Kevin Minder created KNOX-144:
---------------------------------
Summary: Ensure cluster topology details are rewritten for
HBase/Stargate REST APIs
Key: KNOX-144
URL: https://issues.apache.org/jira/browse/KNOX-144
Project: Apache Knox
Issue Type: Bug
Components: Server
Affects Versions: 0.3.0
Reporter: Kevin Minder
Priority: Blocker
Fix For: 0.3.0
From: Vladimir
There are 2 requests where HBase returns internal cluster structure, Region
Server address in particular (marked in red). Didn't noticed this earlier.
Since it's not http address of Region Server should we actually hide it? If
'yes' then how it should be rewritten in Knox not to break existing
HBase/Stargate clients?
GET http://localhost:8080/status/cluster
{ "requests":36125,
"LiveNodes":[
{
"name":"dev01.hortonworks.com:60020",
"requests":0,
"startCode":1379004777978,
"Region":[
{
"name":"YW1iYXJpc21va2V0ZXN0LCwxMzc5MDA1MDIyNjc4LjkzN2M3YTcxODBlNTQ3Y2NiMDQ1ODdlNzA3Y2U1MTIyLg==",
"readRequestsCount":0,
"writeRequestsCount":1,
"stores":1,
"storefiles":1,
"storefileSizeMB":0,
"memstoreSizeMB":0,
"storefileIndexSizeMB":0,
"rootIndexSizeKB":0,
"totalStaticIndexSizeKB":0,
"totalStaticBloomSizeKB":0,
"totalCompactingKVs":0,
"currentCompactedKVs":0
},
...
],
"heapSizeMB":60,
"maxHeapSizeMB":1004
}
],
"DeadNodes":[
],
"regions":5,
"averageLoad":5.0
}
GET http://localhost:8080/test_table/regions
{
"name":"test_table",
"Region":[
{
"endKey":"",
"id":1379330509662,
"location":"dev01.hortonworks.com:60020",
"name":"test_table,,1379330509662.0381e0912d8802b53b3946987736748e.",
"startKey":""
}
]
}
From: Kevin
I can think of four things we can do.
Remove the value: "name":""
Hash the value: "name":"asdkljhasdfjkhasdkjlhsd"
This would make sense only if we never needed to get the original value
back.
Encrypt the value.
The value of this beyond hashing would be that we could decrypt on
input if required.
Number 5 below would make this easier though.
Replace with a URL that has the address encoded/encrypted as part of its
query string.
region://knox-host:8334/gateway/cluster/hbase?_=asdlkjasdlajsdklasdflkjsda
This would make it easier to detect in incoming URLs and rewrite back
to host:port.
This is similar to how datanode addresses are handled
Note that we can do different things for "name" and "location" if required.
>From Vinay:
I think option 4 should be the default. IMO, it shields the cluster topology
from leaking out and with Knox being able to encode/decode (or is it
encrypt/decrypt) the internal cluster nodes aren't directly addressable.
This seems like the right behavior to me.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
