scql icon indicating copy to clipboard operation
scql copied to clipboard

Published 20 hours ago verified publisher icon secretflow

在kuscia中运行时候如何配置安全退让配置

Open popai9527 opened this issue 7 months ago • 6 comments

Issue Type

Others

Have you searched for existing issues?

Yes

Link to Relevant Documentation

No response

Question Details

在appimage中配置了对应安全退让配置,但是在查询的时候还是提示低于4条会被过滤

popai9527 avatar May 07 '25 12:05 popai9527

P2P 模式下

popai9527 avatar May 07 '25 12:05 popai9527

你指的是在kuscia 部署scql https://www.secretflow.org.cn/zh-CN/docs/kuscia/v0.14.0b0/tutorial/run_scql_on_kuscia_cn 执行查询操作时执行Group BY 低于4条会被过滤的问题吗?

可以更清晰的描述下你要做的事情,现在出现了什么错误?组件版本?

wangzul avatar May 08 '25 02:05 wangzul

你指的是在kuscia 部署scql https://www.secretflow.org.cn/zh-CN/docs/kuscia/v0.14.0b0/tutorial/run_scql_on_kuscia_cn 执行查询操作时执行Group BY 低于4条会被过滤的问题吗?

可以更清晰的描述下你要做的事情,现在出现了什么错误?组件版本?

在kuscia中部署了scql,使用的p2p模式,scql 版 0.9.3b1,配置security_compromise:reveal_group_mark 值是 true,group_by_threshold 值是1 但是并没有关闭group 分组低于4条被过滤的这个配置,下面是appiamges的配置 apiVersion: kuscia.secretflow/v1alpha1 kind: AppImage metadata: name: scql spec: configTemplates: brokerConf: |- intra_server: protocol: http host: 0.0.0.0 port: {{.KUSCIA_PORT_INTRA_NUMBER}} inter_server: port: {{.KUSCIA_PORT_INTER_NUMBER}} protocol: http cert_file: "{{.SERVER_CERT_FILE}}" key_file: "{{.SERVER_PRIVATE_KEY_FILE}}" inter_timeout: 30s party_code: {{.KUSCIA_DOMAIN_ID}} private_key_data: {{.KUSCIA_DOMAIN_KEY_DATA}} intra_host: "scql-broker-intra.{{.KUSCIA_DOMAIN_ID}}.svc:{{.KUSCIA_PORT_INTRA_NUMBER}}" discovery: type: kuscia kuscia: endpoint: kusciaapi:8083 tls_mode: {{.KUSCIA_API_PROTOCOL}} cert: {{.CLIENT_CERT_FILE}} key: {{.CLIENT_PRIVATE_KEY_FILE}} cacert: {{.TRUSTED_CA_FILE}} token: {{.KUSCIA_API_TOKEN}} engine: timeout: 120s protocol: http content_type: application/json scheduler: kuscia kuscia_scheduler: endpoint: kusciaapi:8083 tls_mode: {{.KUSCIA_API_PROTOCOL}} cert: {{.CLIENT_CERT_FILE}} key: {{.CLIENT_PRIVATE_KEY_FILE}} cacert: {{.TRUSTED_CA_FILE}} token: {{.KUSCIA_API_TOKEN}} keep_job_alive_for_debug: false security_compromise: reveal_group_mark: false group_by_threshold: 1 storage: type: sqlite conn_str: "/home/kuscia/var/storage/data/broker.db" max_idle_conns: 10 max_open_conns: 100 conn_max_idle_time: 2m conn_max_lifetime: 5m engineConf: |- --listen_port={{.KUSCIA_PORT_ENGINEPORT_NUMBER}} --enable_separate_link_port=true --link_port={{.KUSCIA_PORT_LINKPORT_NUMBER}} --enable_driver_authorization=false --datasource_router=embed #--embed_router_conf=xxx # NOTE: set --datasource_router to kusciadatamesh if use kuscia datamesh --datasource_router=kusciadatamesh --kuscia_datamesh_endpoint=datamesh:8071 --kuscia_datamesh_client_cert_path={{.CLIENT_CERT_FILE}} --kuscia_datamesh_client_key_path={{.CLIENT_PRIVATE_KEY_FILE}} --kuscia_datamesh_cacert_path={{.TRUSTED_CA_FILE}} --security_compromise.group_by_threshold=1 # party authentication flags --enable_self_auth=false --enable_peer_auth=false --enable_restricted_read_path=false # https flags --server_enable_ssl=false --server_ssl_certificate=/home/admin/engine/conf/cert.pem --server_ssl_private_key=/home/admin/engine/conf/key.pem # set peer_engine_enable_ssl_as_client to true when peer SCQLEngine has https enabled --peer_engine_enable_ssl_as_client=false # set false when SCQLBroker IntraServer not enable https --driver_enable_ssl_as_client=false --peer_engine_protocol=http:proto --peer_engine_connection_type=pooled --peer_engine_load_balancer=rr deployTemplates: - name: broker role: broker replicas: 1 spec: affinity: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - topologyKey: kubernetes.io/hostname containers: - command: - /home/admin/bin/broker - -config=./configs/config.yml configVolumeMounts: - mountPath: /work/configs/config.yml subPath: brokerConf name: broker ports: - name: intra port: 8080 protocol: HTTP scope: Domain - name: inter port: 8081 protocol: HTTP scope: Cluster readinessProbe: httpGet: path: /health port: intra workingDir: /work restartPolicy: Always - name: engine role: engine replicas: 1 spec: containers: - command: - /home/admin/bin/scqlengine - --flagfile=./conf/gflags.conf configVolumeMounts: - mountPath: /work/conf/gflags.conf subPath: engineConf name: engine resources: requests: cpu: 16 memory: 32Gi ports: - name: engineport port: 8003 protocol: HTTP scope: Domain - name: linkport port: 8004 protocol: HTTP scope: Cluster workingDir: /work restartPolicy: Never image: name: "secretflow-registry.cn-hangzhou.cr.aliyuncs.com/secretflow/scql" tag: "0.9.3b1"

popai9527 avatar May 08 '25 02:05 popai9527

修改appimage后是否有重新启动broker使其生效?

  1. 方法一 重启kuscia即可

  2. 方法二 删除KusciaDeployment后重新配置 Image kubectl delete KusciaDeployment xxx kubectl apply -f scql-image.yaml

注意:kubectl describe appimage xxx 检查下配置是否生效

看到你的配置文件中engine也配置了--security_compromise.group_by_threshold=1 engine是没有这个配置项的。 https://www.secretflow.org.cn/zh-CN/docs/scql/0.9.3b1/reference/p2p-deploy-config#configuration-options-of-scqlbroker

wangzul avatar May 08 '25 03:05 wangzul

@popai9527 这个问题解决了吗?

wangzul avatar May 09 '25 06:05 wangzul

@popai9527 这个问题解决了吗?

没有生效,还在排查原因

popai9527 avatar May 10 '25 06:05 popai9527

Stale issue message. Please comment to remove stale tag. Otherwise this issue will be closed soon.

github-actions[bot] avatar Jun 09 '25 09:06 github-actions[bot]