HBase / HBASE-17513

Thrift Server 1 uses different QOP settings than RPC and Thrift Server 2 and can easily be misconfigured so there is no encryption when the operator expects it.

    Details

    • Hadoop Flags:
      Reviewed
    • Release Note:
      This change fixes an issue where users could have unintentionally configured the HBase Thrift1 server to run without wire-encryption, when they believed they had configured the Thrift1 server to do so.

      Description

      As of HBASE-14400 the setting hbase.thrift.security.qop was unified to behave the same as the general HBase RPC protection. However, this only happened for the Thrift2 server. The Thrift server found in the thrift package (aka Thrift Server 1) still hard codes the old configs of 'auth', 'auth-int', and 'auth-conf'.

      Additionally, these Quality of Protection (qop) settings are used only by the SASL transport. If a user configures the HBase Thrift Server to make use of the HTTP transport (to enable doAs proxying e.g. for Hue) then a QOP setting of 'privacy' or 'auth-conf' won't get them encryption as expected.

      We should

      1) update hbase-thrift/src/main/.../thrift/ThriftServerRunner to rely on SaslUtil to use the same 'authentication', 'integrity', 'privacy' configs in a backward compatible way
      2) also have ThriftServerRunner warn when both hbase.thrift.security.qop and hbase.regionserver.thrift.http are set, since the latter will cause the former to be ignored. (users should be directed to hbase.thrift.ssl.enabled and related configs to ensure their transport is encrypted when using the HTTP transport.)
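An operator-side check for the misconfiguration described above, as an added example that is not part of the issue or of HBase's own code. The function names and finding labels are hypothetical, the sample hbase-site.xml is constructed, and the script assumes that unset boolean keys mean false and that 'auth', 'auth-int', 'auth-conf' correspond to 'authentication', 'integrity', 'privacy' respectively.

```python
import xml.etree.ElementTree as ET

# SASL QOP tokens (older Thrift1 names) -> unified RPC-protection names.
LEGACY_TO_UNIFIED = {"auth": "authentication", "auth-int": "integrity",
                     "auth-conf": "privacy"}

# Constructed sample: the misconfiguration described in this issue.
SAMPLE_SITE = """<configuration>
  <property><name>hbase.thrift.security.qop</name><value>privacy</value></property>
  <property><name>hbase.regionserver.thrift.http</name><value>true</value></property>
</configuration>"""

def load_props(xml_text):
    """Parse hbase-site.xml text into a {name: value} dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def is_true(props, key):
    # Assumption: an unset boolean key is treated as false.
    return props.get(key, "false").lower() == "true"

def audit_thrift(props):
    """Return (wire_encrypted, findings) for the Thrift server settings."""
    findings = []
    qop = props.get("hbase.thrift.security.qop", "").lower()
    unified = LEGACY_TO_UNIFIED.get(qop, qop)
    if qop and unified not in LEGACY_TO_UNIFIED.values():
        findings.append("unknown-qop")
    elif qop in LEGACY_TO_UNIFIED:
        findings.append("legacy-qop-name")
    if is_true(props, "hbase.regionserver.thrift.http"):
        # HTTP transport: QOP applies only to SASL, so only TLS encrypts here.
        if qop:
            findings.append("qop-ignored-by-http-transport")
        encrypted = is_true(props, "hbase.thrift.ssl.enabled")
        if not encrypted:
            findings.append("http-transport-without-ssl")
    else:
        # SASL transport: only the privacy / auth-conf level encrypts.
        encrypted = unified == "privacy"
        if qop and not encrypted:
            findings.append("sasl-qop-below-privacy")
    return encrypted, findings
```

Calling `audit_thrift(load_props(SAMPLE_SITE))` reports the sample as unencrypted even though its QOP is 'privacy', which is the operator surprise this issue is about.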

        Attachments

        1. HBASE-17513.master.001.patch
          4 kB
          Reid Chan
        2. HBASE-17513.master.002.patch
          1 kB
          Reid Chan
        3. HBASE-17513.master.003.patch
          3 kB
          Reid Chan

            People

            • Assignee:
              Reid Chan (reidchan)
            • Reporter:
              Sean Busbey (busbey)
            • Votes:
              0
            • Watchers:
              8