How to use/verify public SSL certs for REST API?


Joe

Jan 19, 2016, 11:05:21 AM1/19/16
to genie
Hey guys,

I'm looking over the docs for Genie and trying to figure out how/where to enable SSL for the REST API.
  • Is this feature available?
  • Are there any docs on it?
Use case:
We use Heroku to submit jobs to our Hadoop clusters running on EC2.  This means API requests come in from the public internet.  So far, we have put Genie in a private subnet and wrapped a proxy around it that a) handles authentication and b) routes requests from the public internet to our internal network (and the Genie API).

This has been brittle and tedious.  We are looking into deprecating this and pulling in AWS API Gateway to handle the proxy and authentication efforts.  But API Gateway does not support routing through VPC yet.  So, again, we would have to expose the Genie API port to the public internet.

API Gateway handles auth for requests routed through the gateway, but proxied servers are still essentially wide open to the internet without an on-box auth scheme.

I would like to do this and limit all incoming requests to those with valid SSL certs from the API Gateway.

Tom Gianos

Jan 19, 2016, 1:31:04 PM1/19/16
to genie
Hi Joe,

Genie 2 has no built-in security features. This is something we're actively working on in Genie 3 (https://github.com/Netflix/genie/issues/96). Currently SAML (for UI) and OAuth2 (for REST API) are working and we're looking to add x509 pre-authentication support as well. Since it's all built on Spring Security, if people need another authentication/authorization solution they should be able to plug it in.

That said, that doesn't help you with your problem today or likely in the near term since Genie 3 is probably a few months from being ready for release. The only thing I can think of off the top of my head would be to set up two-way SSL in your Tomcat (example: http://java-notes.com/index.php/two-way-ssl-on-tomcat). The downside of this is that everyone accessing your Genie instance would need a client certificate, so it's not very flexible. You might be able to do some advanced configuration with an Apache server fronting your Tomcat and proxying requests where you only terminate SSL connections to the REST endpoints and require certs on them but let everything else through. I'd have to research something like that though.

Let us know if you have other questions or if you find an elegant solution it can be added to documentation. PRs are always welcome.

Tom
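
Added example, not from this thread or the Genie project: the two-way SSL connector Tom refers to, written as a Tomcat 7 server.xml fragment. Port, keystore paths, alias and passwords are placeholders, and the trust store is assumed to hold only the CA that issued the API Gateway's client certificate.

```xml
<!-- Added example (not Genie's own config): Tomcat 7 HTTPS connector that
     requires a client certificate on every connection to this port.
     Paths, passwords, alias and port are placeholders. -->
<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="/etc/genie/tls/server.jks"
           keystorePass="CHANGE_ME"
           keyAlias="genie"
           truststoreFile="/etc/genie/tls/gateway-ca.jks"
           truststorePass="CHANGE_ME"
           clientAuth="true" />
<!-- clientAuth="true" makes the handshake fail unless the client presents a
     certificate chaining to a CA in truststoreFile. With the default
     clientAuth="false" (or "want") the handshake succeeds without a
     certificate, so the port is reachable by anyone who can route to it.
     Keep truststoreFile limited to the issuing CA rather than reusing the
     JVM's default cacerts; otherwise any certificate from a public CA
     would be accepted as a client. -->
```

Because clientAuth applies to the whole connector, every caller on that port needs a certificate from that CA, which is the flexibility trade-off Tom describes; browser traffic to the UI would have to be served on a separate connector.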

Joe

Jan 19, 2016, 3:10:18 PM1/19/16
to genie
Hey Tom,

Thanks for the reply!

We're on Genie v1.  I've taken the opportunity to update us to Genie v2.2 and am following the setup posted here to refactor our build code in Chef.  I think I will go with the SSL options built into Tomcat 7.  That might turn the trick here.   I will post back with any questions or updates.

Btw, here are the docs I am referencing re: AWS API Gateway and SSL:
I am not sure they support x.509 certificates for SSL at this time.  Hrmm.  Okay.  Taking a step back for a second.  Our goal here is to deprecate a self-managed proxy and rely on a managed service (API Gateway) for authentication and routing to Genie.  Plus put the whole thing in code (which obviously factors out).

How do you guys handle routing and authentication to your Genie clusters at Netflix?  Do you have a reference architecture you can share?

Regards,
Joe Reid

Tom Gianos

Jan 20, 2016, 1:54:44 PM1/20/16
to genie
Joe,

At this time access to our Genie clusters is restricted using Amazon's Security Groups. Since we don't have Genie on a public facing system we don't have the same concerns that you do here. We're adding authentication/authorization for application level security on top of the network layer in Genie 3.0.

Tom