MAPREDUCE-3737. The Web Application Proxy's is not documented very well. (Robert Evans via mahadev)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1236371 13f79535-47bb-0310-9956-ffa450edef68
parent
5283398187
commit
af6448e543
|
@ -197,6 +197,9 @@ Release 0.23.1 - Unreleased
|
||||||
|
|
||||||
MAPREDUCE-2765. DistCp Rewrite. (Mithun Radhakrishnan via mahadev)
|
MAPREDUCE-2765. DistCp Rewrite. (Mithun Radhakrishnan via mahadev)
|
||||||
|
|
||||||
|
MAPREDUCE-3737. The Web Application Proxy's is not documented very well.
|
||||||
|
(Robert Evans via mahadev)
|
||||||
|
|
||||||
OPTIMIZATIONS
|
OPTIMIZATIONS
|
||||||
|
|
||||||
MAPREDUCE-3567. Extraneous JobConf objects in AM heap. (Vinod Kumar
|
MAPREDUCE-3567. Extraneous JobConf objects in AM heap. (Vinod Kumar
|
||||||
|
|
|
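Review bot: The new CHANGES entry for MAPREDUCE-3737 repeats the issue title, so it reads as a complaint rather than a record of what changed, and "Proxy's is" is ungrammatical. Consider wording it as the change made, for example "Document the Web Application Proxy.", keeping the "(Robert Evans via mahadev)" attribution.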
@ -0,0 +1,49 @@
|
||||||
|
~~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
~~ you may not use this file except in compliance with the License.
|
||||||
|
~~ You may obtain a copy of the License at
|
||||||
|
~~
|
||||||
|
~~ http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
~~
|
||||||
|
~~ Unless required by applicable law or agreed to in writing, software
|
||||||
|
~~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
~~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
~~ See the License for the specific language governing permissions and
|
||||||
|
~~ limitations under the License. See accompanying LICENSE file.
|
||||||
|
|
||||||
|
---
|
||||||
|
YARN
|
||||||
|
---
|
||||||
|
---
|
||||||
|
${maven.build.timestamp}
|
||||||
|
|
||||||
|
Web Application Proxy
|
||||||
|
|
||||||
|
The Web Application Proxy is part of YARN. By default it will run as part of
|
||||||
|
the Resource Manager(RM), but can be configured to run in stand alone mode.
|
||||||
|
The reason for the proxy is to reduce the possibility of web based attacks
|
||||||
|
through YARN.
|
||||||
|
|
||||||
|
In YARN the Application Master(AM) has the responsibility to provide a web UI
|
||||||
|
and to send that link to the RM. This opens up a number of potential
|
||||||
|
issues. The RM runs as a trusted user, and people visiting that web
|
||||||
|
address will treat it, and links it provides to them as trusted, when in
|
||||||
|
reality the AM is running as a non-trusted user, and the links it gives to
|
||||||
|
the RM could point to anything malicious or otherwise. The Web Application
|
||||||
|
Proxy mitigates this risk by warning users that do not own the given
|
||||||
|
application that they are connecting to an untrusted site.
|
||||||
|
|
||||||
|
In addition to this the proxy also tries to reduce the impact that a malicious
|
||||||
|
AM could have on a user. It primarily does this by stripping out cookies from
|
||||||
|
the user, and replacing them with a single cookie providing the user name of
|
||||||
|
the logged in user. This is because most web based authentication systems will
|
||||||
|
identify a user based off of a cookie. By providing this cookie to an
|
||||||
|
untrusted application it opens up the potential for an exploit. If the cookie
|
||||||
|
is designed properly that potential should be fairly minimal, but this is just
|
||||||
|
to reduce that potential attack vector. The current proxy implementation does
|
||||||
|
nothing to prevent the AM from providing links to malicious external sites,
|
||||||
|
nor does it do anything to prevent malicious javascript code from running as
|
||||||
|
well. In fact javascript can be used to get the cookies, so stripping the
|
||||||
|
cookies from the request has minimal benefit at this time.
|
||||||
|
|
||||||
|
In the future we hope to address the attack vectors described above and make
|
||||||
|
attaching to an AM's web UI safer.
|
|
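Review bot: The first paragraph says the proxy "can be configured to run in stand alone mode" but the page never says how, so an operator has nothing to act on; name the settings involved or link to where they are described. In the third paragraph, "By providing this cookie to an untrusted application" directly follows the sentence about the replacement user-name cookie, yet appears to refer to the user's original authentication cookies; state which cookie is meant. Because the text concedes that the warning is shown only to users who do not own the application, that malicious links and javascript are not blocked, and that cookie stripping "has minimal benefit at this time", a short list of these limitations set apart from the description would keep operators from reading the proxy as a stronger control than it is.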
@ -47,4 +47,6 @@ MapReduce NextGen aka YARN aka MRv2
|
||||||
|
|
||||||
* {{{./CapacityScheduler.html}Capacity Scheduler}}
|
* {{{./CapacityScheduler.html}Capacity Scheduler}}
|
||||||
|
|
||||||
|
* {{{./WebApplicationProxy.html}Web Application Proxy}}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -61,6 +61,7 @@
|
||||||
<item name="YARN Architecture" href="hadoop-yarn/hadoop-yarn-site/YARN.html"/>
|
<item name="YARN Architecture" href="hadoop-yarn/hadoop-yarn-site/YARN.html"/>
|
||||||
<item name="Writing Yarn Applications" href="hadoop-yarn/hadoop-yarn-site/WritingYarnApplications.html"/>
|
<item name="Writing Yarn Applications" href="hadoop-yarn/hadoop-yarn-site/WritingYarnApplications.html"/>
|
||||||
<item name="Capacity Scheduler" href="hadoop-yarn/hadoop-yarn-site/CapacityScheduler.html"/>
|
<item name="Capacity Scheduler" href="hadoop-yarn/hadoop-yarn-site/CapacityScheduler.html"/>
|
||||||
|
<item name="Web Application Proxy" href="hadoop-yarn/hadoop-yarn-site/WebApplicationProxy.html"/>
|
||||||
</menu>
|
</menu>
|
||||||
|
|
||||||
<menu name="YARN REST API's" inherit="top">
|
<menu name="YARN REST API's" inherit="top">
|
||||||
|
|