Hi Daryn,

I have just started reading the patch. Hence my apologies if my question has a response somewhere hidden in the patch.

Are you concerned that FSEditLock is taken in GlobalStateIdContext on Server side, and worried that a malicious or stupid client would
cause this lock to be held up for a long time?

How do retriable exceptions help? Wouldn’t the system eventually hold the lock similarly?

I am asking to understand this better so that I get a better sense when I am reading the code.

Thanks
Anu


On 12/6/18, 10:38 AM, "Daryn Sharp" <***@oath.com.INVALID> wrote:

-1 pending additional info. After a cursory scan, I have serious concerns
regarding the design. This seems like a feature that should have been
purely implemented in hdfs w/o touching the common IPC layer.

The biggest issue in the alignment context. It's purpose appears to be for
allowing handlers to reinsert calls back into the call queue. That's
completely unacceptable. A buggy or malicious client can easily cause
livelock in the IPC layer with handlers only looping on calls that never
satisfy the condition. Why is this not implemented via RetriableExceptions?
--

Daryn


B�KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKCB��[��X��ܚX�KK[XZ[���[[ۋY]�][��X��ܚX�PY���\X�K�ܙ�B��܈Y][ۘ[��[X[�

Hi Daryn,

Wanted to backup Chen's earlier response to your concerns about rotating
calls in the call queue.
Our design
1. targets directly the livelock problem by rejecting calls on the Observer
that are not likely to be responded in timely matter: HDFS-13873.
2. The call queue rotation is only done on Observers, and never on the
active NN, so it stays free of attacks like you suggest.

If this is a satisfactory mitigation for the problem could you please
reconsider your -1, so that people could continue voting on this thread.

Thanks,
--Konst

Hi Daryn,

This is an interesting and valid point to consider different implications
for security.

The purpose of the alignment context is to allow clients and servers sync
on their global state, so that when clients switch between ANN/SBN or
between SBNs, the reads are always consistent. One reason of doing this on
RPC layer so that it is decoupled from client logic. Handlers reinserting
the call to the queue is a part of implementing the catch-up logic in
HDFS-13767 that standby waits until it receives all transactions to catch
up with the client's state.

By using RetriableExceptions, I assume you mean letting client retry if
server state is not ready? We did consider similar approach, but that
introduces multiple RPC calls for a single operation, adding overhead to
RPC queue which is already often a bottleneck as we've seen. To this
extend, even with RetriableException, it appears to me a buggy client can
still hurt NameNode although in a different way.

I agree that calls can potentially get stuck in the queue for a long time,
which can cause serious issues. We do have plans to introduce logic, which
makes Obsrever reject client requests if it has fallen too far behind the
client's state, please see HDFS-13873. Then Observer simply rejects the
call, and lets the client retry with other Observers or go straight to ANN.
This would free the Observer from serving this call and thus limit how much
damage a malicious client can do to it. Secondly, reinserting to queue
should by design only happen on Observer nodes, but never on ANN, so the
damage of potentially bad calls would not affect ANN. Meaning even in an
unlikely case that Observers were overloaded because of buggy/malicious
client calls, due to the rejection logic the clients will all end up
talking to ANN, which is still no worse than what we have today.

Thanks,
Chen