tractoai/ytsaurus-ariadne
Ariadne

Ariadne serves as the authentication gateway for user services on YTsaurus exec nodes.

This gateway manages secure access to services running on exec nodes by verifying user identities through YT tokens and cookies. It then grants or denies access based on YT operation permissions, so that only users entitled to an operation can reach the services it runs.

How it works:

  1. Authentication:

    • For HTTP requests: the standard authentication methods of the YTsaurus HTTP proxy (cookies, headers).
    • For gRPC calls: the token is passed in metadata under the key Authorization.
    • The token is validated against YT with a WhoAmI() call.
    • A valid token yields the user's identity (login).
  2. Authorization:

    • Each request specifies where it should be routed.
      • HTTP
        • host + port: ariadne-http.cluster.tracto.ai/_ariadne/exec_nodes/<host>/<port>/<target page>.
        • operation_id + job_id + port_id: <operation_id>.operation.ariadne-http.cluster.tracto.ai/_ariadne/job/<job_id>/port0/<port_id>/path/<target page>.
        • operation_id + task_name + port_id: <operation_id>.operation.ariadne-http.cluster.tracto.ai/_ariadne/task_name/<task_name>/port0/<port_id>/path/<target page>.
        • operation_id + task_name + port_id (subdomain form): <operation_id>-<task_name>-<port_id>.operation-id-task-name-port-id.ariadne-http.cluster.tracto.ai/<target page>.
      • gRPC
        • x-target-host and x-target-port in metadata.
    • When the request does not explicitly include the host and port (only operation_id, job_id, task_name or port_id are provided), the proxy resolves the actual host and port.
    • The proxy obtains the actual port from port_id (its index in the spec).
    • The proxy checks that the host exists in YT under //sys/exec_nodes/{host}:9029.
    • It searches for active jobs on this host that use the requested port.
    • For each matching job:
      • Extracts the operation ID from the job metadata.
      • Checks whether the authenticated user has READ permission on the operation's ACL.
    • Access is granted only if the user has permission on the operation that owns the port.
  3. Host Resolution:

    • After successful authorization, the proxy resolves the actual host endpoint for tcprouter-controlled nodes.
    • It uses the YT node annotation host_endpoint if available.
    • It falls back to the original hostname if no endpoint annotation exists.

The proxy caches permission checks and host endpoint resolutions to reduce load on the masters.
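The authorization flow of step 2 (port_id to port, host must be a known exec node, port must be owned by an active job, user must hold READ on that job's operation) as an added Go example; this is not code from the Ariadne repository, and the Job and Cluster types, the SampleCluster data and the method names are assumptions standing in for the real YT lookups:

```go
package main

import "fmt"

// Constructed stand-ins for the YT state Ariadne consults (not the project's own types).
type Job struct {
	Host        string
	Ports       []int // index in this slice is the port_id from the operation spec
	OperationID string
}

type Cluster struct {
	ExecNodes  map[string]bool            // hosts present under //sys/exec_nodes
	ActiveJobs map[string]Job             // job_id -> job
	OpReaders  map[string]map[string]bool // operation_id -> users with READ on its ACL
}

// SampleCluster is constructed sample data: one exec node running one job of op-1.
func SampleCluster() *Cluster {
	return &Cluster{
		ExecNodes:  map[string]bool{"node-1.example": true},
		ActiveJobs: map[string]Job{"job-a": {Host: "node-1.example", Ports: []int{8265, 10001}, OperationID: "op-1"}},
		OpReaders:  map[string]map[string]bool{"op-1": {"alice": true}},
	}
}

// ResolveJobPort maps job_id + port_id to host:port for requests that name a job, not a host.
func (c *Cluster) ResolveJobPort(jobID string, portID int) (string, int, error) {
	j, ok := c.ActiveJobs[jobID]
	if !ok || portID < 0 || portID >= len(j.Ports) {
		return "", 0, fmt.Errorf("no active job %s with port_id %d", jobID, portID)
	}
	return j.Host, j.Ports[portID], nil
}

// Authorize grants access to host:port only when the host is a known exec node, an active job
// on it owns the port, and the user has READ on that job's operation; anything else is denied.
func (c *Cluster) Authorize(user, host string, port int) error {
	if !c.ExecNodes[host] {
		return fmt.Errorf("host %s not found under //sys/exec_nodes", host)
	}
	for _, j := range c.ActiveJobs {
		for _, p := range j.Ports {
			if j.Host == host && p == port && c.OpReaders[j.OperationID][user] {
				return nil // granted: the owning job's operation is readable by user
			}
		}
	}
	return fmt.Errorf("user %s denied for %s:%d: no active job owns it under an operation they can READ", user, host, port)
}
```

A port that no active job owns is refused with the same denial as a missing permission, so the proxy never forwards to a service it cannot tie to an operation.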

Purpose

The auth proxy provides secure access to Ray and SPYT services running on YTsaurus exec nodes. These services lack built-in authentication, so the proxy enforces access control using YT operation permissions.

About

Authentication gateway for user services on YTsaurus.
