This is an automated email from the ASF dual-hosted git repository.

stoty pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hbase.git


The following commit(s) were added to refs/heads/master by this push:
     new daefb0204f4 HBASE-29481 Make TLS protocols and cipher list 
configurable for HTTPS InfoServer (#7178)
daefb0204f4 is described below

commit daefb0204f497142a64e590d2330f028ed0fe5f7
Author: Istvan Toth <[email protected]>
AuthorDate: Thu Jul 31 19:39:36 2025 +0200

    HBASE-29481 Make TLS protocols and cipher list configurable for HTTPS 
InfoServer (#7178)
    
    Signed-off-by: Nihal Jain <[email protected]>
---
 .../org/apache/hadoop/hbase/http/HttpServer.java   | 40 ++++++++++++++++++++++
 .../org/apache/hadoop/hbase/http/InfoServer.java   | 11 ++++--
 2 files changed, 49 insertions(+), 2 deletions(-)

diff --git 
a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java 
b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
index 36a101b6ac7..6012b24ec54 100644
--- a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
+++ b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
@@ -228,7 +228,10 @@ public class HttpServer implements FilterContainer {
     private String usernameConfKey;
     private String keytabConfKey;
     private boolean needsClientAuth;
+    private String includeCiphers;
     private String excludeCiphers;
+    private String includeProtocols;
+    private String excludeProtocols;
 
     private String hostName;
     private String appDir = APP_DIR;
@@ -401,10 +404,32 @@ public class HttpServer implements FilterContainer {
       return this;
     }
 
+    @Deprecated
+    // Use setExcludeCiphers() which supports the fluent builder API
     public void excludeCiphers(String excludeCiphers) {
       this.excludeCiphers = excludeCiphers;
     }
 
+    public Builder setExcludeCiphers(String excludeCiphers) {
+      this.excludeCiphers = excludeCiphers;
+      return this;
+    }
+
+    public Builder setIncludeCiphers(String includeCiphers) {
+      this.includeCiphers = includeCiphers;
+      return this;
+    }
+
+    public Builder setIncludeProtocols(String includeProtocols) {
+      this.includeProtocols = includeProtocols;
+      return this;
+    }
+
+    public Builder setExcludeProtocols(String excludeProtocols) {
+      this.excludeProtocols = excludeProtocols;
+      return this;
+    }
+
     public HttpServer build() throws IOException {
 
       // Do we still need to assert this non null name if it is deprecated?
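Review bot: The deprecation of `excludeCiphers(String)` is documented with a `//` line comment placed between `@Deprecated` and the method, so Javadoc and IDE deprecation hints will not show callers the replacement. A Javadoc block above the annotation would carry it: `/** @deprecated Use {@link #setExcludeCiphers(String)}, which supports the fluent builder API. */`. The four new setters also have no Javadoc. Judging by the `StringUtils.getTrimmedStrings` calls in `build()`, each takes a comma-separated list, and a one-line `@param` saying so (and that null or blank means "leave the defaults") would save readers a trip into `build()`. The Builder class starts and ends outside this hunk.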
@@ -466,6 +491,21 @@ public class HttpServer implements FilterContainer {
             sslCtxFactory.setTrustStorePassword(trustStorePassword);
           }
 
+          if (includeProtocols != null && !includeProtocols.trim().isEmpty()) {
+            
sslCtxFactory.setIncludeProtocols(StringUtils.getTrimmedStrings(includeProtocols));
+            LOG.debug("Included TLS Protocol List:" + includeProtocols);
+          }
+
+          if (excludeProtocols != null && !excludeProtocols.trim().isEmpty()) {
+            
sslCtxFactory.setExcludeProtocols(StringUtils.getTrimmedStrings(excludeProtocols));
+            LOG.debug("Excluded TLS Protocol List:" + excludeProtocols);
+          }
+
+          if (includeCiphers != null && !includeCiphers.trim().isEmpty()) {
+            
sslCtxFactory.setIncludeCipherSuites(StringUtils.getTrimmedStrings(includeCiphers));
+            LOG.debug("Included SSL Cipher List:" + includeCiphers);
+          }
+
           if (excludeCiphers != null && !excludeCiphers.trim().isEmpty()) {
             
sslCtxFactory.setExcludeCipherSuites(StringUtils.getTrimmedStrings(excludeCiphers));
             LOG.debug("Excluded SSL Cipher List:" + excludeCiphers);
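Review bot: `sslCtxFactory.setExcludeProtocols(...)` replaces the factory's exclusion list rather than extending it. If I recall Jetty's `SslContextFactory` correctly, it ships with SSL/SSLv2/SSLv3 excluded by default, so setting `ssl.server.exclude.protocols` to something like `TLSv1,TLSv1.1` would silently drop those built-in exclusions and leave only the JVM's disabled-algorithms list as the backstop. Consider `sslCtxFactory.addExcludeProtocols(StringUtils.getTrimmedStrings(excludeProtocols));` for the protocol case. Otherwise, add a comment above the block stating that a configured exclude list replaces the defaults and that, in Jetty, excludes take precedence over includes. The same replace semantics apply to the existing `setExcludeCipherSuites` call. The enclosing `build()` method starts and ends outside this hunk.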
diff --git 
a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java 
b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java
index aa25ef42762..6a08e21df97 100644
--- a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java
+++ b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java
@@ -67,6 +67,9 @@ public class InfoServer {
       builder.setLogDir(logDir);
     }
     if (httpConfig.isSecure()) {
+      // We are using the Hadoop HTTP server config properties.
+      // This makes it easy to keep in sync with Hadoop's UI servers, but hard 
to set this
+      // separately for HBase.
       builder
         .keyPassword(HBaseConfiguration.getPassword(c, 
"ssl.server.keystore.keypassword", null))
         .keyStore(c.get("ssl.server.keystore.location"),
@@ -74,8 +77,12 @@ public class InfoServer {
           c.get("ssl.server.keystore.type", "jks"))
         .trustStore(c.get("ssl.server.truststore.location"),
           HBaseConfiguration.getPassword(c, "ssl.server.truststore.password", 
null),
-          c.get("ssl.server.truststore.type", "jks"));
-      builder.excludeCiphers(c.get("ssl.server.exclude.cipher.list"));
+          c.get("ssl.server.truststore.type", "jks"))
+        // The ssl.server.*.protocols properties do not exist in Hadoop at the 
time of writing.
+        .setIncludeProtocols(c.get("ssl.server.include.protocols"))
+        .setExcludeProtocols(c.get("ssl.server.exclude.protocols"))
+        .setIncludeCiphers(c.get("ssl.server.include.cipher.list"))
+        .setExcludeCiphers(c.get("ssl.server.exclude.cipher.list"));
     }
 
     final String httpAuthType = c.get(HttpServer.HTTP_UI_AUTHENTICATION, 
"").toLowerCase();
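Review bot: The keys `ssl.server.include.protocols`, `ssl.server.exclude.protocols` and `ssl.server.include.cipher.list` are introduced here as bare string literals, and the diffstat shows only the two Java files changing, so operators have no documentation for them. Since these settings decide which TLS versions and suites the InfoServer will negotiate, it would help to expand the inline comment, for example: `// Comma-separated; unset or blank keeps Jetty's defaults. ssl.server.*.protocols are HBase-only and not read by Hadoop.` A follow-up could also lift the four keys into named constants next to `HttpServer.HTTP_UI_AUTHENTICATION`, so that tests and docs can reference them. The enclosing method continues outside this hunk.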
