nsivarajan commented on code in PR #64697:
URL: https://github.com/apache/doris/pull/64697#discussion_r3540946517
##########
fe/fe-core/src/main/java/org/apache/doris/plugin/audit/AuditStreamLoader.java:
##########
@@ -34,30 +37,35 @@
import java.net.URL;
import java.util.Calendar;
import java.util.stream.Collectors;
+import javax.net.ssl.HttpsURLConnection;
public class AuditStreamLoader {
private static final Logger LOG =
LogManager.getLogger(AuditStreamLoader.class);
- private static String loadUrlPattern = "http://%s/api/%s/%s/_stream_load?";
// timeout for both connection and read. 10 seconds is long enough.
private static final int HTTP_TIMEOUT_MS = 10000;
- private String hostPort;
private String db;
private String auditLogTbl;
private String auditLogLoadUrlStr;
private String feIdentity;
public AuditStreamLoader() {
- this.hostPort = "127.0.0.1:" + Config.http_port;
this.db = FeConstants.INTERNAL_DB_NAME;
this.auditLogTbl = AuditLoader.AUDIT_LOG_TABLE;
- this.auditLogLoadUrlStr = String.format(loadUrlPattern, hostPort, db,
auditLogTbl);
+ String scheme = Config.enable_https ? "https" : "http";
Review Comment:
Fixed. RestBaseController.buildRedirectUrl() was inheriting
request.getScheme() for every redirect, including BE-bound ones — exactly the
failure mode described here, and not actually audit-specific: any
stream-load client hitting the FE over HTTPS would get the same broken
https://be:8040/... redirect.
Added buildRedirectUrlToBackend() / redirectToBackend() in
RestBaseController, which build the redirect with a hardcoded "http" scheme
regardless of the inbound request's scheme, since BE's stream-load
EvHttpServer never terminates TLS. Routed all three BE-facing redirect call
sites in LoadAction (executeStreamLoad2PC, createRedirectResponse,
redirectToStreamLoadForward) through these new methods. The original
scheme-preserving buildRedirectUrl()/redirectTo() are left untouched for the
one legitimate FE-to-FE case (redirectToMasterOrException).
Added
RestBaseControllerTest#testBuildRedirectUrlToBackendForcesHttpEvenWhenRequestIsHttps
to cover it directly.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]