Guys, neither the 1st nor the 2nd approach is secure. Keep in mind that the agent has a connection with the outside world, so it will already be considered a higher security risk. The safest way for it to connect to the cluster is via standard HTTP over port 80.
Generally, any approach that requires anything other than HTTP (port 80) introduces higher security risk. On top of that, it requires punching holes in a firewall, extra approvals, etc.

My strong preference is the 3rd approach. Web agent is simply a proxy between the web-control-center and the grid. It should simply forward requests/responses and have almost no logic of its own.

D.

On Tue, Jul 14, 2015 at 9:57 AM, Alexey Kuznetsov <[email protected]> wrote:

> We need web-agent for three use cases:
> #1 Grid monitoring.
> #2 SQL.
> #3 Collect metadata from RDBMS.
>
> #1 and #2 will require interaction with grid.
> #3 just connect to DB and grab metadata.
>
> So, in this thread three approaches to design web-agent were introduced.
> Let's see their pros and cons.
>
> First approach: implement web-agent as Ignite plugin that will start singleton service.
> Pro: Native to Ignite, automatic failover, easy to deploy (just put a jar into classpath).
> Cons: How to implement use case #3? What about security? Production grid usually deployed in closed network.
>
> Second approach: implement web-agent as separate application that will start daemon node inside when needed. Actually this is how Visor works.
> Pro: Also native to Ignite (could reuse Visor tasks already). Easy to deploy (as Visor) - just put some jars in bin/web-agent folder + bin\web-agent.sh
> Secure. Web-agent could use binary rest protocol as Visor and work even via ssh tunnel.
> Cons: No automatic failover.
>
> Third approach: implement web-agent as lightweight proxy between web-server and Ignite.
> Web-agent will retranslate http request to grid and retranslate results from grid to web control center.
> Pro: It is lightweight and could be implemented without dependencies from Ignite.
> Cons: Not native to Ignite. We need to implement two protocols: web-control-center <-> web agent and web agent <-> Ignite.
>
> As for me, I most like the second approach because we have a lot of experience with Visor and could reuse code.
>
> Thoughts?
>
> On Tue, Jul 14, 2015 at 11:38 PM, Nikita Ivanov <[email protected]> wrote:
>
> > +1 on Dmitriy's approach.
> >
> > --
> > Nikita Ivanov
> >
> > On Tue, Jul 14, 2015 at 9:30 AM, Dmitriy Setrakyan <[email protected]> wrote:
> >
> > > On Tue, Jul 14, 2015 at 8:30 AM, Yakov Zhdanov <[email protected]> wrote:
> > >
> > > > Why? Do you understand how many problems you bring with this approach?
> > >
> > > Yakov, unfortunately this is not about ease of implementation, but about security. We will not be allowed to connect to the grid cluster from where the web agent is running.
> > >
> > > I also don't see how we are adding a lot of complexity either. The way I see it being implemented is by creating a set of tasks that will return JSON objects for metrics, topology, etc. which will be processed on the browser side. These tasks can be easily executed over HTTP REST protocol.
> > >
> > > > --Yakov
> > > >
> > > > 2015-07-14 18:00 GMT+03:00 Dmitriy Setrakyan <[email protected]>:
> > > >
> > > > > Yakov,
> > > > >
> > > > > We cannot start a client inside of an agent simply because agent will be started outside of the cluster where grid is deployed. Agent will be connecting to the grid using HTTP Rest requests.
> > > > >
> > > > > D.
> > > > >
> > > > > On Tue, Jul 14, 2015 at 6:16 AM, Yakov Zhdanov <[email protected]> wrote:
> > > > >
> > > > > > I like the design where agent is a plugin to Ignite. Agent-ControlCenter can be incorporated into the singleton cluster-wide service deployed by plugin on start. This approach seems very good and clean to me:
> > > > > > 1. Easy to config - just drop JAR with plugin to classpath
> > > > > > 2. It is native to the cluster - it operates inside.
> > > > > > 3. Failover works out of the box.
> > > > > >
> > > > > > Thanks!
> > > > > >
> > > > > > --Yakov
> > > > > >
> > > > > > 2015-07-02 19:35 GMT+03:00 Dmitriy Setrakyan <[email protected]>:
> > > > > >
> > > > > > > On Thu, Jul 2, 2015 at 8:08 AM, Sergey Evdokimov <[email protected]> wrote:
> > > > > > >
> > > > > > > > Yes, Web Agent can open connection to Control Center at any time. Web Agent is started up as much as started up cluster, but user looks to Control Center infrequently. Web Agent has to keep connection always opened or we need a way to notify Web Agent about new web-session on Web Control Center.
> > > > > > >
> > > > > > > Sergey, the agent should automatically reconnect whenever a connection is lost. For example, it can send a keep-alive ping every 2 seconds back to the web control center.
> > > > > > >
> > > > > > > If you are having doubts about the approach, please ping me on Skype so we could flush out the details.
> > > > > > >
> > > > > > > > On Thu, Jul 2, 2015 at 5:53 PM, Dmitriy Setrakyan <[email protected]> wrote:
> > > > > > > >
> > > > > > > > > On Thu, Jul 2, 2015 at 7:29 AM, Sergey Evdokimov <[email protected]> wrote:
> > > > > > > > >
> > > > > > > > > > Web Agent can be shipped as Ignite plugin and start inside the cluster as service to avoid unnecessary configuration.
> > > > > > > > > >
> > > > > > > > > > How will Web Agent detect that Web Control Center needs data? Web Control Center cannot open connection to cluster, because cluster may be in local network without static IP. Do you mean that Web Agent will keep opened connection to Web Control Center always?
> > > > > > > > >
> > > > > > > > > However, the Ignite web agent should be able to open a connection to the web control center, no?
> > > > > > > > >
> > > > > > > > > > On Thu, Jul 2, 2015 at 5:12 PM, Alexey Kuznetsov <[email protected]> wrote:
> > > > > > > > > >
> > > > > > > > > > > Igniters,
> > > > > > > > > > >
> > > > > > > > > > > I'm working on Web Control Center and first release is near.
> > > > > > > > > > > In first release we will provide UI for cluster and caches configuration.
> > > > > > > > > > >
> > > > > > > > > > > In next releases we will provide Monitoring, SQL and Schema Import Utility.
> > > > > > > > > > > But those advanced features require access to Ignite cluster (for Monitoring and SQL)
> > > > > > > > > > > and access to DB server for Schema Import.
> > > > > > > > > > >
> > > > > > > > > > > After some thoughts we decided to create a so-called "web agent" it will be started "near" cluster and DB will connect to it and send all needed info to Web Control Center.
> > > > > > > > > > >
> > > > > > > > > > > Any ideas, thoughts and suggestions are very welcome.
> > > > > > > > > > >
> > > > > > > > > > > Thanks.
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Alexey Kuznetsov
> > > > > > > > > > > GridGain Systems
> > > > > > > > > > > www.gridgain.com
>
> --
> Alexey Kuznetsov
> GridGain Systems
> www.gridgain.com
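
The third approach discussed in this thread (an agent that only relays HTTP requests to the grid and returns the JSON reply), sketched as an added example that is not code from the thread or from Ignite. The task names, the `/rest` path, the request shape and the task allow-list are assumptions made for illustration; the allow-list goes beyond what the thread proposes.

```python
import json
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: hypothetical task names, after the thread's "metrics, topology".
ALLOWED_TASKS = {"metrics", "topology"}
# Talk to the grid directly; ignore proxy settings from the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class ForwardRejected(Exception):
    """The agent refused to relay a request."""

def forward(request, grid_base):
    # grid_base comes from the agent's own configuration, never from the
    # request, so the control center cannot aim the agent at other hosts.
    task = request.get("task")
    if task not in ALLOWED_TASKS:
        raise ForwardRejected(f"task not allowed: {task!r}")
    # A "task" key smuggled into params must not override the checked one.
    params = {k: str(v) for k, v in request.get("params", {}).items() if k != "task"}
    query = urllib.parse.urlencode({"task": task, **params})
    with _OPENER.open(f"{grid_base}?{query}", timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))

class StubGrid(BaseHTTPRequestHandler):
    """Constructed stand-in for the grid's REST endpoint; echoes the query as JSON."""

    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        body = json.dumps({k: v[0] for k, v in query.items()}).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo(request):
    """Start the stub on a loopback port, forward one request, return the reply."""
    server = HTTPServer(("127.0.0.1", 0), StubGrid)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return forward(request, f"http://127.0.0.1:{server.server_port}/rest")
    finally:
        server.shutdown()
        server.server_close()
```
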
