...
The APIs are simply a contract about the directory structure of the marketplace. All APIs are relative to a base path. For example, cask.co/marketplace/v1. The structure is expected to be:
...
List Categories
Code Block |
---|
GET /<cdap-version>/categories.json
ex: /4.0.0/categories.json
[
{
"name": "examples",
"label": "Examples",
"description": "Example applications to get started with CDAP."
},
{
"name": "use-cases",
"label": "Use Cases",
"description": "Common Use Cases."
},
...
] |
List all Packages
Code Block |
---|
GET /<cdap-version>/packages.json
ex: /4.0.0/packages.json
[
{
"name": "PurchaseExample",
"label": "Purchase History",
"description": "Example Application demonstrating usage of flows, workflows, mapreduce, and services.",
"author": "Cask",
"org": "Cask Data Inc.",
"version": "4.0.1",
"categories": [ "examples" ]
},
{
"name": "HelloWorld",
"label": "Hello World",
"description": "Simple application demonstrating usage of flows and services.",
"author": "Cask",
"org": "Cask Data Inc.",
"version": "4.0.0",
"categories": [ "examples" ]
},
...
] |
Note |
---|
This leaves display of multiple versions of the same package up to the UI. Though it seems like most of the time we would only have one version of the package per cdap version so maybe it's not a big problem. |
Get Package Archive
Code Block |
---|
GET /<cdap-version>/packages/<package-name>/<version>/archive.zip
ex: GET /4.0.0/packages/PurchaseExample/4.0.1/archive.zip
[ binary archive contents] |
Get Package Archive Signature
Code Block |
---|
GET /<cdap-version>/packages/<package-name>/<version>/archive.zip.asc
ex: GET /4.0.0/packages/PurchaseExample/4.0.1/archive.zip.asc
[ archive signature ] |
Get Package Spec
Code Block |
---|
GET /<cdap-version>/packages/<package-name>/<version>/spec.json
ex: GET /4.0.0/packages/PurchaseExample/4.0.10/spec.json
{
"spec-version": "1.0",
"name": "PurchaseExample",
"label": "Purchase History",
"description": "Example Application demonstrating usage of flows, workflows, mapreduce, and services.",
"author": "Cask",
"org": "Cask Data Inc.",
"version": "4.0.10",
"created": 1234567899,
"changelog": "fixed a small parsing bug",
"categories": [ "examples" ],
"dependencies": { },
"actions": [
{
"type": "create_artifact",
"arguments": [
{
"name": "name",
"value": "PurchaseHistoryExample"
},
{
"name": "version",
"value": "4.0.1"
},
{
"name": "scope",
"value": "user"
},
{
"name": "jar",
"value": "PurchaseHistoryExample-4.0.1.jar"
}
]
},
{
"type": "create_app",
"arguments": [
{
"name": "name",
"default": "PurchaseHistory"
}
]
}
]
} |
Get Package Spec Signature
Code Block |
---|
GET /<cdap-version>/packages/<package-name>/<version>/spec.asc
ex: GET /4.0.0/packages/PurchaseExample/4.0.10/spec.asc
[ spec signature ] |
Get Package Icon
Code Block |
---|
GET /<cdap-version>/packages/<package-name>/<version>/icon.jpg
ex: GET /4.0.0/packages/PurchaseExample/4.0.0/icon.jpg
[ icon bytes ] |
Security
Since people will be able to download code from the marketplace, it is especially important that there is protection against malicious code. We can make use of PGP in order to sign both the package archive and the package spec that are downloadable from the marketplace. The Market UI will have to be configured to use a GPG key (for the public CDAP marketplace, we could re-use the GPG key used for CDAP rpms and debians or create another one). It can then use that public key along with the signature APIs to verify that the spec and archive were signed by the owner of the package.
...