hbase-commits mailing list archives

From els...@apache.org
Subject [6/6] hbase git commit: HBASE-17513 Thrift Server 1 uses different QOP settings than RPC and Thrift Server 2 and can easily be misconfigured so there is no encryption when the operator expects it
Date Mon, 22 Jan 2018 17:05:28 GMT
HBASE-17513 Thrift Server 1 uses different QOP settings than RPC and Thrift Server 2 and can
easily be misconfigured so there is no encryption when the operator expects it

Signed-off-by: Chia-Ping Tsai <chia7712@gmail.com>
Signed-off-by: Josh Elser <elserj@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/46e199d9
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/46e199d9
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/46e199d9

Branch: refs/heads/branch-1.2
Commit: 46e199d9aa515c0cf867903c35655cf503eed82c
Parents: 45e99ff
Author: Reid Chan <reidddchan@outlook.com>
Authored: Mon Jan 22 16:18:29 2018 +0800
Committer: Josh Elser <elserj@apache.org>
Committed: Mon Jan 22 11:58:41 2018 -0500

----------------------------------------------------------------------
 .../hadoop/hbase/thrift/ThriftServerRunner.java | 10 ++++++++
 .../hbase/thrift/TestThriftHttpServer.java      | 27 ++++++++++++++++++--
 2 files changed, 35 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/46e199d9/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
index dc9e71d..b25d5bf 100644
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
@@ -342,6 +342,7 @@ public class ThriftServerRunner implements Runnable {
                               QualityOfProtection.INTEGRITY.name(),
                               QualityOfProtection.PRIVACY.name()));
       }
+      checkHttpSecurity(qop, conf);
       if (!securityEnabled) {
         throw new IOException("Thrift server must"
           + " run in secure mode to support authentication");
@@ -349,6 +350,15 @@ public class ThriftServerRunner implements Runnable {
     }
   }
 
+  private void checkHttpSecurity(QualityOfProtection qop, Configuration conf) {
+    if (qop == QualityOfProtection.PRIVACY &&
+        conf.getBoolean(USE_HTTP_CONF_KEY, false) &&
+        !conf.getBoolean(THRIFT_SSL_ENABLED, false)) {
+      throw new IllegalArgumentException("Thrift HTTP Server's QoP is privacy, but " +
+          THRIFT_SSL_ENABLED + " is false");
+    }
+  }
+
   /*
    * Runs the Thrift server
    */
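Review bot: `checkHttpSecurity` rejects only `QualityOfProtection.PRIVACY` over plain HTTP. If the HTTP transport applies no SASL QOP at all (not visible in this hunk), `INTEGRITY` with `THRIFT_SSL_ENABLED` false gives the operator the same false assurance, and should be rejected too or at least logged as a warning. The method also throws `IllegalArgumentException`, while the adjacent check in the caller throws `IOException` ("Thrift server must run in secure mode..."), so a caller that handles only `IOException` takes a different failure path; a consistent type or a comment explaining the choice would help. The method has no documentation; I would add `/** Rejects a configuration that requests privacy QOP on the HTTP transport while SSL is disabled, so the server never starts unencrypted when encryption is expected. */`. The error message could also name the remedy (enable `THRIFT_SSL_ENABLED` or lower the QOP), since it is the only signal the operator gets.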

http://git-wip-us.apache.org/repos/asf/hbase/blob/46e199d9/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
b/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
index 8e8e9f9..cf14e87 100644
--- a/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
+++ b/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
@@ -18,11 +18,16 @@
  */
 package org.apache.hadoop.hbase.thrift;
 
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.fail;
+
 import java.util.ArrayList;
 import java.util.List;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseTestingUtility;
 import org.apache.hadoop.hbase.HConstants;
 import org.apache.hadoop.hbase.testclassification.LargeTests;
@@ -38,8 +43,6 @@ import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
 import org.junit.Rule;
 import org.junit.rules.ExpectedException;
 
@@ -83,6 +86,26 @@ public class TestThriftHttpServer {
     EnvironmentEdgeManager.reset();
   }
 
+  @Test
+  public void testExceptionThrownWhenMisConfigured() throws Exception {
+    Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
+    conf.set("hbase.thrift.security.qop", "privacy");
+    conf.setBoolean("hbase.thrift.ssl.enabled", false);
+
+    ThriftServerRunner runner = null;
+    ExpectedException thrown = ExpectedException.none();
+    try {
+      thrown.expect(IllegalArgumentException.class);
+      thrown.expectMessage("Thrift HTTP Server's QoP is privacy, " +
+          "but hbase.thrift.ssl.enabled is false");
+      runner = new ThriftServerRunner(conf);
+      fail("Thrift HTTP Server starts up even with wrong security configurations.");
+    } catch (Exception e) {
+    }
+
+    assertNull(runner);
+  }
+
   private void startHttpServerThread(final String[] args) {
     LOG.info("Starting HBase Thrift server with HTTP server: " + Joiner.on(" ").join(args));
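Review bot: `testExceptionThrownWhenMisConfigured` does not verify the new check. `ExpectedException thrown` is a local object rather than a `@Rule` field, so `thrown.expect(...)` and `thrown.expectMessage(...)` are never evaluated, and the empty `catch (Exception e) {}` accepts any exception the constructor throws. That includes the `IOException` for non-secure mode raised right after the new call in `ThriftServerRunner`, so the test would likely still pass with `checkHttpSecurity` removed, and `assertNull(runner)` is then trivially true. The visible lines also never set the HTTP key that the check reads via `USE_HTTP_CONF_KEY`; presumably class setup does, but setting it in this test would make the precondition explicit. I would catch `IllegalArgumentException` only and assert its message, as below (this needs a static import of `assertEquals`).

```java
    // … unchanged: conf setup with qop=privacy and ssl.enabled=false …
    try {
      new ThriftServerRunner(conf);
      fail("Thrift HTTP Server starts up even with wrong security configurations.");
    } catch (IllegalArgumentException e) {
      // Only the misconfiguration check may end the constructor; any other exception fails the test.
      assertEquals("Thrift HTTP Server's QoP is privacy, but hbase.thrift.ssl.enabled is false",
          e.getMessage());
    }
```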
 

