[Feature-11652][2022Q4 RoadMap] DS support remote SSH task. #12736
Conversation
DarkAssassinator
requested review from
kezhenxu94,
zhongjiajie,
Tianqi-Dotes,
EricGao888,
songjianet,
Amy0104,
caishunfeng,
SbloodyS,
zhuangchong and
ruanwenjun
as code owners
DarkAssassinator
force-pushed
the
dev_yann_feature_add_ssh
branch
from
5352b4b
to
748af92
Compare
Codecov Report
@@ Coverage Diff @@
## dev #12736 +/- ##
============================================
- Coverage 39.37% 39.13% -0.25%
- Complexity 4271 4305 +34
============================================
Files 1067 1079 +12
Lines 40118 40661 +543
Branches 4603 4666 +63
============================================
+ Hits 15797 15912 +115
- Misses 22544 22955 +411
- Partials 1777 1794 +17
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @ResponseStatus(HttpStatus.OK) | ||
| @ApiException(VARIFY_TASK_REMOTE_HOST_ERROR) | ||
| @AccessLogAnnotation(ignoreRequestArgs = "loginUser") | ||
| public Result verifyTaskRemoteHost(@Parameter(hidden = true) @RequestAttribute(value = Constants.SESSION_USER) User loginUser, |
Check notice
Code scanning / CodeQL
Useless parameter
| @ResponseStatus(HttpStatus.OK) | ||
| @ApiException(TEST_CONNECT_ERROR) | ||
| @AccessLogAnnotation(ignoreRequestArgs = "loginUser") | ||
| public Result testConnect(@Parameter(hidden = true) @RequestAttribute(value = Constants.SESSION_USER) User loginUser, |
Check notice
Code scanning / CodeQL
Useless parameter
...duler-dao/src/test/java/org/apache/dolphinscheduler/dao/mapper/TaskRemoteHostMapperTest.java
Fixed
Show fixed
Hide fixed
dolphinscheduler-dao/src/main/resources/sql/dolphinscheduler_mysql.sql
Outdated
Show resolved
Hide resolved
| SSHResponse response = execCommand("mkdir -p " + remoteDirPath); | ||
| return response.getExitCode() == 0; | ||
| } | ||
|
|
||
| public void clearPath(String path) { | ||
| if (SINGLE_SLASH.equals(path)) { | ||
| return; | ||
| } | ||
| execCommand("rm -rf " + path); |
There was a problem hiding this comment.
I think it's better to use File.delete to perform operations instead of shell commands.
There was a problem hiding this comment.
I think it's better to use
File.deleteto perform operations instead of shell commands.
Becuase these codes need to clear the path on the remote SSH server, so use the rm -rf command, not File.delete
There was a problem hiding this comment.
Please don't mark it as resolved if it's not addressed. cc @zhongjiajie @caishunfeng
There was a problem hiding this comment.
Please don't mark it as resolved if it's not addressed. cc @zhongjiajie @caishunfeng
Sorry, sure, and i think that File.delete cannot delete the remote dir and files, so i think that this case has resolved. WDYT.
DarkAssassinator
force-pushed
the
dev_yann_feature_add_ssh
branch
from
f1ac7d5
to
bf6fbe0
Compare
| DROP TABLE IF EXISTS `t_ds_task_remote_host`; | ||
| CREATE TABLE `t_ds_task_remote_host` |
There was a problem hiding this comment.
I do not think adding a table for a task type is a good idea, can we ship it to our data source center? I know that we will change its name from datasource center to connection center, which can have various types of connection instead of database only
There was a problem hiding this comment.
Add a Task Remote Host Management page in Security
If we add it to connection center, we can also migrate it into connection center, which may keep our web UI simple and unify
There was a problem hiding this comment.
Add a Task Remote Host Management page in Security
If we add it to
connection center, we can also migrate it intoconnection center, which may keep our web UI simple and unify
yes, but the conclusion we discussed bi-week was to temporarily in Security, after Connection center fine, we will migrate it into Connection center
DarkAssassinator
force-pushed
the
dev_yann_feature_add_ssh
branch
2 times, most recently
from
dc8084b
to
fb3ae31
Compare
...r-api/src/main/java/org/apache/dolphinscheduler/api/controller/TaskRemoteHostController.java
Outdated
Show resolved
Hide resolved
...r-api/src/main/java/org/apache/dolphinscheduler/api/controller/TaskRemoteHostController.java
Outdated
Show resolved
Hide resolved
...r-api/src/main/java/org/apache/dolphinscheduler/api/controller/TaskRemoteHostController.java
Outdated
Show resolved
Hide resolved
...pi/src/main/java/org/apache/dolphinscheduler/api/service/impl/TaskRemoteHostServiceImpl.java
Outdated
Show resolved
Hide resolved
dolphinscheduler-dao/src/main/resources/sql/dolphinscheduler_h2.sql
Outdated
Show resolved
Hide resolved
| // because JSch .chmod is not stable, so use the 'chmod -R' instead | ||
| logger.info("update remote path's permission:{} on session:{} to 755", taskRequest.getExecutePath(), | ||
| sessionHost.toString()); | ||
| String chmodCommand = "chmod -R 755 " + taskRequest.getExecutePath(); |
There was a problem hiding this comment.
Why it should chmod 755? I'm not sure whether it will cause some CVE? cc @ruanwenjun
There was a problem hiding this comment.
Why it should chmod 755? I'm not sure whether it will cause some CVE? cc @ruanwenjun
because remote server should keep same as DS worker, and just chmod the execute path, if there are any worry, we can change to 600. WDYT
There was a problem hiding this comment.
Why it should chmod 755? I'm not sure whether it will cause some CVE? cc @ruanwenjun
because remote server should keep same as DS worker, and just chmod the execute path, if there are any worry, we can change to 600. WDYT
If chmod 600 can work, I think it is better.
There was a problem hiding this comment.
Why it should chmod 755? I'm not sure whether it will cause some CVE? cc @ruanwenjun
because remote server should keep same as DS worker, and just chmod the execute path, if there are any worry, we can change to 600. WDYT
If chmod 600 can work, I think it is better.
ohh sorry, my mistake, not 600, chmod 700 should be ok
...i/src/main/java/org/apache/dolphinscheduler/plugin/task/api/ssh/PooledSSHSessionFactory.java
Outdated
Show resolved
Hide resolved
@DarkAssassinator please check the sonar result and fix it. |
DarkAssassinator
force-pushed
the
dev_yann_feature_add_ssh
branch
from
b1bb091
to
b2af72b
Compare
Sure, but these 4 Security Hotspots are not really issue, just password word |
… BashTaskExecutionContext
DarkAssassinator
force-pushed
the
dev_yann_feature_add_ssh
branch
from
71b8b00
to
f03f8a1
Compare
|
Hi @SbloodyS @caishunfeng, please PTAL again, thx |
There was a problem hiding this comment.
I have one question that in #12552, DS supports to define file parameter. It seems like you don't consider this scenario, output files might be created under remote host's execution directory, however, you only fetch stdout and neglect output files.
this is a new add scenario, i will check it. and please help to review other codes. |
|
SonarCloud Quality Gate failed. |
|
This pull request has been automatically marked as stale because it has not had recent activity for 120 days. It will be closed in 7 days if no further activity occurs. |
|
This pull request has been automatically marked as stale because it has not had recent activity for 120 days. It will be closed in 7 days if no further activity occurs. |
|
This pull request has been closed because it has not had recent activity. You could reopen it if you try to continue your work, and anyone who are interested in it are encouraged to continue work on this pull request. |
Purpose of the pull request
Brief change log
1. Add a Task Remote Host Management
t_ds_task_remote_hostin DBTask Remote Host Managementpage inSecurity2. Add a column named
remoteHostCodeinTaskInstance,TaskDefinitionandTaskDefinitionLogentities.3. Add SSH code for shell task.
ACPto controll SSH Session. And the pooled object just is session not channel. If DS need channel control in the future, i will add channel pooled object.Limitations
Verify this pull request
This pull request is already covered by existing tests