This is an automated email from the ASF dual-hosted git repository.

yiguolei pushed a commit to branch branch-2.1
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/branch-2.1 by this push:
     new 0c3bc1bcd07 [fix](auth)fix be enable http auth, some request link 
never return. (#44959) (#45063)
0c3bc1bcd07 is described below

commit 0c3bc1bcd07a2877ab581d9e981e6f9b2cf3c551
Author: daidai <changyu...@selectdb.com>
AuthorDate: Fri Dec 6 09:39:13 2024 +0800

    [fix](auth)fix be enable http auth, some request link never return. 
(#44959) (#45063)
    
    bp #44959
    
    if you `enable_all_http_auth = true` in be.conf, then restart be, and
    keep using `curl -u "xxxx:xxxx" http://127.0.0.1:8040/api/health` while
    be is starting. You may encounter a situation where the link does not
    return.
    Reason:
    When be is still starting, there is no information about fe master. When
    you make an api request to be http port, be needs to request
    authentication information from fe, which will cause it to request a
    machine with empty ip and port 0. This rpc call will definitely fail
    (this is not equivalent to a password error). After receiving this
    failure, be does not `send_reply` to the api requester, so this api
    request cannot be returned.
---
 be/src/http/http_handler_with_auth.cpp | 10 ++++++++++
 be/test/http/http_client_test.cpp      |  1 -
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/be/src/http/http_handler_with_auth.cpp 
b/be/src/http/http_handler_with_auth.cpp
index 6a4b28beb27..0fd9a6b4b05 100644
--- a/be/src/http/http_handler_with_auth.cpp
+++ b/be/src/http/http_handler_with_auth.cpp
@@ -35,6 +35,7 @@ HttpHandlerWithAuth::HttpHandlerWithAuth(ExecEnv* exec_env, 
TPrivilegeHier::type
         : _exec_env(exec_env), _hier(hier), _type(type) {}
 
 int HttpHandlerWithAuth::on_header(HttpRequest* req) {
+    //if u return value isn't 0,u should `send_reply`,Avoid requesting links 
that never return.
     TCheckAuthRequest auth_request;
     TCheckAuthResult auth_result;
     AuthInfo auth_info;
@@ -64,6 +65,11 @@ int HttpHandlerWithAuth::on_header(HttpRequest* req) {
 
 #ifndef BE_TEST
     TNetworkAddress master_addr = _exec_env->master_info()->network_address;
+    if (master_addr.hostname.empty() || master_addr.port == 0) {
+        LOG(WARNING) << "Not found master fe, Can't auth API request: " << 
req->debug_string();
+        HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
+        return -1;
+    }
     {
         auto status = ThriftRpcHelper::rpc<FrontendServiceClient>(
                 master_addr.hostname, master_addr.port,
@@ -71,6 +77,10 @@ int HttpHandlerWithAuth::on_header(HttpRequest* req) {
                     client->checkAuth(auth_result, auth_request);
                 });
         if (!status) {
+            LOG(WARNING) << "CheckAuth Rpc Fail.Fe Ip:" << master_addr.hostname
+                         << ", Fe port:" << master_addr.port << ".Status:" << 
status.to_string()
+                         << ".Request: " << req->debug_string();
+            HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
             return -1;
         }
     }
diff --git a/be/test/http/http_client_test.cpp 
b/be/test/http/http_client_test.cpp
index 00b3288d2e9..9e04a7e725d 100644
--- a/be/test/http/http_client_test.cpp
+++ b/be/test/http/http_client_test.cpp
@@ -340,5 +340,4 @@ TEST_F(HttpClientTest, escape_url) {
     std::string output_G = hostname + 
"/download_file?key=0x2E&key=%252E#section";
     ASSERT_TRUE(check_result(input_G, output_G));
 }
-
 } // namespace doris


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org

Reply via email to