[ https://issues.apache.org/jira/browse/HBASE-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16333555#comment-16333555 ]
Hadoop QA commented on HBASE-17513: ----------------------------------- | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 1m 53s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 0m 0s{color} | {color:blue} Findbugs executables are not available. {color} | | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 40s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 48s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 31s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 5m 14s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 44s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 46s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 48s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 48s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 29s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 42s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 20m 35s{color} | {color:green} Patch does not cause any errors with Hadoop 2.6.5 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 42s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 21s{color} | {color:green} hbase-thrift in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 9s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 43m 20s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:eee3b01 | | JIRA Issue | HBASE-17513 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12907004/HBASE-17513.master.001.patch | | Optional Tests | asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux db8814d120ac 3.13.0-133-generic #182-Ubuntu SMP Tue Sep 19 15:49:21 UTC 2017 x86_64 GNU/Linux | | Build tool | maven | | Personality | /home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/component/dev-support/hbase-personality.sh | | git revision | master / 27d00f5861 | | maven | version: Apache Maven 3.5.2 (138edd61fd100ec658bfa2d307c43b76940a5d7d; 2017-10-18T07:58:13Z) | | Default Java | 1.8.0_151 | | Test Results | https://builds.apache.org/job/PreCommit-HBASE-Build/11145/testReport/ | | modules | C: hbase-thrift U: hbase-thrift | | Console output | https://builds.apache.org/job/PreCommit-HBASE-Build/11145/console | | Powered by | Apache Yetus 0.6.0 http://yetus.apache.org | This message was automatically generated. > Thrift Server 1 uses different QOP settings than RPC and Thrift Server 2 and > can easily be misconfigured so there is no encryption when the operator > expects it. > ---------------------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: HBASE-17513 > URL: https://issues.apache.org/jira/browse/HBASE-17513 > Project: HBase > Issue Type: Bug > Components: documentation, security, Thrift, Usability > Affects Versions: 2.0.0, 1.2.0, 1.3.0, 0.98.15, 1.0.3, 1.1.3 > Reporter: Sean Busbey > Assignee: Reid Chan > Priority: Critical > Fix For: 2.0.0, 1.3.2, 1.4.1, 1.2.8 > > Attachments: HBASE-17513.master.001.patch, > HBASE-17513.master.002.patch, HBASE-17513.master.003.patch > > > As of HBASE-14400 the setting {{hbase.thrift.security.qop}} was unified to > behave the same as the general HBase RPC protection. However, this only > happened for the Thrift2 server. The Thrift server found in the thrift > package (aka Thrift Server 1) still hard codes the old configs of 'auth', > 'auth-int', and 'auth-conf'. > Additionally, these Quality of Protection (qop) settings are used only by the > SASL transport. If a user configures the HBase Thrift Server to make use of > the HTTP transport (to enable doAs proxying e.g. for Hue) then a QOP setting > of 'privacy' or 'auth-conf' won't get them encryption as expected. > We should > 1) update {{hbase-thrift/src/main/.../thrift/ThriftServerRunner}} to rely on > {{SaslUtil}} to use the same 'authentication', 'integrity', 'privacy' configs > in a backward compatible way > 2) also have ThriftServerRunner warn when both {{hbase.thrift.security.qop}} > and {{hbase.regionserver.thrift.http}} are set, since the latter will cause > the former to be ignored. (users should be directed to > {{hbase.thrift.ssl.enabled}} and related configs to ensure their transport is > encrypted when using the HTTP transport.) -- This message was sent by Atlassian JIRA (v7.6.3#76005)