Posted to yarn-issues@hadoop.apache.org by "Zhijie Shen (JIRA)" <ji...@apache.org> on 2014/08/01 09:13:39 UTC

[jira] [Commented] (YARN-2277) Add Cross-Origin support to the ATS REST API

    [ https://issues.apache.org/jira/browse/YARN-2277?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14082007#comment-14082007 ] 

Zhijie Shen commented on YARN-2277:
-----------------------------------

[~jeagles], I did some investigation into CORS and JSONP. Here are some of my findings. It seems that CORS is a relatively more modern way of requesting resources across sites than JSONP. CORS provides a more flexible way of validating the response for security purposes, while JSONP is vulnerable to XSS. CORS can support more methods than GET, while JSONP only supports GET. Though TEZ-8 may only use the GET APIs, IMHO, it's good to choose the technique which is extensible to the potential usage of the POST API of the timeline web services. Hence personally I think CORS is a preferable choice here. Please let me know if you miss some points.

As to CORS, I'm not sure the patch is able to handle all the use cases and be secure enough. I was looking into this document to get the idea:

{quote}
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control
{quote}

It seems that CORS is more than just a single header. While TEZ-8 may only need the simplest set, my concern is that if we claim to support CORS for timeline web services, we need somehow to have a more generalized solution to support other use cases as well. In addition, I think the current patch may not work if the timeline server is running in a secure mode, isn't it? It seems that we need to use "Access-Control-Allow-Credentials: true" as well. Any thoughts?

 

> Add Cross-Origin support to the ATS REST API
> --------------------------------------------
>
>                 Key: YARN-2277
>                 URL: https://issues.apache.org/jira/browse/YARN-2277
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>            Reporter: Jonathan Eagles
>            Assignee: Jonathan Eagles
>         Attachments: YARN-2277-CORS.patch, YARN-2277-JSONP.patch
>
>
> As the Application Timeline Server is not provided with a built-in UI, it may make sense to enable JSONP or CORS REST API capabilities to allow for remote UI to access the data directly via JavaScript without cross side server browser blocks coming into play.
> Example client may be like
> http://api.jquery.com/jQuery.getJSON/ 
> This can alleviate the need to create a local proxy cache.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
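
The comment's point that CORS is more than a single header, shown as an added example that is not part of the original message or of the YARN-2277 patch: a framework-independent function that decides the response headers for simple, credentialed and preflight requests. The `CorsPolicy` fields, the `cors_headers` name and the sample origin are assumptions made for illustration, not Hadoop configuration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsPolicy:
    # All fields are illustrative assumptions, not Hadoop configuration keys.
    allowed_origins: frozenset
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    allowed_headers: frozenset = frozenset({"content-type", "accept"})
    allow_credentials: bool = False  # required when the server authenticates callers
    max_age: int = 600               # seconds a browser may cache a preflight result


def cors_headers(method, request_headers, policy):
    """Return the CORS response headers for one request (empty dict = none)."""
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    if origin is None:
        return {}                    # not a cross-origin browser request
    out = {"Vary": "Origin"}         # response depends on Origin; keeps caches correct
    if origin not in policy.allowed_origins:
        return out                   # no Allow-Origin header: browser blocks the read
    # Echo the exact origin; browsers reject "*" on credentialed requests.
    out["Access-Control-Allow-Origin"] = origin
    if policy.allow_credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    wanted = req.get("access-control-request-method")
    if method == "OPTIONS" and wanted is not None:   # preflight request
        raw = req.get("access-control-request-headers", "")
        asked = {h.strip().lower() for h in raw.split(",") if h.strip()}
        if wanted not in policy.allowed_methods or not asked <= policy.allowed_headers:
            return {"Vary": "Origin"}  # refused: browser never sends the real request
        out["Access-Control-Allow-Methods"] = ", ".join(sorted(policy.allowed_methods))
        if asked:
            out["Access-Control-Allow-Headers"] = ", ".join(sorted(asked))
        out["Access-Control-Max-Age"] = str(policy.max_age)
    return out


# Constructed sample policy: one trusted UI origin calling an authenticated API.
POLICY = CorsPolicy(frozenset({"https://ui.example.org"}), allow_credentials=True)
```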