[ https://issues.apache.org/jira/browse/HBASE-25987?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mate Szalay-Beko updated HBASE-25987:
-------------------------------------
    Description: 
We get the following exception when trying to start the HBase Thrift Server in 
http mode (hbase.regionserver.thrift.http=true) and use a non-default (not "jks") 
keystore type:

{noformat}
2021-06-08 07:40:10,275 ERROR org.apache.hadoop.hbase.thrift.ThriftServer: Cannot run ThriftServer
java.io.IOException: Invalid keystore format
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:663)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:54)
        at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1197)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:321)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:243)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
        at org.eclipse.jetty.server.Server.doStart(Server.java:401)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
        at org.apache.hadoop.hbase.thrift.ThriftServer$2.run(ThriftServer.java:861)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:360)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1878)
        at org.apache.hadoop.hbase.thrift.ThriftServer.run(ThriftServer.java:855)
        at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
        at org.apache.hadoop.hbase.thrift.ThriftServer.main(ThriftServer.java:882)
{noformat}

This problem appeared after we applied HBASE-25930 to our local HBase version. 
It looks like we never had a parameter to specify the keystore type for the 
thrift http server. Before HBASE-25930, the keystore type used by the thrift 
http server was accidentally defined based on the InfoServer (web ui) 
configuration of "ssl.server.keystore.type". Before HBASE-25930, the InfoServer 
was started first and it set the keystore type in the global keystore manager, 
and this setting propagated to the thrift http server too, without any 
override. In HBASE-25930 the startup order changed, and the thrift http server 
configuration now happens before the InfoServer start, so we lack this 
accidental configuration change now.

Given that we already have independent keystore file path / password parameters 
for the thrift http server, the proper solution is to create a new parameter 
also for the keystore type of the thrift http server: 
*hbase.thrift.ssl.keystore.type* (defaulting to "jks").
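As an added diagnostic example (not HBase or Jetty code, and not part of the original issue), the script below reads the leading bytes of a keystore file to tell which format it really is and compares that with the configured type; this is the kind of pre-flight check that would have flagged the mismatch behind the "Invalid keystore format" error above before the Thrift server was started. The magic numbers are those of the JDK keystore implementations; the sample headers are constructed, not real keystores.

```python
import struct

# Magic numbers a JVM uses to recognise keystore files from their first bytes.
JKS_MAGIC = 0xFEEDFEED    # sun.security.provider.JavaKeyStore ("jks")
JCEKS_MAGIC = 0xCECECECE  # com.sun.crypto.provider.JceKeyStore ("jceks")
DER_SEQUENCE = 0x30       # PKCS#12 is DER encoded; the outermost tag is SEQUENCE


def sniff_keystore_type(data: bytes) -> str:
    """Guess the on-disk format of a keystore: 'jks', 'jceks', 'pkcs12' or 'unknown'."""
    if len(data) < 4:
        return "unknown"
    magic = struct.unpack(">I", data[:4])[0]  # Java writes the magic big-endian
    if magic == JKS_MAGIC:
        return "jks"
    if magic == JCEKS_MAGIC:
        return "jceks"
    if data[0] == DER_SEQUENCE:
        return "pkcs12"
    return "unknown"


def check_keystore_config(data: bytes, configured_type: str) -> tuple:
    """Compare the configured keystore type (what one would set in
    hbase.thrift.ssl.keystore.type) with the format found in the file.
    Returns (ok, message); ok is False on a mismatch or an unrecognised header."""
    actual = sniff_keystore_type(data)
    wanted = configured_type.strip().lower()
    if actual == "unknown":
        return False, "keystore header not recognised as jks/jceks/pkcs12"
    if actual != wanted:
        return False, f"configured type '{wanted}' but file looks like '{actual}'"
    return True, f"keystore type '{actual}' matches configuration"


# Constructed sample headers (not real keystores): magic, version, entry count
# for the two Java formats; a DER SEQUENCE header for PKCS#12.
SAMPLES = {
    "jks": bytes.fromhex("feedfeed 00000002 00000000"),
    "jceks": bytes.fromhex("cececece 00000002 00000000"),
    "pkcs12": bytes.fromhex("30820a1c 02010330 820a0206"),
}

if __name__ == "__main__":
    # The issue's situation: every file is checked against a configured type of "jks".
    for name, blob in SAMPLES.items():
        print(name, check_keystore_config(blob, "jks"))
```

To use it on a real deployment, read the file named by the thrift keystore path setting and pass the configured type string; a False result means the server would not be able to load the store with that type.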

  was:
We get the following exception when trying to start the HBase Thrift Server in 
http mode (hbase.regionserver.thrift.http=true) and use a non-default (not "jks") 
keystore type:

{noformat}
2021-06-08 07:40:10,275 ERROR org.apache.hadoop.hbase.thrift.ThriftServer: Cannot run ThriftServer
java.io.IOException: Invalid keystore format
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:663)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:54)
        at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1197)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:321)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:243)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
        at org.eclipse.jetty.server.Server.doStart(Server.java:401)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
        at org.apache.hadoop.hbase.thrift.ThriftServer$2.run(ThriftServer.java:861)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:360)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1878)
        at org.apache.hadoop.hbase.thrift.ThriftServer.run(ThriftServer.java:855)
        at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
        at org.apache.hadoop.hbase.thrift.ThriftServer.main(ThriftServer.java:882)
{noformat}

This problem appeared after we applied HBASE-25930 to our local HBase version. 
It looks like we never had a parameter to specify the keystore type for the 
thrift http server. Before HBASE-25930, the keystore type used by the thrift 
http server was accidentally defined based on the InfoServer (web ui) 
configuration of "ssl.server.keystore.type". Before HBASE-25930, the InfoServer 
was started first and it set the keystore type in the global keystore manager, 
and this setting propagated to the thrift http server too, without any 
override. In HBASE-25930 the startup order changed, and the thrift http server 
configuration now happens before the InfoServer start, so we lack this 
accidental configuration change now.

The proper solution is to create a new parameter to set up the keystore type for 
the thrift http server: hbase.thrift.ssl.keystore.type (defaulting to "jks").


> Make SSL keystore type configurable for HBase ThriftServer
> ----------------------------------------------------------
>
>                 Key: HBASE-25987
>                 URL: https://issues.apache.org/jira/browse/HBASE-25987
>             Project: HBase
>          Issue Type: Improvement
>          Components: Thrift
>    Affects Versions: 2.4.4
>            Reporter: Mate Szalay-Beko
>            Assignee: Mate Szalay-Beko
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
