Ryan Blough created HDDS-15385:
----------------------------------
Summary: We should accommodate users who work in heavily secured
environments who cannot rely on webUI functionality with CLI changes
Key: HDDS-15385
URL: https://issues.apache.org/jira/browse/HDDS-15385
Project: Apache Ozone
Issue Type: Epic
Components: Ozone CLI
Reporter: Ryan Blough

By design, several functions in Ozone rely on the webUI. The most clear-cut is
Recon, but other examples include commands like:
* ozone daemonlog (inherited from hadoop daemonlog)
* ozone insight (targeting certain debug log categories)

The key problem is that webUIs are not reliable in secured environments. There
is a fairly large combination of firewall policies, encryption layers,
privilege restrictions, proxy configurations, up to and including blanket
policy prohibitions against exposing any interface which could plausibly
contain sensitive data (like debug logs or configurations). Anything that
disables or restricts access to the webUI outside of the control of the cluster
admin team _also_ breaks the functionality of these commands.

Unfortunately it is also the case that heavily secured enterprise environments
are the same environments that would benefit the most from being able to change
log levels, or at least fetch debug log details, without having to change
configurations or undergo restarts. This leaves an important segment of heavy
users of Ozone unable to efficiently troubleshoot non-obvious problems.

I think the solution is to skip contact with webUI endpoints, and get the data
locally before it is served by the webUI. I suspect this in turn would require
some changes to make the data being served by the webUI more accessible to
direct CLI access.