ignite-dev mailing list archives

From Dmitriy Setrakyan <dsetrak...@apache.org>
Subject Re: Ignite Web Control Center Architecture
Date Tue, 14 Jul 2015 17:12:31 GMT
Guys,

Neither the 1st nor the 2nd approach is secure. Keep in mind that the agent
has a connection with the outside world, so it will already be considered a
higher security risk. The safest way for it to connect to the cluster is
via standard HTTP over port 80.

Generally, any approach that requires anything other than HTTP (port 80)
introduces a higher security risk. On top of that, it requires punching holes
in a firewall, extra approvals, etc.

My strong preference is the 3rd approach. The web agent is simply a proxy
between the web-control-center and the grid. It should simply forward
requests/responses and have almost no logic of its own.

D.

On Tue, Jul 14, 2015 at 9:57 AM, Alexey Kuznetsov <akuznetsov@gridgain.com>
wrote:

> We need web-agent for three use cases:
> #1 Grid monitoring.
> #2 SQL.
> #3 Collect metadata from RDBMS.
>
> #1 and #2 will require interaction with grid.
> #3 just connect to DB and grab metadata.
>
> So, in this thread three approaches to designing the web-agent were
> introduced. Let's see their pros and cons.
>
> First approach: implement web-agent as an Ignite plugin that will start a
> singleton service.
>    Pro: Native to Ignite, automatic failover, easy to deploy (just put a
> jar into classpath).
>    Cons: How to implement use case #3? What about security? A production
> grid is usually deployed in a closed network.
>
> Second approach: implement web-agent as a separate application that will
> start a daemon node inside when needed. Actually this is how Visor works.
>    Pro: Also native to Ignite (could reuse Visor tasks already). Easy to
> deploy (as Visor) - just put some jars in bin/web-agent folder +
> bin\web-agent.sh
>           Secure. Web-agent could use binary rest protocol as Visor and
> work even via ssh tunnel.
>    Cons: No automatic failover.
>
> Third approach: implement web-agent as a lightweight proxy between
> web-server and Ignite.
>     Web-agent will retranslate http requests to the grid and retranslate
> results from the grid to web control center.
>   Pro: It is lightweight and could be implemented without dependencies
> on Ignite.
>   Cons: Not native to Ignite. We need to implement two protocols:
> web-control-center <-> web agent and web agent <-> Ignite.
>
>
> As for me, I like the second approach most because we have a lot of
> experience with Visor and could reuse code.
>
>
> Thoughts?
>
>
> On Tue, Jul 14, 2015 at 11:38 PM, Nikita Ivanov <nivanov30@gmail.com>
> wrote:
>
> > +1 on Dmitriy's approach.
> >
> > --
> > Nikita Ivanov
> >
> >
> > On Tue, Jul 14, 2015 at 9:30 AM, Dmitriy Setrakyan <dsetrakyan@apache.org>
> > wrote:
> >
> > > On Tue, Jul 14, 2015 at 8:30 AM, Yakov Zhdanov <yzhdanov@apache.org>
> > > wrote:
> > >
> > > > Why? Do you understand how many problems you bring with this approach?
> > > >
> > >
> > > Yakov, unfortunately this is not about ease of implementation, but about
> > > security. We will not be allowed to connect to the grid cluster from where
> > > the web agent is running.
> > >
> > > I also don't see how we are adding a lot of complexity either. The way I
> > > see it being implemented is by creating a set of tasks that will return
> > > JSON objects for metrics, topology, etc. which will be processed on the
> > > browser side. These tasks can be easily executed over HTTP REST protocol.
> > >
> > >
> > > >
> > > > --Yakov
> > > >
> > > > 2015-07-14 18:00 GMT+03:00 Dmitriy Setrakyan <dsetrakyan@apache.org>:
> > > >
> > > > > Yakov,
> > > > >
> > > > > We cannot start a client inside of an agent simply because agent will be
> > > > > started outside of the cluster where grid is deployed. Agent will be
> > > > > connecting to the grid using HTTP Rest requests.
> > > > >
> > > > > D.
> > > > >
> > > > > On Tue, Jul 14, 2015 at 6:16 AM, Yakov Zhdanov <yzhdanov@apache.org>
> > > > > wrote:
> > > > >
> > > > > > I like the design where agent is a plugin to Ignite. Agent-ControlCenter
> > > > > > can be incorporated into the singleton cluster-wide service deployed by
> > > > > > plugin on start. This approach seems very good and clean to me:
> > > > > > 1. Easy to config - just drop JAR with plugin to classpath
> > > > > > 2. It is native to the cluster - it operates inside.
> > > > > > 3. Failover works out of the box.
> > > > > >
> > > > > > Thanks!
> > > > > >
> > > > > > --Yakov
> > > > > >
> > > > > > 2015-07-02 19:35 GMT+03:00 Dmitriy Setrakyan <dsetrakyan@apache.org>:
> > > > > > > On Thu, Jul 2, 2015 at 8:08 AM, Sergey Evdokimov <sevdokimov@gridgain.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Yes, Web Agent can open connection to Control Center at any time. Web
> > > > > > > > Agent is started up as much as started up cluster, but user looks to
> > > > > > > > Control Center infrequently. Web Agent has to keep connection always
> > > > > > > > opened or we need a way to notify Web Agent about new web-session on
> > > > > > > > Web Control Center.
> > > > > > > >
> > > > > > >
> > > > > > > Sergey, the agent should automatically reconnect whenever a connection is
> > > > > > > lost. For example, it can send a keep-alive ping every 2 seconds back to
> > > > > > > the web control center.
> > > > > > >
> > > > > > > If you are having doubts in the approach, please ping me on Skype so we
> > > > > > > could flush out the details.
> > > > > > >
> > > > > > >
> > > > > > > >
> > > > > > > > On Thu, Jul 2, 2015 at 5:53 PM, Dmitriy Setrakyan <dsetrakyan@apache.org>
> > > > > > > > wrote:
> > > > > > > >
> > > > > > > > > On Thu, Jul 2, 2015 at 7:29 AM, Sergey Evdokimov <sevdokimov@gridgain.com>
> > > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Web Agent can be shipped as Ignite plugin and start inside the
> > > > > > > > > > cluster as service to avoid unnecessary configuration.
> > > > > > > > > >
> > > > > > > > > > How will Web Agent detect that Web Control Center needs data? Web
> > > > > > > > > > Control Center cannot open connection to cluster, because cluster
> > > > > > > > > > may be in local network without static IP. Do you mean that Web
> > > > > > > > > > Agent will keep opened connection to Web Control Center always?
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > However, the Ignite web agent should be able to open a connection to
> > > > > > > > > the web control center, no?
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Thu, Jul 2, 2015 at 5:12 PM, Alexey Kuznetsov <akuznetsov@gridgain.com>
> > > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Igniters,
> > > > > > > > > > >
> > > > > > > > > > > I'm working on Web Control Center and first release is near.
> > > > > > > > > > > In first release we will provide UI for cluster and caches
> > > > > > > > > > > configuration.
> > > > > > > > > > >
> > > > > > > > > > > In next releases we will provide Monitoring, SQL and Schema
> > > > > > > > > > > Import Utility. But those advanced features require access to
> > > > > > > > > > > Ignite cluster (for Monitoring and SQL)
> > > > > > > > > > >  and access to DB server for Schema Import.
> > > > > > > > > > >
> > > > > > > > > > > After some thoughts we decided to create a so-called "web agent"
> > > > > > > > > > > it will be started "near" cluster and DB will connect to it and
> > > > > > > > > > > send all needed info to Web Control Center.
> > > > > > > > > > >
> > > > > > > > > > > Any ideas, thoughts and suggestions are very welcome.
> > > > > > > > > > >
> > > > > > > > > > > Thanks.
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Alexey Kuznetsov
> > > > > > > > > > > GridGain Systems
> > > > > > > > > > > www.gridgain.com
>
>
> --
> Alexey Kuznetsov
> GridGain Systems
> www.gridgain.com
>
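
Added example, not part of the original thread or of the Ignite code base: a sketch of the third approach's forwarding agent, showing how an agent reachable from the outside world can relay control-center requests to the grid over plain HTTP while taking the grid address only from local configuration and relaying only a fixed set of tasks. The JSON message shape, the task and parameter names, the /tasks path and the grid.internal host are all assumptions made for illustration.

```python
import json
from urllib.parse import urlencode, urlsplit

# Hypothetical tasks the agent relays, with the parameters each may carry
# (names assumed, after the "metrics, topology, etc." tasks in the thread).
ALLOWED_TASKS = {"topology": set(), "metrics": {"nodeId"}, "sql": {"cache", "query"}}
GRID_BASE = "http://grid.internal"  # constructed sample value, from local config


class RelayError(ValueError):
    """Raised when a relayed message must not be forwarded to the grid."""


def build_grid_url(raw_message: bytes, grid_base: str = GRID_BASE) -> str:
    """Turn one control-center message into the HTTP URL sent to the grid.

    Nothing in the message can change the host, port or path: those come
    from grid_base, and only known tasks with known parameters are relayed.
    """
    base = urlsplit(grid_base)
    if base.scheme != "http" or not base.hostname:
        raise RelayError("grid_base must be an http:// URL from local config")
    try:
        msg = json.loads(raw_message)
    except ValueError as exc:  # covers malformed JSON and invalid UTF-8
        raise RelayError("message is not valid JSON") from exc
    if not isinstance(msg, dict):
        raise RelayError("message must be a JSON object")
    task = msg.get("task")
    if not isinstance(task, str) or task not in ALLOWED_TASKS:
        raise RelayError(f"task not allowed: {task!r}")
    params = msg.get("params", {})
    if not isinstance(params, dict):
        raise RelayError("params must be a JSON object")
    unexpected = set(params) - ALLOWED_TASKS[task]
    if unexpected:
        raise RelayError(f"unexpected params: {sorted(unexpected)}")
    if not all(isinstance(v, str) for v in params.values()):
        raise RelayError("param values must be strings")
    # urlencode escapes every value, so a parameter cannot add query fields.
    query = urlencode({"task": task, **params})
    return f"{base.scheme}://{base.netloc}/tasks?{query}"
```

The response path is the mirror image: the agent returns the grid's JSON body to the control center unchanged, which keeps the agent close to the "almost no logic of its own" described above.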
