From: zhz@apache.org To: common-commits@hadoop.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: hadoop git commit: HADOOP-12765. HttpServer2 should switch to using the non-blocking SslSelectChannelConnector to prevent performance degradation when handling SSL connections. Contributed by Min Shen. Branch-2 patch contributed by Wei-Chiu Chuang. Date: Tue, 23 Aug 2016 21:46:24 +0000 (UTC) archived-at: Tue, 23 Aug 2016 21:46:26 -0000 Repository: hadoop Updated Branches: refs/heads/branch-2 5fa241daa -> dfcbc1202 HADOOP-12765. HttpServer2 should switch to using the non-blocking SslSelectChannelConnector to prevent performance degradation when handling SSL connections. Contributed by Min Shen. Branch-2 patch contributed by Wei-Chiu Chuang. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/dfcbc120 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/dfcbc120 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/dfcbc120 Branch: refs/heads/branch-2 Commit: dfcbc12026b591745a7d7279f2b840152cb53a91 Parents: 5fa241d Author: Zhe Zhang Authored: Tue Aug 23 14:46:08 2016 -0700 Committer: Zhe Zhang Committed: Tue Aug 23 14:46:08 2016 -0700 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/pom.xml | 5 ++ .../org/apache/hadoop/http/HttpServer2.java | 76 +++++++++++--------- .../ssl/SslSelectChannelConnectorSecure.java | 58 +++++++++++++++ .../security/ssl/SslSocketConnectorSecure.java | 58 --------------- .../hadoop/crypto/key/kms/server/MiniKMS.java | 9 +-- .../org/apache/hadoop/test/TestJettyHelper.java | 6 +- hadoop-project/pom.xml | 5 ++ 7 files changed, 118 insertions(+), 99 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-common-project/hadoop-common/pom.xml ---------------------------------------------------------------------- 
diff --git a/hadoop-common-project/hadoop-common/pom.xml b/hadoop-common-project/hadoop-common/pom.xml index 09f630c..b35a40e 100644 --- a/hadoop-common-project/hadoop-common/pom.xml +++ b/hadoop-common-project/hadoop-common/pom.xml @@ -106,6 +106,11 @@ + org.mortbay.jetty + jetty-sslengine + compile + + javax.servlet.jsp jsp-api runtime http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java index c179bd0..62fb4b6 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java @@ -56,7 +56,7 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.security.AuthenticationFilterInitializer; import org.apache.hadoop.security.authentication.util.SignerSecretProvider; -import org.apache.hadoop.security.ssl.SslSocketConnectorSecure; +import org.apache.hadoop.security.ssl.SslSelectChannelConnectorSecure; import org.apache.hadoop.jmx.JMXJsonServlet; import org.apache.hadoop.log.LogLevel; import org.apache.hadoop.metrics.MetricsServlet; 
@@ -78,7 +78,7 @@ import org.mortbay.jetty.handler.ContextHandlerCollection; import org.mortbay.jetty.handler.HandlerCollection; import org.mortbay.jetty.handler.RequestLogHandler; import org.mortbay.jetty.nio.SelectChannelConnector; -import org.mortbay.jetty.security.SslSocketConnector; +import org.mortbay.jetty.security.SslSelectChannelConnector; import org.mortbay.jetty.servlet.AbstractSessionManager; import org.mortbay.jetty.servlet.Context; import org.mortbay.jetty.servlet.DefaultServlet; @@ -333,29 +333,7 @@ public final class HttpServer2 implements FilterContainer { if ("http".equals(scheme)) { listener = HttpServer2.createDefaultChannelConnector(); } else if ("https".equals(scheme)) { - SslSocketConnector c = new SslSocketConnectorSecure(); - c.setHeaderBufferSize(1024*64); - c.setNeedClientAuth(needsClientAuth); - c.setKeyPassword(keyPassword); - - if (keyStore != null) { - c.setKeystore(keyStore); - c.setKeystoreType(keyStoreType); - c.setPassword(keyStorePassword); - } - - if (trustStore != null) { - c.setTruststore(trustStore); - c.setTruststoreType(trustStoreType); - c.setTrustPassword(trustStorePassword); - } - - if(null != excludeCiphers && !excludeCiphers.isEmpty()) { - c.setExcludeCipherSuites(excludeCiphers.split(",")); - LOG.info("Excluded Cipher List:" + excludeCiphers); - } - - listener = c; + listener = createHttpsChannelConnector(); } else { throw new HadoopIllegalArgumentException( 
@@ -368,6 +346,32 @@ public final class HttpServer2 implements FilterContainer { server.loadListeners(); return server; } + + private Connector createHttpsChannelConnector() { + SslSelectChannelConnector c = new SslSelectChannelConnectorSecure(); + configureChannelConnector(c); + + c.setNeedClientAuth(needsClientAuth); + c.setKeyPassword(keyPassword); + + if (keyStore != null) { + c.setKeystore(keyStore); + c.setKeystoreType(keyStoreType); + c.setPassword(keyStorePassword); + } + + if (trustStore != null) { + c.setTruststore(trustStore); + c.setTruststoreType(trustStoreType); + c.setTrustPassword(trustStorePassword); + } + + if(null != excludeCiphers && !excludeCiphers.isEmpty()) { + c.setExcludeCipherSuites(excludeCiphers.split(",")); + LOG.info("Excluded Cipher List:" + excludeCiphers); + } + return c; + } } private HttpServer2(final Builder b) throws IOException { 
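Review bot: `excludeCiphers.split(",")` in createHttpsChannelConnector hands Jetty the raw comma-separated entries, so a value written as `A, B` produces ` B`, which matches no cipher-suite name and silently leaves that suite enabled; a trailing comma likewise yields an empty entry. Normalising the list is a one-line change: `c.setExcludeCipherSuites(excludeCiphers.trim().split("\\s*,\\s*"));`. This was carried over from the removed inline code rather than introduced here, but the new helper is now the only place the exclusion lives, so it is the place to fix it. The method also has no Javadoc; a summary such as `/** Builds the HTTPS listener: shared SelectChannelConnector settings, then key/trust material and the configured cipher-suite exclusions. */` would document what configureChannelConnector contributes versus what is TLS-specific.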
@@ -541,21 +545,25 @@ public final class HttpServer2 implements FilterContainer { } } - @InterfaceAudience.Private - public static Connector createDefaultChannelConnector() { - SelectChannelConnector ret = new SelectChannelConnectorWithSafeStartup(); - ret.setLowResourceMaxIdleTime(10000); - ret.setAcceptQueueSize(128); - ret.setResolveNames(false); - ret.setUseDirectBuffers(false); + private static void configureChannelConnector(SelectChannelConnector c) { + c.setLowResourceMaxIdleTime(10000); + c.setAcceptQueueSize(128); + c.setResolveNames(false); + c.setUseDirectBuffers(false); if(Shell.WINDOWS) { // result of setting the SO_REUSEADDR flag is different on Windows // http://msdn.microsoft.com/en-us/library/ms740621(v=vs.85).aspx // without this 2 NN's can start on the same machine and listen on // the same port with indeterminate routing of incoming requests to them - ret.setReuseAddress(false); + c.setReuseAddress(false); } - ret.setHeaderBufferSize(1024*64); + c.setHeaderBufferSize(1024*64); + } + + @InterfaceAudience.Private + public static Connector createDefaultChannelConnector() { + SelectChannelConnector ret = new SelectChannelConnectorWithSafeStartup(); + configureChannelConnector(ret); return ret; } http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSelectChannelConnectorSecure.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSelectChannelConnectorSecure.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSelectChannelConnectorSecure.java new file mode 100644 index 0000000..7de689b --- /dev/null +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSelectChannelConnectorSecure.java 
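Review bot: configureChannelConnector has no Javadoc, and because it is now also applied to the HTTPS listener (from createHttpsChannelConnector, outside this hunk) the settings it carries — `setLowResourceMaxIdleTime(10000)`, `setAcceptQueueSize(128)`, `setResolveNames(false)`, `setUseDirectBuffers(false)` and the Windows `setReuseAddress(false)` — reach the TLS connector for the first time, since the removed SslSocketConnector path in the earlier hunk set none of them; that is worth stating where the next maintainer will look. Suggested comment above the method: `/** Applies the listener settings shared by the HTTP and HTTPS connectors: low-resource idle timeout, accept queue, no reverse DNS, heap buffers, 64 KiB header buffer, and SO_REUSEADDR off on Windows. */`. The `@InterfaceAudience.Private` annotation moved with createDefaultChannelConnector and the new helper is private static, so the public surface is unchanged.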
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.security.ssl;
+
+import java.io.IOException;
+import java.util.ArrayList;
+
+import javax.net.ssl.SSLEngine;
+
+import org.apache.hadoop.classification.InterfaceAudience;
+import org.mortbay.jetty.security.SslSelectChannelConnector;
+
+/**
+ * This subclass of the Jetty SslSelectChannelConnector exists solely to
+ * control the TLS protocol versions allowed. This is fallout from the
+ * POODLE vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled.
+ * Only TLS 1.0 and later protocols are allowed.
+ */
+@InterfaceAudience.Private
+public class SslSelectChannelConnectorSecure extends SslSelectChannelConnector {
+
+ public SslSelectChannelConnectorSecure() {
+ super();
+ }
+
+ /**
+ * Disable SSLv3 protocol.
+ */
+ @Override
+ protected SSLEngine createSSLEngine() throws IOException {
+ SSLEngine engine = super.createSSLEngine();
+ ArrayList nonSSLProtocols = new ArrayList();
+ for (String p : engine.getEnabledProtocols()) {
+ if (!p.contains("SSLv3")) {
+ nonSSLProtocols.add(p);
+ }
+ }
+ engine.setEnabledProtocols(nonSSLProtocols.toArray(
+ new String[nonSSLProtocols.size()]));
+ return engine;
+ }
+}
http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java
----------------------------------------------------------------------
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java
deleted file mode 100644
index 52ab7ad..0000000
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java
+++ /dev/null
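Review bot: The class Javadoc promises that only TLS 1.0 and later are allowed, but createSSLEngine keeps every protocol whose name does not contain `SSLv3`, so anything else the JRE enables by default on the server side survives (for example `SSLv2Hello`, if that JRE lists it), and the deny-list cannot later raise the floor above TLSv1 without another code change. An allow-list matches the documented contract and is a one-token change: `if (p.startsWith("TLS")) {` in place of the `contains` test. The raw type should also go — `List<String> nonSSLProtocols = new ArrayList<String>();` (no diamond assumed, given the Jetty 6-era target). A debug-level log of the resulting `engine.getEnabledProtocols()` would let operators confirm the effective protocol set without a scanner.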
@@ -1,58 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.hadoop.security.ssl;
-
-import org.mortbay.jetty.security.SslSocketConnector;
-
-import javax.net.ssl.SSLServerSocket;
-import java.io.IOException;
-import java.net.ServerSocket;
-import java.util.ArrayList;
-
-/**
- * This subclass of the Jetty SslSocketConnector exists solely to control
- * the TLS protocol versions allowed. This is fallout from the POODLE
- * vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled.
- * Only TLS 1.0 and later protocols are allowed.
- */
-public class SslSocketConnectorSecure extends SslSocketConnector {
-
- public SslSocketConnectorSecure() {
- super();
- }
-
- /**
- * Create a new ServerSocket that will not accept SSLv3 connections,
- * but will accept TLSv1.x connections.
- */ - protected ServerSocket newServerSocket(String host, int port,int backlog) - throws IOException { - SSLServerSocket socket = (SSLServerSocket) - super.newServerSocket(host, port, backlog); - ArrayList nonSSLProtocols = new ArrayList(); - for (String p : socket.getEnabledProtocols()) { - if (!p.contains("SSLv3")) { - nonSSLProtocols.add(p); - } - } - socket.setEnabledProtocols(nonSSLProtocols.toArray( - new String[nonSSLProtocols.size()])); - return socket; - } -} http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java index eb640bb..6da6500 100644 --- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java +++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java @@ -18,14 +18,15 @@ package org.apache.hadoop.crypto.key.kms.server; import com.google.common.base.Preconditions; + import org.apache.commons.io.IOUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.crypto.key.kms.KMSRESTConstants; import org.apache.hadoop.fs.Path; -import org.apache.hadoop.security.ssl.SslSocketConnectorSecure; +import org.apache.hadoop.security.ssl.SslSelectChannelConnectorSecure; import org.mortbay.jetty.Connector; import org.mortbay.jetty.Server; -import org.mortbay.jetty.security.SslSocketConnector; +import org.mortbay.jetty.security.SslSelectChannelConnector; import org.mortbay.jetty.webapp.WebAppContext; import java.io.File; 
@@ -52,7 +53,7 @@ public class MiniKMS { if (!ssl) { server.getConnectors()[0].setHost(host); } else { - SslSocketConnector c = new SslSocketConnectorSecure(); + SslSelectChannelConnector c = new SslSelectChannelConnectorSecure(); c.setHost(host); c.setNeedClientAuth(false); c.setKeystore(keyStore); @@ -69,7 +70,7 @@ public class MiniKMS { private static URL getJettyURL(Server server) { boolean ssl = server.getConnectors()[0].getClass() - == SslSocketConnectorSecure.class; + == SslSelectChannelConnectorSecure.class; try { String scheme = (ssl) ? "https" : "http"; return new URL(scheme + "://" + http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java index 177563d..7097803 100644 --- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java +++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java @@ -24,14 +24,14 @@ import java.net.ServerSocket; import java.net.URL; import java.net.UnknownHostException; -import org.apache.hadoop.security.ssl.SslSocketConnectorSecure; +import org.apache.hadoop.security.ssl.SslSelectChannelConnectorSecure; import org.junit.Test; import org.junit.rules.MethodRule; import org.junit.runners.model.FrameworkMethod; import org.junit.runners.model.Statement; import org.mortbay.jetty.Connector; import org.mortbay.jetty.Server; -import org.mortbay.jetty.security.SslSocketConnector; +import org.mortbay.jetty.security.SslSelectChannelConnector; public class TestJettyHelper implements MethodRule { private boolean ssl; 
@@ -93,7 +93,7 @@ public class TestJettyHelper implements MethodRule { server.getConnectors()[0].setHost(host); server.getConnectors()[0].setPort(port); } else { - SslSocketConnector c = new SslSocketConnectorSecure(); + SslSelectChannelConnector c = new SslSelectChannelConnectorSecure(); c.setHost(host); c.setPort(port); c.setNeedClientAuth(false); http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-project/pom.xml ---------------------------------------------------------------------- diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml index ebd1986..bb635d2 100644 --- a/hadoop-project/pom.xml +++ b/hadoop-project/pom.xml @@ -499,6 +499,11 @@ ${jetty.version} + org.mortbay.jetty + jetty-sslengine + ${jetty.version} + + org.apache.tomcat.embed tomcat-embed-core 7.0.55 --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-commits-help@hadoop.apache.org