Posted to issues@hbase.apache.org by "Hudson (JIRA)" <ji...@apache.org> on 2018/12/14 00:39:02 UTC

[jira] [Commented] (HBASE-21275) Thrift Server (branch 1 fix) -> Disable TRACE HTTP method for thrift http server (branch 1 only)

    [ https://issues.apache.org/jira/browse/HBASE-21275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16720794#comment-16720794 ] 

Hudson commented on HBASE-21275:
--------------------------------

SUCCESS: Integrated in Jenkins build HBase-1.3-IT #509 (See [https://builds.apache.org/job/HBase-1.3-IT/509/])
HBASE-21275 - Disable TRACE HTTP method for thrift http server (branch 1 (apurtell: rev 82f187efba6e476cd1b88bc6ae8b238e4c670288)
* (edit) hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
* (edit) hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java


> Thrift Server (branch 1 fix) -> Disable TRACE HTTP method for thrift http server (branch 1 only)
> ------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-21275
>                 URL: https://issues.apache.org/jira/browse/HBASE-21275
>             Project: HBase
>          Issue Type: Bug
>          Components: Thrift
>            Reporter: Wellington Chevreuil
>            Assignee: Wellington Chevreuil
>            Priority: Minor
>             Fix For: 1.5.0, 1.3.3, 1.4.9
>
>         Attachments: HBASE-21275-branch-1.001.patch, HBASE-21275-branch-1.2.001.patch, HBASE-21275-branch-1.2.002.patch, HBASE-21275-branch-1.2.003.patch, HBASE-21275-branch-1.2.003.patch, HBASE-21275-branch-1.4.001.patch
>
>
> There's been a reasonable number of users running the thrift http server on hbase 1.x suffering from security audit tests pointing out that the thrift server allows TRACE requests.
> After doing some searching, I can see HBASE-20406 added restrictions for the TRACE/OPTIONS methods when Thrift is running over http, but it relies on many other commits applied to the thrift http server. This patch was later reverted from master. Then again later, HBASE-20004 made TRACE/OPTIONS configurable via the "*hbase.thrift.http.allow.options.method*" property, with both methods being disabled by default. This also seems to rely on many changes applied to the thrift http server, and a branch 1 compatible patch does not seem feasible.
> A solution for branch 1 is pretty simple though: I am proposing a patch that simply uses *WebAppContext*, instead of *Context*, as the context for the *HttpServer* instance. *WebAppContext* already restricts the TRACE method by default.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)