Posted to dev@knox.apache.org by Rick Kellogg <rm...@comcast.net> on 2017/06/14 19:11:12 UTC

Knox Gateway Registration within Zookeeper

Greetings,

What are your thoughts about optional registering of live Knox Gateway
instances in Zookeeper?  Then as a client, I could query Zookeeper to find a
valid host.

No idea of complexity involved but it seems to be a good idea to me.

Thoughts?

Rick


Re: Knox Gateway Registration within Zookeeper

Posted by larry mccay <la...@gmail.com>.
Yeah, Rick - we have always advocated using some sort of loadbalancer in
front of some number of Knox instances.
I think we document one way to use Apache as a loadbalancer across a
cluster of Knox instances; others have used Nginx as well.

I think this is more REST friendly than forcing some specific leader
determining protocol on the clients.

You certainly could also use DNS based loadbalancing and there are a
number of services available for that these days too.

On Wed, Jun 14, 2017 at 3:44 PM, Rick Kellogg <rm...@comcast.net> wrote:

> Larry,
>
> You are absolutely correct.  We should not be able to see the protected
> Zookeeper instance in the first place.
>
> What I am trying to solve is the problem of which Knox Gateway instance is
> available to our external client app.  We hope to have several for load
> balancing and high availability purposes.  Another hardware option is the
> use of a F5 with DNS load balancing against Knox.
>
> Thanks for bringing this up.
> Rick
>
> -----Original Message-----
> From: larry mccay [mailto:lmccay@apache.org]
> Sent: Wednesday, June 14, 2017 3:18 PM
> To: dev@knox.apache.org
> Subject: Re: Knox Gateway Registration within Zookeeper
>
> Hi Rick -
>
> It's an interesting thought.
> My follow up question would be...
>
> How often does the REST client that is having access to services gated by
> Knox have line of sight of ZK?
> My personal expectation is that most clients of Knox do not and ZK should
> actually be hidden from them.
>
> ZK is rather cumbersome to secure and there are lots of sensitive network
> topology and state information in there.
>
> While I do dream of the day that Knox will be able to discover all the
> URLs of the services in a topology from the ZK based register, I don't
> think that I can see the value in having Knox be discoverable through it.
>
> Can you more fully articulate the usecase?
>
> thanks!
>
> --larry

RE: Knox Gateway Registration within Zookeeper

Posted by Rick Kellogg <rm...@comcast.net>.
Larry,

You are absolutely correct.  We should not be able to see the protected Zookeeper instance in the first place.

What I am trying to solve is the problem of which Knox Gateway instance is available to our external client app.  We hope to have several for load balancing and high availability purposes.  Another hardware option is the use of a F5 with DNS load balancing against Knox.

Thanks for bringing this up.
Rick


Re: Knox Gateway Registration within Zookeeper

Posted by larry mccay <lm...@apache.org>.
Hi Rick -

It's an interesting thought.
My follow up question would be...

How often does the REST client that is having access to services gated by
Knox have line of sight of ZK?
My personal expectation is that most clients of Knox do not and ZK should
actually be hidden from them.

ZK is rather cumbersome to secure and there are lots of sensitive network
topology and state information in there.

While I do dream of the day that Knox will be able to discover all the URLs
of the services in a topology from the ZK based register, I don't think
that I can see the value in having Knox be discoverable through it.

Can you more fully articulate the usecase?

thanks!

--larry

