[jira] [Commented] (KYLIN-3569) Server with query mode still can submit/build job
[ https://issues.apache.org/jira/browse/KYLIN-3569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16619993#comment-16619993 ] Ma Gang commented on KYLIN-3569: I think that is by design, query server can accept any restful request(including submit job request), and job server is responsible to schedule jobs. In a typical Kylin cluster setup, Kylin servers that behind LB(nginx, F5, etc) should have query server permission, so that it can accept any restful request, and the servers that are configured only as job server should not be configured in LB. For the permission issue, you should configure the ACL properly, to ensure that the BI tools use the user that only have read permission for your project. > Server with query mode still can submit/build job > - > > Key: KYLIN-3569 > URL: https://issues.apache.org/jira/browse/KYLIN-3569 > Project: Kylin > Issue Type: Bug > Components: Job Engine, REST Service, Security >Affects Versions: v2.4.1 > Environment: CentOS 6.7, HBase 1.2.0+cdh5.14.2+456 >Reporter: Zongwei Li >Priority: Major > Labels: build, documentation, security > Attachments: kylinCode.png > > > From the Docs at Kylin site, > [http://kylin.apache.org/docs24/install/kylin_cluster.html] > * *query* : run query engine only; Kylin query engine accepts and answers > your SQL queries > It seems that if server set with 'kylin.server.mode=query', it should not can > support submit/build job. But as we tested, server with query mode still can > submit/build job from UI or RESTFul API. > We analyzed the source code, found that there didn't exist any protect logic > to check whether server is at 'job' or 'build' mode in service layer for > submit/build job. Already attach the source code in this issue. > This issue really confused us, because we considered query server cannot > build job in Kylin Docs and many Kylin books. And query server will exposed > to 3rd BI tool to query the data, if we forget to configure the suitable ACL > for Cubes, then the 3rd BI tool can trigger build job in any time. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KYLIN-3569) Server with query mode still can submit/build job
[ https://issues.apache.org/jira/browse/KYLIN-3569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16620023#comment-16620023 ] Zongwei Li commented on KYLIN-3569: --- For ' job server is responsible to schedule jobs', what's case for the schedule jobs? Can you help to give detail information about it, we want to know which function only can Job server take. It will help us to design the deployment architecture. Thanks > Server with query mode still can submit/build job > - > > Key: KYLIN-3569 > URL: https://issues.apache.org/jira/browse/KYLIN-3569 > Project: Kylin > Issue Type: Bug > Components: Job Engine, REST Service, Security >Affects Versions: v2.4.1 > Environment: CentOS 6.7, HBase 1.2.0+cdh5.14.2+456 >Reporter: Zongwei Li >Priority: Major > Labels: build, documentation, security > Attachments: kylinCode.png > > > From the Docs at Kylin site, > [http://kylin.apache.org/docs24/install/kylin_cluster.html] > * *query* : run query engine only; Kylin query engine accepts and answers > your SQL queries > It seems that if server set with 'kylin.server.mode=query', it should not can > support submit/build job. But as we tested, server with query mode still can > submit/build job from UI or RESTFul API. > We analyzed the source code, found that there didn't exist any protect logic > to check whether server is at 'job' or 'build' mode in service layer for > submit/build job. Already attach the source code in this issue. > This issue really confused us, because we considered query server cannot > build job in Kylin Docs and many Kylin books. And query server will exposed > to 3rd BI tool to query the data, if we forget to configure the suitable ACL > for Cubes, then the 3rd BI tool can trigger build job in any time. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KYLIN-3569) Server with query mode still can submit/build job
[ https://issues.apache.org/jira/browse/KYLIN-3569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16620142#comment-16620142 ] Shaofeng SHI commented on KYLIN-3569: - This is by design; Query server won't execute job. The job can only be executed by job node. Please send your question to u...@kylin.apache.org. > Server with query mode still can submit/build job > - > > Key: KYLIN-3569 > URL: https://issues.apache.org/jira/browse/KYLIN-3569 > Project: Kylin > Issue Type: Bug > Components: Job Engine, REST Service, Security >Affects Versions: v2.4.1 > Environment: CentOS 6.7, HBase 1.2.0+cdh5.14.2+456 >Reporter: Zongwei Li >Priority: Major > Labels: build, documentation, security > Attachments: kylinCode.png > > > From the Docs at Kylin site, > [http://kylin.apache.org/docs24/install/kylin_cluster.html] > * *query* : run query engine only; Kylin query engine accepts and answers > your SQL queries > It seems that if server set with 'kylin.server.mode=query', it should not can > support submit/build job. But as we tested, server with query mode still can > submit/build job from UI or RESTFul API. > We analyzed the source code, found that there didn't exist any protect logic > to check whether server is at 'job' or 'build' mode in service layer for > submit/build job. Already attach the source code in this issue. > This issue really confused us, because we considered query server cannot > build job in Kylin Docs and many Kylin books. And query server will exposed > to 3rd BI tool to query the data, if we forget to configure the suitable ACL > for Cubes, then the 3rd BI tool can trigger build job in any time. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KYLIN-3569) Server with query mode still can submit/build job
[ https://issues.apache.org/jira/browse/KYLIN-3569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16620215#comment-16620215 ] Zongwei Li commented on KYLIN-3569: --- After code review again, there is a hardcode string in DistributedScheduler.class, line 192, if (!("job".equals(serverMode.toLowerCase()) || "all".equals(serverMode.toLowerCase( { logger.info("server mode: " + serverMode + ", no need to run job scheduler"); return; } Already clarify the responsibility which job engine take by code review, suggest refactor this code to replace the "job" with public final static String SERVER_MODE_JOB = "job"; in Contant.class which already exist > Server with query mode still can submit/build job > - > > Key: KYLIN-3569 > URL: https://issues.apache.org/jira/browse/KYLIN-3569 > Project: Kylin > Issue Type: Bug > Components: Job Engine, REST Service, Security >Affects Versions: v2.4.1 > Environment: CentOS 6.7, HBase 1.2.0+cdh5.14.2+456 >Reporter: Zongwei Li >Priority: Major > Labels: build, documentation, security > Attachments: kylinCode.png > > > From the Docs at Kylin site, > [http://kylin.apache.org/docs24/install/kylin_cluster.html] > * *query* : run query engine only; Kylin query engine accepts and answers > your SQL queries > It seems that if server set with 'kylin.server.mode=query', it should not can > support submit/build job. But as we tested, server with query mode still can > submit/build job from UI or RESTFul API. > We analyzed the source code, found that there didn't exist any protect logic > to check whether server is at 'job' or 'build' mode in service layer for > submit/build job. Already attach the source code in this issue. > This issue really confused us, because we considered query server cannot > build job in Kylin Docs and many Kylin books. And query server will exposed > to 3rd BI tool to query the data, if we forget to configure the suitable ACL > for Cubes, then the 3rd BI tool can trigger build job in any time. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KYLIN-3569) Server with query mode still can submit/build job
[ https://issues.apache.org/jira/browse/KYLIN-3569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16626632#comment-16626632 ] Shaofeng SHI commented on KYLIN-3569: - Hi Zongwei, do you want to contribute a patch? > Server with query mode still can submit/build job > - > > Key: KYLIN-3569 > URL: https://issues.apache.org/jira/browse/KYLIN-3569 > Project: Kylin > Issue Type: Bug > Components: Job Engine, REST Service, Security >Affects Versions: v2.4.1 > Environment: CentOS 6.7, HBase 1.2.0+cdh5.14.2+456 >Reporter: Zongwei Li >Priority: Major > Labels: build, documentation, security > Attachments: kylinCode.png > > > From the Docs at Kylin site, > [http://kylin.apache.org/docs24/install/kylin_cluster.html] > * *query* : run query engine only; Kylin query engine accepts and answers > your SQL queries > It seems that if server set with 'kylin.server.mode=query', it should not can > support submit/build job. But as we tested, server with query mode still can > submit/build job from UI or RESTFul API. > We analyzed the source code, found that there didn't exist any protect logic > to check whether server is at 'job' or 'build' mode in service layer for > submit/build job. Already attach the source code in this issue. > This issue really confused us, because we considered query server cannot > build job in Kylin Docs and many Kylin books. And query server will exposed > to 3rd BI tool to query the data, if we forget to configure the suitable ACL > for Cubes, then the 3rd BI tool can trigger build job in any time. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KYLIN-3569) Server with query mode still can submit/build job
[ https://issues.apache.org/jira/browse/KYLIN-3569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16626633#comment-16626633 ] Zongwei Li commented on KYLIN-3569: --- Sure, let me try it. > Server with query mode still can submit/build job > - > > Key: KYLIN-3569 > URL: https://issues.apache.org/jira/browse/KYLIN-3569 > Project: Kylin > Issue Type: Bug > Components: Job Engine, REST Service, Security >Affects Versions: v2.4.1 > Environment: CentOS 6.7, HBase 1.2.0+cdh5.14.2+456 >Reporter: Zongwei Li >Priority: Major > Labels: build, documentation, security > Attachments: kylinCode.png > > > From the Docs at Kylin site, > [http://kylin.apache.org/docs24/install/kylin_cluster.html] > * *query* : run query engine only; Kylin query engine accepts and answers > your SQL queries > It seems that if server set with 'kylin.server.mode=query', it should not can > support submit/build job. But as we tested, server with query mode still can > submit/build job from UI or RESTFul API. > We analyzed the source code, found that there didn't exist any protect logic > to check whether server is at 'job' or 'build' mode in service layer for > submit/build job. Already attach the source code in this issue. > This issue really confused us, because we considered query server cannot > build job in Kylin Docs and many Kylin books. And query server will exposed > to 3rd BI tool to query the data, if we forget to configure the suitable ACL > for Cubes, then the 3rd BI tool can trigger build job in any time. -- This message was sent by Atlassian JIRA (v7.6.3#76005)