[ https://issues.apache.org/jira/browse/HBASE-17513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16334054#comment-16334054 ]
Hadoop QA commented on HBASE-17513: ----------------------------------- | (/) *{color:green}+1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 2m 27s{color} | {color:blue} Docker mode activated. {color} | || || || || {color:brown} Prechecks {color} || | {color:blue}0{color} | {color:blue} findbugs {color} | {color:blue} 0m 0s{color} | {color:blue} Findbugs executables are not available. {color} | | {color:green}+1{color} | {color:green} hbaseanti {color} | {color:green} 0m 0s{color} | {color:green} Patch does not have any anti-patterns. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s{color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s{color} | {color:green} The patch appears to include 1 new or modified test files. {color} | || || || || {color:brown} master Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 10s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 39s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 23s{color} | {color:green} master passed {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 4m 26s{color} | {color:green} branch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 33s{color} | {color:green} master passed {color} | || || || || {color:brown} Patch Compile Tests {color} || | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 4m 9s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 0m 39s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 0m 39s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 24s{color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s{color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} shadedjars {color} | {color:green} 3m 59s{color} | {color:green} patch has no errors when building our shaded downstream artifacts. {color} | | {color:green}+1{color} | {color:green} hadoopcheck {color} | {color:green} 17m 58s{color} | {color:green} Patch does not cause any errors with Hadoop 2.6.5 2.7.4 or 3.0.0. {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 0m 35s{color} | {color:green} the patch passed {color} | || || || || {color:brown} Other Tests {color} || | {color:green}+1{color} | {color:green} unit {color} | {color:green} 2m 13s{color} | {color:green} hbase-thrift in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 7s{color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 38m 33s{color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Client=17.05.0-ce Server=17.05.0-ce Image:yetus/hbase:eee3b01 | | JIRA Issue | HBASE-17513 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12907067/HBASE-17513.master.001.patch | | Optional Tests | asflicense javac javadoc unit findbugs shadedjars hadoopcheck hbaseanti checkstyle compile | | uname | Linux 958bc21d1d34 4.4.0-43-generic #63-Ubuntu SMP Wed Oct 12 13:48:03 UTC 2016 x86_64 GNU/Linux | | Build tool | maven | | Personality | /home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/component/dev-support/hbase-personality.sh | | git revision | master / f3c563fc00 | | maven | version: Apache Maven 3.5.2 (138edd61fd100ec658bfa2d307c43b76940a5d7d; 2017-10-18T07:58:13Z) | | Default Java | 1.8.0_151 | | Test Results | https://builds.apache.org/job/PreCommit-HBASE-Build/11151/testReport/ | | modules | C: hbase-thrift U: hbase-thrift | | Console output | https://builds.apache.org/job/PreCommit-HBASE-Build/11151/console | | Powered by | Apache Yetus 0.6.0 http://yetus.apache.org | This message was automatically generated. > Thrift Server 1 uses different QOP settings than RPC and Thrift Server 2 and > can easily be misconfigured so there is no encryption when the operator > expects it. > ---------------------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: HBASE-17513 > URL: https://issues.apache.org/jira/browse/HBASE-17513 > Project: HBase > Issue Type: Bug > Components: documentation, security, Thrift, Usability > Affects Versions: 2.0.0, 1.2.0, 1.3.0, 0.98.15, 1.0.3, 1.1.3 > Reporter: Sean Busbey > Assignee: Reid Chan > Priority: Critical > Fix For: 2.0.0, 1.3.2, 1.4.1, 1.2.8 > > Attachments: HBASE-17513.master.001.patch, > HBASE-17513.master.002.patch, HBASE-17513.master.003.patch > > > As of HBASE-14400 the setting {{hbase.thrift.security.qop}} was unified to > behave the same as the general HBase RPC protection. However, this only > happened for the Thrift2 server. The Thrift server found in the thrift > package (aka Thrift Server 1) still hard codes the old configs of 'auth', > 'auth-int', and 'auth-conf'. > Additionally, these Quality of Protection (qop) settings are used only by the > SASL transport. If a user configures the HBase Thrift Server to make use of > the HTTP transport (to enable doAs proxying e.g. for Hue) then a QOP setting > of 'privacy' or 'auth-conf' won't get them encryption as expected. > We should > 1) update {{hbase-thrift/src/main/.../thrift/ThriftServerRunner}} to rely on > {{SaslUtil}} to use the same 'authentication', 'integrity', 'privacy' configs > in a backward compatible way > 2) also have ThriftServerRunner warn when both {{hbase.thrift.security.qop}} > and {{hbase.regionserver.thrift.http}} are set, since the latter will cause > the former to be ignored. (users should be directed to > {{hbase.thrift.ssl.enabled}} and related configs to ensure their transport is > encrypted when using the HTTP transport.) -- This message was sent by Atlassian JIRA (v7.6.3#76005)