[jira] [Commented] (HBASE-27183) Support regionserver to connect to HMaster proxy port

2022-07-08 Thread Viraj Jasani (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-27183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17564509#comment-17564509
 ] 

Viraj Jasani commented on HBASE-27183:
--

Sure [~zhangduo]. Until we get consensus on this, the PR stays blocked.

> Support regionserver to connect to HMaster proxy port
> -
>
> Key: HBASE-27183
> URL: https://issues.apache.org/jira/browse/HBASE-27183
> Project: HBase
> Issue Type: Improvement
> Reporter: Viraj Jasani
> Assignee: Viraj Jasani
> Priority: Major
> Fix For: 2.6.0, 2.5.1, 3.0.0-alpha-4
>
>
> Regionservers get active master address from Zookeeper/Master registry and 
> try to make RPC calls to master.
> For security concerns, regionservers might require making connection to a 
> different proxy port of master rather than its original port retrieved from 
> Zookeeper.
> Configs:
>  # hbase.master.expose.proxy.port: Master can use this config (int) to expose 
> new proxy port on active and backup master znodes.
>  # hbase.client.consume.master.proxy.port: Clients/Regionservers can use this 
> config (boolean) to determine whether to connect to active master on new 
> proxy port that master has exposed or continue using original port of master 
> for connection.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (HBASE-27183) Support regionserver to connect to HMaster proxy port

2022-07-08 Thread Duo Zhang (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-27183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17564500#comment-17564500
 ] 

Duo Zhang commented on HBASE-27183:
---

If the trick is done outside HBase, I think the correct way to address the 
remaining problem should also be done outside HBase.

That means, you can implement something like a reverse proxy, by our own, and 
expose this reverse proxy to all the region servers. The related trick logic can 
be included in this reverse proxy.

FWIW, I do not feel like this is a general enough scenario which is worth adding 
new stuff in HBase. For example, if masters are deployed with K8s, sometimes 
both the host name and port which are registered to zookeeper can not be 
directly connected, then we should also include a special host name field in 
the proto? And even on master we can not know what is the valid host name...

Let's discuss more here or on the mailing list, before we land the actual 
changes.

Thanks.

> Support regionserver to connect to HMaster proxy port
> -
>
> Key: HBASE-27183
> URL: https://issues.apache.org/jira/browse/HBASE-27183
> Project: HBase
> Issue Type: Improvement
> Reporter: Viraj Jasani
> Assignee: Viraj Jasani
> Priority: Major
> Fix For: 2.6.0, 2.5.1, 3.0.0-alpha-4
>
>
> Regionservers get active master address from Zookeeper/Master registry and 
> try to make RPC calls to master.
> For security concerns, regionservers might require making connection to a 
> different proxy port of master rather than its original port retrieved from 
> Zookeeper.
> Configs:
>  # hbase.master.expose.proxy.port: Master can use this config (int) to expose 
> new proxy port on active and backup master znodes.
>  # hbase.regionserver.consume.master.proxy.port: Clients/Regionservers can 
> use this config (boolean) to determine whether to connect to active master on 
> new proxy port that master has exposed or continue using original port of 
> master for connection.





[jira] [Commented] (HBASE-27183) Support regionserver to connect to HMaster proxy port

2022-07-08 Thread Viraj Jasani (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-27183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17564499#comment-17564499
 ] 

Viraj Jasani commented on HBASE-27183:
--

{quote}the better way is to change the registry data on zookeeper, instead of 
letting region server to do this static configured port change?
{quote}
This is covered with PR [https://github.com/apache/hbase/pull/4606]

Basically we let master continue exposing its binding port but in addition to 
that, also let it expose new proxy port for any client to connect to. So 
masterAddress and backupAddress znodes both will have new proto field named 
masterProxyPort. Now regionservers still continue using same ServerName object 
retrieved/deserialized from znodes but with a new config, they can switch to 
using new proxy port (only if master has exposed this port on znode in the 
first place). Does this sound good to you [~zhangduo]?
{quote}If there is rule to block some ports due to security, then the correct 
way is to not bind the master port in this blocked range?
{quote}
Valid question, no doubt. However, we have a special encryption requirement where 
a service should bind on one specific port but that port is not open for secure 
communication. The secure channel is established on a new proxy port, and on 
the master host, proxy port to original port redirection is automatically done, 
something outside the scope of HBase/Hadoop application layer.

> Support regionserver to connect to HMaster proxy port
> -
>
> Key: HBASE-27183
> URL: https://issues.apache.org/jira/browse/HBASE-27183
> Project: HBase
> Issue Type: Improvement
> Reporter: Viraj Jasani
> Assignee: Viraj Jasani
> Priority: Major
> Fix For: 3.0.0-alpha-4
>
>
> Regionservers get active master address from Zookeeper/Master registry and 
> try to make RPC calls to master.
> For security concerns, regionservers might require making connection to a 
> different proxy port of master rather than its original port retrieved from 
> Zookeeper.
> Configs:
>  # hbase.master.expose.proxy.port: Master can use this config (int) to expose 
> new proxy port on active and backup master znodes.
>  # hbase.regionserver.consume.master.proxy.port: Clients/Regionservers can 
> use this config (boolean) to determine whether to connect to active master on 
> new proxy port that master has exposed or continue using original port of 
> master for connection.
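
The port choice described in the comment above, as an added Java illustration that is not code from the PR or from HBase. `MasterZnodeData`, `selectPort` and `endpoints` are hypothetical names, the host names and port numbers are constructed, and treating an out-of-range proxy port as not exposed is an assumption.

```java
import java.util.List;
import java.util.OptionalInt;

// Added illustration; every class and method name here is hypothetical, not an HBase API.
public class MasterPortSelection {

    // Stand-in for what a master publishes on its znode: the bind address plus the
    // optional masterProxyPort field (present only when hbase.master.expose.proxy.port is set).
    record MasterZnodeData(String host, int bindPort, OptionalInt masterProxyPort) {}

    static boolean validPort(int port) {
        return port > 0 && port <= 65535;
    }

    // consumeProxyPort mirrors hbase.regionserver.consume.master.proxy.port (boolean).
    static int selectPort(MasterZnodeData m, boolean consumeProxyPort) {
        if (!validPort(m.bindPort())) {
            throw new IllegalArgumentException("invalid master port " + m.bindPort());
        }
        // Switch only when this side opted in AND the master exposed a proxy port.
        if (consumeProxyPort && m.masterProxyPort().isPresent()) {
            int proxyPort = m.masterProxyPort().getAsInt();
            // Assumption: an out-of-range value is treated as "not exposed".
            if (validPort(proxyPort)) {
                return proxyPort;
            }
        }
        return m.bindPort();
    }

    // Active and backup master znodes carry the same field, so resolve each one.
    static List<String> endpoints(List<MasterZnodeData> masters, boolean consumeProxyPort) {
        return masters.stream()
            .map(m -> m.host() + ":" + selectPort(m, consumeProxyPort))
            .toList();
    }

    public static void main(String[] args) {
        // Constructed sample data: one master exposes a proxy port, one does not.
        List<MasterZnodeData> masters = List.of(
            new MasterZnodeData("master-a.example.com", 16000, OptionalInt.of(16443)),
            new MasterZnodeData("master-b.example.com", 16000, OptionalInt.empty()));
        System.out.println(endpoints(masters, true));
        System.out.println(endpoints(masters, false));
    }
}
```

The sketch uses records and `Stream.toList()`, so it needs Java 16 or later.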





[jira] [Commented] (HBASE-27183) Support regionserver to connect to HMaster proxy port

2022-07-08 Thread Duo Zhang (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-27183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17564497#comment-17564497
 ] 

Duo Zhang commented on HBASE-27183:
---

I do not feel this is the correct way to solve the problem.

If there is rule to block some ports due to security, then the correct way is 
to not bind the master port in this blocked range?

And what's more, even if you want to hack into HBase, the better way is to change 
the registry data on zookeeper, instead of letting the region server do this 
static configured port change? Why not just register the proxy port on 
zookeeper?



[jira] [Commented] (HBASE-27183) Support regionserver to connect to HMaster proxy port

2022-07-08 Thread Viraj Jasani (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-27183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17564353#comment-17564353
 ] 

Viraj Jasani commented on HBASE-27183:
--

A new registry is required only if we are introducing a new way of storing master 
and meta address. Here the hostname/ip address of active master remains same 
but only port is a proxy. But I think the better way is for master to publish 
its own port by using new config.

> Support regionserver to connect to HMaster proxy port
> -
>
> Key: HBASE-27183
> URL: https://issues.apache.org/jira/browse/HBASE-27183
> Project: HBase
> Issue Type: Improvement
> Reporter: Viraj Jasani
> Assignee: Viraj Jasani
> Priority: Major
> Fix For: 3.0.0-alpha-4
>
>
> Regionservers get active master address from Zookeeper/Master registry and 
> try to make RPC calls to master.
> For security concerns, regionservers might require making connection to a 
> different proxy port of master rather than its original port retrieved from 
> Zookeeper. We should support this case by introducing a new config.





[jira] [Commented] (HBASE-27183) Support regionserver to connect to HMaster proxy port

2022-07-08 Thread Duo Zhang (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-27183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17564115#comment-17564115
 ] 

Duo Zhang commented on HBASE-27183:
---

I think we can implement a special registry?



[jira] [Commented] (HBASE-27183) Support regionserver to connect to HMaster proxy port

2022-07-07 Thread Viraj Jasani (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-27183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17564091#comment-17564091
 ] 

Viraj Jasani commented on HBASE-27183:
--

Sounds good, thanks



[jira] [Commented] (HBASE-27183) Support regionserver to connect to HMaster proxy port

2022-07-07 Thread Duo Zhang (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-27183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17564090#comment-17564090
 ] 

Duo Zhang commented on HBASE-27183:
---

Oh, I removed the fix versions just because we will make releases on these 
lines soon, so let's not block them. It is OK to commit to branch-2.x.



[jira] [Commented] (HBASE-27183) Support regionserver to connect to HMaster proxy port

2022-07-07 Thread Viraj Jasani (Jira)


[ 
https://issues.apache.org/jira/browse/HBASE-27183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17564088#comment-17564088
 ] 

Viraj Jasani commented on HBASE-27183:
--

[~zhangduo] This is going to be a config-based change only, so good to roll out on 
branch-2 and 2.4 as well?
