IMPALA-5743: Support TLS version configuration for Thrift servers * Add --ssl_minimum_version which controls the minimum SSL/TLS version that clients and servers will use when negotiating a secure connection. * Two kinds of version specification are allowed: 'TLSv1.1' enables TLSv1.1 and all subsequent verisons. 'TLSv1.1_only' enables only TLSv1.1. The latter is not exposed in user-facing text as it is typically only used for testing. * Handle case where platform may not support TLSv1.1 or v1.2 by checking OpenSSL version number. * Bump Thrift toolchain version to -p10.
Testing: * New tests in thrift-server-test.cc. In particular, test all 36 configurations of client and server protocol versions, and ensure that the expected successes or failures are seen. Change-Id: I4c68a6c9658ddbfbe8025f2021fd5ed7a9dec5a5 Reviewed-on: http://gerrit.cloudera.org:8080/7606 Reviewed-by: Henry Robinson <[email protected]> Tested-by: Impala Public Jenkins Project: http://git-wip-us.apache.org/repos/asf/incubator-impala/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-impala/commit/16ce201f Tree: http://git-wip-us.apache.org/repos/asf/incubator-impala/tree/16ce201f Diff: http://git-wip-us.apache.org/repos/asf/incubator-impala/diff/16ce201f Branch: refs/heads/master Commit: 16ce201f5250451cb55e2cb9821b5d628d777160 Parents: 97803ce Author: Henry Robinson <[email protected]> Authored: Tue Aug 1 13:41:34 2017 -0700 Committer: Impala Public Jenkins <[email protected]> Committed: Tue Aug 15 09:28:05 2017 +0000 ---------------------------------------------------------------------- be/src/catalog/catalogd-main.cc | 6 ++ be/src/rpc/thrift-client.cc | 14 ++++ be/src/rpc/thrift-client.h | 6 +- be/src/rpc/thrift-server-test.cc | 88 +++++++++++++++++++++++++ be/src/rpc/thrift-server.cc | 43 ++++++++++-- be/src/rpc/thrift-server.h | 49 ++++++++++---- be/src/service/impala-server.cc | 19 ++++++ be/src/statestore/statestore-subscriber.cc | 6 ++ be/src/statestore/statestored-main.cc | 6 ++ bin/impala-config.sh | 4 +- 10 files changed, 215 insertions(+), 26 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/16ce201f/be/src/catalog/catalogd-main.cc ---------------------------------------------------------------------- diff --git a/be/src/catalog/catalogd-main.cc b/be/src/catalog/catalogd-main.cc index 4847920..fe681d0 100644 --- a/be/src/catalog/catalogd-main.cc +++ b/be/src/catalog/catalogd-main.cc @@ -48,11 +48,13 @@ DECLARE_string(ssl_server_certificate); DECLARE_string(ssl_private_key); DECLARE_string(ssl_private_key_password_cmd); DECLARE_string(ssl_cipher_list); +DECLARE_string(ssl_minimum_version); #include "common/names.h" using namespace impala; using namespace apache::thrift; +using namespace apache::thrift; int CatalogdMain(int argc, char** argv) { FLAGS_webserver_port = 25020; @@ -94,9 +96,13 @@ int CatalogdMain(int argc, char** argv) { ThriftServerBuilder builder("CatalogService", processor, FLAGS_catalog_service_port); if (EnableInternalSslConnections()) { + SSLProtocol ssl_version; + ABORT_IF_ERROR( + SSLProtoVersions::StringToProtocol(FLAGS_ssl_minimum_version, &ssl_version)); LOG(INFO) << "Enabling SSL for CatalogService"; builder.ssl(FLAGS_ssl_server_certificate, FLAGS_ssl_private_key) .pem_password_cmd(FLAGS_ssl_private_key_password_cmd) + .ssl_version(ssl_version) .cipher_list(FLAGS_ssl_cipher_list); } ABORT_IF_ERROR(builder.metrics(metrics.get()).Build(&server)); http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/16ce201f/be/src/rpc/thrift-client.cc ---------------------------------------------------------------------- diff --git a/be/src/rpc/thrift-client.cc b/be/src/rpc/thrift-client.cc index 6f01073..a64cdd3 100644 --- a/be/src/rpc/thrift-client.cc +++ b/be/src/rpc/thrift-client.cc @@ -23,6 +23,7 @@ #include <thrift/Thrift.h> #include <gutil/strings/substitute.h> +#include "util/network-util.h" #include "util/time.h" #include "common/names.h" @@ -33,9 +34,22 @@ using namespace strings; DECLARE_string(ssl_client_ca_certificate); DECLARE_string(ssl_cipher_list); +DECLARE_string(ssl_minimum_version); namespace impala { +ThriftClientImpl::ThriftClientImpl(const std::string& ipaddress, int port, bool ssl) + : address_(MakeNetworkAddress(ipaddress, port)), ssl_(ssl) { + if (ssl_) { + SSLProtocol version; + socket_create_status_ = + SSLProtoVersions::StringToProtocol(FLAGS_ssl_minimum_version, &version); + if (!socket_create_status_.ok()) return; + ssl_factory_.reset(new TSSLSocketFactory(version)); + } + socket_create_status_ = CreateSocket(); +} + Status ThriftClientImpl::Open() { if (!socket_create_status_.ok()) return socket_create_status_; try { http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/16ce201f/be/src/rpc/thrift-client.h ---------------------------------------------------------------------- diff --git a/be/src/rpc/thrift-client.h b/be/src/rpc/thrift-client.h index 26982a1..778075c 100644 --- a/be/src/rpc/thrift-client.h +++ b/be/src/rpc/thrift-client.h @@ -71,11 +71,7 @@ class ThriftClientImpl { Status socket_create_status() { return socket_create_status_; } protected: - ThriftClientImpl(const std::string& ipaddress, int port, bool ssl) - : address_(MakeNetworkAddress(ipaddress, port)), ssl_(ssl) { - if (ssl_) ssl_factory_.reset(new TSSLSocketFactory()); - socket_create_status_ = CreateSocket(); - } + ThriftClientImpl(const std::string& ipaddress, int port, bool ssl); /// Create a new socket without opening it. Returns an error if the socket could not /// be created. http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/16ce201f/be/src/rpc/thrift-server-test.cc ---------------------------------------------------------------------- diff --git a/be/src/rpc/thrift-server-test.cc b/be/src/rpc/thrift-server-test.cc index a7c5ca5..67e149a 100644 --- a/be/src/rpc/thrift-server-test.cc +++ b/be/src/rpc/thrift-server-test.cc @@ -30,9 +30,11 @@ using namespace impala; using namespace strings; using namespace apache::thrift; +using apache::thrift::transport::SSLProtocol; DECLARE_string(ssl_client_ca_certificate); DECLARE_string(ssl_cipher_list); +DECLARE_string(ssl_minimum_version); DECLARE_int32(state_store_port); @@ -257,6 +259,92 @@ TEST(SslTest, MismatchedCiphers) { TTransportException); } +// Test that StringToProtocol() correctly maps strings to their symbolic protocol +// equivalents. +TEST(SslTest, StringToProtocol) { + SSLProtocol version; +#if OPENSSL_VERSION_NUMBER < 0x10001000L + // No TLSv1.1+ support in OpenSSL v1.0.0. + EXPECT_FALSE(SSLProtoVersions::StringToProtocol("tlsv1.2", &version).ok()); + EXPECT_FALSE(SSLProtoVersions::StringToProtocol("tlsv1.1", &version).ok()); + EXPECT_OK(SSLProtoVersions::StringToProtocol("tlsv1", &version)); + EXPECT_EQ(TLSv1_0_plus, version); +#else + map<string, SSLProtocol> TEST_CASES = {{"tlsv1", TLSv1_0_plus}, + {"tlsv1.1", TLSv1_1_plus}, {"tlsv1.2", TLSv1_2_plus}, {"tlsv1_only", TLSv1_0}, + {"tlsv1.1_only", TLSv1_1}, {"tlsv1.2_only", TLSv1_2}}; + for (auto p : TEST_CASES) { + EXPECT_OK(SSLProtoVersions::StringToProtocol(p.first, &version)); + EXPECT_EQ(p.second, version) << "TLS version: " << p.first; + } +#endif +} + +TEST(SslTest, TLSVersionControl) { + auto flag = + ScopedFlagSetter<string>::Make(&FLAGS_ssl_client_ca_certificate, SERVER_CERT); + + // A config is really a pair (server_version, whitelist), where 'server_version' is the + // server TLS version to test, and 'whitelist' is the set of client protocols that + // should be able to connect successfully. This test tries all client protocols, + // expecting those in the whitelist to succeed, and those that are not to fail. + struct Config { + SSLProtocol server_version; + set<SSLProtocol> whitelist; + }; + +#if OPENSSL_VERSION_NUMBER < 0x10001000L + vector<Config> configs = { + {TLSv1_0, {TLSv1_0, TLSv1_0_plus}}, {TLSv1_0_plus, {TLSv1_0, TLSv1_0_plus}}}; +#else + vector<Config> configs = {{TLSv1_0, {TLSv1_0, TLSv1_0_plus}}, + {TLSv1_0_plus, + {TLSv1_0, TLSv1_1, TLSv1_2, TLSv1_0_plus, TLSv1_1_plus, TLSv1_2_plus}}, + {TLSv1_1, {TLSv1_1_plus, TLSv1_1, TLSv1_0_plus}}, + {TLSv1_1_plus, {TLSv1_1, TLSv1_2, TLSv1_0_plus, TLSv1_1_plus, TLSv1_2_plus}}, + {TLSv1_2, {TLSv1_2, TLSv1_0_plus, TLSv1_1_plus, TLSv1_2_plus}}, + {TLSv1_2_plus, {TLSv1_2, TLSv1_0_plus, TLSv1_1_plus, TLSv1_2_plus}}}; +#endif + + for (const auto& config : configs) { + // For each config, start a server with the requested protocol spec, and then try to + // connect a client to it with every possible spec. This is an N^2 test, but the value + // of N is 6. + int port = GetServerPort(); + + ThriftServer* server; + EXPECT_OK(ThriftServerBuilder("DummyStatestore", MakeProcessor(), port) + .ssl(SERVER_CERT, PRIVATE_KEY) + .ssl_version(config.server_version) + .Build(&server)); + EXPECT_OK(server->Start()); + + for (auto client_version : SSLProtoVersions::PROTO_MAP) { + auto s = ScopedFlagSetter<string>::Make( + &FLAGS_ssl_minimum_version, client_version.first); + ThriftClient<StatestoreServiceClientWrapper> ssl_client( + "localhost", port, "", nullptr, true); + EXPECT_OK(ssl_client.Open()); + bool send_done = false; + TRegisterSubscriberResponse resp; + + if (config.whitelist.find(client_version.second) == config.whitelist.end()) { + EXPECT_THROW(ssl_client.iface()->RegisterSubscriber( + resp, TRegisterSubscriberRequest(), &send_done), + TTransportException) + << "TLS version: " << config.server_version + << ", client version: " << client_version.first; + } else { + EXPECT_NO_THROW({ + ssl_client.iface()->RegisterSubscriber( + resp, TRegisterSubscriberRequest(), &send_done); + }) << "TLS version: " + << config.server_version << ", client version: " << client_version.first; + } + } + } +} + TEST(SslTest, MatchedCiphers) { int port = GetServerPort(); ThriftServer* server; http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/16ce201f/be/src/rpc/thrift-server.cc ---------------------------------------------------------------------- diff --git a/be/src/rpc/thrift-server.cc b/be/src/rpc/thrift-server.cc index e1e9a7f..1a558d9 100644 --- a/be/src/rpc/thrift-server.cc +++ b/be/src/rpc/thrift-server.cc @@ -36,10 +36,12 @@ #include <sstream> #include "gen-cpp/Types_types.h" #include "rpc/TAcceptQueueServer.h" +#include "rpc/auth-provider.h" #include "rpc/authentication.h" #include "rpc/thrift-server.h" #include "rpc/thrift-thread.h" #include "util/debug-util.h" +#include "util/metrics.h" #include "util/network-util.h" #include "util/os-util.h" #include "util/uid-util.h" @@ -58,8 +60,8 @@ using namespace apache::thrift::server; using namespace apache::thrift::transport; using namespace apache::thrift; -DEFINE_int32(rpc_cnxn_attempts, 10, "Deprecated"); -DEFINE_int32(rpc_cnxn_retry_interval_ms, 2000, "Deprecated"); +DEFINE_int32_hidden(rpc_cnxn_attempts, 10, "Deprecated"); +DEFINE_int32_hidden(rpc_cnxn_retry_interval_ms, 2000, "Deprecated"); DECLARE_bool(enable_accept_queue_server); DECLARE_string(principal); @@ -70,6 +72,28 @@ DECLARE_string(ssl_cipher_list); namespace impala { +// Specifies the allowed set of values for --ssl_minimum_version. To keep consistent with +// Apache Kudu, specifying a single version enables all versions including and succeeding +// that one (e.g. TLSv1.1 enables v1.1 and v1.2). Specifying TLSv1.1_only enables only +// v1.1. +map<string, SSLProtocol> SSLProtoVersions::PROTO_MAP = { +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + {"tlsv1.2", TLSv1_2_plus}, {"tlsv1.2_only", TLSv1_2}, {"tlsv1.1", TLSv1_1_plus}, + {"tlsv1.1_only", TLSv1_1}, +#endif + {"tlsv1", TLSv1_0_plus}, {"tlsv1_only", TLSv1_0}}; + +Status SSLProtoVersions::StringToProtocol(const string& in, SSLProtocol* protocol) { + for (const auto& proto : SSLProtoVersions::PROTO_MAP) { + if (iequals(in, proto.first)) { + *protocol = proto.second; + return Status::OK(); + } + } + + return Status(Substitute("Unknown TLS version: '$0'", in)); +} + bool EnableInternalSslConnections() { // Enable SSL between servers only if both the client validation certificate and the // server certificate are specified. 'Client' here means clients that are used by Impala @@ -328,11 +352,14 @@ ThriftServer::ThriftServer(const string& name, } } +namespace { + /// Factory subclass to override getPassword() which provides a password string to Thrift /// to decrypt the private key file. class ImpalaSslSocketFactory : public TSSLSocketFactory { public: - ImpalaSslSocketFactory(const string& password) : password_(password) { } + ImpalaSslSocketFactory(SSLProtocol version, const string& password) + : TSSLSocketFactory(version), password_(password) {} protected: virtual void getPassword(string& output, int size) { @@ -344,13 +371,13 @@ class ImpalaSslSocketFactory : public TSSLSocketFactory { /// The password string. const string password_; }; - +} Status ThriftServer::CreateSocket(boost::shared_ptr<TServerTransport>* socket) { if (ssl_enabled()) { // This 'factory' is only called once, since CreateSocket() is only called from // Start() boost::shared_ptr<TSSLSocketFactory> socket_factory( - new ImpalaSslSocketFactory(key_password_)); + new ImpalaSslSocketFactory(version_, key_password_)); socket_factory->overrideDefaultPasswordCallback(); try { if (!cipher_list_.empty()) socket_factory->ciphers(cipher_list_); @@ -367,8 +394,9 @@ Status ThriftServer::CreateSocket(boost::shared_ptr<TServerTransport>* socket) { } } -Status ThriftServer::EnableSsl(const string& certificate, const string& private_key, - const string& pem_password_cmd, const std::string& ciphers) { +Status ThriftServer::EnableSsl(SSLProtocol version, const string& certificate, + const string& private_key, const string& pem_password_cmd, + const std::string& ciphers) { DCHECK(!started_); if (certificate.empty()) return Status(TErrorCode::SSL_CERTIFICATE_PATH_BLANK); if (private_key.empty()) return Status(TErrorCode::SSL_PRIVATE_KEY_PATH_BLANK); @@ -386,6 +414,7 @@ Status ThriftServer::EnableSsl(const string& certificate, const string& private_ certificate_path_ = certificate; private_key_path_ = private_key; cipher_list_ = ciphers; + version_ = version; if (!pem_password_cmd.empty()) { if (!RunShellProcess(pem_password_cmd, &key_password_, true)) { http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/16ce201f/be/src/rpc/thrift-server.h ---------------------------------------------------------------------- diff --git a/be/src/rpc/thrift-server.h b/be/src/rpc/thrift-server.h index e52edea..e486e37 100644 --- a/be/src/rpc/thrift-server.h +++ b/be/src/rpc/thrift-server.h @@ -18,21 +18,23 @@ #ifndef IMPALA_RPC_THRIFT_SERVER_H #define IMPALA_RPC_THRIFT_SERVER_H -#include <boost/thread/mutex.hpp> #include <boost/scoped_ptr.hpp> #include <boost/shared_ptr.hpp> +#include <boost/thread/mutex.hpp> #include <boost/unordered_map.hpp> #include <boost/uuid/uuid_generators.hpp> -#include <thrift/server/TServer.h> #include <thrift/TProcessor.h> +#include <thrift/server/TServer.h> +#include <thrift/transport/TSSLSocket.h> #include "common/status.h" -#include "rpc/auth-provider.h" #include "util/metrics.h" #include "util/thread.h" namespace impala { +class AuthProvider; + /// Utility class for all Thrift servers. Runs a threaded server by default, or a /// TThreadPoolServer with, by default, 2 worker threads, that exposes the interface /// described by a user-supplied TProcessor object. @@ -156,13 +158,15 @@ class ThriftServer { AuthProvider* auth_provider = nullptr, MetricGroup* metrics = nullptr, int num_worker_threads = DEFAULT_WORKER_THREADS, ServerType server_type = Threaded); - /// Enables secure access over SSL. Must be called before Start(). The first two - /// arguments are paths to certificate and private key files in .PEM format, - /// respectively. If either file does not exist, an error is returned. The final - /// optional argument provides the command to run if a password is required to decrypt - /// the private key. It is invoked once, and the resulting password is used only for - /// password-protected .PEM files. - Status EnableSsl(const std::string& certificate, const std::string& private_key, + /// Enables secure access over SSL. Must be called before Start(). The first three + /// arguments are the minimum SSL/TLS version, and paths to certificate and private key + /// files in .PEM format, respectively. If either file does not exist, an error is + /// returned. The fourth, optional, argument provides the command to run if a password + /// is required to decrypt the private key. It is invoked once, and the resulting + /// password is used only for password-protected .PEM files. The final argument is a + /// string containing a list of cipher suites, separated by commas, to enable. + Status EnableSsl(apache::thrift::transport::SSLProtocol version, + const std::string& certificate, const std::string& private_key, const std::string& pem_password_cmd = "", const std::string& ciphers = ""); /// Creates the server socket on which this server listens. May be SSL enabled. Returns @@ -191,6 +195,9 @@ class ThriftServer { /// List of ciphers that are ok for clients to use when connecting. std::string cipher_list_; + /// The SSL/TLS protocol client versions that this server will allow to connect. + apache::thrift::transport::SSLProtocol version_; + /// How many worker threads to use to serve incoming requests /// (requests are queued if no thread is immediately available) int num_worker_threads_; @@ -286,6 +293,12 @@ class ThriftServerBuilder { return *this; } + /// Sets the SSL/TLS client version(s) that this server will allow to connect. + ThriftServerBuilder& ssl_version(apache::thrift::transport::SSLProtocol version) { + version_ = version; + return *this; + } + /// Sets the command used to compute the password for the SSL private key. Default is /// empty, i.e. no password needed. ThriftServerBuilder& pem_password_cmd(const std::string& pem_password_cmd) { @@ -308,8 +321,8 @@ class ThriftServerBuilder { std::unique_ptr<ThriftServer> ptr(new ThriftServer(name_, processor_, port_, auth_provider_, metrics_, num_worker_threads_, server_type_)); if (enable_ssl_) { - RETURN_IF_ERROR( - ptr->EnableSsl(certificate_, private_key_, pem_password_cmd_, ciphers_)); + RETURN_IF_ERROR(ptr->EnableSsl( + version_, certificate_, private_key_, pem_password_cmd_, ciphers_)); } (*server) = ptr.release(); return Status::OK(); @@ -326,12 +339,24 @@ class ThriftServerBuilder { MetricGroup* metrics_ = nullptr; bool enable_ssl_ = false; + apache::thrift::transport::SSLProtocol version_ = + apache::thrift::transport::SSLProtocol::TLSv1_0; std::string certificate_; std::string private_key_; std::string pem_password_cmd_; std::string ciphers_; }; +/// Contains a map from string for --ssl_minimum_version to Thrift's SSLProtocol. +struct SSLProtoVersions { + static std::map<std::string, apache::thrift::transport::SSLProtocol> PROTO_MAP; + + /// Given a string, find a corresponding SSLProtocol from PROTO_MAP. Returns an error if + /// one cannot be found. Matching is case-insensitive. + static Status StringToProtocol( + const std::string& in, apache::thrift::transport::SSLProtocol* protocol); +}; + // Returns true if, per the process configuration flags, server<->server communications // should use SSL. bool EnableInternalSslConnections(); http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/16ce201f/be/src/service/impala-server.cc ---------------------------------------------------------------------- diff --git a/be/src/service/impala-server.cc b/be/src/service/impala-server.cc index 5778041..00a9d9a 100644 --- a/be/src/service/impala-server.cc +++ b/be/src/service/impala-server.cc @@ -96,6 +96,7 @@ using boost::system_time; using boost::uuids::random_generator; using boost::uuids::uuid; using namespace apache::thrift; +using namespace apache::thrift::transport; using namespace boost::posix_time; using namespace beeswax; using namespace rapidjson; @@ -178,6 +179,15 @@ DEFINE_string(ssl_cipher_list, "", "ciphers for more information. If empty, the default cipher list for your platform " "is used"); +const string SSL_MIN_VERSION_HELP = "The minimum SSL/TLS version that Thrift " + "services should use for both client and server connections. Supported versions are " +#if OPENSSL_VERSION_NUMBER >= 0x10001000L + "TLSv1.0, TLSv1.1 and TLSv1.2"; +#else + "TLSv1.0"; +#endif +DEFINE_string(ssl_minimum_version, "tlsv1", SSL_MIN_VERSION_HELP.c_str()); + DEFINE_int32(idle_session_timeout, 0, "The time, in seconds, that a session may be idle" " for before it is closed (and all running queries cancelled) by Impala. If 0, idle" " sessions are never expired."); @@ -1933,6 +1943,12 @@ Status CreateImpalaServer(ExecEnv* exec_env, int beeswax_port, int hs2_port, int impala_server->reset(new ImpalaServer(exec_env)); + SSLProtocol ssl_version = SSLProtocol::TLSv1_0; + if (!FLAGS_ssl_server_certificate.empty() || EnableInternalSslConnections()) { + RETURN_IF_ERROR( + SSLProtoVersions::StringToProtocol(FLAGS_ssl_minimum_version, &ssl_version)); + } + if (be_port != 0 && be_server != nullptr) { boost::shared_ptr<ImpalaInternalService> thrift_if(new ImpalaInternalService()); boost::shared_ptr<TProcessor> be_processor( @@ -1947,6 +1963,7 @@ Status CreateImpalaServer(ExecEnv* exec_env, int beeswax_port, int hs2_port, int LOG(INFO) << "Enabling SSL for backend"; be_builder.ssl(FLAGS_ssl_server_certificate, FLAGS_ssl_private_key) .pem_password_cmd(FLAGS_ssl_private_key_password_cmd) + .ssl_version(ssl_version) .cipher_list(FLAGS_ssl_cipher_list); } RETURN_IF_ERROR(be_builder.metrics(exec_env->metrics()).Build(be_server)); @@ -1974,6 +1991,7 @@ Status CreateImpalaServer(ExecEnv* exec_env, int beeswax_port, int hs2_port, int LOG(INFO) << "Enabling SSL for Beeswax"; builder.ssl(FLAGS_ssl_server_certificate, FLAGS_ssl_private_key) .pem_password_cmd(FLAGS_ssl_private_key_password_cmd) + .ssl_version(ssl_version) .cipher_list(FLAGS_ssl_cipher_list); } RETURN_IF_ERROR( @@ -2000,6 +2018,7 @@ Status CreateImpalaServer(ExecEnv* exec_env, int beeswax_port, int hs2_port, int LOG(INFO) << "Enabling SSL for HiveServer2"; builder.ssl(FLAGS_ssl_server_certificate, FLAGS_ssl_private_key) .pem_password_cmd(FLAGS_ssl_private_key_password_cmd) + .ssl_version(ssl_version) .cipher_list(FLAGS_ssl_cipher_list); } http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/16ce201f/be/src/statestore/statestore-subscriber.cc ---------------------------------------------------------------------- diff --git a/be/src/statestore/statestore-subscriber.cc b/be/src/statestore/statestore-subscriber.cc index 69ddfdc..7cfcaf7 100644 --- a/be/src/statestore/statestore-subscriber.cc +++ b/be/src/statestore/statestore-subscriber.cc @@ -39,6 +39,7 @@ using boost::posix_time::seconds; using namespace apache::thrift; +using namespace apache::thrift::transport; using namespace strings; DEFINE_int32(statestore_subscriber_timeout_seconds, 30, "The amount of time (in seconds)" @@ -53,6 +54,7 @@ DECLARE_string(ssl_server_certificate); DECLARE_string(ssl_private_key); DECLARE_string(ssl_private_key_password_cmd); DECLARE_string(ssl_cipher_list); +DECLARE_string(ssl_minimum_version); namespace impala { @@ -196,9 +198,13 @@ Status StatestoreSubscriber::Start() { ThriftServerBuilder builder( "StatestoreSubscriber", processor, heartbeat_address_.port); if (EnableInternalSslConnections()) { + SSLProtocol ssl_version; + RETURN_IF_ERROR( + SSLProtoVersions::StringToProtocol(FLAGS_ssl_minimum_version, &ssl_version)); LOG(INFO) << "Enabling SSL for Statestore subscriber"; builder.ssl(FLAGS_ssl_server_certificate, FLAGS_ssl_private_key) .pem_password_cmd(FLAGS_ssl_private_key_password_cmd) + .ssl_version(ssl_version) .cipher_list(FLAGS_ssl_cipher_list); } http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/16ce201f/be/src/statestore/statestored-main.cc ---------------------------------------------------------------------- diff --git a/be/src/statestore/statestored-main.cc b/be/src/statestore/statestored-main.cc index f4c4672..1dcb682 100644 --- a/be/src/statestore/statestored-main.cc +++ b/be/src/statestore/statestored-main.cc @@ -43,11 +43,13 @@ DECLARE_string(ssl_server_certificate); DECLARE_string(ssl_private_key); DECLARE_string(ssl_private_key_password_cmd); DECLARE_string(ssl_cipher_list); +DECLARE_string(ssl_minimum_version); #include "common/names.h" using namespace impala; using namespace apache::thrift; +using namespace apache::thrift::transport; int StatestoredMain(int argc, char** argv) { // Override default for webserver port @@ -87,9 +89,13 @@ int StatestoredMain(int argc, char** argv) { ThriftServer* server; ThriftServerBuilder builder("StatestoreService", processor, FLAGS_state_store_port); if (EnableInternalSslConnections()) { + SSLProtocol ssl_version; + ABORT_IF_ERROR( + SSLProtoVersions::StringToProtocol(FLAGS_ssl_minimum_version, &ssl_version)); LOG(INFO) << "Enabling SSL for Statestore"; builder.ssl(FLAGS_ssl_server_certificate, FLAGS_ssl_private_key) .pem_password_cmd(FLAGS_ssl_private_key_password_cmd) + .ssl_version(ssl_version) .cipher_list(FLAGS_ssl_cipher_list); } ABORT_IF_ERROR(builder.metrics(metrics.get()).Build(&server)); http://git-wip-us.apache.org/repos/asf/incubator-impala/blob/16ce201f/bin/impala-config.sh ---------------------------------------------------------------------- diff --git a/bin/impala-config.sh b/bin/impala-config.sh index 5470bb0..58b8529 100755 --- a/bin/impala-config.sh +++ b/bin/impala-config.sh @@ -72,7 +72,7 @@ fi # moving to a different build of the toolchain, e.g. when a version is bumped or a # compile option is changed. The build id can be found in the output of the toolchain # build jobs, it is constructed from the build number and toolchain git hash prefix. -export IMPALA_TOOLCHAIN_BUILD_ID=447-f3bee11cc6 +export IMPALA_TOOLCHAIN_BUILD_ID=450-fc9954b4fa # Versions of toolchain dependencies. # ----------------------------------- export IMPALA_AVRO_VERSION=1.7.4-p4 @@ -107,7 +107,7 @@ export IMPALA_SQUEASEL_VERSION=3.3 # TPC utilities used for test/benchmark data generation. export IMPALA_TPC_DS_VERSION=2.1.0 export IMPALA_TPC_H_VERSION=2.17.0 -export IMPALA_THRIFT_VERSION=0.9.0-p9 +export IMPALA_THRIFT_VERSION=0.9.0-p10 export IMPALA_THRIFT_JAVA_VERSION=0.9.0 export IMPALA_ZLIB_VERSION=1.2.8
