CDAP / CDAP-15113

Remote runtime cannot use secure store

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.0.0
    • Component/s: None
    • Labels: None

      Description

      This happens because the remote runtime has no network connectivity back to the CDAP master services. To work around this issue, we can use the same SSH session that the CDAP master uses for monitoring to perform remote port forwarding.

      Design

      The CDAP master already has an active SSH session for polling data from the remote runtime, with a dynamic SOCKS proxy and local port forwarding (see CDAP-13566). The same SSH session can be used to set up remote port forwarding, allowing traffic initiated from the remote runtime to reach CDAP master services. A SOCKS proxy server will run inside the CDAP master cluster, and HTTP(S) requests from the remote runtime will be proxied through that SOCKS proxy via the SSH remote port forwarding channel.

      Discovery Based SOCKS Proxy

      The SOCKS proxy will receive URIs whose hostname is the CDAP service name (e.g. secure.store.service). The SOCKS proxy will use the discovery service to resolve the CDAP service name into an actual endpoint, connect to it, and forward all traffic to that endpoint.
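The request step of such a proxy, as an added example that is not CDAP's own code: it parses a SOCKS5 CONNECT request (RFC 1928), accepts only domain-name destinations, and resolves the name through a discovery lookup, refusing anything that is not a registered service. Assumptions: the `DISCOVERY` table and its endpoint are constructed stand-ins for the discovery service, rejecting raw IP destinations is a choice made for this example, and the SOCKS5 method negotiation that precedes the request is omitted.

```python
import struct

# Constructed stand-in for the CDAP discovery service: service name -> (host, port).
# The endpoint values are invented for the example.
DISCOVERY = {"secure.store.service": ("10.0.0.12", 43117)}

REP_OK, REP_HOST_UNREACHABLE, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x04, 0x07, 0x08
CMD_CONNECT, ATYP_DOMAIN = 0x01, 0x03


def parse_connect(request: bytes):
    """Parse a SOCKS5 request (RFC 1928) and return (rep_code, service_name)."""
    if len(request) < 5 or request[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    _, cmd, _, atyp, name_len = request[:5]
    if cmd != CMD_CONNECT:
        return REP_CMD_UNSUPPORTED, None
    # Only domain-name addressing is accepted: raw IPv4/IPv6 targets would let a
    # client bypass discovery and address hosts in the master network directly.
    if atyp != ATYP_DOMAIN:
        return REP_ATYP_UNSUPPORTED, None
    if len(request) != 5 + name_len + 2:
        raise ValueError("truncated or oversized request")
    name = request[5:5 + name_len].decode("ascii")
    return REP_OK, name


def resolve(request: bytes, discovery=DISCOVERY):
    """Return (reply_bytes, endpoint); endpoint is None when the request is refused."""
    rep, name = parse_connect(request)
    endpoint = discovery.get(name) if rep == REP_OK else None
    if rep == REP_OK and endpoint is None:
        rep = REP_HOST_UNREACHABLE  # name is not a discoverable CDAP service
    # Reply: VER, REP, RSV, ATYP=IPv4, BND.ADDR=0.0.0.0, BND.PORT=0
    reply = struct.pack("!BBBB4sH", 0x05, rep, 0x00, 0x01, bytes(4), 0)
    return reply, endpoint


def build_request(host: str, port: int) -> bytes:
    """Client-side helper: SOCKS5 CONNECT with a domain-name destination."""
    raw = host.encode("ascii")
    return struct.pack("!BBBBB", 0x05, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(raw)) + raw + struct.pack("!H", port)
```

Because the proxy is reachable from every node in the remote cluster, resolving only discoverable service names keeps the tunnel from becoming a general path into the master network.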

      Remote Port Forwarding

      Remote port forwarding will be used so that traffic from the remote runtime host (i.e. the host where the driver process runs, which currently is the remote cluster master node) is tunneled back to a specific port on the CDAP master host, on which the Discovery Based SOCKS Proxy is listening. All other nodes in the remote cluster, such as MR worker nodes or Spark executor nodes, will use the remote runtime host as their SOCKS proxy setting, so all of their traffic is relayed back to the CDAP master via the port forwarding tunnel.

              People

              • Assignee: Terence Yim
              • Reporter: Terence Yim