Oliver Nicholas created MESOS-2856:
--------------------------------------

             Summary: fully functional webui requires all masters+slaves to be 
routable by browser
                 Key: MESOS-2856
                 URL: https://issues.apache.org/jira/browse/MESOS-2856
             Project: Mesos
          Issue Type: Bug
            Reporter: Oliver Nicholas
            Assignee: Oliver Nicholas


The core issue is that the Mesos web UI doesn't play well behind a proxy.  This 
is closely related to MESOS-1822, but I propose a different mechanism to 
resolve it.

The mesos webui expects that it can both: 
 # redirect your browser to the {{--hostname}} registered for another master if 
the master you're currently hitting isn't the leader (this is MESOS-1822)
 # redirect you directly to the {{--hostname}} of any slave (eg/ to look at 
sandbox logs)

But I don't want that to be possible really - fundamentally, mesos-master's 
webui is not appropriate for direct exposure to the Internet; in many 
enterprise cases it's not appropriate for wide exposure on a VPN either.  It 
has no access controls. And those machines shouldn't really have public IPs or 
DNS entries anyway.

The way I want to resolve this for my enterprise is to have a _single_ hostname 
(as in URL component, not literally unix host), with public DNS that can handle 
the entire webui experience (aside: the vhost this hits has a authentication 
middleware to handle the access control part).  In my case, the vhost is load 
balanced randomly across the mesos master quorum machines, and some slightly 
complex nginx rules allow it to effectively proxy any request to the actual 
leader master regardless of where the request goes.  This works nicely.

However, the mesos webui also attempts to route directly to slave machines  
with JSONP requests (eg/ as i mentioned above, to load the sandbox stdout for a 
task).  My slave machines don't even have public IPs.

Given this existing code for generating the parameters for URLs to slaves:
{code:javascript}
        var pid = $scope.slaves[$routeParams.slave_id].pid;
        var hostname = $scope.slaves[$routeParams.slave_id].hostname;
        var id = pid.substring(0, pid.indexOf('@'));
        var host = hostname + ":" + pid.substring(pid.lastIndexOf(':') + 1);
{code}

I'd like to implement a {{--enable-webui-proxy-urls}} option on the master that 
would change behavior in the webui from generating a slave URL as:
{code:javascript}
var url = '//' + host + '/files/browse.json?jsonp=JSON_CALLBACK';
{code}

to instead generate the URL as:
{code:javascript}
var url = '/proxy?host=' + encodeURIComponent(host) + '&orig=' 
encodeURIComponent('/files/browse.json?jsonp=JSON_CALLBACK');
{code}

and then nginx can take care of rewriting/reissuing the request and proxying 
the results back to the browser.

All of this could be obviated and probably made more elegant by implementing 
MESOS-2130/MESOS-2131 but..this seems like a simple change to make.  Any 
thoughts?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to