org.apache.hadoop.yarn.server.webproxy.WebAppProxyServlet Maven / Gradle / Ivy
The newest version!
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.yarn.server.webproxy;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.ObjectInputStream;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.SocketException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriBuilderException;
import org.apache.hadoop.classification.VisibleForTesting;
import org.apache.hadoop.io.IOUtils;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.ApplicationReport;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.exceptions.ApplicationNotFoundException;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.server.webproxy.AppReportFetcher.AppReportSource;
import org.apache.hadoop.yarn.server.webproxy.AppReportFetcher.FetchedAppReport;
import org.apache.hadoop.yarn.util.Apps;
import org.apache.hadoop.yarn.util.StringHelper;
import org.apache.hadoop.yarn.util.TrackingUriPlugin;
import org.apache.hadoop.yarn.webapp.MimeType;
import org.apache.hadoop.yarn.webapp.hamlet2.Hamlet;
import org.apache.hadoop.yarn.webapp.util.WebAppUtils;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.client.methods.HttpRequestBase;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.HttpClientBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class WebAppProxyServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
private static final Logger LOG = LoggerFactory.getLogger(
WebAppProxyServlet.class);
private static final String REDIRECT = "/redirect";
private static final Set PASS_THROUGH_HEADERS =
new HashSet<>(Arrays.asList(
"User-Agent",
"Accept",
"Accept-Encoding",
"Accept-Language",
"Accept-Charset",
"Content-Type",
"Origin",
"Access-Control-Request-Method",
"Access-Control-Request-Headers"));
public static final String PROXY_USER_COOKIE_NAME = "proxy-user";
private transient List trackingUriPlugins;
private final String failurePageUrlBase;
private transient YarnConfiguration conf;
/**
* HTTP methods.
*/
private enum HTTP { GET, POST, HEAD, PUT, DELETE }
/**
* Empty Hamlet class.
*/
private static class __ implements Hamlet.__ {
//Empty
}
private static class Page extends Hamlet {
Page(PrintWriter out) {
super(out, 0, false);
}
public HTML html() {
return new HTML<>("html", null, EnumSet.of(EOpt.ENDTAG));
}
}
protected void setConf(YarnConfiguration conf){
this.conf = conf;
}
/**
* Default constructor
*/
public WebAppProxyServlet() {
super();
conf = new YarnConfiguration();
this.trackingUriPlugins =
conf.getInstances(YarnConfiguration.YARN_TRACKING_URL_GENERATOR,
TrackingUriPlugin.class);
this.failurePageUrlBase =
StringHelper.pjoin(WebAppUtils.getResolvedRMWebAppURLWithScheme(conf),
"cluster", "failure");
}
private String getRmAppPageUrlBase(ApplicationId id) throws YarnException, IOException {
ServletContext context = getServletContext();
AppReportFetcher af = (AppReportFetcher) context.getAttribute(WebAppProxy.FETCHER_ATTRIBUTE);
return af.getRmAppPageUrlBase(id);
}
private String getAhsAppPageUrlBase() {
ServletContext context = getServletContext();
AppReportFetcher af = (AppReportFetcher) context.getAttribute(WebAppProxy.FETCHER_ATTRIBUTE);
return af.getAhsAppPageUrlBase();
}
/**
* Output 404 with appropriate message.
* @param resp the http response.
* @param message the message to include on the page.
* @throws IOException on any error.
*/
private static void notFound(HttpServletResponse resp, String message)
throws IOException {
ProxyUtils.notFound(resp, message);
}
/**
* Warn the user that the link may not be safe!
* @param resp the http response
* @param link the link to point to
* @param user the user that owns the link.
* @throws IOException on any error.
*/
private static void warnUserPage(HttpServletResponse resp, String link,
String user, ApplicationId id) throws IOException {
//Set the cookie when we warn which overrides the query parameter
//This is so that if a user passes in the approved query parameter without
//having first visited this page then this page will still be displayed
resp.addCookie(makeCheckCookie(id, false));
resp.setContentType(MimeType.HTML);
Page p = new Page(resp.getWriter());
p.html().
h1("WARNING: The following page may not be safe!").
h3().
__("click ").a(link, "here").
__(" to continue to an Application Master web interface owned by ", user).
__().
__();
}
/**
* Show the user a page that says that HTTPS must be used but was not.
* @param resp the http response
* @param link the link to point to
* @return true if HTTPS must be used but was not, false otherwise
* @throws IOException on any error.
*/
@VisibleForTesting
static boolean checkHttpsStrictAndNotProvided(
HttpServletResponse resp, URI link, YarnConfiguration conf)
throws IOException {
String httpsPolicy = conf.get(
YarnConfiguration.RM_APPLICATION_HTTPS_POLICY,
YarnConfiguration.DEFAULT_RM_APPLICATION_HTTPS_POLICY);
boolean required = httpsPolicy.equals("STRICT");
boolean provided = link.getScheme().equals("https");
if (required && !provided) {
resp.setContentType(MimeType.HTML);
Page p = new Page(resp.getWriter());
p.html().
h1("HTTPS must be used").
h3().
__(YarnConfiguration.RM_APPLICATION_HTTPS_POLICY,
"is set to STRICT, which means that the tracking URL ",
"must be an HTTPS URL, but it is not.").
__("The tracking URL is: ", link).
__().
__();
return true;
}
return false;
}
/**
* Download link and have it be the response.
* @param req the http request
* @param resp the http response
* @param link the link to download
* @param c the cookie to set if any
* @param proxyHost the proxy host
* @param method the http method
* @param appId the ApplicationID
* @throws IOException on any error.
*/
private void proxyLink(final HttpServletRequest req,
final HttpServletResponse resp, final URI link, final Cookie c,
final String proxyHost, final HTTP method, final ApplicationId appId)
throws IOException {
HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
String httpsPolicy = conf.get(YarnConfiguration.RM_APPLICATION_HTTPS_POLICY,
YarnConfiguration.DEFAULT_RM_APPLICATION_HTTPS_POLICY);
boolean connectionTimeoutEnabled =
conf.getBoolean(YarnConfiguration.RM_PROXY_TIMEOUT_ENABLED,
YarnConfiguration.DEFALUT_RM_PROXY_TIMEOUT_ENABLED);
int connectionTimeout =
conf.getInt(YarnConfiguration.RM_PROXY_CONNECTION_TIMEOUT,
YarnConfiguration.DEFAULT_RM_PROXY_CONNECTION_TIMEOUT);
if (httpsPolicy.equals("LENIENT") || httpsPolicy.equals("STRICT")) {
ProxyCA proxyCA = getProxyCA();
// ProxyCA could be null when the Proxy is run outside the RM
if (proxyCA != null) {
try {
httpClientBuilder.setSSLContext(proxyCA.createSSLContext(appId));
httpClientBuilder.setSSLHostnameVerifier(
proxyCA.getHostnameVerifier());
} catch (Exception e) {
throw new IOException(e);
}
}
}
// Make sure we send the request from the proxy address in the config
// since that is what the AM filter checks against. IP aliasing or
// similar could cause issues otherwise.
InetAddress localAddress = InetAddress.getByName(proxyHost);
LOG.debug("local InetAddress for proxy host: {}", localAddress);
httpClientBuilder.setDefaultRequestConfig(
connectionTimeoutEnabled ?
RequestConfig.custom()
.setCircularRedirectsAllowed(true)
.setLocalAddress(localAddress)
.setConnectionRequestTimeout(connectionTimeout)
.setSocketTimeout(connectionTimeout)
.setConnectTimeout(connectionTimeout)
.build() :
RequestConfig.custom()
.setCircularRedirectsAllowed(true)
.setLocalAddress(localAddress)
.build());
HttpRequestBase base = null;
if (method.equals(HTTP.GET)) {
base = new HttpGet(link);
} else if (method.equals(HTTP.PUT)) {
base = new HttpPut(link);
StringBuilder sb = new StringBuilder();
BufferedReader reader =
new BufferedReader(
new InputStreamReader(req.getInputStream(), StandardCharsets.UTF_8));
String line;
while ((line = reader.readLine()) != null) {
sb.append(line);
}
((HttpPut) base).setEntity(new StringEntity(sb.toString()));
} else {
resp.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
return;
}
@SuppressWarnings("unchecked")
Enumeration names = req.getHeaderNames();
while (names.hasMoreElements()) {
String name = names.nextElement();
if (PASS_THROUGH_HEADERS.contains(name)) {
String value = req.getHeader(name);
LOG.debug("REQ HEADER: {} : {}", name, value);
base.setHeader(name, value);
}
}
String user = req.getRemoteUser();
if (user != null && !user.isEmpty()) {
base.setHeader("Cookie",
PROXY_USER_COOKIE_NAME + "=" + URLEncoder.encode(user, "ASCII"));
}
OutputStream out = resp.getOutputStream();
HttpClient client = httpClientBuilder.build();
try {
HttpResponse httpResp = client.execute(base);
resp.setStatus(httpResp.getStatusLine().getStatusCode());
for (Header header : httpResp.getAllHeaders()) {
resp.setHeader(header.getName(), header.getValue());
}
if (c != null) {
resp.addCookie(c);
}
InputStream in = httpResp.getEntity().getContent();
if (in != null) {
IOUtils.copyBytes(in, out, 4096, true);
}
} finally {
base.releaseConnection();
}
}
private static String getCheckCookieName(ApplicationId id){
return "checked_"+id;
}
private static Cookie makeCheckCookie(ApplicationId id, boolean isSet) {
Cookie c = new Cookie(getCheckCookieName(id),String.valueOf(isSet));
c.setHttpOnly(true);
c.setPath(ProxyUriUtils.getPath(id));
c.setMaxAge(60 * 60 * 2); //2 hours in seconds
return c;
}
private boolean isSecurityEnabled() {
Boolean b = (Boolean) getServletContext()
.getAttribute(WebAppProxy.IS_SECURITY_ENABLED_ATTRIBUTE);
return b != null ? b : false;
}
private FetchedAppReport getApplicationReport(ApplicationId id)
throws IOException, YarnException {
return ((AppReportFetcher) getServletContext()
.getAttribute(WebAppProxy.FETCHER_ATTRIBUTE)).getApplicationReport(id);
}
private ProxyCA getProxyCA() {
return ((ProxyCA) getServletContext().getAttribute(WebAppProxy.PROXY_CA));
}
private String getProxyHost() throws IOException {
return ((String) getServletContext()
.getAttribute(WebAppProxy.PROXY_HOST_ATTRIBUTE));
}
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
methodAction(req, resp, HTTP.GET);
}
@Override
protected final void doPut(final HttpServletRequest req,
final HttpServletResponse resp) throws ServletException, IOException {
methodAction(req, resp, HTTP.PUT);
}
/**
* The action against the HTTP method.
* @param req the HttpServletRequest
* @param resp the HttpServletResponse
* @param method the HTTP method
* @throws ServletException
* @throws IOException
*/
private void methodAction(final HttpServletRequest req,
final HttpServletResponse resp,
final HTTP method) throws ServletException, IOException {
try {
String userApprovedParamS =
req.getParameter(ProxyUriUtils.PROXY_APPROVAL_PARAM);
boolean userWasWarned = false;
boolean userApproved = Boolean.parseBoolean(userApprovedParamS);
boolean securityEnabled = isSecurityEnabled();
boolean isRedirect = false;
String pathInfo = req.getPathInfo();
final String remoteUser = req.getRemoteUser();
String[] parts = null;
if (pathInfo != null) {
// If there's a redirect, strip the redirect so that the path can be
// parsed
if (pathInfo.startsWith(REDIRECT)) {
pathInfo = pathInfo.substring(REDIRECT.length());
isRedirect = true;
}
parts = pathInfo.split("/", 3);
}
if ((parts == null) || (parts.length < 2)) {
LOG.warn("{} gave an invalid proxy path {}", remoteUser, pathInfo);
notFound(resp, "Your path appears to be formatted incorrectly.");
return;
}
//parts[0] is empty because path info always starts with a /
String appId = parts[1];
String rest = parts.length > 2 ? parts[2] : "";
ApplicationId id = Apps.toAppID(appId);
if (id == null) {
LOG.warn("{} attempting to access {} that is invalid",
remoteUser, appId);
notFound(resp, appId + " appears to be formatted incorrectly.");
return;
}
// If this call is from an AM redirect, we need to be careful about how
// we handle it. If this method returns true, it means the method
// already redirected the response, so we can just return.
if (isRedirect && handleRedirect(appId, req, resp)) {
return;
}
if (securityEnabled) {
String cookieName = getCheckCookieName(id);
Cookie[] cookies = req.getCookies();
if (cookies != null) {
for (Cookie c : cookies) {
if (cookieName.equals(c.getName())) {
userWasWarned = true;
userApproved = userApproved || Boolean.parseBoolean(c.getValue());
break;
}
}
}
}
boolean checkUser = securityEnabled && (!userWasWarned || !userApproved);
FetchedAppReport fetchedAppReport;
try {
fetchedAppReport = getFetchedAppReport(id);
} catch (ApplicationNotFoundException e) {
fetchedAppReport = null;
}
ApplicationReport applicationReport = null;
if (fetchedAppReport != null) {
applicationReport = fetchedAppReport.getApplicationReport();
}
if (applicationReport == null) {
LOG.warn("{} attempting to access {} that was not found",
remoteUser, id);
URI toFetch =
ProxyUriUtils
.getUriFromTrackingPlugins(id, this.trackingUriPlugins);
if (toFetch != null) {
ProxyUtils.sendRedirect(req, resp, toFetch.toString());
return;
}
notFound(resp, "Application " + appId + " could not be found " +
"in RM or history server");
return;
}
URI trackingUri = getTrackingUri(req, resp, id,
applicationReport.getOriginalTrackingUrl(),
fetchedAppReport.getAppReportSource());
// If the tracking URI is null, there was a redirect, so just return.
if (trackingUri == null) {
return;
}
if (checkHttpsStrictAndNotProvided(resp, trackingUri, conf)) {
return;
}
String runningUser = applicationReport.getUser();
if (checkUser && !runningUser.equals(remoteUser)) {
LOG.info("Asking {} if they want to connect to the "
+ "app master GUI of {} owned by {}",
remoteUser, appId, runningUser);
warnUserPage(resp, ProxyUriUtils.getPathAndQuery(id, rest,
req.getQueryString(), true), runningUser, id);
return;
}
// Append the user-provided path and query parameter to the original
// tracking url.
URI toFetch = buildTrackingUrl(trackingUri, req, rest);
LOG.info("{} is accessing unchecked {}"
+ " which is the app master GUI of {} owned by {}",
remoteUser, toFetch, appId, runningUser);
switch (applicationReport.getYarnApplicationState()) {
case KILLED:
case FINISHED:
case FAILED:
ProxyUtils.sendRedirect(req, resp, toFetch.toString());
return;
default:
// fall out of the switch
}
Cookie c = null;
if (userWasWarned && userApproved) {
c = makeCheckCookie(id, true);
}
proxyLink(req, resp, toFetch, c, getProxyHost(), method, id);
} catch(URISyntaxException | YarnException e) {
throw new IOException(e);
}
}
/**
* Return a URL based on the {@code trackingUri} that includes the
* user-provided path and query parameters.
*
* @param trackingUri the base tracking URI
* @param req the service request
* @param rest the user-provided path
* @return the new tracking URI
* @throws UriBuilderException if there's an error building the URL
*/
private URI buildTrackingUrl(URI trackingUri, final HttpServletRequest req,
String rest) throws UriBuilderException {
UriBuilder builder = UriBuilder.fromUri(trackingUri);
String queryString = req.getQueryString();
if (queryString != null) {
List queryPairs = URLEncodedUtils.parse(queryString, null);
for (NameValuePair pair : queryPairs) {
builder.queryParam(pair.getName(), pair.getValue());
}
}
return builder.path(rest).build();
}
/**
* Locate the tracking URI for the application based on the reported tracking
* URI. If the reported URI is invalid, redirect to the history server or RM
* app page. If the URI is valid, covert it into a usable URI object with a
* schema. If the returned URI is null, that means there was a redirect.
*
* @param req the servlet request for redirects
* @param resp the servlet response for redirects
* @param id the application ID
* @param originalUri the reported tracking URI
* @param appReportSource the source of the application report
* @return a valid tracking URI or null if redirected instead
* @throws IOException thrown if the redirect fails
* @throws URISyntaxException if the tracking URI is invalid
*/
private URI getTrackingUri(HttpServletRequest req, HttpServletResponse resp,
ApplicationId id, String originalUri, AppReportSource appReportSource)
throws IOException, URISyntaxException, YarnException {
URI trackingUri = null;
if ((originalUri == null) ||
originalUri.equals("N/A") ||
originalUri.equals("")) {
if (appReportSource == AppReportSource.RM) {
// fallback to ResourceManager's app page if no tracking URI provided
// and Application Report was fetched from RM
LOG.debug("Original tracking url is '{}'. Redirecting to RM app page",
originalUri == null ? "NULL" : originalUri);
ProxyUtils.sendRedirect(req, resp, StringHelper.pjoin(getRmAppPageUrlBase(id),
id.toString()));
} else if (appReportSource == AppReportSource.AHS) {
// fallback to Application History Server app page if the application
// report was fetched from AHS
LOG.debug("Original tracking url is '{}'. Redirecting to AHS app page",
originalUri == null ? "NULL" : originalUri);
ProxyUtils.sendRedirect(req, resp, StringHelper.pjoin(getAhsAppPageUrlBase(),
id.toString()));
}
} else if (ProxyUriUtils.getSchemeFromUrl(originalUri).isEmpty()) {
trackingUri =
ProxyUriUtils.getUriFromAMUrl(WebAppUtils.getHttpSchemePrefix(conf),
originalUri);
} else {
trackingUri = new URI(originalUri);
}
return trackingUri;
}
/**
* Fetch the application report from the RM.
*
* @param id the app ID
* @return the application report
* @throws IOException if the request to the RM fails
* @throws YarnException if the request to the RM fails
*/
private FetchedAppReport getFetchedAppReport(ApplicationId id)
throws IOException, YarnException {
FetchedAppReport fetchedAppReport = getApplicationReport(id);
if (fetchedAppReport != null) {
if ((fetchedAppReport.getAppReportSource() != AppReportSource.RM) &&
(fetchedAppReport.getAppReportSource() != AppReportSource.AHS)) {
throw new UnsupportedOperationException("Application report not "
+ "fetched from RM or history server.");
}
}
return fetchedAppReport;
}
/**
* Check whether the request is a redirect from the AM and handle it
* appropriately. This check exists to prevent the AM from forwarding back to
* the web proxy, which would contact the AM again, which would forward
* again... If this method returns true, there was a redirect, and
* it was handled by redirecting the current request to an error page.
*
* @param id the app id
* @param req the request object
* @param resp the response object
* @return whether there was a redirect
* @throws IOException if a redirect fails
*/
private boolean handleRedirect(String id, HttpServletRequest req,
HttpServletResponse resp) throws IOException {
// If this isn't a redirect, we don't care.
boolean badRedirect = false;
// If this is a redirect, check if we're calling ourselves.
try {
badRedirect = NetUtils.getLocalInetAddress(req.getRemoteHost()) != null;
} catch (SocketException ex) {
// This exception means we can't determine the calling host. Odds are
// that means it's not us. Let it go and hope it works out better next
// time.
}
// If the proxy tries to call itself, it gets into an endless
// loop and consumes all available handler threads until the
// application completes. Redirect to the app page with a flag
// that tells it to print an appropriate error message.
if (badRedirect) {
LOG.error("The AM's web app redirected the RM web proxy's request back "
+ "to the web proxy. The typical cause is that the AM is resolving "
+ "the RM's address as something other than what it expects. Check "
+ "your network configuration and the value of the "
+ "yarn.web-proxy.address property. Once the host resolution issue "
+ "has been resolved, you will likely need to delete the "
+ "misbehaving application, " + id);
String redirect = StringHelper.pjoin(failurePageUrlBase, id);
LOG.error("REDIRECT: sending redirect to " + redirect);
ProxyUtils.sendRedirect(req, resp, redirect);
}
return badRedirect;
}
/**
* This method is used by Java object deserialization, to fill in the
* transient {@link #trackingUriPlugins} field.
* See {@link ObjectInputStream#defaultReadObject()}
*
* Do not remove
*
* YARN isn't currently serializing this class, but findbugs
* complains in its absence.
*
*
* @param input source
* @throws IOException IO failure
* @throws ClassNotFoundException classloader fun
*/
private void readObject(ObjectInputStream input)
throws IOException, ClassNotFoundException {
input.defaultReadObject();
conf = new YarnConfiguration();
this.trackingUriPlugins =
conf.getInstances(YarnConfiguration.YARN_TRACKING_URL_GENERATOR,
TrackingUriPlugin.class);
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy