YARN to facilitate HTTPS in AM web server

MR AM today does not support HTTPS in its web server, so the traffic between RMWebproxy and MR AM is in clear text.

MR cannot easily achieve this mainly because MR AMs are untrusted by YARN. A potential solution purely within MR, similar to what Spark has implemented, is to allow users, when they enable HTTPS in MR job, to provide their own keystore file, and then the file is uploaded to distributed cache and localized for MR AM container. The configuration users need to do is complex.

More importantly, in typical deployments, however, web browsers go through RMWebProxy to indirectly access MR AM web server. In order to support MR AM HTTPs, RMWebProxy therefore needs to trust the user-provided keystore, which is problematic.

Alternatively, we can add an endpoint in NM web server that acts as a proxy between AM web server and RMWebProxy. RMWebproxy, when configured to do so, will send requests in HTTPS to the NM on which the AM is running, and the NM then can communicate with the local AM web server in HTTP. This adds one hop between RMWebproxy and AM, but both MR and Spark can use such solution.