Enable HTTPS between ResourceManager and Application Master
If you want to enable HTTPS communication between the ResourceManager and the Application Master, you have to use a ResourceManager-level and two Application Master-level configuration properties.
-
Enable HTTPS communication on the ResourceManager’s side:
- Navigate to Cloudera Manager.
- Select the YARN service.
- Search for ResourceManager and find the ResourceManager Advanced Configuration Snippet (Safety Valve) for yarn-site.xml safety valve.
-
Add the following configuration:
<property> <name>yarn.resourcemanager.application-https.policy</name> <value>STRICT</value> </property> -
Restart the ResourceManager to apply the configuration change.
HTTPS communication is enabled on the ResourceManager’s side. Keystore and Truststore are available.
There are two supported Keystore and Truststore formats. The format is automatically set by the ResourceManager:- JKS: when FIPS is not enabled
- BCFKS: when FIPS is enabled
The NodeManager collects the Keystore and Truststore related information (location on the file system, password, and format) and uses environment variables to provide the Application Master with the information.
-
Enable the HTTPS communication on the ApplicationMaster’s side:
When submitting a job set the
yarn.app.mapreduce.am.webapp.https.enabledand theyarn.app.mapreduce.am.webapp.https.client.authproperties totrue.The following is an example of a simple ‘pi job’ that can be considered as a test job. Note that the jar file is depending on the deployed CDP version:yarn jar /opt/cloudera/parcels/CDH-7.1.5-1.cdh7.1.5.p0.6683980/lib/hadoop-mapreduce/hadoop-mapreduce-examples-3.1.1.7.1.5.0-149.jar pi -Dyarn.app.mapreduce.am.webapp.https.enabled=true -Dyarn.app.mapreduce.am.webapp.https.client.auth=true 1 1000HTTPS communication between ResourceManager and Application Master is enabled.
For more information, see the design document in YARN-6586
