Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-8595

THRIFT-3505 breaks IMPALA-5775

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Impala 3.1.0
    • Fix Version/s: Impala 3.3.0
    • Component/s: None
    • Labels:
      None
    • Epic Color:
      ghx-label-1

      Description

      IMPALA-5690 replaced thrift  0.9.0 with 0.9.3 in which THRIFT-3505 changed transport/TSSLSocket.py. 

      In thrift 0.9.3, if the python version is lower than 2.7.9, TSSLSocket uses PROTOCOL_TLSv1 by default:

        # For pythoon >= 2.7.9, use latest TLS that both client and server supports.
        # SSL 2.0 and 3.0 are disabled via ssl.OP_NO_SSLv2 and ssl.OP_NO_SSLv3.
        # For pythoon < 2.7.9, use TLS 1.0 since TLSv1_X nare OP_NO_SSLvX are unavailable.
        _default_protocol = ssl.PROTOCOL_SSLv23 if _has_ssl_context else ssl.PROTOCOL_TLSv1
      

      And the SSL version should be passed as an argument to TSSLSocket._init_ instead of overriding self.SSL_VERSION in TSSLSocketWithWildcardSAN._init_. The fix for IMPALA-5775 doesn't work against thrift 0.9.3. So if we use python lower than 2.7.9 (for example, it's python2.7.5 on Red Hat/CentOS 7.5) and set ssl_minimum_version to tlsv1.2, impala-shell command can't connect to impalad:

       

      # impala-shell -i impalad01.example.com
       -k --ssl --ca_cert=/etc/cdep-ssl-conf/CA_STANDARD/truststore.pem
      SSL is enabled
      No handlers could be found for logger "thrift.transport.TSSLSocket"
      Error connecting: TTransportException, Could not connect to impalad01.example.com:21000: EOF occurred in violation of protocol (_ssl.c:579)
      

       

       

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                robbiezhang Robbie Zhang
                Reporter:
                robbiezhang Robbie Zhang
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: