You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@impala.apache.org by "Henry Robinson (Code Review)" <ge...@cloudera.org> on 2017/08/15 03:33:40 UTC
[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
Henry Robinson has uploaded a new change for review.
http://gerrit.cloudera.org:8080/7675
Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................
IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
The shell uses Thrift's TSSLSocket to negotiate secure connections to
Impala. This socket uses a variable SSL_VERSION to determine which SSL
and TLS protocol versions it will connect to.
SSL_VERSION was hardcoded to be PROTOCOL_TLSv1, which only supports
TLSv1 servers and no other protocol version. Change the allowed version
to be PROTOCOL_SSLv23, which supports any TLS or SSL protocol. We rely
on the server not to allow SSLv2 or v3 connections.
Testing: Added a new custom cluster test to confirm that the shell can
connect to a TLSv1.2 cluster.
Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
---
M shell/TSSLSocketWithWildcardSAN.py
M tests/custom_cluster/test_client_ssl.py
M tests/util/thrift_util.py
3 files changed, 25 insertions(+), 0 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/75/7675/1
--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has submitted this change and it was merged.
Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................
IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
The shell uses Thrift's TSSLSocket to negotiate secure connections to
Impala. This socket uses a variable SSL_VERSION to determine which SSL
and TLS protocol versions it will connect to.
SSL_VERSION was hardcoded to be PROTOCOL_TLSv1, which only supports
TLSv1 servers and no other protocol version. Change the allowed version
to be PROTOCOL_SSLv23, which supports any TLS or SSL protocol. We rely
on the server not to allow SSLv2 or v3 connections.
Testing: Added a new custom cluster test to confirm that the shell can
connect to a TLSv1.2 cluster. Confirmed that the test is correctly
skipped on machines with an old version of OpenSSL that does not support
TLSv1.2.
Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Reviewed-on: http://gerrit.cloudera.org:8080/7675
Reviewed-by: Tim Armstrong <ta...@cloudera.com>
Tested-by: Impala Public Jenkins
---
M shell/TSSLSocketWithWildcardSAN.py
M tests/custom_cluster/test_client_ssl.py
M tests/util/thrift_util.py
3 files changed, 41 insertions(+), 2 deletions(-)
Approvals:
Impala Public Jenkins: Verified
Tim Armstrong: Looks good to me, approved
--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 4
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
Posted by "Tim Armstrong (Code Review)" <ge...@cloudera.org>.
Tim Armstrong has posted comments on this change.
Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................
Patch Set 3: Code-Review+2
--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
Posted by "Henry Robinson (Code Review)" <ge...@cloudera.org>.
Henry Robinson has posted comments on this change.
Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................
Patch Set 2:
(2 comments)
http://gerrit.cloudera.org:8080/#/c/7675/2/shell/TSSLSocketWithWildcardSAN.py
File shell/TSSLSocketWithWildcardSAN.py:
Line 50: self.SSL_VERSION = ssl.PROTOCOL_SSLv23
> Maybe mention that TSSLSocket forwards self.SSL_VERSION to the wrap_socket
Done
http://gerrit.cloudera.org:8080/#/c/7675/2/tests/custom_cluster/test_client_ssl.py
File tests/custom_cluster/test_client_ssl.py:
Line 108: @pytest.mark.xfail(run=True, reason="IMPALA-4295 on Centos6")
> Can we xfail this more selectively if it's just an OS version issue? E.g. G
I believe that we can skip based on the version of OpenSSL found, so I've changed the tests to do that.
--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 2
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
Posted by "Henry Robinson (Code Review)" <ge...@cloudera.org>.
Hello Sailesh Mukil,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/7675
to look at the new patch set (#3).
Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................
IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
The shell uses Thrift's TSSLSocket to negotiate secure connections to
Impala. This socket uses a variable SSL_VERSION to determine which SSL
and TLS protocol versions it will connect to.
SSL_VERSION was hardcoded to be PROTOCOL_TLSv1, which only supports
TLSv1 servers and no other protocol version. Change the allowed version
to be PROTOCOL_SSLv23, which supports any TLS or SSL protocol. We rely
on the server not to allow SSLv2 or v3 connections.
Testing: Added a new custom cluster test to confirm that the shell can
connect to a TLSv1.2 cluster. Confirmed that the test is correctly
skipped on machines with an old version of OpenSSL that does not support
TLSv1.2.
Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
---
M shell/TSSLSocketWithWildcardSAN.py
M tests/custom_cluster/test_client_ssl.py
M tests/util/thrift_util.py
3 files changed, 41 insertions(+), 2 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/75/7675/3
--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change.
Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................
Patch Set 3: Verified-1
Build failed: https://jenkins.impala.io/job/gerrit-verify-dryrun/1065/
--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
Posted by "Sailesh Mukil (Code Review)" <ge...@cloudera.org>.
Sailesh Mukil has posted comments on this change.
Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................
Patch Set 1: Code-Review+1
(1 comment)
http://gerrit.cloudera.org:8080/#/c/7675/1/tests/custom_cluster/test_client_ssl.py
File tests/custom_cluster/test_client_ssl.py:
Line 103:
Add:
@pytest.mark.xfail(run=True, reason="IMPALA-4295 on Centos6")
Certain wildcard certs don't work on CentOS 6.
It still runs and passes on other platforms.
--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
Posted by "Henry Robinson (Code Review)" <ge...@cloudera.org>.
Hello Sailesh Mukil,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/7675
to look at the new patch set (#2).
Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................
IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
The shell uses Thrift's TSSLSocket to negotiate secure connections to
Impala. This socket uses a variable SSL_VERSION to determine which SSL
and TLS protocol versions it will connect to.
SSL_VERSION was hardcoded to be PROTOCOL_TLSv1, which only supports
TLSv1 servers and no other protocol version. Change the allowed version
to be PROTOCOL_SSLv23, which supports any TLS or SSL protocol. We rely
on the server not to allow SSLv2 or v3 connections.
Testing: Added a new custom cluster test to confirm that the shell can
connect to a TLSv1.2 cluster.
Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
---
M shell/TSSLSocketWithWildcardSAN.py
M tests/custom_cluster/test_client_ssl.py
M tests/util/thrift_util.py
3 files changed, 26 insertions(+), 0 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/75/7675/2
--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 2
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change.
Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................
Patch Set 3:
Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/1067/
--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
Posted by "Tim Armstrong (Code Review)" <ge...@cloudera.org>.
Tim Armstrong has posted comments on this change.
Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................
Patch Set 2:
(2 comments)
Looks good, just had minor comments.
http://gerrit.cloudera.org:8080/#/c/7675/2/shell/TSSLSocketWithWildcardSAN.py
File shell/TSSLSocketWithWildcardSAN.py:
Line 50: self.SSL_VERSION = ssl.PROTOCOL_SSLv23
Maybe mention that TSSLSocket forwards self.SSL_VERSION to the wrap_socket argument of wrap_socket()? I guess it's implied but setting a "constant" is a bit of weird API so it took me a while to convince myself it worked.
FWIW it looks like they cleaned it up in THRIFT-3505 (Thrift 0.10.0)
http://gerrit.cloudera.org:8080/#/c/7675/2/tests/custom_cluster/test_client_ssl.py
File tests/custom_cluster/test_client_ssl.py:
Line 108: @pytest.mark.xfail(run=True, reason="IMPALA-4295 on Centos6")
Can we xfail this more selectively if it's just an OS version issue? E.g. GVO runs on ubuntu 16 now.
This seems ok if a fix is imminent but otherwise the risk is that we never remove it from xfail.
--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 2
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change.
Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................
Patch Set 3: Verified+1
--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
Posted by "Henry Robinson (Code Review)" <ge...@cloudera.org>.
Henry Robinson has posted comments on this change.
Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................
Patch Set 1:
(1 comment)
http://gerrit.cloudera.org:8080/#/c/7675/1/tests/custom_cluster/test_client_ssl.py
File tests/custom_cluster/test_client_ssl.py:
Line 103:
> Add:
Done
--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 1
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
Posted by "Impala Public Jenkins (Code Review)" <ge...@cloudera.org>.
Impala Public Jenkins has posted comments on this change.
Change subject: IMPALA-5775: Allow shell to support TLSv1, v1.1 and v1.2
......................................................................
Patch Set 3:
Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/1065/
--
To view, visit http://gerrit.cloudera.org:8080/7675
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I5487f82d110676b9c3c7a5305931da00c7f68ca0
Gerrit-PatchSet: 3
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-Owner: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Henry Robinson <he...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Sailesh Mukil <sa...@cloudera.com>
Gerrit-Reviewer: Tim Armstrong <ta...@cloudera.com>
Gerrit-HasComments: No