[opt](http) enable auth token with BE http request #41994
morningman merged 11 commits into apache:master from
Thank you for your contribution to Apache Doris. Since 2024-03-18, the Document has been moved to doris-website.
| } else if (_master_info->curr_auth_token != master_info.auth_token) | ||
| _master_info->__set_last_auth_token(_master_info->curr_auth_token); |
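Review bot: The branch on `_master_info->curr_auth_token != master_info.auth_token` copies the current token into `last_auth_token`, but these lines show neither the assignment of the new value to `curr_auth_token` nor a lock around the pair. If HTTP handler threads read both fields while the heartbeat thread is between the two writes, they can see a half-rotated state, so update both under one mutex and have readers take the same one. It is also worth skipping the rotation when `master_info.auth_token` is empty, so an unset heartbeat field cannot displace a valid token.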
warning: statement should be inside braces [readability-braces-around-statements]
| } else if (_master_info->curr_auth_token != master_info.auth_token) | |
| _master_info->__set_last_auth_token(_master_info->curr_auth_token); | |
| } else if (_master_info->curr_auth_token != master_info.auth_token) { | |
| _master_info->__set_last_auth_token(_master_info->curr_auth_token); | |
| } |
| const char* HttpHeaders::WWW_AUTHENTICATE = "WWW-Authenticate"; | ||
|
|
||
| const std::string HttpHeaders::JsonType = "application/json"; | ||
| const std::string HttpHeaders::AUTH_TOKEN = "Auth-Token"; |
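Review bot: `AUTH_TOKEN` is defined as `std::string` directly below `WWW_AUTHENTICATE`, which is `const char*`, and the diagnostic reported on this line says the `HttpHeaders` class has no such member. Check that the matching `static const std::string AUTH_TOKEN;` declaration is added to the class next to `JsonType`, and add a comment there that this header carries a credential so its value is kept out of request logs.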
warning: no member named 'AUTH_TOKEN' in 'doris::HttpHeaders' [clang-diagnostic-error]
const std::string HttpHeaders::AUTH_TOKEN = "Auth-Token";
^
2f02060 to 00880a0
| uint32_t worker_thread_num, TMasterInfo* local_master_info) { | ||
| HeartbeatServer* heartbeat_server = new HeartbeatServer(local_master_info); | ||
| uint32_t worker_thread_num, ClusterInfo* cluster_info) { | ||
| HeartbeatServer* heartbeat_server = new HeartbeatServer(cluster_info); |
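Review bot: `new HeartbeatServer(cluster_info)` hands over a raw `ClusterInfo*`, and nothing in the changed signature says who owns it or how long it must live. State in the function comment that `cluster_info` must outlive the heartbeat server, or take it by reference so a null pointer cannot be passed.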
warning: use auto when initializing with new to avoid duplicating the type name [modernize-use-auto]
| HeartbeatServer* heartbeat_server = new HeartbeatServer(cluster_info); | |
| auto* heartbeat_server = new HeartbeatServer(cluster_info); |
run buildall
run buildall
run buildall
| // This class is used to save the cluster info | ||
| // like cluster id, epoch, cloud_unique_id, etc. | ||
| // These info are usually in heartbeat from Master FE. | ||
| class ClusterInfo { |
class and struct is same?
| int64_t backend_id = 0; | ||
|
|
||
| // Auth token for internal authentication | ||
| std::string curr_auth_token = ""; |
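Review bot: `curr_auth_token` defaults to `""`, so until the first heartbeat arrives the stored token is an empty string. The HTTP-side check has to treat an empty stored token as "no token" and reject; otherwise a request whose `Auth-Token` header is empty compares equal. The comment should also say how this field relates to the previous token kept for rotation, and the `= ""` initializer is redundant for `std::string`.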
What is the relationship and connection between these "tokens"?
| 11: optional string cloud_unique_id; | ||
| // See configuration item Config.java rehash_tablet_after_be_dead_seconds for meaning | ||
| 12: optional i64 tablet_report_inactive_duration_ms; | ||
| 13: optional string last_auth_token; |
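Review bot: Field 13 `last_auth_token` has no comment, unlike field 12 above it, and the BE-side hunk earlier in this review calls `__set_last_auth_token` on its local copy using its own `curr_auth_token`. Document whether FE is ever expected to populate this field; if BE always derives it locally, keeping it in the heartbeat struct leaves two possible sources for the same value and it is better stored in a BE-only structure.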
seems FE does not set it?
how do we get it tested?
TeamCity be ut coverage result:
run buildall
already described in PR description. But we also need to test it in a multi-node env
|
|
||
| #pragma once | ||
|
|
||
| #include <gen_cpp/Types_types.h> |
warning: 'gen_cpp/Types_types.h' file not found [clang-diagnostic-error]
#include <gen_cpp/Types_types.h>
^
8531881 to 8fe9ba3
run buildall
TeamCity be ut coverage result:
PR approved by anyone and no changes requested.
PR approved by at least one committer and no changes requested.
### What problem does this PR solve?

Related PR: #39577

Problem Summary:

In #39577, we added the auth check for all HTTP API on FE side. But it introduced an issue that when `enable_all_http_auth`, the internal http request will fail due to lack of authentication info. For example, when cloning replica from one BE to another, it uses HTTP API.

This PR mainly changes:

1. Unify the token generation and checking logic

   Move `TokenManager` from `load` package to `Env`, as a global mgr. It is responsible for generating tokens at a fixed interval. And the token will be sent to BE via heartbeat. BE will save the last 2 tokens, and use the latest token in HTTP request.

   All HTTP requests sent by BE will add a header `Auth-Token`, and BE's HTTP server will check if this token in the header is the same as the token from FE heartbeat.

2. Add a new class `ClusterInfo` on BE side to replace `TMasterInfo`.

   `TMasterInfo` is a thrift object used to save master info and pass them from FE to BE via heartbeat. So it should only be a message payload, we should get info from it and save it in another structure: `ClusterInfo`.

Co-authored-by: morningman <yunyou@selectdb.com>
Cherry-picked from #41994 Co-authored-by: Mingyu Chen (Rayner) <morningman@163.com> Co-authored-by: morningman <yunyou@selectdb.com>
What problem does this PR solve?
Related PR: #39577
Problem Summary:
In #39577, we added the auth check for all HTTP API on FE side.
But it introduced an issue that when `enable_all_http_auth`, the internal http request will fail due to lack of authentication info.
For example, when cloning replica from one BE to another, it uses HTTP API.
This PR mainly changes:
1. Unify the token generation and checking logic
   Move `TokenManager` from `load` package to `Env`, as a global mgr. It is responsible for generating tokens at a fixed interval.
   And the token will be sent to BE via heartbeat.
   BE will save the last 2 tokens, and use the latest token in HTTP request.
   All HTTP requests sent by BE will add a header `Auth-Token`, and BE's HTTP server will check if this token in the header is the same as the token from FE heartbeat.
2. Add a new class `ClusterInfo` on BE side to replace `TMasterInfo`.
   `TMasterInfo` is a thrift object used to save master info and pass them from FE to BE via heartbeat.
   So it should only be a message payload, we should get info from it and save it in another structure: `ClusterInfo`.
Check List (For Committer)
Test
I created a cluster with 2 BE, set `enable_all_http_auth=true`. And created a table with 1 replica, and then modified the replica num to 2. The clone task ran successfully.
Behavior changed:
Does this need documentation?
Release note
None
Check List (For Reviewer who merge this PR)
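
The two-token window described in the PR summary, as an added C++ example (not code from this PR or from Doris; `TokenWindow` and its method names are hypothetical). It shows why keeping the previous token lets a peer BE that has not yet received the newest heartbeat still authenticate; rejecting empty values and comparing without an early exit are choices of this example, not behaviour stated on the page.

```cpp
#include <cstddef>
#include <mutex>
#include <string>

// Hypothetical stand-in for the BE-side token state; not Doris' ClusterInfo.
class TokenWindow {
public:
    // Called for every FE heartbeat. Rotates only when the token changed,
    // so repeated heartbeats with the same token keep the previous one valid.
    void on_heartbeat(const std::string& token) {
        std::lock_guard<std::mutex> guard(_mu);
        if (token.empty() || token == _curr) return;
        _last = _curr;
        _curr = token;
    }

    // Value to put in the Auth-Token header of outgoing requests.
    std::string outgoing() const {
        std::lock_guard<std::mutex> guard(_mu);
        return _curr;
    }

    // Server-side check of an incoming Auth-Token header value.
    bool accept(const std::string& presented) const {
        std::lock_guard<std::mutex> guard(_mu);
        if (presented.empty()) return false; // "no heartbeat yet" must not mean "open"
        // Evaluate both comparisons before combining them (no short-circuit).
        bool ok_curr = const_time_eq(presented, _curr);
        bool ok_last = const_time_eq(presented, _last);
        return ok_curr || ok_last;
    }

private:
    // Compares without exiting at the first differing byte.
    static bool const_time_eq(const std::string& a, const std::string& b) {
        if (b.empty()) return false; // an unset stored token never matches
        unsigned char diff = a.size() == b.size() ? 0 : 1;
        for (std::size_t i = 0; i < a.size(); ++i) {
            diff |= static_cast<unsigned char>(a[i] ^ b[i % b.size()]);
        }
        return diff == 0;
    }

    mutable std::mutex _mu;
    std::string _curr;
    std::string _last;
};
```

Both fields change under one lock, so a request validated during a rotation sees either the old pair or the new pair, never a mix.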