apex-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From davidyan74 <...@git.apache.org>
Subject [GitHub] incubator-apex-core pull request: APEXCORE-457 Added web service s...
Date Mon, 16 May 2016 23:29:15 GMT
Github user davidyan74 commented on a diff in the pull request:

    https://github.com/apache/incubator-apex-core/pull/333#discussion_r63443468
  
    --- Diff: docs/security.md ---
    @@ -142,7 +168,15 @@ When operators are running there will be effective processing rate
differences b
     
     Like STRAM, streaming containers also need to communicate with NameNode to use HDFS persistence
for reasons such as saving the state of the operators. In secure mode they also use NameNode
delegation tokens for authentication. These tokens are also seeded by STRAM for the streaming
containers.
     
    +#### Stram Webservices
    +
    +Clients connects to STRAM and make web service requests to obtain operational information
about a runtime application. When security is enabled we want this connection to also be authenticated.
In this mode the client passes a web service token in the request and the STRAM checks this
token. If the token is valid, then the request is processed else it is denied.
    +
    +How does the client get the web service token in the first place The client will first
have to first connect to STRAM via the Resource Manager Web Services Proxy which is a service
run by Hadoop to proxy requests to application web services. This connection is authenticated
by the proxy service using a protocol called SPNEGO when secure mode is enabled. SPNEGO is
Kerberos over HTTP and the client also needs to support it. If the authentication is successful
the proxy forwards the request to STRAM. STRAM in processing the request generates and send
back a web service token similar to a delegation token. This token is then used by client
in subsequent requests it makes directly to STRAM and STRAM is able to validate it since it
generated the token in the first place.
    --- End diff --
    
    ... in the first place (add a question mark) The client ...


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message