[ https://issues.apache.org/jira/browse/HBASE-21275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16643712#comment-16643712 ]

Wellington Chevreuil commented on HBASE-21275:
----------------------------------------------

Thanks [~apurtell], that's definitely a typo and wrong path. Checking further on this, I had observed that WebAppContext does need anything different than null as its ResourceBase, even if it does not really use it. If we don't call *setResourceBase*, it ends up facing a NPE during initialisation, which will cause both *testThriftServerHttpTraceDisabled* and *testRunThriftServer* to fail/error:

{noformat}
2018-10-09 17:13:35,423 ERROR [ThriftServer-httpServer] mortbay.log (Slf4jLog.java:warn(87)) - Failed startup of context org.mortbay.jetty.webapp.WebAppContext@19c0d445{/,null}
java.lang.NullPointerException
	at org.mortbay.resource.Resource.newResource(Resource.java:141)
	at org.mortbay.resource.Resource.newResource(Resource.java:121)
	at org.mortbay.jetty.webapp.WebAppContext.resolveWebApp(WebAppContext.java:924)
	at org.mortbay.jetty.webapp.WebAppContext.getWebInf(WebAppContext.java:832)
	at org.mortbay.jetty.webapp.WebInfConfiguration.configureClassLoader(WebInfConfiguration.java:62)
	at org.mortbay.jetty.webapp.WebAppContext.doStart(WebAppContext.java:489)
	at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
	at org.mortbay.jetty.handler.HandlerWrapper.doStart(HandlerWrapper.java:130)
	at org.mortbay.jetty.Server.doStart(Server.java:224)
	at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
	at org.apache.hadoop.hbase.thrift.ThriftServerRunner$1.run(ThriftServerRunner.java:374)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:360)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1594)
	at org.apache.hadoop.hbase.thrift.ThriftServerRunner.run(ThriftServerRunner.java:368)
	at org.apache.hadoop.hbase.thrift.ThriftServer.doMain(ThriftServer.java:106)
	at org.apache.hadoop.hbase.thrift.TestThriftHttpServer$1.run(TestThriftHttpServer.java:120)
	at java.lang.Thread.run(Thread.java:748)
{noformat}

Anyways, I don't think it really matters, as we are auto generating web.xml, but inspecting the jar structure, my guess is that correct path to be set would be *hbase-webapps/*:

{noformat}
   873 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/thrift/index.html
   680 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/thrift/WEB-INF/web.xml
  2997 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/hbase_logo.png
 97339 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/bootstrap.min.css
  1293 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/hbase.css
119892 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/bootstrap.css
 17044 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/bootstrap-theme.css
 15220 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/bootstrap-theme.min.css
  3206 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/hbase_logo_small.png
 58458 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/js/bootstrap.js
 93636 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/js/jquery.min.js
  1347 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/js/tab.js
 27726 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/js/bootstrap.min.js
  3592 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/hbase_logo_med.gif
 16448 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/fonts/glyphicons-halflings-regular.woff
 14079 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/fonts/glyphicons-halflings-regular.eot
 29512 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/fonts/glyphicons-halflings-regular.ttf
 63157 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/fonts/glyphicons-halflings-regular.svg
{noformat}

Am attaching another patch version, correcting this and the checkstyle issues. Please let me know on any thoughts/concerns.

> Thrift Server (branch 1 fix) -> Disable TRACE HTTP method for thrift http server (branch 1 only)
> ------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-21275
>                 URL: https://issues.apache.org/jira/browse/HBASE-21275
>             Project: HBase
>          Issue Type: Bug
>          Components: Thrift
>            Reporter: Wellington Chevreuil
>            Assignee: Wellington Chevreuil
>            Priority: Minor
>             Fix For: 1.4.8, 1.2.7
>
>         Attachments: HBASE-21275-branch-1.2.001.patch, HBASE-21275-branch-1.2.002.patch
>
>
> There's been a reasonable number of users running thrift http server on hbase 1.x suffering with security audit tests pointing thrift server allows TRACE requests.
>
> After doing some search, I can see HBASE-20406 added restrictions for TRACE/OPTIONS method when Thrift is running over http, but it relies on many other commits applied to thrift http server. This patch was later reverted from master. Then again later, HBASE-20004 had made TRACE/OPTIONS configurable via "*hbase.thrift.http.allow.options.method*" property, with both methods being disabled by default. This also seems to rely on many changes applied to thrift http server, and a branch 1 compatible patch does not seem feasible.
>
> A solution for branch 1 is pretty simple though, am proposing a patch that simply uses *WebAppContext*, instead of *Context*, as the context for the *HttpServer* instance. *WebAppContext* will already restrict TRACE methods by default.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
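
A check of the kind the security audits mentioned in the issue perform, as an added example that is not part of the original message or of the HBase patch: it sends TRACE and OPTIONS to an HTTP endpoint and reports whether each receives a 2xx answer. `SampleHandler` is a constructed loopback stand-in, not the Thrift server, and the 403 refusal status is an assumption made for the sample.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def audit_methods(host, port, methods=("TRACE", "OPTIONS")):
    """Return {method: (status, allowed)}; allowed means a 2xx answer."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, "/")
            status = conn.getresponse().status
        finally:
            conn.close()
        results[method] = (status, 200 <= status < 300)
    return results


class SampleHandler(BaseHTTPRequestHandler):
    """Constructed stand-in server; `allow` toggles the unrestricted behaviour."""
    allow = True

    def _answer(self):
        if not self.allow:
            return self.send_error(403)  # assumed refusal status for the sample
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)  # echo the request back, as TRACE does

    do_TRACE = do_OPTIONS = _answer

    def log_message(self, *args):  # keep the sample quiet
        pass


def run_sample(allow):
    """Audit a constructed loopback server and return the audit_methods() result."""
    handler = type("Handler", (SampleHandler,), {"allow": allow})
    with HTTPServer(("127.0.0.1", 0), handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return audit_methods("127.0.0.1", server.server_port)
        finally:
            server.shutdown()


if __name__ == "__main__":
    print("unrestricted:", run_sample(True), "restricted:", run_sample(False))
```

Against a real deployment, call `audit_methods` with the Thrift HTTP server's host and port; any method reported as allowed is what an audit would flag.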