impala-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Brown (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (IMPALA-5263) support CA bundles when running stress test against SSL'd Impala
Date Wed, 14 Jun 2017 16:23:00 GMT

     [ https://issues.apache.org/jira/browse/IMPALA-5263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Michael Brown resolved IMPALA-5263.
-----------------------------------
       Resolution: Fixed
    Fix Version/s:     (was: Product Backlog)
                   Impala 2.10.0

{noformat}
commit 428b5a1bfe5e8a533db95c98f8ffbc1f825cdcef
Author: Michael Brown <mikeb@cloudera.com>
Date:   Sat Jun 10 16:35:00 2017 -0700

    IMPALA-5263: test infra: support CA bundles with secure clusters

    This patch adds the command line option --ca_cert to the common test
    infra CLI options for use alongside --use-ssl. This is useful when
    testing against a secured Impala cluster in which the SSL certs are
    self-signed. This will allow the SSL request to be validated. Using this
    option will also suppress noisy console warnings like:

      InsecureRequestWarning: Unverified HTTPS request is being made. Adding
      certificate verification is strongly advised. See:
      https://urllib3.readthedocs.org/en/latest/security.html

    We also go further in this patch and use the warnings module to print
    these SSL-related warnings once and only once, instead of all over the
    place. In the case of the stress test, this greatly reduces the noise in
    the console log.

    Testing:
    - quick concurrent_select.py calls with and without --ca_cert to observe
      that connections still get made and the test runs smoothly. Some of
      this testing occurred without warning suppression, so that I could be
      sure the InsecureRequestWarnings were not occurring when using
      --ca_cert anymore.
    - ensured warnings are printed once, not multiple times

    Change-Id: Ifb9e466e4b7cde704cdc4cf98159c068c0a400a9
    Reviewed-on: http://gerrit.cloudera.org:8080/7152
    Reviewed-by: David Knupp <dknupp@cloudera.com>
    Tested-by: Impala Public Jenkins
{noformat}

> support CA bundles when running stress test against SSL'd Impala
> ----------------------------------------------------------------
>
>                 Key: IMPALA-5263
>                 URL: https://issues.apache.org/jira/browse/IMPALA-5263
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Infrastructure
>    Affects Versions: Impala 2.9.0
>            Reporter: Michael Brown
>            Assignee: Michael Brown
>             Fix For: Impala 2.10.0
>
>
> When running the stress test against an SSL'd Impala cluster, if the cluster has self-signed
certificates the KerberosClient and requests library we use to query the Impala Web interface
will fail. To get around that, I've set verify=False for the request Session. However, requests
seems to support a CA bundle. If we can find a way to automate grabbing this CA bundle, we
can try to remove verify=False here and use the bundle instead.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message