept the location of a
> custom ssl-server.xml file (supplied by the client via a DAG attribute) and
> use the values from that file to set up the config object to be passed to
> WebApps which will end up using the custom SSL configuration. This approach
> has already been verified in a prototype.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
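
The truststore step mentioned in the comment above, sketched with the JDK's `keytool` as an added example that is not part of the original message or of the Apex code base. The alias `stram`, the file names, the host name and the `KS_PASS` / `TS_PASS` variable names are assumptions made for illustration; on a real cluster the import target is the truststore the RM is already configured to use.

```shell
#!/bin/sh
# Added example, not from the JIRA thread. Alias, file names, host name and the
# KS_PASS / TS_PASS variable names are placeholders chosen for illustration.
# Passwords are read from the environment (-storepass:env) so they do not
# appear in the process list.
ALIAS=stram

# Create a keystore with a self-signed key pair for the Stram web service.
# $1 = keystore file, $2 = host name clients will connect to
make_stram_keystore() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity 365 -dname "CN=$2" -ext "SAN=dns:$2" \
        -keystore "$1" -storepass:env KS_PASS -keypass:env KS_PASS
}

# Export only the public certificate (PEM); the private key stays behind.
# $1 = keystore file, $2 = output certificate file
export_stram_cert() {
    keytool -exportcert -rfc -alias "$ALIAS" -file "$2" \
        -keystore "$1" -storepass:env KS_PASS
}

# Import the certificate as a trusted entry into the truststore the RM reads.
# $1 = truststore file, $2 = certificate file
trust_stram_cert() {
    keytool -importcert -noprompt -alias "$ALIAS" -file "$2" \
        -keystore "$1" -storepass:env TS_PASS
}

# Succeeds only if the truststore holds exactly the certificate Stram serves.
# $1 = keystore file, $2 = truststore file
same_cert() {
    ks=$(keytool -exportcert -rfc -alias "$ALIAS" -keystore "$1" -storepass:env KS_PASS) || return 1
    ts=$(keytool -exportcert -rfc -alias "$ALIAS" -keystore "$2" -storepass:env TS_PASS) || return 1
    [ "$ks" = "$ts" ]
}

# Demo run in a scratch directory: sh thisfile demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d) && export KS_PASS=constructed-ks-pass TS_PASS=constructed-ts-pass
    make_stram_keystore "$dir/stram-keystore" stram.example.test
    export_stram_cert "$dir/stram-keystore" "$dir/stram.pem"
    trust_stram_cert "$dir/rm-truststore" "$dir/stram.pem"
    same_cert "$dir/stram-keystore" "$dir/rm-truststore" && echo "RM truststore trusts the Stram certificate"
fi
```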