Uploaded image for project: 'Apache Knox'
  1. Apache Knox
  2. KNOX-144

Ensure cluster topology details are rewritten for HBase/Stargate REST APIs

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • 0.3.0
    • 0.3.0
    • Server
    • None

    Description

      From: Vladimir
      There are 2 requests where HBase returns internal cluster structure, Region Server address in particular (marked in red). Didn't noticed this earlier. Since it's not http address of Region Server should we actually hide it? If 'yes' then how it should be rewritten in Knox not to break existing HBase/Stargate clients?

      GET http://localhost:8080/status/cluster
      { "requests":36125,
      "LiveNodes":[
      {
      "name":"dev01.hortonworks.com:60020",
      "requests":0,
      "startCode":1379004777978,
      "Region":[

      { "name":"YW1iYXJpc21va2V0ZXN0LCwxMzc5MDA1MDIyNjc4LjkzN2M3YTcxODBlNTQ3Y2NiMDQ1ODdlNzA3Y2U1MTIyLg==", "readRequestsCount":0, "writeRequestsCount":1, "stores":1, "storefiles":1, "storefileSizeMB":0, "memstoreSizeMB":0, "storefileIndexSizeMB":0, "rootIndexSizeKB":0, "totalStaticIndexSizeKB":0, "totalStaticBloomSizeKB":0, "totalCompactingKVs":0, "currentCompactedKVs":0 }

      ,
      ...
      ],
      "heapSizeMB":60,
      "maxHeapSizeMB":1004
      }
      ],
      "DeadNodes":[

      ],
      "regions":5,
      "averageLoad":5.0
      }

      GET http://localhost:8080/test_table/regions
      {
      "name":"test_table",
      "Region":[

      { "endKey":"", "id":1379330509662, "location":"dev01.hortonworks.com:60020", "name":"test_table,,1379330509662.0381e0912d8802b53b3946987736748e.", "startKey":"" }

      ]
      }

      From: Kevin
      I can think of four things we can do.

      Remove the value: "name":""
      Hash the value: "name":"asdkljhasdfjkhasdkjlhsd"
      This would make sense only if we never needed to get the original value back.
      Encrypt the value.
      The value of this beyond hashing would be that we could decrypt on input if required.
      Number 5 below would make this easier though.
      Replace with a URL that has the address encoded/encrypted as part of its query string.
      region://knox-host:8334/gateway/cluster/hbase?_=asdlkjasdlajsdklasdflkjsda
      This would make it easier to detect in incoming URLs and rewrite back to host:port.
      This is similar to how datanode addresses are handled

      Note that we can do different things for "name" and "location" if required.

      From Vinay:
      I think option 4 should be the default. IMO, it shields the cluster topology from leaking out and with Knox being able to encode/decode (or is it encrypt/decrypt) the internal cluster nodes aren't directly addressable.

      This seems like the right behavior to me.

      Attachments

        Activity

          People

            kminder Kevin Minder
            kminder Kevin Minder
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: