Description
From: Vladimir
There are 2 requests where HBase returns internal cluster structure, the Region Server address in particular (marked in red). Didn't notice this earlier. Since it's not an HTTP address of the Region Server, should we actually hide it? If 'yes', then how should it be rewritten in Knox so as not to break existing HBase/Stargate clients?
GET http://localhost:8080/status/cluster
{ "requests":36125,
"LiveNodes":[
{
"name":"dev01.hortonworks.com:60020",
"requests":0,
"startCode":1379004777978,
"Region":[
,
...
],
"heapSizeMB":60,
"maxHeapSizeMB":1004
}
],
"DeadNodes":[
],
"regions":5,
"averageLoad":5.0
}
GET http://localhost:8080/test_table/regions
{
"name":"test_table",
"Region":[
]
}
From: Kevin
I can think of four things we can do.
1. Remove the value: "name":""
2. Hash the value: "name":"asdkljhasdfjkhasdkjlhsd"
   - This would make sense only if we never needed to get the original value back.
3. Encrypt the value.
   - The value of this beyond hashing would be that we could decrypt on input if required.
   - Number 5 below would make this easier though.
4. Replace with a URL that has the address encoded/encrypted as part of its query string.
   - region://knox-host:8334/gateway/cluster/hbase?_=asdlkjasdlajsdklasdflkjsda
   - This would make it easier to detect in incoming URLs and rewrite back to host:port.
   - This is similar to how datanode addresses are handled.
Note that we can do different things for "name" and "location" if required.
From: Vinay
I think option 4 should be the default. IMO, it shields the cluster topology from leaking out, and with Knox being able to encode/decode (or is it encrypt/decrypt), the internal cluster nodes aren't directly addressable.
This seems like the right behavior to me.
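
A sketch of option 4, added here as an example (it is not Knox code and not part of the original thread): the gateway replaces each host:port with a region:// URL carrying the encrypted address, and reverses it on input. The class and method names and the choice of AES-GCM are assumptions; the URL prefix and host are the sample values from the messages above.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import java.util.regex.*;

public class RegionAddressMasker {
    // URL prefix taken from the sample in option 4; everything else here is hypothetical.
    static final String PREFIX = "region://knox-host:8334/gateway/cluster/hbase?_=";
    // Matches only host:port values, so "name":"test_table" is left untouched.
    static final Pattern NAME = Pattern.compile("\"name\":\"([A-Za-z0-9.-]+:\\d+)\"");
    private final SecretKey key;
    RegionAddressMasker(SecretKey key) { this.key = key; }
    // Outbound: host:port -> opaque URL (random 12-byte IV || AES-GCM ciphertext and tag, base64url).
    String mask(String hostPort) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(hostPort.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return PREFIX + Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }
    // Inbound: only tokens minted with this key decrypt; an altered token throws AEADBadTagException.
    String unmask(String url) throws Exception {
        if (!url.startsWith(PREFIX)) throw new IllegalArgumentException("not a masked region URL");
        byte[] in = Base64.getUrlDecoder().decode(url.substring(PREFIX.length()));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }
    // Rewrites every "name":"host:port" pair in a response body before it leaves the gateway.
    String rewrite(String json) throws Exception {
        Matcher m = NAME.matcher(json);
        StringBuilder sb = new StringBuilder();
        while (m.find()) m.appendReplacement(sb, Matcher.quoteReplacement("\"name\":\"" + mask(m.group(1)) + "\""));
        return m.appendTail(sb).toString();
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        RegionAddressMasker m = new RegionAddressMasker(kg.generateKey());
        String url = m.mask("dev01.hortonworks.com:60020"); // address from the sample response
        System.out.println(url + " -> " + m.unmask(url));
        System.out.println(m.rewrite("{\"name\":\"dev01.hortonworks.com:60020\",\"requests\":0}")); // constructed body
    }
}
```

Because GCM authenticates the token, the gateway only ever maps an incoming URL back to an address it issued itself, which a plain reversible encoding would not guarantee.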