Posted to commits@impala.apache.org by ta...@apache.org on 2019/06/03 16:35:56 UTC

[impala] 04/06: IMPALA-8595: Support TLSv1.2 with Python < 2.7.9 in shell

This is an automated email from the ASF dual-hosted git repository.

tarmstrong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git

commit d5673bf241ed60ffe7aa0bcdf952bca1e9cc7631
Author: Robbie Zhang <rz...@cloudera.com>
AuthorDate: Wed May 29 06:22:26 2019 -0700

    IMPALA-8595: Support TLSv1.2 with Python < 2.7.9 in shell
    
    IMPALA-5690 replaced thrift 0.9.0 with 0.9.3 in which THRIFT-3505
    changed transport/TSSLSocket.py.
    In thrift 0.9.3, if the python version is lower than 2.7.9, TSSLSocket
    uses PROTOCOL_TLSv1 by default and the SSL version is passed to
    TSSLSocket as a parameter when calling TSSLSocket.__init__.
    Although TLSv1.2 is supported by Python from 2.7.9, Red Hat/CentOS
    support TLSv1.2 from 2.7.5 with upgraded python-libs. We need
    impala-shell to support TLSv1.2 with Python 2.7.5 on Red Hat/CentOS.
    
    TESTING:
    impala-py.test tests/custom_cluster/test_client_ssl.py
    
    Change-Id: I3fb6510f4b556bd8c6b1e86380379aba8be4b805
    Reviewed-on: http://gerrit.cloudera.org:8080/13457
    Reviewed-by: Tim Armstrong <ta...@cloudera.com>
    Tested-by: Impala Public Jenkins <im...@cloudera.com>
---
 shell/TSSLSocketWithWildcardSAN.py      | 8 +++++---
 tests/common/environ.py                 | 8 ++++++++
 tests/custom_cluster/test_client_ssl.py | 8 +++++++-
 3 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/shell/TSSLSocketWithWildcardSAN.py b/shell/TSSLSocketWithWildcardSAN.py
index d021aba..88fc119 100755
--- a/shell/TSSLSocketWithWildcardSAN.py
+++ b/shell/TSSLSocketWithWildcardSAN.py
@@ -43,14 +43,16 @@ class TSSLSocketWithWildcardSAN(TSSLSocket.TSSLSocket):
       ca_certs=None,
       unix_socket=None):
     cert_reqs = ssl.CERT_REQUIRED if validate else ssl.CERT_NONE
-    TSSLSocket.TSSLSocket.__init__(self, host=host, port=port, cert_reqs=cert_reqs,
-                                   ca_certs=ca_certs, unix_socket=unix_socket)
     # Set client protocol choice to be very permissive, as we rely on servers to enforce
     # good protocol selection. This value is forwarded to the ssl.wrap_socket() API during
     # open(). See https://docs.python.org/2/library/ssl.html#socket-creation for a table
     # that shows a better option is not readily available for sockets that use
     # wrap_socket().
-    self.SSL_VERSION = ssl.PROTOCOL_SSLv23
+    # THRIFT-3505 changes transport/TSSLSocket.py. The SSL_VERSION is passed to TSSLSocket
+    # via a parameter.
+    TSSLSocket.TSSLSocket.__init__(self, host=host, port=port, cert_reqs=cert_reqs,
+                                   ca_certs=ca_certs, unix_socket=unix_socket,
+                                   ssl_version=ssl.PROTOCOL_SSLv23)
 
   def _validate_cert(self):
     cert = self.handle.getpeercert()
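Review bot: The comments above the relocated `TSSLSocket.TSSLSocket.__init__` call do not say why `ssl_version` must be passed, nor what the permissive choice costs. Per the commit message, thrift 0.9.3 otherwise falls back to `PROTOCOL_TLSv1` on Python < 2.7.9, so I would add `# Without ssl_version, thrift 0.9.3 defaults to PROTOCOL_TLSv1 on Python < 2.7.9 and cannot negotiate TLSv1.2.`. `PROTOCOL_SSLv23` also means the client sets no protocol floor of its own, so the oldest version it accepts is whatever the local OpenSSL build and the server allow. The comment should say that servers must be configured with a minimum protocol version. The `__init__` signature begins outside this hunk.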
diff --git a/tests/common/environ.py b/tests/common/environ.py
index 30805e7..5f4e18a 100644
--- a/tests/common/environ.py
+++ b/tests/common/environ.py
@@ -20,6 +20,7 @@ import logging
 import os
 import re
 import requests
+import platform
 
 LOG = logging.getLogger('tests.common.environ')
 test_start_cluster_args = os.environ.get("TEST_START_CLUSTER_ARGS", "")
@@ -41,6 +42,13 @@ if os.path.isfile(IMPALA_LOCAL_VERSION_INFO):
   if IMPALA_LOCAL_BUILD_VERSION is None:
     raise Exception("Could not find VERSION in {0}".format(IMPALA_LOCAL_VERSION_INFO))
 
+# Check if it is Red Hat/CentOS Linux
+dist = platform.linux_distribution()[0].lower()
+if dist.find('centos') or dist.find('red hat'):
+  IS_REDHAT_DERIVATIVE = True
+else:
+  IS_REDHAT_DERIVATIVE = False
+
 # Find the likely BuildType of the running Impala. Assume it's found through the path
 # $IMPALA_HOME/be/build/latest as a fallback.
 build_type_arg_regex = re.compile(r'--build_type=(\w+)', re.I)
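Review bot: The condition `dist.find('centos') or dist.find('red hat')` is true on practically every platform, because `str.find` returns -1 (truthy) when the substring is absent and 0 (falsy) only when it matches at index 0. `IS_REDHAT_DERIVATIVE` therefore ends up True on, for example, Ubuntu, which lowers the TLSv1.2 Python floor in tests/custom_cluster/test_client_ssl.py to 2.7.5 everywhere. Use membership instead: `IS_REDHAT_DERIVATIVE = 'centos' in dist or 'red hat' in dist`. Separately, `platform.linux_distribution()` is deprecated and was removed in Python 3.8, so it will need replacing if these tests move off Python 2.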
diff --git a/tests/custom_cluster/test_client_ssl.py b/tests/custom_cluster/test_client_ssl.py
index 6f8f91f..885e80c 100644
--- a/tests/custom_cluster/test_client_ssl.py
+++ b/tests/custom_cluster/test_client_ssl.py
@@ -26,6 +26,7 @@ import socket
 import sys
 import time
 
+from tests.common.environ import IS_REDHAT_DERIVATIVE
 from tests.common.custom_cluster_test_suite import CustomClusterTestSuite
 from tests.common.impala_service import ImpaladService
 from tests.common.test_dimensions import create_beeswax_dimension
@@ -33,7 +34,12 @@ from tests.shell.util import run_impala_shell_cmd, run_impala_shell_cmd_no_expec
     ImpalaShell
 
 REQUIRED_MIN_OPENSSL_VERSION = 0x10001000L
-REQUIRED_MIN_PYTHON_VERSION_FOR_TLSV12 = (2,7,9)
+# Python supports TLSv1.2 from 2.7.9 officially but on Red Hat/CentOS Python2.7.5
+# with newer python-libs (eg python-libs-2.7.5-77) supports TLSv1.2 already
+if IS_REDHAT_DERIVATIVE:
+  REQUIRED_MIN_PYTHON_VERSION_FOR_TLSV12 = (2, 7, 5)
+else:
+  REQUIRED_MIN_PYTHON_VERSION_FOR_TLSV12 = (2, 7, 9)
 _openssl_version_number = getattr(ssl, "OPENSSL_VERSION_NUMBER", None)
 if _openssl_version_number is None:
   SKIP_SSL_MSG = "Legacy OpenSSL module detected"
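Review bot: The Red Hat branch lowers the floor to `(2, 7, 5)` for every Red Hat/CentOS host, yet the comment says TLSv1.2 only works there with a newer python-libs package. A host with an older python-libs would pass this gate and presumably fail the TLSv1.2 tests instead of skipping them. Distro name plus interpreter version is only a proxy for the capability. Probing the ssl module directly, e.g. `HAS_TLSV12 = hasattr(ssl, 'PROTOCOL_TLSv1_2')`, would be more accurate, assuming the backported package exposes that constant, which is worth confirming on a patched 2.7.5. The code that consumes `REQUIRED_MIN_PYTHON_VERSION_FOR_TLSV12` is outside this hunk.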