You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Mate Szalay-Beko (Jira)" <ji...@apache.org> on 2021/06/09 08:26:00 UTC

[jira] [Work started] (HBASE-25987) Make SSL keystore type configurable for HBase ThriftServer

     [ https://issues.apache.org/jira/browse/HBASE-25987?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on HBASE-25987 started by Mate Szalay-Beko.
------------------------------------------------
> Make SSL keystore type configurable for HBase ThriftServer
> ----------------------------------------------------------
>
>                 Key: HBASE-25987
>                 URL: https://issues.apache.org/jira/browse/HBASE-25987
>             Project: HBase
>          Issue Type: Improvement
>          Components: Thrift
>    Affects Versions: 2.4.4
>            Reporter: Mate Szalay-Beko
>            Assignee: Mate Szalay-Beko
>            Priority: Major
>
> We get the following exception, when trying to start Hbase Thrift Server in http mode (
> hbase.regionserver.thrift.http=true) and use non default (not "jks") keystore type:
>  
> {noformat}
> 2021-06-08 07:40:10,275 ERROR org.apache.hadoop.hbase.thrift.ThriftServer: Cannot run ThriftServer
> java.io.IOException: Invalid keystore format
>         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:663)
>         at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
>         at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
>         at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
>         at java.security.KeyStore.load(KeyStore.java:1445)
>         at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:54)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1197)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:321)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:243)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>         at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>         at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
>         at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
>         at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
>         at org.eclipse.jetty.server.Server.doStart(Server.java:401)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
>         at org.apache.hadoop.hbase.thrift.ThriftServer$2.run(ThriftServer.java:861)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:360)
>         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1878)
>         at org.apache.hadoop.hbase.thrift.ThriftServer.run(ThriftServer.java:855)
>         at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
>         at org.apache.hadoop.hbase.thrift.ThriftServer.main(ThriftServer.java:882){noformat}
> This problem appeared after we applied HBASE-25930 to our local HBase version. It looks, we never had a parameter to specify the keystore type for thrift http server. Before HBASE-25930, the keystore type used by the thrift http server was accidentally defined based on the InfoServer (web ui) configuration of "ssl.server.keystore.type". Before HBASE-25930, the InfoServer was started first and it set the keystore type in the global keystore manager, which setting propagated to the thrift http server too, without any override. In HBASE-25930 the startup order changed, and the thrift http server configuration happens before the InfoServer start, so we lack this accidental configuration change now.
> The proper solution is to create a new parameter to setup keystore type for the thrift http server: hbase.thrift.ssl.keystore.type (defaulting to "jks")



--
This message was sent by Atlassian Jira
(v8.3.4#803005)