[opt](http) enable auth token with BE http request #41994
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thank you for your contribution to Apache Doris. Since 2024-03-18, the Document has been moved to doris-website. |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
be/src/agent/heartbeat_server.cpp
Outdated
Comment on lines
282
to
289
| } else if (_master_info->curr_auth_token != master_info.auth_token) | ||
| _master_info->__set_last_auth_token(_master_info->curr_auth_token); |
There was a problem hiding this comment.
warning: statement should be inside braces [readability-braces-around-statements]
Suggested change
| } else if (_master_info->curr_auth_token != master_info.auth_token) | |
| _master_info->__set_last_auth_token(_master_info->curr_auth_token); | |
| } else if (_master_info->curr_auth_token != master_info.auth_token) { | |
| _master_info->__set_last_auth_token(_master_info->curr_auth_token); | |
| } |
| @@ -94,5 +94,6 @@ const char* HttpHeaders::WEBSOCKET_PROTOCOL = "WebSocket-Protocol"; | |||
| const char* HttpHeaders::WWW_AUTHENTICATE = "WWW-Authenticate"; | |||
|
|
|||
| const std::string HttpHeaders::JsonType = "application/json"; | |||
| const std::string HttpHeaders::AUTH_TOKEN = "Auth-Token"; | |||
There was a problem hiding this comment.
warning: no member named 'AUTH_TOKEN' in 'doris::HttpHeaders' [clang-diagnostic-error]
const std::string HttpHeaders::AUTH_TOKEN = "Auth-Token";
^
morningman
force-pushed
the
auth_token
branch
2 times, most recently
from
2f02060 to
00880a0
Compare
| uint32_t worker_thread_num, TMasterInfo* local_master_info) { | ||
| HeartbeatServer* heartbeat_server = new HeartbeatServer(local_master_info); | ||
| uint32_t worker_thread_num, ClusterInfo* cluster_info) { | ||
| HeartbeatServer* heartbeat_server = new HeartbeatServer(cluster_info); |
There was a problem hiding this comment.
warning: use auto when initializing with new to avoid duplicating the type name [modernize-use-auto]
Suggested change
| HeartbeatServer* heartbeat_server = new HeartbeatServer(cluster_info); | |
| auto* heartbeat_server = new HeartbeatServer(cluster_info); |
|
run buildall |
|
run buildall |
|
run buildall |
gavinchou
reviewed
Nov 7, 2024
| // This class is used to save the cluster info | ||
| // like cluster id, epoch, cloud_unique_id, etc. | ||
| // These info are usually in heartbeat from Master FE. | ||
| class ClusterInfo { |
There was a problem hiding this comment.
class and struct is same?
| int64_t backend_id = 0; | ||
|
|
||
| // Auth token for internal authentication | ||
| std::string curr_auth_token = ""; |
There was a problem hiding this comment.
What is the relationship and connection between these "tokens"?
| @@ -43,6 +43,8 @@ struct TMasterInfo { | |||
| 11: optional string cloud_unique_id; | |||
| // See configuration item Config.java rehash_tablet_after_be_dead_seconds for meaning | |||
| 12: optional i64 tablet_report_inactive_duration_ms; | |||
| 13: optional string last_auth_token; | |||
There was a problem hiding this comment.
seems FE does not set it?
|
how do we get it tested? |
|
TeamCity be ut coverage result: |
|
run buildall |
already described in PR description. But we also need test it in a multi node env |
morningman
force-pushed
the
auth_token
branch
from
8531881 to
8fe9ba3
Compare
|
run buildall |
|
TeamCity be ut coverage result: |
hubgeter
approved these changes
Nov 11, 2024
|
PR approved by anyone and no changes requested. |
|
PR approved by at least one committer and no changes requested. |
github-actions
bot
added
the
approved
CalvinKirs
approved these changes
Nov 12, 2024
github-actions bot
pushed a commit
that referenced
this pull request
Nov 12, 2024
### What problem does this PR solve? Related PR: #39577 Problem Summary: In #39577, we added the auth check for all HTTP API on FE side. But it introduced an issue that when `enable_all_http_auth`, the internal http request will fail due to lack of authentication info. For example, when cloning replica from one BE to another, it use HTTP API. This PR mainly changes: 1. Unify the token generation and checking logic Move `TokenManager` from `load` package to `Env`, as a global mgr. It is responsible for generating tokens at fix interval. And the token will be sent to BE via heartbeat. BE will save last 2 tokens, and use the latest token in HTTP request. All HTTP request sent by BE will add a header `Auth-Token`, and BE's HTTP server will check if this token in header is same as token from FE heartbeat. 2. Add a new class `ClusterInfo` on BE side to replace `TMasterInfo`. `TMasterInfo` is a thrift object used to save master info and pass them from FE to BE via heartbeat. So it should only be a message payload, we should get info from it and save it in another structure: `ClusterInfo`. Co-authored-by: morningman <[email protected]>
zzzxl1993
pushed a commit
to zzzxl1993/doris
that referenced
this pull request
Nov 12, 2024
### What problem does this PR solve? Related PR: apache#39577 Problem Summary: In apache#39577, we added the auth check for all HTTP API on FE side. But it introduced an issue that when `enable_all_http_auth`, the internal http request will fail due to lack of authentication info. For example, when cloning replica from one BE to another, it use HTTP API. This PR mainly changes: 1. Unify the token generation and checking logic Move `TokenManager` from `load` package to `Env`, as a global mgr. It is responsible for generating tokens at fix interval. And the token will be sent to BE via heartbeat. BE will save last 2 tokens, and use the latest token in HTTP request. All HTTP request sent by BE will add a header `Auth-Token`, and BE's HTTP server will check if this token in header is same as token from FE heartbeat. 2. Add a new class `ClusterInfo` on BE side to replace `TMasterInfo`. `TMasterInfo` is a thrift object used to save master info and pass them from FE to BE via heartbeat. So it should only be a message payload, we should get info from it and save it in another structure: `ClusterInfo`. Co-authored-by: morningman <[email protected]>
morningman
added a commit
that referenced
this pull request
Nov 12, 2024
Cherry-picked from #41994 Co-authored-by: Mingyu Chen (Rayner) <[email protected]> Co-authored-by: morningman <[email protected]>
py023
pushed a commit
to py023/doris
that referenced
this pull request
Nov 13, 2024
### What problem does this PR solve? Related PR: apache#39577 Problem Summary: In apache#39577, we added the auth check for all HTTP API on FE side. But it introduced an issue that when `enable_all_http_auth`, the internal http request will fail due to lack of authentication info. For example, when cloning replica from one BE to another, it use HTTP API. This PR mainly changes: 1. Unify the token generation and checking logic Move `TokenManager` from `load` package to `Env`, as a global mgr. It is responsible for generating tokens at fix interval. And the token will be sent to BE via heartbeat. BE will save last 2 tokens, and use the latest token in HTTP request. All HTTP request sent by BE will add a header `Auth-Token`, and BE's HTTP server will check if this token in header is same as token from FE heartbeat. 2. Add a new class `ClusterInfo` on BE side to replace `TMasterInfo`. `TMasterInfo` is a thrift object used to save master info and pass them from FE to BE via heartbeat. So it should only be a message payload, we should get info from it and save it in another structure: `ClusterInfo`. Co-authored-by: morningman <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What problem does this PR solve?
Related PR: #39577
Problem Summary:
In #39577, we added the auth check for all HTTP API on FE side.
But it introduced an issue that when
enable_all_http_auth, the internal http requestwill fail due to lack of authentication info.
For example, when cloning replica from one BE to another, it use HTTP API.
This PR mainly changes:
Unify the token generation and checking logic
Move
TokenManagerfromloadpackage toEnv, as a global mgr.It is responsible for generating tokens at fix interval.
And the token will be sent to BE via heartbeat.
BE will save last 2 tokens, and use the latest token in HTTP request.
All HTTP request sent by BE will add a header
Auth-Token,and BE's HTTP server will check if this token in header is same as token
from FE heartbeat.
Add a new class
ClusterInfoon BE side to replaceTMasterInfo.TMasterInfois a thrift object used to save master info and pass themfrom FE to BE via heartbeat.
So it should only be a message payload, we should get info from it and
save it in another structure:
ClusterInfo.Check List (For Committer)
Test
I created a cluster with 2 BE, set
enable_all_http_auth=true. And create a table with 1 replica,and then modify the replica num to 2. The clone task run success.
Behavior changed:
Does this need documentation?
Release note
None
Check List (For Reviewer who merge this PR)