IP Filtering in IPFinders


IP Filtering in IPFinders

Atri Sharma-2
CONTENTS DELETED
The author has deleted this message.

Re: IP Filtering in IPFinders

Ilya Kasnacheev
Hello!

What are the expected use cases for this feature? Can you please elaborate?

Thanks,
--
Ilya Kasnacheev


Wed, 21 Apr 2021 at 08:23, Atri Sharma <[hidden email]>:

> Hi All,
>
> I have opened the following JIRA for the said topic:
>
> https://issues.apache.org/jira/browse/IGNITE-14606
>
> The concept is to filter IPs based on a pattern or a blocklist in
> IPFinders while consuming IPs. This is more pertinent for cloud based
> IPFinders since they can have shared containers.
>
> For the moment, I have implemented regex based filtering:
>
> https://issues.apache.org/jira/browse/IGNITE-14607
>
> for Azure Blob Storage IP Finder. Over time, we can extend the same to
> other IP finders.
>
> Please see the PR:
>
> https://github.com/apache/ignite/pull/9024
>
> Regards,
>
> Atri
>
> --
> Regards,
>
> Atri
> Apache Concerted
>

Re: IP Filtering in IPFinders

Atri Sharma-2
CONTENTS DELETED
The author has deleted this message.

Re: IP Filtering in IPFinders

Valentin Kulichenko
CONTENTS DELETED
The author has deleted this message.

Re: IP Filtering in IPFinders

Andrew Mashenkov
In reply to this post by Atri Sharma-2
Hi Atri,

You've added a new property to a base TcpDiscoveryIpFinder interface.
Actually, only the Azure IpFinder uses this setting, but not the others.
This behavior may confuse the users.

Would you mind either making the regexp filter setting a part of Azure IpFinder
only or fixing other IpFinders as well?


On Wed, Apr 21, 2021 at 7:04 PM Atri Sharma <[hidden email]> wrote:

> Hi,
>
> When a container is shared by multiple clusters, then this can be useful
> for filtering IPs.
>
> Also, things like VPC based barriers can be circumvented using this
> technique.
>


--
Best regards,
Andrey V. Mashenkov

Re: IP Filtering in IPFinders

Atri Sharma-2
In reply to this post by Valentin Kulichenko
CONTENTS DELETED
The author has deleted this message.

Re: IP Filtering in IPFinders

Atri Sharma-2
In reply to this post by Andrew Mashenkov
CONTENTS DELETED
The author has deleted this message.

Re: IP Filtering in IPFinders

Atri Sharma-2
In reply to this post by Atri Sharma-2
CONTENTS DELETED
The author has deleted this message.

Re: IP Filtering in IPFinders

Ilya Kasnacheev
In reply to this post by Atri Sharma-2
Hello!

AFAIK, an S3 container, Azure blob container, etc, is a relatively
lightweight entity, similar to a table in an SQL database. Why would
different clusters need to share the same discovery storage container?
When I tested Azure IP finder, it created several blob containers for me on
demand, based on the parameter passed to IP finder. If I wanted to have
more than one cluster it should have been seamless already.

I can theoretically see how address filtering may be useful to remove
public / private addresses or Docker gateway address, but it is usually
handled by setting localHost setting, although requiring tuning it for each
instance individually. Overall benefit seems too small.

This is why I am asking, do you have any specific scenario in mind where
this feature is an enabler? How did you arrive at the conclusion to go
forward with it?

Regards,
--
Ilya Kasnacheev


Thu, 22 Apr 2021 at 07:51, Atri Sharma <[hidden email]>:

> Hi Val,
>
> Consider a scenario where multiple Ignite clusters are running and for
> operational ease (and also compliance, in some cases, e.g. to make
> auditing easier), people can configure cloud based IP finders to share
> the same container (blob container in Azure, S3 container in AWS etc).
>
> In such a case, IPs for all clusters will be in the same container.
> IPFinders of both the clusters will read the entire list. In this
> case, address filtering will help ignore the irrelevant IP addresses.
>
> Thank you for pointing me to the alternate direction. Let me research
> that and revert.
>
> Atri
>
> On Wed, Apr 21, 2021 at 10:46 PM Valentin Kulichenko
> <[hidden email]> wrote:
> >
> > Hi Atri,
> >
> > Can you describe the scenario in a little more detail? What exactly do you
> > mean by a container shared by multiple clusters? What are the consequences
> > of this? How does the proposed solution solve the problem?
> >
> > Also, I would suggest revisiting the design - I'm not sure such filtering
> > should be done on the IP finder level. Why not do this on the SPI level
> > instead? I would simply add something like "addressFilter" to the
> > TcpDiscoverySpi. The filter can be a generic IgnitePredicate, so you will
> > be able to provide any implementations, including regex or anything else.
> >
> > -Val
> >
>
> --
> Regards,
>
> Atri
> Apache Concerted
>
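
The two designs discussed in this thread (a regex filter, and a generic predicate such as the suggested "addressFilter") can be compared on a shared-container address list. The following is an added example, not code from PR 9024 or from Ignite: it uses the JDK's `java.util.function.Predicate` as a stand-in for `IgnitePredicate`, and the class name, helper names, addresses and port are constructed for illustration.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.List;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class AddressFilterExample {
    // Regex filter: the whole textual IP must match the pattern.
    static Predicate<InetSocketAddress> regexFilter(String regex) {
        Pattern p = Pattern.compile(regex);
        return a -> p.matcher(a.getAddress().getHostAddress()).matches();
    }

    // IPv4 CIDR filter: compares the leading prefixLen bits numerically.
    static Predicate<InetSocketAddress> cidrFilter(String network, int prefixLen) throws Exception {
        int net = toInt(InetAddress.getByName(network).getAddress());
        int mask = prefixLen == 0 ? 0 : -1 << (32 - prefixLen);
        return a -> {
            byte[] raw = a.getAddress().getAddress();
            return raw.length == 4 && (toInt(raw) & mask) == (net & mask);
        };
    }

    static int toInt(byte[] b) {
        return ((b[0] & 0xFF) << 24) | ((b[1] & 0xFF) << 16) | ((b[2] & 0xFF) << 8) | (b[3] & 0xFF);
    }

    // Applies a filter to the list an IP finder would hand back (hypothetical helper).
    static List<InetSocketAddress> keep(List<InetSocketAddress> addrs, Predicate<InetSocketAddress> f) {
        return addrs.stream().filter(f).collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: two clusters registered in one shared container.
        List<InetSocketAddress> shared = List.of(
            new InetSocketAddress("10.0.1.5", 47500),   // cluster A
            new InetSocketAddress("10.0.1.6", 47500),   // cluster A
            new InetSocketAddress("10.0.10.7", 47500),  // cluster B
            new InetSocketAddress("10.0.2.9", 47500));  // cluster B

        // Unescaped dots match any character, so this pattern also accepts 10.0.10.7.
        System.out.println("loose regex:  " + keep(shared, regexFilter("10.0.1.*")));
        // Escaped dots and a bounded last octet keep only cluster A.
        System.out.println("strict regex: " + keep(shared, regexFilter("10\\.0\\.1\\.\\d{1,3}")));
        // A CIDR predicate expresses the same intent without string matching.
        System.out.println("cidr /24:     " + keep(shared, cidrFilter("10.0.1.0", 24)));
    }
}
```

With a generic predicate, the CIDR form can be plugged in where a regex would otherwise be required, which avoids accepting another cluster's node through a loosely written pattern.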

Re: IP Filtering in IPFinders

Atri Sharma-2
CONTENTS DELETED
The author has deleted this message.

Re: IP Filtering in IPFinders

Ilya Kasnacheev
Hello!

I'm still not fully convinced, but Val's approach sounds rational to me.

Regards,
--
Ilya Kasnacheev


Thu, 22 Apr 2021 at 12:45, Atri Sharma <[hidden email]>:

> Hello!
>
> I actually saw the shared container scenario being tried by somebody
> who wanted an external script to monitor all IPs being used by his
> clusters and hence thought of this idea. Another thing that came in
> was the Firewall blocking a few IP addresses, hence the idea.
>
> I feel that the footprint of this change is small, and can be useful
> for esoteric use cases too without really interfering in any existing
> code path. Val's suggestion seems the right way to go since it gives
> the functionality without much change.
>
> Thoughts?
>
> --
> Regards,
>
> Atri
> Apache Concerted
>

Re: IP Filtering in IPFinders

Atri Sharma-2
CONTENTS DELETED
The author has deleted this message.

Re: IP Filtering in IPFinders

Valentin Kulichenko
CONTENTS DELETED
The author has deleted this message.

Re: IP Filtering in IPFinders

Atri Sharma-2
CONTENTS DELETED
The author has deleted this message.

Re: IP Filtering in IPFinders

Valentin Kulichenko
CONTENTS DELETED
The author has deleted this message.

Re: IP Filtering in IPFinders

Atri Sharma-2
CONTENTS DELETED
The author has deleted this message.