kylin-issues mailing list archives

From "Ma Gang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KYLIN-3569) Server with query mode still can submit/build job
Date Wed, 19 Sep 2018 02:30:00 GMT

    [ https://issues.apache.org/jira/browse/KYLIN-3569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16619993#comment-16619993 ]

Ma Gang commented on KYLIN-3569:
--------------------------------

I think that is by design: the query server can accept any RESTful request (including a submit
job request), and the job server is responsible for scheduling jobs.

In a typical Kylin cluster setup, Kylin servers that are behind the LB (nginx, F5, etc.) should
have query server permission, so that they can accept any RESTful request, and the servers that
are configured only as job servers should not be configured in the LB.

For the permission issue, you should configure the ACL properly, to ensure that the BI tools
use a user that only has read permission for your project.

> Server with query mode still can submit/build job
> -------------------------------------------------
>
>                 Key: KYLIN-3569
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3569
>             Project: Kylin
>          Issue Type: Bug
>          Components: Job Engine, REST Service, Security
>    Affects Versions: v2.4.1
>         Environment: CentOS 6.7, HBase 1.2.0+cdh5.14.2+456
>            Reporter: Zongwei Li
>            Priority: Major
>              Labels: build, documentation, security
>         Attachments: kylinCode.png
>
>
> From the Docs at Kylin site, [http://kylin.apache.org/docs24/install/kylin_cluster.html]
>  * *query* : run query engine only; Kylin query engine accepts and answers your SQL queries
> It seems that if a server is set with 'kylin.server.mode=query', it should not be able to
> submit/build jobs. But as we tested, a server in query mode can still submit/build jobs from
> the UI or RESTful API.
> We analyzed the source code and found that there didn't exist any protection logic in the
> service layer to check whether the server is in 'job' or 'build' mode for submit/build job.
> We have already attached the source code to this issue.
> This issue really confused us, because we considered that a query server cannot build jobs,
> per the Kylin Docs and many Kylin books. And the query server will be exposed to 3rd-party BI
> tools to query the data; if we forget to configure a suitable ACL for Cubes, then the 3rd-party
> BI tool can trigger a build job at any time.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
