CDAP-15113

Remote runtime cannot use secure store


    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.0.0
    • Component/s: None


      This is because the remote runtime doesn't have network connectivity back to CDAP master services. To work around this issue, we can use the same SSH session that CDAP master uses for monitoring to perform remote port forwarding.


      The CDAP master already has an active SSH session for polling data from the remote runtime, with a dynamic SOCKS proxy and local port forwarding (see CDAP-13566). The same SSH session can be used to set up remote port forwarding, allowing traffic initiated from the remote runtime to reach CDAP master services. A SOCKS proxy server will run inside the CDAP master cluster, and HTTP(S) requests from the remote runtime will be proxied through that SOCKS proxy, via the SSH remote port forwarding channel.

      Discovery Based SOCKS Proxy

      The SOCKS proxy will receive URIs with the hostname set to the CDAP service name (e.g. secure.store.service). The SOCKS proxy will use the discovery service to resolve the CDAP service name into an actual endpoint, connect to it, and forward all the traffic to it.

      Remote Port Forwarding

      Remote port forwarding will be used to allow traffic from the remote runtime host (i.e. the host where the driver process runs, which currently is the remote cluster master node) to be tunneled back to a specific port on the CDAP master host, on which the Discovery Based SOCKS Proxy is listening. All other nodes in the remote cluster, such as MR worker nodes or Spark executor nodes, will use the remote runtime host as their SOCKS proxy setting, so that all their traffic is relayed back to the CDAP master via the port forwarding tunnel.
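
      The request handling described under Discovery Based SOCKS Proxy, sketched as an added example (not CDAP's own code): a SOCKS5 CONNECT carrying a service name is resolved through a discovery table before any connection is made. The table contents, the function names, and the choice to refuse raw IP targets and undiscovered names are assumptions; the SOCKS5 method-negotiation step is omitted.

```python
import struct

# Constructed discovery table standing in for the discovery service (assumption).
DISCOVERY = {"secure.store.service": ("10.0.0.12", 11015)}

SOCKS_VERSION, CMD_CONNECT, ATYP_DOMAIN = 5, 1, 3
REP_SUCCEEDED = 0            # RFC 1928 reply codes
REP_NOT_ALLOWED = 2          # connection not allowed by ruleset
REP_CMD_NOT_SUPPORTED = 7
REP_ATYP_NOT_SUPPORTED = 8


def build_connect_request(service_name, port=80):
    """Client side: SOCKS5 CONNECT with the service name as a domain address."""
    name = service_name.encode("ascii")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)


def reply(code):
    """VER, REP, RSV, ATYP=IPv4, then a zeroed BND.ADDR and BND.PORT."""
    return bytes([SOCKS_VERSION, code, 0, 1]) + bytes(6)


def handle_connect(request, discovery=DISCOVERY):
    """Proxy side: return (reply_bytes, endpoint), endpoint is None on refusal."""
    if len(request) < 5 or request[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if request[1] != CMD_CONNECT:
        return reply(REP_CMD_NOT_SUPPORTED), None
    if request[3] != ATYP_DOMAIN:
        # Raw IPv4/IPv6 targets bypass discovery, so they are refused here.
        return reply(REP_ATYP_NOT_SUPPORTED), None
    name_len = request[4]
    if len(request) != 5 + name_len + 2:
        raise ValueError("truncated or oversized request")
    name = request[5:5 + name_len].decode("ascii", errors="replace")
    # The client-supplied port is ignored: discovery decides the endpoint.
    endpoint = discovery.get(name)
    if endpoint is None:
        # Not a discovered service: the tunnel must not act as an open proxy.
        return reply(REP_NOT_ALLOWED), None
    return reply(REP_SUCCEEDED), endpoint


if __name__ == "__main__":
    for target in ("secure.store.service", "example.invalid"):
        rep, endpoint = handle_connect(build_connect_request(target))
        print(target, "-> reply code", rep[1], "endpoint", endpoint)
```

      Because the remote cluster's nodes all share this proxy path, limiting targets to discovered service names keeps the forwarded port from reaching arbitrary hosts on the CDAP master's network.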


              • Assignee:
                terence Terence Yim