[
https://issues.apache.org/jira/browse/YARN-2277?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14082007#comment-14082007
]
Zhijie Shen commented on YARN-2277:
-----------------------------------
[~jeagles], I did some investigation into CORS and JSONP. Here're some of my
findings. It seems that CORS is a relatively more modern way of requesting
resources across site than JSONP. CORS provides a more flexible way of
validating the response for the security purpose, while JSONP is vulnerable to
XSS. CORS can support more methods than GET, while JSONP only supports GET.
Though TEZ-8 may only use the GET APIs, IMHO, it's good to choose the technique
which is extensive to the potential usage of the POST API of the timeline web
services. Hence personally I think CORS is a preferable choice here. Please let
me know if you miss some points.
As to CORS, I'm not sure the patch is able to handle all the use cases, and be
secure enough. I was looking into this document to get the idea:
{quote}
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control
{quote}
It seems that CORS is more than just a single header. While TEZ-8 may only need
the simplest set, my concern is that if we claim to support CORS for timeline
web services, we need somehow to have a more generalized solution to support
other use cases as well. In addition, I think the current patch may not work if
the timeline server is running in a secure mode, isn't it? It seems that we
need to use "Access-Control-Allow-Credentials: true" as well. Any thoughts?
> Add Cross-Origin support to the ATS REST API
> --------------------------------------------
>
> Key: YARN-2277
> URL: https://issues.apache.org/jira/browse/YARN-2277
> Project: Hadoop YARN
> Issue Type: Sub-task
> Reporter: Jonathan Eagles
> Assignee: Jonathan Eagles
> Attachments: YARN-2277-CORS.patch, YARN-2277-JSONP.patch
>
>
> As the Application Timeline Server is not provided with built-in UI, it may
> make sense to enable JSONP or CORS Rest API capabilities to allow for remote
> UI to access the data directly via javascript without cross side server
> browser blocks coming into play.
> Example client may be like
> http://api.jquery.com/jQuery.getJSON/
> This can alleviate the need to create a local proxy cache.
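The comment above notes that CORS is more than a single header and that a secured server also needs "Access-Control-Allow-Credentials: true". The following is an added example, not part of the original comment or of the YARN-2277 patch, showing the headers a server would compute for a simple request and for a preflight. The `policy` object, its field names, the `corsHeaders` function and the example origins are assumptions made for illustration.

```javascript
// Constructed policy: which origins, methods and request headers are accepted.
const policy = {
  allowedOrigins: new Set(["https://ui.example.test"]), // constructed origin
  allowedMethods: ["GET", "POST"],
  allowedHeaders: ["content-type"],
  allowCredentials: true, // required if the browser must send cookies or auth
  maxAgeSeconds: 600,
};

// Returns the CORS response headers for one request; {} means "send none",
// which makes the browser block the cross-origin read.
function corsHeaders(req, policy) {
  const origin = req.headers["origin"];
  if (!origin || !policy.allowedOrigins.has(origin)) return {};

  // Echo the exact origin: browsers reject "*" on credentialed requests.
  // Vary: Origin keeps caches from reusing the response for another origin.
  const out = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (policy.allowCredentials) out["Access-Control-Allow-Credentials"] = "true";

  const wanted = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wanted) {
    // Preflight: validate the method and headers the real request will use.
    if (!policy.allowedMethods.includes(wanted)) return {};
    const reqHdrs = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!reqHdrs.every((h) => policy.allowedHeaders.includes(h))) return {};
    out["Access-Control-Allow-Methods"] = policy.allowedMethods.join(", ");
    if (reqHdrs.length) out["Access-Control-Allow-Headers"] = reqHdrs.join(", ");
    out["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
  }
  return out;
}

// Constructed sample requests (header names lower-cased, as Node delivers them).
const simpleGet = { method: "GET", headers: { origin: "https://ui.example.test" } };
const preflightPost = {
  method: "OPTIONS",
  headers: {
    origin: "https://ui.example.test",
    "access-control-request-method": "POST",
    "access-control-request-headers": "Content-Type",
  },
};
const foreignGet = { method: "GET", headers: { origin: "https://other.example.test" } };

for (const r of [simpleGet, preflightPost, foreignGet]) {
  console.log(r.method, r.headers.origin, corsHeaders(r, policy));
}
```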