[
https://issues.apache.org/jira/browse/HBASE-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16333765#comment-16333765
]
Josh Elser commented on HBASE-17513:
------------------------------------
Ya, known Yetus bug, [~reidchan]. There's a fix coming for that.
{code}
+ try {
+ thriftServer = new ThriftServer(conf);
+ } catch (Exception e) {
+ exception.expect(IOException.class);
+ exception.expectMessage("hbase.thrift.ssl.enabled is false");
+ }
{code}
Need to add a {{fail()}} after assigning {{thriftServer}}. Right now, if the
exception isn't thrown, the test would still succeed.
I can add that and commit it if you'd like, [~reidchan].
> Thrift Server 1 uses different QOP settings than RPC and Thrift Server 2 and
> can easily be misconfigured so there is no encryption when the operator
> expects it.
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: HBASE-17513
> URL: https://issues.apache.org/jira/browse/HBASE-17513
> Project: HBase
> Issue Type: Bug
> Components: documentation, security, Thrift, Usability
> Affects Versions: 2.0.0, 1.2.0, 1.3.0, 0.98.15, 1.0.3, 1.1.3
> Reporter: Sean Busbey
> Assignee: Reid Chan
> Priority: Critical
> Fix For: 2.0.0, 1.3.2, 1.4.1, 1.2.8
>
> Attachments: HBASE-17513.master.001.patch,
> HBASE-17513.master.002.patch, HBASE-17513.master.003.patch
>
>
> As of HBASE-14400 the setting {{hbase.thrift.security.qop}} was unified to
> behave the same as the general HBase RPC protection. However, this only
> happened for the Thrift2 server. The Thrift server found in the thrift
> package (aka Thrift Server 1) still hard codes the old configs of 'auth',
> 'auth-int', and 'auth-conf'.
> Additionally, these Quality of Protection (qop) settings are used only by the
> SASL transport. If a user configures the HBase Thrift Server to make use of
> the HTTP transport (to enable doAs proxying e.g. for Hue) then a QOP setting
> of 'privacy' or 'auth-conf' won't get them encryption as expected.
> We should
> 1) update {{hbase-thrift/src/main/.../thrift/ThriftServerRunner}} to rely on
> {{SaslUtil}} to use the same 'authentication', 'integrity', 'privacy' configs
> in a backward compatible way
> 2) also have ThriftServerRunner warn when both {{hbase.thrift.security.qop}}
> and {{hbase.regionserver.thrift.http}} are set, since the latter will cause
> the former to be ignored. (users should be directed to
> {{hbase.thrift.ssl.enabled}} and related configs to ensure their transport is
> encrypted when using the HTTP transport.)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
