Posted to commits@hbase.apache.org by el...@apache.org on 2018/01/22 17:05:28 UTC
[6/6] hbase git commit: HBASE-17513 Thrift Server 1 uses different
QOP settings than RPC and Thrift Server 2 and can easily be misconfigured so
there is no encryption when the operator expects it
HBASE-17513 Thrift Server 1 uses different QOP settings than RPC and Thrift Server 2 and can easily be misconfigured so there is no encryption when the operator expects it
Signed-off-by: Chia-Ping Tsai <ch...@gmail.com>
Signed-off-by: Josh Elser <el...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/46e199d9
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/46e199d9
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/46e199d9
Branch: refs/heads/branch-1.2
Commit: 46e199d9aa515c0cf867903c35655cf503eed82c
Parents: 45e99ff
Author: Reid Chan <re...@outlook.com>
Authored: Mon Jan 22 16:18:29 2018 +0800
Committer: Josh Elser <el...@apache.org>
Committed: Mon Jan 22 11:58:41 2018 -0500
----------------------------------------------------------------------
.../hadoop/hbase/thrift/ThriftServerRunner.java | 10 ++++++++
.../hbase/thrift/TestThriftHttpServer.java | 27 ++++++++++++++++++--
2 files changed, 35 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/46e199d9/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
index dc9e71d..b25d5bf 100644
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
@@ -342,6 +342,7 @@ public class ThriftServerRunner implements Runnable {
QualityOfProtection.INTEGRITY.name(),
QualityOfProtection.PRIVACY.name()));
}
+ checkHttpSecurity(qop, conf);
if (!securityEnabled) {
throw new IOException("Thrift server must"
+ " run in secure mode to support authentication");
@@ -349,6 +350,15 @@ public class ThriftServerRunner implements Runnable {
}
}
+ private void checkHttpSecurity(QualityOfProtection qop, Configuration conf) {
+ if (qop == QualityOfProtection.PRIVACY &&
+ conf.getBoolean(USE_HTTP_CONF_KEY, false) &&
+ !conf.getBoolean(THRIFT_SSL_ENABLED, false)) {
+ throw new IllegalArgumentException("Thrift HTTP Server's QoP is privacy, but " +
+ THRIFT_SSL_ENABLED + " is false");
+ }
+ }
+
/*
* Runs the Thrift server
*/
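Review bot: `checkHttpSecurity` rejects only `QualityOfProtection.PRIVACY`, so a server configured for `INTEGRITY` with `USE_HTTP_CONF_KEY` true and `THRIFT_SSL_ENABLED` false still starts without complaint. If the HTTP transport applies no SASL wrapping (not visible in this hunk), that is the same silent downgrade this commit is closing for privacy, and the first condition could become `qop != QualityOfProtection.AUTHENTICATION &&`. The method would also benefit from a short comment stating that over HTTP the requested QoP is only delivered by TLS, and the message should name the HTTP key as well, so an operator can see which two settings conflict. It throws `IllegalArgumentException` while the neighbouring check at the call site in the first hunk throws `IOException`; the caller's body lies outside both hunks, so confirm that the unchecked type is still handled as a startup failure.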
http://git-wip-us.apache.org/repos/asf/hbase/blob/46e199d9/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java b/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
index 8e8e9f9..cf14e87 100644
--- a/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
+++ b/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
@@ -18,11 +18,16 @@
*/
package org.apache.hadoop.hbase.thrift;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.fail;
+
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.testclassification.LargeTests;
@@ -38,8 +43,6 @@ import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.experimental.categories.Category;
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
import org.junit.Rule;
import org.junit.rules.ExpectedException;
@@ -83,6 +86,26 @@ public class TestThriftHttpServer {
EnvironmentEdgeManager.reset();
}
+ @Test
+ public void testExceptionThrownWhenMisConfigured() throws Exception {
+ Configuration conf = new Configuration(TEST_UTIL.getConfiguration());
+ conf.set("hbase.thrift.security.qop", "privacy");
+ conf.setBoolean("hbase.thrift.ssl.enabled", false);
+
+ ThriftServerRunner runner = null;
+ ExpectedException thrown = ExpectedException.none();
+ try {
+ thrown.expect(IllegalArgumentException.class);
+ thrown.expectMessage("Thrift HTTP Server's QoP is privacy, " +
+ "but hbase.thrift.ssl.enabled is false");
+ runner = new ThriftServerRunner(conf);
+ fail("Thrift HTTP Server starts up even with wrong security configurations.");
+ } catch (Exception e) {
+ }
+
+ assertNull(runner);
+ }
+
private void startHttpServerThread(final String[] args) {
LOG.info("Starting HBase Thrift server with HTTP server: " + Joiner.on(" ").join(args));
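Review bot: The new test cannot fail when the guard is missing or wrong, because `catch (Exception e) {}` swallows whatever the constructor throws and the local `ExpectedException thrown` is never registered as a `@Rule`, so its `expect`/`expectMessage` calls check nothing. Judging by the first file's hunk, the `IOException` for a non-secure server is raised just after the new check and would satisfy this test equally well. Narrow the handler to `} catch (IllegalArgumentException e) {`, assert on `e.getMessage()` inside it, and drop the unused `thrown`. The test also relies on the shared `TEST_UTIL` configuration having HTTP mode enabled, which is not visible here; setting `USE_HTTP_CONF_KEY` to true on the copied `conf` would make that precondition explicit.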