[jira] [Commented] (APEXCORE-711) Support custom SSL keystore for the Stram REST API web service

Tue, 10 Oct 2017 20:32:04 -0700 

    [ 
https://issues.apache.org/jira/browse/APEXCORE-711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16199752#comment-16199752
 ] 

Sanjay M Pujare commented on APEXCORE-711:
------------------------------------------

[~vrozov] Hmmm, this is standard SSL stuff and really in the area of RM App 
Proxy <--> App-master SSL communication that is independent of Apex. But I get 
your point and might be worthwhile mentioning. I have already updated the 
relevant Apex doc 
(https://github.com/apache/apex-core/blob/master/docs/security.md) which I can 
enhance with this particular point (needing to update all relevant trust-stores 
to be able to connect to the Stram SSL endpoint using the custom SSL feature). 
Does that work?

> Support custom SSL keystore for the Stram REST API web service
> --------------------------------------------------------------
>
>                 Key: APEXCORE-711
>                 URL: https://issues.apache.org/jira/browse/APEXCORE-711
>             Project: Apache Apex Core
>          Issue Type: Improvement
>            Reporter: Sanjay M Pujare
>            Assignee: Sanjay M Pujare
>             Fix For: 3.7.0
>
>   Original Estimate: 72h
>  Remaining Estimate: 72h
>
> Currently StrAM supports only the default Hadoop SSL configuration for the 
> web-service because it uses org.apache.hadoop.yarn.webapp.WebApps helper 
> class which has the limitation of only using the default Hadoop SSL config 
> that is read from Hadoop's ssl-server.xml resource file. Some users have run 
> into a situation where Hadoops' SSL keystore is not available on most cluster 
> nodes or the Stram process doesn't have read access to the keystore even when 
> present. So there is a need for the Stram to use a custom SSL keystore and 
> configuration that does not suffer from these limitations.
> There is already a PR https://github.com/apache/hadoop/pull/213 to Hadoop to 
> support this in Hadoop and it is in the process of getting merged soon.
> After that Stram needs to be enhanced (this JIRA) to accept the location of a 
> custom ssl-server.xml file (supplied by the client via a DAG attribute) and 
> use the values from that file to set up the config object to be passed to 
> WebApps which will end up using the custom SSL configuration. This approach 
> has already been verified in a prototype.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to