Posted to commits@hbase.apache.org by zh...@apache.org on 2018/01/24 09:50:54 UTC
[12/34] hbase git commit: HBASE-17513 Thrift Server 1 uses different
QOP settings than RPC and Thrift Server 2 and can easily be misconfigured so
there is no encryption when the operator expects it
HBASE-17513 Thrift Server 1 uses different QOP settings than RPC and Thrift Server 2 and can easily be misconfigured so there is no encryption when the operator expects it
Signed-off-by: Chia-Ping Tsai <ch...@gmail.com>
Signed-off-by: Josh Elser <el...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/9a45e0a9
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/9a45e0a9
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/9a45e0a9
Branch: refs/heads/HBASE-19064
Commit: 9a45e0a9ded094d18bdcbbcaf4cf3944e7faf6d9
Parents: c603599
Author: Reid Chan <re...@outlook.com>
Authored: Mon Jan 22 16:18:29 2018 +0800
Committer: Josh Elser <el...@apache.org>
Committed: Mon Jan 22 11:28:00 2018 -0500
----------------------------------------------------------------------
.../hadoop/hbase/thrift/ThriftServerRunner.java | 10 +++++++++
.../hbase/thrift/TestThriftHttpServer.java | 23 ++++++++++++++++++++
2 files changed, 33 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/9a45e0a9/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
index 583a9e9..ef89f25 100644
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
@@ -362,6 +362,7 @@ public class ThriftServerRunner implements Runnable {
QualityOfProtection.INTEGRITY.name(),
QualityOfProtection.PRIVACY.name()));
}
+ checkHttpSecurity(qop, conf);
if (!securityEnabled) {
throw new IOException("Thrift server must"
+ " run in secure mode to support authentication");
@@ -369,6 +370,15 @@ public class ThriftServerRunner implements Runnable {
}
}
+ private void checkHttpSecurity(QualityOfProtection qop, Configuration conf) {
+ if (qop == QualityOfProtection.PRIVACY &&
+ conf.getBoolean(USE_HTTP_CONF_KEY, false) &&
+ !conf.getBoolean(THRIFT_SSL_ENABLED, false)) {
+ throw new IllegalArgumentException("Thrift HTTP Server's QoP is privacy, but " +
+ THRIFT_SSL_ENABLED + " is false");
+ }
+ }
+
/*
* Runs the Thrift server
*/
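Review bot: The guard in `checkHttpSecurity` fires only for `qop == QualityOfProtection.PRIVACY`, so a server configured with `INTEGRITY` in HTTP mode and `THRIFT_SSL_ENABLED` false still starts without complaint. If the HTTP transport applies no SASL wrapping (the privacy case suggests this, but the transport code is outside the hunk), the operator's integrity expectation goes unmet in the same silent way. Consider `qop != QualityOfProtection.AUTHENTICATION &&` as the first condition, or a comment explaining why integrity is exempt. The method also has no Javadoc; I would add `/** Fails startup when HTTP mode is configured with a QOP that only TLS can provide and SSL is disabled. */`.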
http://git-wip-us.apache.org/repos/asf/hbase/blob/9a45e0a9/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java b/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
index d69da6c..991a4cd 100644
--- a/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
+++ b/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
@@ -19,10 +19,13 @@
package org.apache.hadoop.hbase.thrift;
import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.fail;
import java.util.ArrayList;
import java.util.List;
+import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.testclassification.ClientTests;
@@ -83,6 +86,26 @@ public class TestThriftHttpServer {
EnvironmentEdgeManager.reset();
}
+ @Test
+ public void testExceptionThrownWhenMisConfigured() throws Exception {
+ Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
+ conf.set("hbase.thrift.security.qop", "privacy");
+ conf.setBoolean("hbase.thrift.ssl.enabled", false);
+
+ ThriftServerRunner runner = null;
+ ExpectedException thrown = ExpectedException.none();
+ try {
+ thrown.expect(IllegalArgumentException.class);
+ thrown.expectMessage("Thrift HTTP Server's QoP is privacy, " +
+ "but hbase.thrift.ssl.enabled is false");
+ runner = new ThriftServerRunner(conf);
+ fail("Thrift HTTP Server starts up even with wrong security configurations.");
+ } catch (Exception e) {
+ }
+
+ assertNull(runner);
+ }
+
private void startHttpServerThread(final String[] args) {
LOG.info("Starting HBase Thrift server with HTTP server: " + Joiner.on(" ").join(args));
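Review bot: `testExceptionThrownWhenMisConfigured` can pass without ever reaching the new check. The `ExpectedException` is a local variable rather than a `@Rule` field, so `expect` and `expectMessage` verify nothing, and the empty `catch (Exception e)` accepts any failure from the constructor. The configuration built here also never enables `USE_HTTP_CONF_KEY`, which `checkHttpSecurity` requires; unless the shared `TEST_UTIL` setup outside this hunk sets it, the exception swallowed here is probably an unrelated one. Catching `IllegalArgumentException` and asserting on its message would pin the fail-closed behaviour. The sketch below assumes `USE_HTTP_CONF_KEY` is visible to the test and needs a static import of `assertEquals`.

```java
Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
// … unchanged: hbase.thrift.security.qop and hbase.thrift.ssl.enabled settings …
conf.setBoolean(ThriftServerRunner.USE_HTTP_CONF_KEY, true);

try {
  new ThriftServerRunner(conf);
  fail("Thrift HTTP Server starts up even with wrong security configurations.");
} catch (IllegalArgumentException e) {
  assertEquals("Thrift HTTP Server's QoP is privacy, but hbase.thrift.ssl.enabled is false",
      e.getMessage());
}
```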