YARN REST API protection
Abstract
Systems, computer program products and methods implementing YARN service protection are described. A reverse proxy in a cluster of computers in a distributed computing system can intercept a request to access a YARN service. The request can be associated with requester credentials. The reverse proxy determines that the request includes a REST API call. The reverse proxy determines, based on authentication configuration information, that the call needs to be authenticated. The reverse proxy authenticates the call based on the requester credentials using an authentication mechanism specified in the configuration information. Upon successful authentication of the call, the reverse proxy makes authorization checks based on specified configuration information. If the authorization checks pass, the reverse proxy forwards the request to a server that provides the YARN service in the cluster. If the authentication or authorization checks fail, the reverse proxy denies the request.
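The decision flow the abstract describes, together with the method-list check recited in the claims, as an added Python example; it is not code from the patent or from any YARN component. The `/ws/v1` path prefix, the `shared-hmac` mechanism, the ACL layout and every function and key name are assumptions made for the example.

```python
import hashlib
import hmac
import posixpath

SECRET = b"constructed-demo-secret"  # constructed; a real proxy loads this from a secret store

def _mac(user):
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()

def make_token(user):
    """Constructed requester credential: user:HMAC-SHA256(SECRET, user)."""
    return user + ":" + _mac(user)

def auth_shared_hmac(credentials):
    """Return the authenticated user name, or None if the credential is invalid."""
    user, _, mac = (credentials or "").partition(":")
    ok = user and hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if ok else None

MECHANISMS = {"shared-hmac": auth_shared_hmac}  # hypothetical mechanism registry

# Hypothetical authentication configuration information for the proxy.
CONFIG = {
    "rest_prefix": "/ws/v1",                     # assumption: REST calls live under this path
    "authenticated_methods": ["POST", "PUT", "DELETE"],
    "mechanism": "shared-hmac",
    "acl": {"alice": ["/ws/v1/cluster/apps"]},   # user -> path prefixes the user may act on
}

def under(path, prefix):
    """Segment-aware prefix match, so /apps does not also match /appsX."""
    return path == prefix or path.startswith(prefix + "/")

def decide(method, path, credentials="", cfg=CONFIG):
    """Return ("forward" | "deny", reason) for one intercepted request."""
    # Collapse "..", "." and repeated slashes before any path-based decision.
    path = "/" + posixpath.normpath(path).lstrip("/")
    if not under(path, cfg["rest_prefix"]):
        return ("forward", "not a REST API call")  # assumption: non-REST traffic is out of scope
    # Normalize case so "post" cannot slip past the method list.
    if method.upper() not in cfg["authenticated_methods"]:
        return ("forward", "method not in authentication list")
    user = MECHANISMS[cfg["mechanism"]](credentials)
    if user is None:
        return ("deny", "authentication failed")
    if not any(under(path, p) for p in cfg["acl"].get(user, [])):
        return ("deny", "authorization failed")
    return ("forward", "authenticated and authorized as " + user)
```

Both deny branches return before the forward step, so a request whose method is on the list reaches the resource manager only after authentication and authorization have both passed.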
22 Claims
1. A method, comprising:
- intercepting, by a reverse proxy in a cluster of computers in a distributed computing system, a request to access a resource manager service of the distributed computing system;
- determining, by the reverse proxy, that the request includes a call that conforms to a REST (Representational State Transfer) API (application programming interface);
- determining, by the reverse proxy, that the call has a particular method type that indicates requesting an action to be performed;
- determining, by the reverse proxy based on authentication configuration information, whether the call needs to be authenticated, wherein the authentication configuration information includes a list of methods that need to be authenticated and determining whether the call needs to be authenticated comprises determining whether the particular method of the call is included in the list of methods of the authentication configuration information; and
- in response to determining that the call needs to be authenticated:
  - authenticating the call using an authentication mechanism specified in the authentication configuration information,
  - upon successful authentication of the call, performing authorization checks based on the configuration information, and
  - upon successful authorization of the call, forwarding the request from the reverse proxy to a server that provides the resource manager service in the cluster,
- wherein the reverse proxy includes one or more computer processors.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A non-transitory computer readable storage medium storing instructions executable by a data processing apparatus and upon such execution cause the data processing apparatus to perform operations comprising:
- intercepting, by a reverse proxy in a cluster of computers in a distributed computing system, a request to access a resource manager service of the distributed computing system;
- determining, by the reverse proxy, that the request includes a call that conforms to a REST (Representational State Transfer) API (application programming interface);
- determining, by the reverse proxy, that the call has a particular method type that indicates requesting an action to be performed;
- determining, by the reverse proxy based on authentication configuration information, whether the call needs to be authenticated, wherein the authentication configuration information includes a list of methods that need to be authenticated and determining whether the call needs to be authenticated comprises determining whether the particular method of the call is included in the list of methods of the authentication configuration information;
- in response to determining that the call needs to be authenticated, performing actions including:
  - authenticating the call using an authentication mechanism specified in the authentication configuration information;
  - upon successful authentication of the call, performing authorization checks based on the configuration information; and
  - upon successful authorization of the call, forwarding the request from the reverse proxy to a server that provides the resource manager service in the cluster; and
- in response to determining that the call does not need to be authenticated, forwarding the request from the reverse proxy to the server that provides the resource manager service.

Dependent claims: 11, 12, 13, 14, 15, 16
17. A system comprising:
one or more computers and one or more storage devices on which are stored instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising:
- intercepting, by a reverse proxy in a cluster of computers in a distributed computing system, a request to access a resource manager service of the distributed computing system;
- determining, by the reverse proxy, that the request includes a call that conforms to a REST (Representational State Transfer) API (application programming interface);
- determining, by the reverse proxy, that the call has a particular method type that indicates requesting an action to be performed;
- determining, by the reverse proxy based on authentication configuration information, whether the call needs to be authenticated, wherein the authentication configuration information includes a list of methods that need to be authenticated and determining whether the call needs to be authenticated comprises determining whether the particular method of the call is included in the list of methods of the authentication configuration information;
- in response to determining that the call needs to be authenticated, performing actions including:
  - authenticating the call using an authentication mechanism specified in the authentication configuration information;
  - upon successful authentication of the call, performing authorization checks based on the configuration information; and
  - upon successful authorization of the call, forwarding the request from the reverse proxy to a server that provides the resource manager service in the cluster; and
- in response to determining that the call does not need to be authenticated, forwarding the request from the reverse proxy to the server that provides the resource manager service.

Dependent claims: 18, 19, 20, 21, 22
Specification