Repository: hbase Updated Branches: refs/heads/branch-1 c191462ac -> ca544a155
HBASE-20004 Client is not able to execute REST queries in a secure cluster Signed-off-by: Ashish Singhi <ashishsin...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/ca544a15 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/ca544a15 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/ca544a15 Branch: refs/heads/branch-1 Commit: ca544a155c7053a09ec0fee4c494e770a209a38b Parents: c191462 Author: Ashish Singhi <ashishsin...@apache.org> Authored: Thu May 10 22:49:08 2018 +0530 Committer: Ashish Singhi <ashishsin...@apache.org> Committed: Thu May 10 22:49:08 2018 +0530 ---------------------------------------------------------------------- .../org/apache/hadoop/hbase/rest/RESTServer.java | 7 ++++++- .../hbase/rest/HBaseRESTTestingUtility.java | 2 +- .../apache/hadoop/hbase/util/HttpServerUtil.java | 19 ++++++++++++------- .../hadoop/hbase/thrift/ThriftServerRunner.java | 6 +++++- 4 files changed, 24 insertions(+), 10 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/ca544a15/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java
----------------------------------------------------------------------
diff --git a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java
index d25af1e..be4b130 100644
--- a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java
+++ b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java
@@ -79,6 +79,10 @@ public class RESTServer implements Constants {
 static String REST_CSRF_CUSTOM_HEADER_DEFAULT = "X-XSRF-HEADER";
 static String REST_CSRF_METHODS_TO_IGNORE_KEY = "hbase.rest.csrf.methods.to.ignore";
 static String REST_CSRF_METHODS_TO_IGNORE_DEFAULT = "GET,OPTIONS,HEAD,TRACE";
+ static String REST_HTTP_ALLOW_OPTIONS_METHOD = "hbase.rest.http.allow.options.method";
+ // HTTP OPTIONS method is commonly used in REST APIs for negotiation. It is disabled by default to
+ // maintain backward incompatibility
+ private static boolean REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT = false;
 private static void printUsageAndExit(Options options, int exitCode) {
 HelpFormatter formatter = new HelpFormatter();
@@ -294,7 +298,8 @@ public class RESTServer implements Constants {
 context.addFilter(Class.forName(filter), "/*", 0);
 }
 addCSRFFilter(context, conf);
- HttpServerUtil.constrainHttpMethods(context);
+ HttpServerUtil.constrainHttpMethods(context, servlet.getConfiguration()
+ .getBoolean(REST_HTTP_ALLOW_OPTIONS_METHOD, REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT));
 // Put up info server.
 int port = conf.getInt("hbase.rest.info.port", 8085);
http://git-wip-us.apache.org/repos/asf/hbase/blob/ca544a15/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/HBaseRESTTestingUtility.java
----------------------------------------------------------------------
diff --git a/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/HBaseRESTTestingUtility.java b/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/HBaseRESTTestingUtility.java
index e319704..200c519 100644
--- a/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/HBaseRESTTestingUtility.java
+++ b/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/HBaseRESTTestingUtility.java
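Review bot: The comment above `REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT` in the first RESTServer.java hunk says OPTIONS is disabled "to maintain backward incompatibility", which states the opposite of what is meant; it should read `// maintain backward compatibility`. The default is also a mutable static, and `private static final boolean REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT = false;` would stop it being reassigned at runtime. The same applies to `THRIFT_HTTP_ALLOW_OPTIONS_METHOD` and `THRIFT_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT` in ThriftServerRunner.java, which have no comment at all explaining why OPTIONS is off by default. The neighbouring REST constants are non-final as well, so this may simply follow the file's existing convention.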
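Review bot: In the second RESTServer.java hunk the flag is read from `servlet.getConfiguration()`, while the lines on either side (`addCSRFFilter(context, conf)` and `conf.getInt("hbase.rest.info.port", 8085)`) read from `conf`. If both refer to the same configuration, `HttpServerUtil.constrainHttpMethods(context, conf.getBoolean(REST_HTTP_ALLOW_OPTIONS_METHOD, REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT));` is clearer and fits on the call without the awkward wrap. If they can differ, a one-line comment should say why the servlet's copy is the right source, since the OPTIONS setting and the CSRF settings would otherwise come from different places. The enclosing method starts and ends outside the hunk.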
@@ -79,7 +79,7 @@ public class HBaseRESTTestingUtility {
 }
 conf.set(RESTServer.REST_CSRF_BROWSER_USERAGENTS_REGEX_KEY, ".*");
 RESTServer.addCSRFFilter(context, conf);
- HttpServerUtil.constrainHttpMethods(context);
+ HttpServerUtil.constrainHttpMethods(context, false);
 LOG.info("Loaded filter classes :" + Arrays.toString(filterClasses));
 // start the server
 server.start();
http://git-wip-us.apache.org/repos/asf/hbase/blob/ca544a15/hbase-server/src/main/java/org/apache/hadoop/hbase/util/HttpServerUtil.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/util/HttpServerUtil.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/util/HttpServerUtil.java
index a66251f..1811bac 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/util/HttpServerUtil.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/util/HttpServerUtil.java
@@ -29,8 +29,9 @@ public class HttpServerUtil {
 /**
 * Add constraints to a Jetty Context to disallow undesirable Http methods.
 * @param context The context to modify
+ * @param allowOptionsMethod if true then OPTIONS method will not be set in constraint mapping
 */
- public static void constrainHttpMethods(Context context) {
+ public static void constrainHttpMethods(Context context, boolean allowOptionsMethod) {
 Constraint c = new Constraint();
 c.setAuthenticate(true);
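Review bot: The test harness in HBaseRESTTestingUtility.java hard-codes `false`, so no test started through this utility can run with OPTIONS allowed, and nothing visible in this commit exercises the new branch. Reading the flag from the test configuration, `HttpServerUtil.constrainHttpMethods(context, conf.getBoolean(RESTServer.REST_HTTP_ALLOW_OPTIONS_METHOD, false));`, keeps today's default and lets a test turn the option on. The enclosing method starts and ends outside the hunk.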
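Review bot: The new `@param allowOptionsMethod` line in HttpServerUtil.java describes the implementation ("will not be set in constraint mapping") rather than the effect a caller is opting into. Wording such as `@param allowOptionsMethod if true, OPTIONS requests are not blocked by this handler; TRACE is always blocked` says what is being enabled. The one-argument `constrainHttpMethods(Context)` is replaced rather than overloaded, so any caller outside the files updated in this commit would stop compiling. If that matters on branch-1, keep `public static void constrainHttpMethods(Context context) { constrainHttpMethods(context, false); }`. The method body continues past the end of this hunk.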
@@ -39,13 +40,17 @@ public class HttpServerUtil {
 cmt.setMethod("TRACE");
 cmt.setPathSpec("/*");
- ConstraintMapping cmo = new ConstraintMapping();
- cmo.setConstraint(c);
- cmo.setMethod("OPTIONS");
- cmo.setPathSpec("/*");
-
 SecurityHandler sh = new SecurityHandler();
- sh.setConstraintMappings(new ConstraintMapping[]{ cmt, cmo });
+
+ if (!allowOptionsMethod) {
+ ConstraintMapping cmo = new ConstraintMapping();
+ cmo.setConstraint(c);
+ cmo.setMethod("OPTIONS");
+ cmo.setPathSpec("/*");
+ sh.setConstraintMappings(new ConstraintMapping[] { cmt, cmo });
+ } else {
+ sh.setConstraintMappings(new ConstraintMapping[] { cmt });
+ }
 context.addHandler(sh);
 }
http://git-wip-us.apache.org/repos/asf/hbase/blob/ca544a15/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
index 8292e91..71186d5 100644
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
@@ -206,6 +206,9 @@ public class ThriftServerRunner implements Runnable {
 private final JvmPauseMonitor pauseMonitor;
+ static String THRIFT_HTTP_ALLOW_OPTIONS_METHOD = "hbase.thrift.http.allow.options.method";
+ private static boolean THRIFT_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT = false;
+
 /** An enum of server implementation selections */
 enum ImplType {
 HS_HA("hsha", true, THsHaServer.class, true),
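Review bot: When `allowOptionsMethod` is true, the `else` branch in HttpServerUtil.java installs only the TRACE mapping, so OPTIONS requests pass this handler and reach whatever filters and servlets sit behind it. On the REST side the CSRF filter skips OPTIONS by default (`REST_CSRF_METHODS_TO_IGNORE_DEFAULT = "GET,OPTIONS,HEAD,TRACE"` in RESTServer.java), so those requests are not covered by that check either. This is presumably intended, but the code does not record it; a comment on the `else` branch such as `// OPTIONS is passed through here; downstream filters and servlets must handle it safely` would make the trade-off visible to whoever enables the flag. The two branches also differ only in the array they pass, so `sh.setConstraintMappings(...)` could be called once after the `if`. The start of the method is outside this hunk.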
@@ -423,7 +426,8 @@ public class ThriftServerRunner implements Runnable {
 String httpPath = "/*";
 httpServer.setHandler(context);
 context.addServlet(new ServletHolder(thriftHttpServlet), httpPath);
- HttpServerUtil.constrainHttpMethods(context);
+ HttpServerUtil.constrainHttpMethods(context,
+ conf.getBoolean(THRIFT_HTTP_ALLOW_OPTIONS_METHOD, THRIFT_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT));
 // set up Jetty and run the embedded server
 Connector connector = new SelectChannelConnector();