(hbase) branch branch-2.6 updated: HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690)
This is an automated email from the ASF dual-hosted git repository. zhangduo pushed a commit to branch branch-2.6 in repository https://gitbox.apache.org/repos/asf/hbase.git The following commit(s) were added to refs/heads/branch-2.6 by this push: new ea1c057e0b1 HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690) ea1c057e0b1 is described below commit ea1c057e0b170ed846a2985cd0bcc6ec56924f59 Author: Duo Zhang AuthorDate: Mon Feb 19 21:36:18 2024 +0800 HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690) Signed-off-by: Bryan Beaudreault (cherry picked from commit 7bc07a6563e631a1ae1ec464c619ca0e921d8945) --- .../hadoop/hbase/ipc/BlockingRpcConnection.java| 1 + .../hadoop/hbase/security/HBaseSaslRpcClient.java | 8 +- .../hbase/security/AbstractTestSecureIPC.java | 102 + 3 files changed, 90 insertions(+), 21 deletions(-) diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java index 7f0b2a52f6a..e38246b5a69 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java @@ -546,6 +546,7 @@ class BlockingRpcConnection extends RpcConnection implements Runnable { // fall back to simple auth because server told us so. // do not change authMethod and useSasl here, we should start from secure when // reconnecting because regionserver may change its sasl config after restart. +saslRpcClient = null; } } createStreams(inStream, outStream); diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java index 0394bb0f2a3..ace1c38ab22 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java @@ -32,6 +32,7 @@ import javax.security.sasl.Sasl; import javax.security.sasl.SaslException; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.io.crypto.aes.CryptoAES; +import org.apache.hadoop.hbase.ipc.FallbackDisallowedException; import org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProvider; import org.apache.hadoop.io.WritableUtils; import org.apache.hadoop.ipc.RemoteException; @@ -107,12 +108,9 @@ public class HBaseSaslRpcClient extends AbstractHBaseSaslRpcClient { int len = inStream.readInt(); if (len == SaslUtil.SWITCH_TO_SIMPLE_AUTH) { if (!fallbackAllowed) { -throw new IOException("Server asks us to fall back to SIMPLE auth, " - + "but this client is configured to only allow secure connections."); - } - if (LOG.isDebugEnabled()) { -LOG.debug("Server asks us to fall back to simple auth."); +throw new FallbackDisallowedException(); } + LOG.debug("Server asks us to fall back to simple auth."); dispose(); return false; } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestSecureIPC.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestSecureIPC.java index afd0122af73..15a26185f0c 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestSecureIPC.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestSecureIPC.java @@ -24,17 +24,22 @@ import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.getPrincipalFo import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.loginKerberosPrincipal; import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.setSecuredConfiguration; import static org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProviders.SELECTOR_KEY; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.either; +import static org.hamcrest.Matchers.instanceOf; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotSame; import static org.junit.Assert.assertSame; import static org.junit.Assert.assertThrows; import static org.junit.Assert.fail; +import java.io.EOFException; import java.io.File; import java.io.IOException; import java.lang.reflect.Field; import java.net.InetAddress; import java.net.InetSocketAddress; +import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.Collections; import java.util.Map; @@ -44,12 +49,13 @@ import org.apache.commons.lang3.RandomStringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.HBaseTestingUtilit
(hbase) branch branch-2 updated: HBASE-28370 Default user quotas are refreshing too frequently (#5686)
This is an automated email from the ASF dual-hosted git repository. bbeaudreault pushed a commit to branch branch-2 in repository https://gitbox.apache.org/repos/asf/hbase.git The following commit(s) were added to refs/heads/branch-2 by this push: new 52c65418d0f HBASE-28370 Default user quotas are refreshing too frequently (#5686) 52c65418d0f is described below commit 52c65418d0f8ccbd297aa382da22ee6e9e62e059 Author: Ray Mattingly AuthorDate: Mon Feb 19 15:32:00 2024 -0500 HBASE-28370 Default user quotas are refreshing too frequently (#5686) Signed-off-by: Bryan Beaudreault --- .../org/apache/hadoop/hbase/quotas/QuotaCache.java | 12 ++- .../org/apache/hadoop/hbase/quotas/QuotaUtil.java | 6 +- .../apache/hadoop/hbase/quotas/TestQuotaCache.java | 89 ++ .../hadoop/hbase/quotas/ThrottleQuotaTestUtil.java | 12 +++ 4 files changed, 115 insertions(+), 4 deletions(-) diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaCache.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaCache.java index 67b2aecc544..9b3498ff894 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaCache.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaCache.java @@ -71,6 +71,8 @@ public class QuotaCache implements Stoppable { // for testing purpose only, enforce the cache to be always refreshed static boolean TEST_FORCE_REFRESH = false; + // for testing purpose only, block cache refreshes to reliably verify state + static boolean TEST_BLOCK_REFRESH = false; private final ConcurrentMap namespaceQuotaCache = new ConcurrentHashMap<>(); private final ConcurrentMap tableQuotaCache = new ConcurrentHashMap<>(); @@ -138,7 +140,7 @@ public class QuotaCache implements Stoppable { */ public UserQuotaState getUserQuotaState(final UserGroupInformation ugi) { return computeIfAbsent(userQuotaCache, getQuotaUserName(ugi), - () -> QuotaUtil.buildDefaultUserQuotaState(rsServices.getConfiguration()), + () -> QuotaUtil.buildDefaultUserQuotaState(rsServices.getConfiguration(), 0L), this::triggerCacheRefresh); } @@ -239,6 +241,14 @@ public class QuotaCache implements Stoppable { @edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "GC_UNRELATED_TYPES", justification = "I do not understand why the complaints, it looks good to me -- FIX") protected void chore() { + while (TEST_BLOCK_REFRESH) { +LOG.info("TEST_BLOCK_REFRESH=true, so blocking QuotaCache refresh until it is false"); +try { + Thread.sleep(10); +} catch (InterruptedException e) { + throw new RuntimeException(e); +} + } // Prefetch online tables/namespaces for (TableName table : ((HRegionServer) QuotaCache.this.rsServices).getOnlineTables()) { if (table.isSystemTable()) { diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaUtil.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaUtil.java index 831c0297785..8ced76e3963 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaUtil.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaUtil.java @@ -333,7 +333,7 @@ public class QuotaUtil extends QuotaTableUtil { String user = getUserFromRowKey(key); if (results[i].isEmpty()) { -userQuotas.put(user, buildDefaultUserQuotaState(connection.getConfiguration())); +userQuotas.put(user, buildDefaultUserQuotaState(connection.getConfiguration(), nowTs)); continue; } @@ -373,7 +373,7 @@ public class QuotaUtil extends QuotaTableUtil { return userQuotas; } - protected static UserQuotaState buildDefaultUserQuotaState(Configuration conf) { + protected static UserQuotaState buildDefaultUserQuotaState(Configuration conf, long nowTs) { QuotaProtos.Throttle.Builder throttleBuilder = QuotaProtos.Throttle.newBuilder(); buildDefaultTimedQuota(conf, QUOTA_DEFAULT_USER_MACHINE_READ_NUM) @@ -389,7 +389,7 @@ public class QuotaUtil extends QuotaTableUtil { buildDefaultTimedQuota(conf, QUOTA_DEFAULT_USER_MACHINE_WRITE_SIZE) .ifPresent(throttleBuilder::setWriteSize); -UserQuotaState state = new UserQuotaState(); +UserQuotaState state = new UserQuotaState(nowTs); QuotaProtos.Quotas defaultQuotas = QuotaProtos.Quotas.newBuilder().setThrottle(throttleBuilder.build()).build(); state.setQuotas(defaultQuotas); diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/quotas/TestQuotaCache.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/quotas/TestQuotaCache.java new file mode 100644 index 000..1c431858291 --- /dev/null +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/quotas/TestQuotaCache.java @@ -0,0 +1,89 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor lice
(hbase) branch branch-3 updated: HBASE-28370 Default user quotas are refreshing too frequently (#5686)
This is an automated email from the ASF dual-hosted git repository. bbeaudreault pushed a commit to branch branch-3 in repository https://gitbox.apache.org/repos/asf/hbase.git The following commit(s) were added to refs/heads/branch-3 by this push: new 94651e3bd99 HBASE-28370 Default user quotas are refreshing too frequently (#5686) 94651e3bd99 is described below commit 94651e3bd997182a7a529ab13ab82959a2af7092 Author: Ray Mattingly AuthorDate: Mon Feb 19 15:32:00 2024 -0500 HBASE-28370 Default user quotas are refreshing too frequently (#5686) Signed-off-by: Bryan Beaudreault --- .../org/apache/hadoop/hbase/quotas/QuotaCache.java | 12 ++- .../org/apache/hadoop/hbase/quotas/QuotaUtil.java | 6 +- .../apache/hadoop/hbase/quotas/TestQuotaCache.java | 89 ++ .../hadoop/hbase/quotas/ThrottleQuotaTestUtil.java | 12 +++ 4 files changed, 115 insertions(+), 4 deletions(-) diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaCache.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaCache.java index 67b2aecc544..9b3498ff894 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaCache.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaCache.java @@ -71,6 +71,8 @@ public class QuotaCache implements Stoppable { // for testing purpose only, enforce the cache to be always refreshed static boolean TEST_FORCE_REFRESH = false; + // for testing purpose only, block cache refreshes to reliably verify state + static boolean TEST_BLOCK_REFRESH = false; private final ConcurrentMap namespaceQuotaCache = new ConcurrentHashMap<>(); private final ConcurrentMap tableQuotaCache = new ConcurrentHashMap<>(); @@ -138,7 +140,7 @@ public class QuotaCache implements Stoppable { */ public UserQuotaState getUserQuotaState(final UserGroupInformation ugi) { return computeIfAbsent(userQuotaCache, getQuotaUserName(ugi), - () -> QuotaUtil.buildDefaultUserQuotaState(rsServices.getConfiguration()), + () -> QuotaUtil.buildDefaultUserQuotaState(rsServices.getConfiguration(), 0L), this::triggerCacheRefresh); } @@ -239,6 +241,14 @@ public class QuotaCache implements Stoppable { @edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "GC_UNRELATED_TYPES", justification = "I do not understand why the complaints, it looks good to me -- FIX") protected void chore() { + while (TEST_BLOCK_REFRESH) { +LOG.info("TEST_BLOCK_REFRESH=true, so blocking QuotaCache refresh until it is false"); +try { + Thread.sleep(10); +} catch (InterruptedException e) { + throw new RuntimeException(e); +} + } // Prefetch online tables/namespaces for (TableName table : ((HRegionServer) QuotaCache.this.rsServices).getOnlineTables()) { if (table.isSystemTable()) { diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaUtil.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaUtil.java index 44357c88d2d..0da1aa66165 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaUtil.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaUtil.java @@ -334,7 +334,7 @@ public class QuotaUtil extends QuotaTableUtil { String user = getUserFromRowKey(key); if (results[i].isEmpty()) { -userQuotas.put(user, buildDefaultUserQuotaState(connection.getConfiguration())); +userQuotas.put(user, buildDefaultUserQuotaState(connection.getConfiguration(), nowTs)); continue; } @@ -374,7 +374,7 @@ public class QuotaUtil extends QuotaTableUtil { return userQuotas; } - protected static UserQuotaState buildDefaultUserQuotaState(Configuration conf) { + protected static UserQuotaState buildDefaultUserQuotaState(Configuration conf, long nowTs) { QuotaProtos.Throttle.Builder throttleBuilder = QuotaProtos.Throttle.newBuilder(); buildDefaultTimedQuota(conf, QUOTA_DEFAULT_USER_MACHINE_READ_NUM) @@ -390,7 +390,7 @@ public class QuotaUtil extends QuotaTableUtil { buildDefaultTimedQuota(conf, QUOTA_DEFAULT_USER_MACHINE_WRITE_SIZE) .ifPresent(throttleBuilder::setWriteSize); -UserQuotaState state = new UserQuotaState(); +UserQuotaState state = new UserQuotaState(nowTs); QuotaProtos.Quotas defaultQuotas = QuotaProtos.Quotas.newBuilder().setThrottle(throttleBuilder.build()).build(); state.setQuotas(defaultQuotas); diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/quotas/TestQuotaCache.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/quotas/TestQuotaCache.java new file mode 100644 index 000..89c77f43b35 --- /dev/null +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/quotas/TestQuotaCache.java @@ -0,0 +1,89 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor lice
(hbase) branch master updated: HBASE-28370 Default user quotas are refreshing too frequently (#5686)
This is an automated email from the ASF dual-hosted git repository. bbeaudreault pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/hbase.git The following commit(s) were added to refs/heads/master by this push: new 7be588e0d46 HBASE-28370 Default user quotas are refreshing too frequently (#5686) 7be588e0d46 is described below commit 7be588e0d46f3ae82d526d9625b926fc8b45bc2d Author: Ray Mattingly AuthorDate: Mon Feb 19 15:32:00 2024 -0500 HBASE-28370 Default user quotas are refreshing too frequently (#5686) Signed-off-by: Bryan Beaudreault --- .../org/apache/hadoop/hbase/quotas/QuotaCache.java | 12 ++- .../org/apache/hadoop/hbase/quotas/QuotaUtil.java | 6 +- .../apache/hadoop/hbase/quotas/TestQuotaCache.java | 89 ++ .../hadoop/hbase/quotas/ThrottleQuotaTestUtil.java | 12 +++ 4 files changed, 115 insertions(+), 4 deletions(-) diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaCache.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaCache.java index 67b2aecc544..9b3498ff894 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaCache.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaCache.java @@ -71,6 +71,8 @@ public class QuotaCache implements Stoppable { // for testing purpose only, enforce the cache to be always refreshed static boolean TEST_FORCE_REFRESH = false; + // for testing purpose only, block cache refreshes to reliably verify state + static boolean TEST_BLOCK_REFRESH = false; private final ConcurrentMap namespaceQuotaCache = new ConcurrentHashMap<>(); private final ConcurrentMap tableQuotaCache = new ConcurrentHashMap<>(); @@ -138,7 +140,7 @@ public class QuotaCache implements Stoppable { */ public UserQuotaState getUserQuotaState(final UserGroupInformation ugi) { return computeIfAbsent(userQuotaCache, getQuotaUserName(ugi), - () -> QuotaUtil.buildDefaultUserQuotaState(rsServices.getConfiguration()), + () -> QuotaUtil.buildDefaultUserQuotaState(rsServices.getConfiguration(), 0L), this::triggerCacheRefresh); } @@ -239,6 +241,14 @@ public class QuotaCache implements Stoppable { @edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "GC_UNRELATED_TYPES", justification = "I do not understand why the complaints, it looks good to me -- FIX") protected void chore() { + while (TEST_BLOCK_REFRESH) { +LOG.info("TEST_BLOCK_REFRESH=true, so blocking QuotaCache refresh until it is false"); +try { + Thread.sleep(10); +} catch (InterruptedException e) { + throw new RuntimeException(e); +} + } // Prefetch online tables/namespaces for (TableName table : ((HRegionServer) QuotaCache.this.rsServices).getOnlineTables()) { if (table.isSystemTable()) { diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaUtil.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaUtil.java index 44357c88d2d..0da1aa66165 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaUtil.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/quotas/QuotaUtil.java @@ -334,7 +334,7 @@ public class QuotaUtil extends QuotaTableUtil { String user = getUserFromRowKey(key); if (results[i].isEmpty()) { -userQuotas.put(user, buildDefaultUserQuotaState(connection.getConfiguration())); +userQuotas.put(user, buildDefaultUserQuotaState(connection.getConfiguration(), nowTs)); continue; } @@ -374,7 +374,7 @@ public class QuotaUtil extends QuotaTableUtil { return userQuotas; } - protected static UserQuotaState buildDefaultUserQuotaState(Configuration conf) { + protected static UserQuotaState buildDefaultUserQuotaState(Configuration conf, long nowTs) { QuotaProtos.Throttle.Builder throttleBuilder = QuotaProtos.Throttle.newBuilder(); buildDefaultTimedQuota(conf, QUOTA_DEFAULT_USER_MACHINE_READ_NUM) @@ -390,7 +390,7 @@ public class QuotaUtil extends QuotaTableUtil { buildDefaultTimedQuota(conf, QUOTA_DEFAULT_USER_MACHINE_WRITE_SIZE) .ifPresent(throttleBuilder::setWriteSize); -UserQuotaState state = new UserQuotaState(); +UserQuotaState state = new UserQuotaState(nowTs); QuotaProtos.Quotas defaultQuotas = QuotaProtos.Quotas.newBuilder().setThrottle(throttleBuilder.build()).build(); state.setQuotas(defaultQuotas); diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/quotas/TestQuotaCache.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/quotas/TestQuotaCache.java new file mode 100644 index 000..89c77f43b35 --- /dev/null +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/quotas/TestQuotaCache.java @@ -0,0 +1,89 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license
(hbase) branch branch-3 updated: HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690)
This is an automated email from the ASF dual-hosted git repository. zhangduo pushed a commit to branch branch-3 in repository https://gitbox.apache.org/repos/asf/hbase.git The following commit(s) were added to refs/heads/branch-3 by this push: new 6377e4c63dc HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690) 6377e4c63dc is described below commit 6377e4c63dc6d8d202b68b2fa7a0ccb8f3d26e49 Author: Duo Zhang AuthorDate: Mon Feb 19 21:36:18 2024 +0800 HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690) Signed-off-by: Bryan Beaudreault (cherry picked from commit 7bc07a6563e631a1ae1ec464c619ca0e921d8945) --- .../hadoop/hbase/ipc/BlockingRpcConnection.java| 1 + .../hadoop/hbase/security/HBaseSaslRpcClient.java | 8 +- .../hbase/security/AbstractTestSecureIPC.java | 102 + 3 files changed, 90 insertions(+), 21 deletions(-) diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java index 0478000a237..3f1418aa984 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java @@ -499,6 +499,7 @@ class BlockingRpcConnection extends RpcConnection implements Runnable { // fall back to simple auth because server told us so. // do not change authMethod and useSasl here, we should start from secure when // reconnecting because regionserver may change its sasl config after restart. +saslRpcClient = null; } } createStreams(inStream, outStream); diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java index 0394bb0f2a3..ace1c38ab22 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java @@ -32,6 +32,7 @@ import javax.security.sasl.Sasl; import javax.security.sasl.SaslException; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.io.crypto.aes.CryptoAES; +import org.apache.hadoop.hbase.ipc.FallbackDisallowedException; import org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProvider; import org.apache.hadoop.io.WritableUtils; import org.apache.hadoop.ipc.RemoteException; @@ -107,12 +108,9 @@ public class HBaseSaslRpcClient extends AbstractHBaseSaslRpcClient { int len = inStream.readInt(); if (len == SaslUtil.SWITCH_TO_SIMPLE_AUTH) { if (!fallbackAllowed) { -throw new IOException("Server asks us to fall back to SIMPLE auth, " - + "but this client is configured to only allow secure connections."); - } - if (LOG.isDebugEnabled()) { -LOG.debug("Server asks us to fall back to simple auth."); +throw new FallbackDisallowedException(); } + LOG.debug("Server asks us to fall back to simple auth."); dispose(); return false; } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestSecureIPC.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestSecureIPC.java index 26405f4446b..998896c9468 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestSecureIPC.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestSecureIPC.java @@ -24,17 +24,22 @@ import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.getPrincipalFo import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.loginKerberosPrincipal; import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.setSecuredConfiguration; import static org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProviders.SELECTOR_KEY; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.either; +import static org.hamcrest.Matchers.instanceOf; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotSame; import static org.junit.Assert.assertSame; import static org.junit.Assert.assertThrows; import static org.junit.Assert.fail; +import java.io.EOFException; import java.io.File; import java.io.IOException; import java.lang.reflect.Field; import java.net.InetAddress; import java.net.InetSocketAddress; +import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.Collections; import java.util.Map; @@ -44,12 +49,13 @@ import org.apache.commons.lang3.RandomStringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.HBaseTestingUtil; imp
(hbase) branch branch-2 updated: HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690)
This is an automated email from the ASF dual-hosted git repository. zhangduo pushed a commit to branch branch-2 in repository https://gitbox.apache.org/repos/asf/hbase.git The following commit(s) were added to refs/heads/branch-2 by this push: new adf8d9b7e16 HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690) adf8d9b7e16 is described below commit adf8d9b7e16cabc351e3a81f5e2be10c04cb4bc2 Author: Duo Zhang AuthorDate: Mon Feb 19 21:36:18 2024 +0800 HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690) Signed-off-by: Bryan Beaudreault (cherry picked from commit 7bc07a6563e631a1ae1ec464c619ca0e921d8945) --- .../hadoop/hbase/ipc/BlockingRpcConnection.java| 1 + .../hadoop/hbase/security/HBaseSaslRpcClient.java | 8 +- .../hbase/security/AbstractTestSecureIPC.java | 102 + 3 files changed, 90 insertions(+), 21 deletions(-) diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java index 7f0b2a52f6a..e38246b5a69 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java @@ -546,6 +546,7 @@ class BlockingRpcConnection extends RpcConnection implements Runnable { // fall back to simple auth because server told us so. // do not change authMethod and useSasl here, we should start from secure when // reconnecting because regionserver may change its sasl config after restart. +saslRpcClient = null; } } createStreams(inStream, outStream); diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java index 0394bb0f2a3..ace1c38ab22 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java @@ -32,6 +32,7 @@ import javax.security.sasl.Sasl; import javax.security.sasl.SaslException; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.io.crypto.aes.CryptoAES; +import org.apache.hadoop.hbase.ipc.FallbackDisallowedException; import org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProvider; import org.apache.hadoop.io.WritableUtils; import org.apache.hadoop.ipc.RemoteException; @@ -107,12 +108,9 @@ public class HBaseSaslRpcClient extends AbstractHBaseSaslRpcClient { int len = inStream.readInt(); if (len == SaslUtil.SWITCH_TO_SIMPLE_AUTH) { if (!fallbackAllowed) { -throw new IOException("Server asks us to fall back to SIMPLE auth, " - + "but this client is configured to only allow secure connections."); - } - if (LOG.isDebugEnabled()) { -LOG.debug("Server asks us to fall back to simple auth."); +throw new FallbackDisallowedException(); } + LOG.debug("Server asks us to fall back to simple auth."); dispose(); return false; } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestSecureIPC.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestSecureIPC.java index afd0122af73..15a26185f0c 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestSecureIPC.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/AbstractTestSecureIPC.java @@ -24,17 +24,22 @@ import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.getPrincipalFo import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.loginKerberosPrincipal; import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.setSecuredConfiguration; import static org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProviders.SELECTOR_KEY; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.either; +import static org.hamcrest.Matchers.instanceOf; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotSame; import static org.junit.Assert.assertSame; import static org.junit.Assert.assertThrows; import static org.junit.Assert.fail; +import java.io.EOFException; import java.io.File; import java.io.IOException; import java.lang.reflect.Field; import java.net.InetAddress; import java.net.InetSocketAddress; +import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.Collections; import java.util.Map; @@ -44,12 +49,13 @@ import org.apache.commons.lang3.RandomStringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.HBaseTestingUtility;
(hbase) branch branch-2.5 updated: HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690)
This is an automated email from the ASF dual-hosted git repository. zhangduo pushed a commit to branch branch-2.5 in repository https://gitbox.apache.org/repos/asf/hbase.git The following commit(s) were added to refs/heads/branch-2.5 by this push: new 49d015c6702 HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690) 49d015c6702 is described below commit 49d015c67028a63485f1fc3bce80a39957a27011 Author: Duo Zhang AuthorDate: Mon Feb 19 21:36:18 2024 +0800 HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690) Signed-off-by: Bryan Beaudreault (cherry picked from commit 7bc07a6563e631a1ae1ec464c619ca0e921d8945) --- .../hadoop/hbase/ipc/BlockingRpcConnection.java| 1 + .../hadoop/hbase/security/HBaseSaslRpcClient.java | 8 +- .../apache/hadoop/hbase/zookeeper/ZKConfig.java| 1 - .../hadoop/hbase/security/TestSecureIPC.java | 101 + 4 files changed, 89 insertions(+), 22 deletions(-) diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java index 87af79f4c8c..ce5bf0d01f6 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java @@ -539,6 +539,7 @@ class BlockingRpcConnection extends RpcConnection implements Runnable { // fall back to simple auth because server told us so. // do not change authMethod and useSasl here, we should start from secure when // reconnecting because regionserver may change its sasl config after restart. +saslRpcClient = null; } } this.in = new DataInputStream(new BufferedInputStream(inStream)); diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java index 0394bb0f2a3..ace1c38ab22 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java @@ -32,6 +32,7 @@ import javax.security.sasl.Sasl; import javax.security.sasl.SaslException; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.io.crypto.aes.CryptoAES; +import org.apache.hadoop.hbase.ipc.FallbackDisallowedException; import org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProvider; import org.apache.hadoop.io.WritableUtils; import org.apache.hadoop.ipc.RemoteException; @@ -107,12 +108,9 @@ public class HBaseSaslRpcClient extends AbstractHBaseSaslRpcClient { int len = inStream.readInt(); if (len == SaslUtil.SWITCH_TO_SIMPLE_AUTH) { if (!fallbackAllowed) { -throw new IOException("Server asks us to fall back to SIMPLE auth, " - + "but this client is configured to only allow secure connections."); - } - if (LOG.isDebugEnabled()) { -LOG.debug("Server asks us to fall back to simple auth."); +throw new FallbackDisallowedException(); } + LOG.debug("Server asks us to fall back to simple auth."); dispose(); return false; } diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKConfig.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKConfig.java index d70fa0178a5..5c24418214b 100644 --- a/hbase-common/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKConfig.java +++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKConfig.java @@ -21,7 +21,6 @@ import java.io.IOException; import java.util.List; import java.util.Map.Entry; import java.util.Properties; -import java.util.Set; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.HConstants; import org.apache.hadoop.util.StringUtils; diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSecureIPC.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSecureIPC.java index 67d9803bf29..22f44edc70b 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSecureIPC.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSecureIPC.java @@ -23,17 +23,22 @@ import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.getKeytabFileF import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.getPrincipalForTesting; import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.setSecuredConfiguration; import static org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProviders.SELECTOR_KEY; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.either; +import static org.hamcrest.Matchers.ins
(hbase) branch branch-2.4 updated: HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690)
This is an automated email from the ASF dual-hosted git repository. zhangduo pushed a commit to branch branch-2.4 in repository https://gitbox.apache.org/repos/asf/hbase.git The following commit(s) were added to refs/heads/branch-2.4 by this push: new 2b71b56bc09 HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690) 2b71b56bc09 is described below commit 2b71b56bc09b7d3fbae6aec3d7ed4cfd9b78e792 Author: Duo Zhang AuthorDate: Mon Feb 19 23:08:45 2024 +0800 HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690) Signed-off-by: Bryan Beaudreault (cherry picked from commit 7bc07a6563e631a1ae1ec464c619ca0e921d8945) --- .../hadoop/hbase/ipc/BlockingRpcConnection.java| 1 + .../hadoop/hbase/security/HBaseSaslRpcClient.java | 8 +- .../hadoop/hbase/security/TestSecureIPC.java | 112 - 3 files changed, 92 insertions(+), 29 deletions(-) diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java index 977a969cd47..f291f9185dc 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/BlockingRpcConnection.java @@ -538,6 +538,7 @@ class BlockingRpcConnection extends RpcConnection implements Runnable { // fall back to simple auth because server told us so. // do not change authMethod and useSasl here, we should start from secure when // reconnecting because regionserver may change its sasl config after restart. +saslRpcClient = null; } } this.in = new DataInputStream(new BufferedInputStream(inStream)); diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java index 0394bb0f2a3..ace1c38ab22 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java @@ -32,6 +32,7 @@ import javax.security.sasl.Sasl; import javax.security.sasl.SaslException; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.io.crypto.aes.CryptoAES; +import org.apache.hadoop.hbase.ipc.FallbackDisallowedException; import org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProvider; import org.apache.hadoop.io.WritableUtils; import org.apache.hadoop.ipc.RemoteException; @@ -107,12 +108,9 @@ public class HBaseSaslRpcClient extends AbstractHBaseSaslRpcClient { int len = inStream.readInt(); if (len == SaslUtil.SWITCH_TO_SIMPLE_AUTH) { if (!fallbackAllowed) { -throw new IOException("Server asks us to fall back to SIMPLE auth, " - + "but this client is configured to only allow secure connections."); - } - if (LOG.isDebugEnabled()) { -LOG.debug("Server asks us to fall back to simple auth."); +throw new FallbackDisallowedException(); } + LOG.debug("Server asks us to fall back to simple auth."); dispose(); return false; } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSecureIPC.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSecureIPC.java index 4eb0d38d421..746cc88dd69 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSecureIPC.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestSecureIPC.java @@ -22,14 +22,20 @@ import static org.apache.hadoop.hbase.ipc.TestProtobufRpcServiceImpl.newBlocking import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.getKeytabFileForTesting; import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.getPrincipalForTesting; import static org.apache.hadoop.hbase.security.HBaseKerberosUtils.getSecuredConfiguration; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.either; +import static org.hamcrest.Matchers.instanceOf; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotSame; import static org.junit.Assert.assertSame; +import static org.junit.Assert.assertThrows; import static org.junit.Assert.fail; +import java.io.EOFException; import java.io.File; import java.io.IOException; import java.net.InetSocketAddress; +import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; @@ -42,7 +48,9 @@ import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.hbase.HBaseClassTestRule; import org.apache.hadoop.hbase.HBaseTestingUtility; import org.apache.hadoop.hbase.HConstants; +import org.apache.hado
(hbase-site) branch asf-site updated: INFRA-10751 Empty commit
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/hbase-site.git The following commit(s) were added to refs/heads/asf-site by this push: new a225412791f INFRA-10751 Empty commit a225412791f is described below commit a225412791f21c0498da1ecc12b6dc4118727f44 Author: jenkins AuthorDate: Mon Feb 19 14:44:04 2024 + INFRA-10751 Empty commit
(hbase) branch master updated (5398b13bab9 -> 7bc07a6563e)
This is an automated email from the ASF dual-hosted git repository. zhangduo pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/hbase.git from 5398b13bab9 HBASE-28238 rpcservice should perform some important admin operation to priority ADMIN_QOS (#5558) add 7bc07a6563e HBASE-28377 Fallback to simple is broken for blocking rpc client (#5690) No new revisions were added by this update. Summary of changes: .../hadoop/hbase/ipc/BlockingRpcConnection.java| 1 + .../hadoop/hbase/security/HBaseSaslRpcClient.java | 8 +- .../hbase/security/AbstractTestSecureIPC.java | 102 + 3 files changed, 90 insertions(+), 21 deletions(-)