Posted to reviews@impala.apache.org by "Henry Robinson (Code Review)" <ge...@cloudera.org> on 2017/08/15 03:33:40 UTC

[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

Henry Robinson has uploaded a new change for review.

  http://gerrit.cloudera.org:8080/7675

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................

IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

The shell uses Thrift's TSSLSocket to negotiate secure connections to
Impala. This socket uses a variable SSL_VERSION to determine which SSL
and TLS protocol versions it will connect to.

SSL_VERSION was hardcoded to be PROTOCOL_TLSv1, which only supports
TLSv1 servers and no other protocol version. Change the allowed version
to be PROTOCOL_SSLv23, which supports any TLS or SSL protocol. We rely
on the server not to allow SSLv2 or v3 connections.

Testing: Added a new custom cluster test to confirm that the shell can
connect to a TLSv1.2 cluster.

Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
---
M shell/TSSLSocketWithWildcardSAN.py
M tests/custom_cluster/test_client_ssl.py
M tests/util/thrift_util.py
3 files changed, 25 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/75/7675/1
-- 
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
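
An added example (not code from this change or from Impala) of the client-side alternative to relying on the server: the context keeps PROTOCOL_SSLv23 negotiation but sets OP_NO_SSLv2/OP_NO_SSLv3, and the ClientHello it would send is parsed to confirm which versions are offered. It assumes Python 3 and an ssl.SSLContext; every function name is hypothetical, and the OpenSSL 1.0.1 threshold is the release where TLSv1.2 support began, not a value taken from the change.

```python
import ssl
import struct
import warnings

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def openssl_supports_tls12():
    # TLSv1.2 arrived in OpenSSL 1.0.1; older builds cannot negotiate it.
    return ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1)

def hardened_client_context():
    # PROTOCOL_SSLv23 negotiates the highest shared version; the OP_NO_*
    # flags make the client itself refuse SSLv2 and SSLv3.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # newer Pythons deprecate these names
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx

def client_hello(ctx):
    # Drive the client side of a handshake into memory BIOs (no network)
    # and return the raw ClientHello record it would send.
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: there is no server to answer
    return outgoing.read()

def offered_versions(record):
    # Names of the protocol versions a ClientHello record offers.
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                   # record header (5) + handshake header (4)
    versions = [struct.unpack_from("!H", record, pos)[0]]   # legacy client_version
    pos += 2 + 32                             # client_version + random
    pos += 1 + record[pos]                    # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]     # cipher_suites
    pos += 1 + record[pos]                    # compression_methods
    if pos + 2 <= len(record):
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            if ext_type == 43:                # supported_versions (TLS 1.3 clients)
                count = record[pos + 4] // 2
                versions = list(struct.unpack_from("!%dH" % count, record, pos + 5))
            pos += 4 + ext_len
    return [NAMES.get(v, hex(v)) for v in versions]

if __name__ == "__main__":
    print(openssl_supports_tls12(), offered_versions(client_hello(hardened_client_context())))
```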

[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has submitted this change and it was merged.

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................


IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

The shell uses Thrift's TSSLSocket to negotiate secure connections to
Impala. This socket uses a variable SSL_VERSION to determine which SSL
and TLS protocol versions it will connect to.

SSL_VERSION was hardcoded to be PROTOCOL_TLSv1, which only supports
TLSv1 servers and no other protocol version. Change the allowed version
to be PROTOCOL_SSLv23, which supports any TLS or SSL protocol. We rely
on the server not to allow SSLv2 or v3 connections.

Testing: Added a new custom cluster test to confirm that the shell can
connect to a TLSv1.2 cluster. Confirmed that the test is correctly
skipped on machines with an old version of OpenSSL that does not support
TLSv1.2.

Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Reviewed-on: http://gerrit.cloudera.org:8080/7675
Reviewed-by: Tim Armstrong <ta...@cloudera.com>
Tested-by: Impala Public Jenkins
---
M shell/TSSLSocketWithWildcardSAN.py
M tests/custom_cluster/test_client_ssl.py
M tests/util/thrift_util.py
3 files changed, 41 insertions(+), 2 deletions(-)

Approvals:
  Impala Public Jenkins: Verified
  Tim Armstrong: Looks good to me, approved




Gerrit-MessageType: merged
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 4
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>

[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

Posted by "Tim Armstrong (Code Review)" <ge...@cloudera.org>.
Tim Armstrong has posted comments on this change.

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................


Patch Set 3: Code-Review+2


Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

Posted by "Henry Robinson (Code Review)" <ge...@cloudera.org>.
Henry Robinson has posted comments on this change.

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................


Patch Set 2:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/7675/2/shell/TSSLSocketWithWildcardSAN.py
File shell/TSSLSocketWithWildcardSAN.py:

Line 50:     self.SSL_VERSION = ssl.PROTOCOL_SSLv23
> Maybe mention that TSSLSocket forwards self.SSL_VERSION to the wrap_socket 
Done


http://gerrit.cloudera.org:8080/#/c/7675/2/tests/custom_cluster/test_client_ssl.py
File tests/custom_cluster/test_client_ssl.py:

Line 108:   @pytest.mark.xfail(run=True, reason="IMPALA-4295 on Centos6")
> Can we xfail this more selectively if it's just an OS version issue? E.g. G
I believe that we can skip based on the version of OpenSSL found, so I've changed the tests to do that.



Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 2
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

Posted by "Henry Robinson (Code Review)" <ge...@cloudera.org>.
Hello Sailesh Mukil,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/7675

to look at the new patch set (#3).

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................

IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

The shell uses Thrift's TSSLSocket to negotiate secure connections to
Impala. This socket uses a variable SSL_VERSION to determine which SSL
and TLS protocol versions it will connect to.

SSL_VERSION was hardcoded to be PROTOCOL_TLSv1, which only supports
TLSv1 servers and no other protocol version. Change the allowed version
to be PROTOCOL_SSLv23, which supports any TLS or SSL protocol. We rely
on the server not to allow SSLv2 or v3 connections.

Testing: Added a new custom cluster test to confirm that the shell can
connect to a TLSv1.2 cluster. Confirmed that the test is correctly
skipped on machines with an old version of OpenSSL that does not support
TLSv1.2.

Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
---
M shell/TSSLSocketWithWildcardSAN.py
M tests/custom_cluster/test_client_ssl.py
M tests/util/thrift_util.py
3 files changed, 41 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/75/7675/3

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>

[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change.

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................


Patch Set 3: Verified-1

Build failed: https://jenkins.impala.io/job/gerrit-verify-dryrun/1065/


Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

Posted by "Sailesh Mukil (Code Review)" <ge...@cloudera.org>.
Sailesh Mukil has posted comments on this change.

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................


Patch Set 1: Code-Review+1

(1 comment)

http://gerrit.cloudera.org:8080/#/c/7675/1/tests/custom_cluster/test_client_ssl.py
File tests/custom_cluster/test_client_ssl.py:

Line 103: 
Add:
@pytest.mark.xfail(run=True, reason="IMPALA-4295 on Centos6")

Certain wildcard certs don't work on CentOS 6.

It still runs and passes on other platforms.



Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

Posted by "Henry Robinson (Code Review)" <ge...@cloudera.org>.
Hello Sailesh Mukil,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/7675

to look at the new patch set (#2).

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................

IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

The shell uses Thrift's TSSLSocket to negotiate secure connections to
Impala. This socket uses a variable SSL_VERSION to determine which SSL
and TLS protocol versions it will connect to.

SSL_VERSION was hardcoded to be PROTOCOL_TLSv1, which only supports
TLSv1 servers and no other protocol version. Change the allowed version
to be PROTOCOL_SSLv23, which supports any TLS or SSL protocol. We rely
on the server not to allow SSLv2 or v3 connections.

Testing: Added a new custom cluster test to confirm that the shell can
connect to a TLSv1.2 cluster.

Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
---
M shell/TSSLSocketWithWildcardSAN.py
M tests/custom_cluster/test_client_ssl.py
M tests/util/thrift_util.py
3 files changed, 26 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/75/7675/2

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 2
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>

[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change.

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................


Patch Set 3:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/1067/


Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

Posted by "Tim Armstrong (Code Review)" <ge...@cloudera.org>.
Tim Armstrong has posted comments on this change.

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................


Patch Set 2:

(2 comments)

Looks good, just had minor comments.

http://gerrit.cloudera.org:8080/#/c/7675/2/shell/TSSLSocketWithWildcardSAN.py
File shell/TSSLSocketWithWildcardSAN.py:

Line 50:     self.SSL_VERSION = ssl.PROTOCOL_SSLv23
Maybe mention that TSSLSocket forwards self.SSL_VERSION to the wrap_socket argument of wrap_socket()? I guess it's implied but setting a "constant" is a bit of weird API so it took me a while to convince myself it worked.

FWIW it looks like they cleaned it up in THRIFT-3505 (Thrift 0.10.0)


http://gerrit.cloudera.org:8080/#/c/7675/2/tests/custom_cluster/test_client_ssl.py
File tests/custom_cluster/test_client_ssl.py:

Line 108:   @pytest.mark.xfail(run=True, reason="IMPALA-4295 on Centos6")
Can we xfail this more selectively if it's just an OS version issue? E.g. GVO runs on ubuntu 16 now.

This seems ok if a fix is imminent but otherwise the risk is that we never remove it from xfail.



Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 2
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change.

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................


Patch Set 3: Verified+1


Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: No

[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

Posted by "Henry Robinson (Code Review)" <ge...@cloudera.org>.
Henry Robinson has posted comments on this change.

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................


Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/7675/1/tests/custom_cluster/test_client_ssl.py
File tests/custom_cluster/test_client_ssl.py:

Line 103: 
> Add:
Done



Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-HasComments: Yes

[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2

Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change.

Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................


Patch Set 3:

Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/1065/


Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: No