You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@kylin.apache.org by "Ma Gang (JIRA)" <ji...@apache.org> on 2018/09/19 02:30:00 UTC

[jira] [Commented] (KYLIN-3569) Server with query mode still can submit/build job

    [ https://issues.apache.org/jira/browse/KYLIN-3569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16619993#comment-16619993 ] 

Ma Gang commented on KYLIN-3569:
--------------------------------

I think that is by design, query server can accept any restful request(including submit job request), and job server is responsible to schedule jobs.

In a typical Kylin cluster setup, Kylin servers that behind LB(nginx, F5, etc) should have query server permission, so that it can accept any restful request, and the servers that are configured only as job server should not be configured in LB.

For the permission issue, you should configure the ACL properly, to ensure that the BI tools use the user that only have read permission for your project.

> Server with query mode still can submit/build job
> -------------------------------------------------
>
>                 Key: KYLIN-3569
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3569
>             Project: Kylin
>          Issue Type: Bug
>          Components: Job Engine, REST Service, Security
>    Affects Versions: v2.4.1
>         Environment: CentOS 6.7, HBase 1.2.0+cdh5.14.2+456
>            Reporter: Zongwei Li
>            Priority: Major
>              Labels: build, documentation, security
>         Attachments: kylinCode.png
>
>
> From the Docs at Kylin site, [http://kylin.apache.org/docs24/install/kylin_cluster.html]
>  * *query* : run query engine only; Kylin query engine accepts and answers your SQL queries
> It seems that if server set with 'kylin.server.mode=query', it should not can support submit/build job. But as we tested, server with query mode still can submit/build job from UI or RESTFul API. 
> We analyzed the source code, found that there didn't exist any protect logic to check whether server is at 'job' or 'build' mode in service layer for submit/build job. Already attach the source code in this issue.
> This issue really confused us, because we considered query server cannot build job in Kylin Docs and many Kylin books. And query server will exposed to 3rd BI tool to query the data, if we forget to configure the suitable ACL for Cubes, then the 3rd BI tool can trigger build job in any time.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)