This is an automated email from the ASF dual-hosted git repository.
stoty pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/master by this push:
new daefb0204f4 HBASE-29481 Make TLS protocols and cipher list
configurable for HTTPS InfoServer (#7178)
daefb0204f4 is described below
commit daefb0204f497142a64e590d2330f028ed0fe5f7
Author: Istvan Toth <[email protected]>
AuthorDate: Thu Jul 31 19:39:36 2025 +0200
HBASE-29481 Make TLS protocols and cipher list configurable for HTTPS
InfoServer (#7178)
Signed-off-by: Nihal Jain <[email protected]>
---
.../org/apache/hadoop/hbase/http/HttpServer.java | 40 ++++++++++++++++++++++
.../org/apache/hadoop/hbase/http/InfoServer.java | 11 ++++--
2 files changed, 49 insertions(+), 2 deletions(-)
diff --git
a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
index 36a101b6ac7..6012b24ec54 100644
--- a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
+++ b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
@@ -228,7 +228,10 @@ public class HttpServer implements FilterContainer {
private String usernameConfKey;
private String keytabConfKey;
private boolean needsClientAuth;
+ private String includeCiphers;
private String excludeCiphers;
+ private String includeProtocols;
+ private String excludeProtocols;
private String hostName;
private String appDir = APP_DIR;
@@ -401,10 +404,32 @@ public class HttpServer implements FilterContainer {
return this;
}
+ @Deprecated
+ // Use setExcludeCiphers() which supports the fluent builder API
public void excludeCiphers(String excludeCiphers) {
this.excludeCiphers = excludeCiphers;
}
+ public Builder setExcludeCiphers(String excludeCiphers) {
+ this.excludeCiphers = excludeCiphers;
+ return this;
+ }
+
+ public Builder setIncludeCiphers(String includeCiphers) {
+ this.includeCiphers = includeCiphers;
+ return this;
+ }
+
+ public Builder setIncludeProtocols(String includeProtocols) {
+ this.includeProtocols = includeProtocols;
+ return this;
+ }
+
+ public Builder setExcludeProtocols(String excludeProtocols) {
+ this.excludeProtocols = excludeProtocols;
+ return this;
+ }
+
public HttpServer build() throws IOException {
// Do we still need to assert this non null name if it is deprecated?
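Review bot: The `@Deprecated` on `excludeCiphers(String)` carries its rationale as a line comment wedged between the annotation and the signature, so the replacement never reaches generated Javadoc or IDE deprecation hints; I would move it into a doc comment above the annotation, `/** @deprecated Use {@link #setExcludeCiphers(String)}, which returns the builder for chaining. */`. The four new setters have no Javadoc at all, and each should say that the argument is a comma-separated list (build() splits it with `StringUtils.getTrimmedStrings`), that null or blank leaves Jetty's defaults untouched, and that the entries are handed to Jetty's SslContextFactory unvalidated. The Builder class header and the body of build() lie outside this hunk.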
@@ -466,6 +491,21 @@ public class HttpServer implements FilterContainer {
sslCtxFactory.setTrustStorePassword(trustStorePassword);
}
+ if (includeProtocols != null && !includeProtocols.trim().isEmpty()) {
+
sslCtxFactory.setIncludeProtocols(StringUtils.getTrimmedStrings(includeProtocols));
+ LOG.debug("Included TLS Protocol List:" + includeProtocols);
+ }
+
+ if (excludeProtocols != null && !excludeProtocols.trim().isEmpty()) {
+
sslCtxFactory.setExcludeProtocols(StringUtils.getTrimmedStrings(excludeProtocols));
+ LOG.debug("Excluded TLS Protocol List:" + excludeProtocols);
+ }
+
+ if (includeCiphers != null && !includeCiphers.trim().isEmpty()) {
+
sslCtxFactory.setIncludeCipherSuites(StringUtils.getTrimmedStrings(includeCiphers));
+ LOG.debug("Included SSL Cipher List:" + includeCiphers);
+ }
+
if (excludeCiphers != null && !excludeCiphers.trim().isEmpty()) {
sslCtxFactory.setExcludeCipherSuites(StringUtils.getTrimmedStrings(excludeCiphers));
LOG.debug("Excluded SSL Cipher List:" + excludeCiphers);
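Review bot: The new `setExcludeProtocols`/`setExcludeCipherSuites` calls appear to replace rather than extend Jetty's built-in exclusions: if I read Jetty's SslContextFactory correctly, the `set*` variants clear the default exclude lists (SSLv2/SSLv3 and the weak-cipher patterns) before adding the configured entries, so an operator who sets `ssl.server.exclude.protocols=TLSv1` silently loses those defaults. If the configured list is meant to narrow the defaults, `sslCtxFactory.addExcludeProtocols(...)` and `sslCtxFactory.addExcludeCipherSuites(...)` do that; if full override is intended, a comment above the first new `if` saying `// NOTE: a configured exclude list replaces Jetty's default exclusions, it does not extend them` keeps the next reader from assuming the defaults survive. The debug lines also build the message by concatenation; `LOG.debug("Included TLS protocol list: {}", includeProtocols)` avoids that when debug is off, and since these lists are the server's effective TLS policy, logging them at INFO at startup would be more useful to operators than DEBUG. build() starts and ends outside this hunk.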
diff --git
a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java
b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java
index aa25ef42762..6a08e21df97 100644
--- a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java
+++ b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java
@@ -67,6 +67,9 @@ public class InfoServer {
builder.setLogDir(logDir);
}
if (httpConfig.isSecure()) {
+ // We are using the Hadoop HTTP server config properties.
+ // This makes it easy to keep in sync with Hadoop's UI servers, but hard
to set this
+ // separately for HBase.
builder
.keyPassword(HBaseConfiguration.getPassword(c,
"ssl.server.keystore.keypassword", null))
.keyStore(c.get("ssl.server.keystore.location"),
@@ -74,8 +77,12 @@ public class InfoServer {
c.get("ssl.server.keystore.type", "jks"))
.trustStore(c.get("ssl.server.truststore.location"),
HBaseConfiguration.getPassword(c, "ssl.server.truststore.password",
null),
- c.get("ssl.server.truststore.type", "jks"));
- builder.excludeCiphers(c.get("ssl.server.exclude.cipher.list"));
+ c.get("ssl.server.truststore.type", "jks"))
+ // The ssl.server.*.protocols properties do not exist in Hadoop at the
time of writing.
+ .setIncludeProtocols(c.get("ssl.server.include.protocols"))
+ .setExcludeProtocols(c.get("ssl.server.exclude.protocols"))
+ .setIncludeCiphers(c.get("ssl.server.include.cipher.list"))
+ .setExcludeCiphers(c.get("ssl.server.exclude.cipher.list"));
}
final String httpAuthType = c.get(HttpServer.HTTP_UI_AUTHENTICATION,
"").toLowerCase();