From 2657e02ebf246dfaeaa4b97ec16b8e2f24e732e5 Mon Sep 17 00:00:00 2001
From: Ashish Singhi
Date: Wed, 9 May 2018 15:47:40 +0530
Subject: [PATCH] HBASE-20004 Client is not able to execute REST queries in a secure cluster
---
 .../org/apache/hadoop/hbase/http/HttpServerUtil.java | 20 +++++++++++++-------
 .../org/apache/hadoop/hbase/rest/RESTServer.java | 8 +++++++-
 .../hadoop/hbase/rest/HBaseRESTTestingUtility.java | 2 +-
 3 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServerUtil.java b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServerUtil.java
index 777ced009b..e41daf3107 100644
--- a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServerUtil.java
+++ b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServerUtil.java
@@ -31,8 +31,10 @@ public final class HttpServerUtil {
 /**
 * Add constraints to a Jetty Context to disallow undesirable Http methods.
 * @param ctxHandler The context to modify
+ * @param allowOptionsMethod if true then OPTIONS method will not be set in constraint mapping
 */
- public static void constrainHttpMethods(ServletContextHandler ctxHandler) {
+ public static void constrainHttpMethods(ServletContextHandler ctxHandler,
+ boolean allowOptionsMethod) {
 Constraint c = new Constraint();
 c.setAuthenticate(true);
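Review bot: The one-argument `constrainHttpMethods(ServletContextHandler)` is replaced rather than overloaded, so any caller outside the three files in this patch will no longer compile. Keeping a delegating overload, `public static void constrainHttpMethods(ServletContextHandler ctxHandler) { constrainHttpMethods(ctxHandler, false); }`, would preserve the old OPTIONS-blocked behaviour for such callers. The new `@param` line is also a double negative; `@param allowOptionsMethod if true, OPTIONS requests are not blocked by this constraint; TRACE is always blocked` states what the flag does. The method body continues past the end of this hunk.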
@@ -41,13 +43,17 @@ public final class HttpServerUtil {
 cmt.setMethod("TRACE");
 cmt.setPathSpec("/*");
- ConstraintMapping cmo = new ConstraintMapping();
- cmo.setConstraint(c);
- cmo.setMethod("OPTIONS");
- cmo.setPathSpec("/*");
-
 ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
- securityHandler.setConstraintMappings(new ConstraintMapping[]{ cmt, cmo });
+
+ if (!allowOptionsMethod) {
+ ConstraintMapping cmo = new ConstraintMapping();
+ cmo.setConstraint(c);
+ cmo.setMethod("OPTIONS");
+ cmo.setPathSpec("/*");
+ securityHandler.setConstraintMappings(new ConstraintMapping[] { cmt, cmo });
+ } else {
+ securityHandler.setConstraintMappings(new ConstraintMapping[] { cmt });
+ }
 ctxHandler.setSecurityHandler(securityHandler);
 }
diff --git a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java
index 15c988f71b..e5cfe32021 100644
--- a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java
+++ b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/RESTServer.java
@@ -95,6 +95,11 @@ public class RESTServer implements Constants {
 private static final String PATH_SPEC_ANY = "/*";
+ static String REST_HTTP_ALLOW_OPTIONS_METHOD = "hbase.rest.http.allow.options.method";
+ // HTTP OPTIONS method is commonly used in REST APIs for negotiation. It is disabled by default to
+ // maintain backward incompatibility
+ private static boolean REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT = false;
+
 private static void printUsageAndExit(Options options, int exitCode) {
 HelpFormatter formatter = new HelpFormatter();
 formatter.printHelp("hbase rest start", "", options,
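Review bot: In `HttpServerUtil.constrainHttpMethods`, the `allowOptionsMethod` branch leaves OPTIONS with no constraint mapping at all, and nothing in the hunk records what then guards those requests. Constraint `c` sets `setAuthenticate(true)` with no roles, which Jetty treats as forbidden, so dropping `cmo` moves OPTIONS from always rejected to whatever the filters registered on the context decide; whether the authentication filter lets unauthenticated OPTIONS through is not visible here and should be confirmed. A comment above the `if`, such as `// c is authenticate-with-no-roles, i.e. forbidden; without cmo, OPTIONS is left to the context's filters`, would record that. The two `setConstraintMappings` calls could also be collapsed into one by choosing the array first. The method starts before this hunk.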
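Review bot: In `RESTServer`, `REST_HTTP_ALLOW_OPTIONS_METHOD` and `REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT` are declared without `final`, so the key and the default of a security-relevant switch can be reassigned at runtime, the key by any code in the package and the default by any code in the class. Declaring them `static final String REST_HTTP_ALLOW_OPTIONS_METHOD = "hbase.rest.http.allow.options.method";` and `private static final boolean REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT = false;` matches `PATH_SPEC_ANY` just above. The comment should read `maintain backward compatibility`, not `incompatibility`.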
@@ -343,7 +348,8 @@ public class RESTServer implements Constants {
 ctxHandler.addFilter(filter, PATH_SPEC_ANY, EnumSet.of(DispatcherType.REQUEST));
 }
 addCSRFFilter(ctxHandler, conf);
- HttpServerUtil.constrainHttpMethods(ctxHandler);
+ HttpServerUtil.constrainHttpMethods(ctxHandler, servlet.getConfiguration()
+ .getBoolean(REST_HTTP_ALLOW_OPTIONS_METHOD, REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT));
 // Put up info server.
 int port = conf.getInt("hbase.rest.info.port", 8085);
diff --git a/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/HBaseRESTTestingUtility.java b/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/HBaseRESTTestingUtility.java
index 273010a334..52a6d65bd2 100644
--- a/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/HBaseRESTTestingUtility.java
+++ b/hbase-rest/src/test/java/org/apache/hadoop/hbase/rest/HBaseRESTTestingUtility.java
@@ -93,7 +93,7 @@ public class HBaseRESTTestingUtility {
 conf.set(RESTServer.REST_CSRF_BROWSER_USERAGENTS_REGEX_KEY, ".*");
 RESTServer.addCSRFFilter(ctxHandler, conf);
- HttpServerUtil.constrainHttpMethods(ctxHandler);
+ HttpServerUtil.constrainHttpMethods(ctxHandler, false);
 // start the server
 server.start();
--
2.15.1.windows.2
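Review bot: The new `constrainHttpMethods` call in `RESTServer` reads the flag from `servlet.getConfiguration()`, while the lines on either side (`addCSRFFilter(ctxHandler, conf)` and `conf.getInt("hbase.rest.info.port", 8085)`) use `conf`. If the two are the same object, as they appear to be, `conf.getBoolean(REST_HTTP_ALLOW_OPTIONS_METHOD, REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT)` is shorter and removes any doubt about which configuration governs the switch; if they can differ, a comment should say why this value comes from the servlet. A startup log line when the option is enabled would also make the relaxed method filtering visible to anyone auditing the deployment. The enclosing method starts and ends outside the hunk.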
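Review bot: `HBaseRESTTestingUtility` passes a hard-coded `false`, so the test server only ever runs with OPTIONS blocked and the new `allowOptionsMethod == true` path has no coverage in this patch. Reading the flag from the configuration already in scope, `HttpServerUtil.constrainHttpMethods(ctxHandler, conf.getBoolean(RESTServer.REST_HTTP_ALLOW_OPTIONS_METHOD, false));`, would let a test enable it. Such a test should check that OPTIONS is answered while TRACE is still rejected, and that with the default both are rejected. The enclosing method starts and ends outside the hunk.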