This is an automated email from the ASF dual-hosted git repository.
gavinchou pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new 06466c891bf [fix](auth)fix be enable http auth, some request link
never return. (#44959)
06466c891bf is described below
commit 06466c891bf3fe86bd02e99a4f5cdd4895d4c8f5
Author: daidai <[email protected]>
AuthorDate: Wed Dec 4 14:51:26 2024 +0800
[fix](auth)fix be enable http auth, some request link never return. (#44959)
if you `enable_all_http_auth = true` in be.conf, then restart be, and
keep using `curl -u "xxxx:xxxx" http://127.0.0.1:8040/api/health` while
be is starting. You may encounter a situation where the link does not
return.
Reason:
When be is still starting, there is no information about fe master. When
you make an api request to be http port, be needs to request
authentication information from fe, which will cause it to request a
machine with empty ip and port 0. This rpc call will definitely fail
(this is not equivalent to a password error). After receiving this
failure, be does not `send_reply` to the api requester, so this api
request cannot be returned.
---
be/src/http/http_handler_with_auth.cpp | 11 +++++++++++
be/test/http/http_client_test.cpp | 8 ++++----
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/be/src/http/http_handler_with_auth.cpp
b/be/src/http/http_handler_with_auth.cpp
index 518b9868de1..ae5c024e76d 100644
--- a/be/src/http/http_handler_with_auth.cpp
+++ b/be/src/http/http_handler_with_auth.cpp
@@ -35,6 +35,7 @@ HttpHandlerWithAuth::HttpHandlerWithAuth(ExecEnv* exec_env,
TPrivilegeHier::type
: _exec_env(exec_env), _hier(hier), _type(type) {}
int HttpHandlerWithAuth::on_header(HttpRequest* req) {
+ //if u return value isn't 0,u should `send_reply`,Avoid requesting links
that never return.
TCheckAuthRequest auth_request;
TCheckAuthResult auth_result;
AuthInfo auth_info;
@@ -83,6 +84,11 @@ int HttpHandlerWithAuth::on_header(HttpRequest* req) {
#ifndef BE_TEST
TNetworkAddress master_addr = _exec_env->cluster_info()->master_fe_addr;
+ if (master_addr.hostname.empty() || master_addr.port == 0) {
+ LOG(WARNING) << "Not found master fe, Can't auth API request: " <<
req->debug_string();
+ HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
+ return -1;
+ }
{
auto status = ThriftRpcHelper::rpc<FrontendServiceClient>(
master_addr.hostname, master_addr.port,
@@ -90,6 +96,10 @@ int HttpHandlerWithAuth::on_header(HttpRequest* req) {
client->checkAuth(auth_result, auth_request);
});
if (!status) {
+ LOG(WARNING) << "CheckAuth Rpc Fail.Fe Ip:" << master_addr.hostname
+ << ", Fe port:" << master_addr.port << ".Status:" <<
status.to_string()
+ << ".Request: " << req->debug_string();
+ HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
return -1;
}
}
@@ -98,6 +108,7 @@ int HttpHandlerWithAuth::on_header(HttpRequest* req) {
auth_result.status.status_code = TStatusCode::type::OK;
auth_result.status.error_msgs.clear();
} else {
+ HttpChannel::send_reply(req, HttpStatus::FORBIDDEN);
return -1;
}
#endif
diff --git a/be/test/http/http_client_test.cpp
b/be/test/http/http_client_test.cpp
index d42e0a6775e..c98328d7c8e 100644
--- a/be/test/http/http_client_test.cpp
+++ b/be/test/http/http_client_test.cpp
@@ -413,7 +413,7 @@ TEST_F(HttpClientTest, enable_http_auth) {
EXPECT_TRUE(!st.ok());
std::cout << "response = " << response << "\n";
std::cout << "st.msg() = " << st.msg() << "\n";
- EXPECT_TRUE(st.msg().find("Operation timed out after") !=
std::string::npos);
+ EXPECT_TRUE(st.msg().find("403") != std::string::npos);
}
{
@@ -474,7 +474,7 @@ TEST_F(HttpClientTest, enable_http_auth) {
EXPECT_TRUE(!st.ok());
std::cout << "response = " << response << "\n";
std::cout << "st.msg() = " << st.msg() << "\n";
- EXPECT_TRUE(st.msg().find("Operation timed out after") !=
std::string::npos);
+ EXPECT_TRUE(st.msg().find("403") != std::string::npos);
}
// valid token
@@ -521,7 +521,7 @@ TEST_F(HttpClientTest, enable_http_auth) {
EXPECT_TRUE(!st.ok());
std::cout << "response = " << response << "\n";
std::cout << "st.msg() = " << st.msg() << "\n";
- EXPECT_TRUE(st.msg().find("Operation timed out after") !=
std::string::npos);
+ EXPECT_TRUE(st.msg().find("403") != std::string::npos);
}
std::vector<std::string> check_get_list = {"/api/clear_cache/aa",
@@ -566,7 +566,7 @@ TEST_F(HttpClientTest, enable_http_auth) {
EXPECT_TRUE(!st.ok());
std::cout << "response = " << response << "\n";
std::cout << "st.msg() = " << st.msg() << "\n";
- EXPECT_TRUE(st.msg().find("Operation timed out after") !=
std::string::npos);
+ EXPECT_TRUE(st.msg().find("403") != std::string::npos);
}
}
}
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
