Repository: hadoop Updated Branches: refs/heads/branch-2 5fa241daa -> dfcbc1202
HADOOP-12765. HttpServer2 should switch to using the non-blocking SslSelectChannelConnector to prevent performance degradation when handling SSL connections. Contributed by Min Shen. Branch-2 patch contributed by Wei-Chiu Chuang. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/dfcbc120 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/dfcbc120 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/dfcbc120 Branch: refs/heads/branch-2 Commit: dfcbc12026b591745a7d7279f2b840152cb53a91 Parents: 5fa241d Author: Zhe Zhang <z...@apache.org> Authored: Tue Aug 23 14:46:08 2016 -0700 Committer: Zhe Zhang <z...@apache.org> Committed: Tue Aug 23 14:46:08 2016 -0700 ---------------------------------------------------------------------- hadoop-common-project/hadoop-common/pom.xml | 5 ++ .../org/apache/hadoop/http/HttpServer2.java | 76 +++++++++++--------- .../ssl/SslSelectChannelConnectorSecure.java | 58 +++++++++++++++ .../security/ssl/SslSocketConnectorSecure.java | 58 --------------- .../hadoop/crypto/key/kms/server/MiniKMS.java | 9 +-- .../org/apache/hadoop/test/TestJettyHelper.java | 6 +- hadoop-project/pom.xml | 5 ++ 7 files changed, 118 insertions(+), 99 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-common-project/hadoop-common/pom.xml ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/pom.xml b/hadoop-common-project/hadoop-common/pom.xml index 09f630c..b35a40e 100644 --- a/hadoop-common-project/hadoop-common/pom.xml +++ b/hadoop-common-project/hadoop-common/pom.xml @@ -106,6 +106,11 @@ </dependency> <dependency> + <groupId>org.mortbay.jetty</groupId> + <artifactId>jetty-sslengine</artifactId> + <scope>compile</scope> + </dependency> + <dependency> <groupId>javax.servlet.jsp</groupId> <artifactId>jsp-api</artifactId> <scope>runtime</scope> http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java index c179bd0..62fb4b6 100644 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/http/HttpServer2.java @@ -56,7 +56,7 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.CommonConfigurationKeys; import org.apache.hadoop.security.AuthenticationFilterInitializer; import org.apache.hadoop.security.authentication.util.SignerSecretProvider; -import org.apache.hadoop.security.ssl.SslSocketConnectorSecure; +import org.apache.hadoop.security.ssl.SslSelectChannelConnectorSecure; import org.apache.hadoop.jmx.JMXJsonServlet; import org.apache.hadoop.log.LogLevel; import org.apache.hadoop.metrics.MetricsServlet; @@ -78,7 +78,7 @@ import org.mortbay.jetty.handler.ContextHandlerCollection; import org.mortbay.jetty.handler.HandlerCollection; import org.mortbay.jetty.handler.RequestLogHandler; import org.mortbay.jetty.nio.SelectChannelConnector; -import org.mortbay.jetty.security.SslSocketConnector; +import org.mortbay.jetty.security.SslSelectChannelConnector; import org.mortbay.jetty.servlet.AbstractSessionManager; import org.mortbay.jetty.servlet.Context; import org.mortbay.jetty.servlet.DefaultServlet; @@ -333,29 +333,7 @@ public final class HttpServer2 implements FilterContainer { if ("http".equals(scheme)) { listener = HttpServer2.createDefaultChannelConnector(); } else if ("https".equals(scheme)) { - SslSocketConnector c = new SslSocketConnectorSecure(); - c.setHeaderBufferSize(1024*64); - c.setNeedClientAuth(needsClientAuth); - c.setKeyPassword(keyPassword); - - if (keyStore != null) { - c.setKeystore(keyStore); - c.setKeystoreType(keyStoreType); - c.setPassword(keyStorePassword); - } - - if (trustStore != null) { - c.setTruststore(trustStore); - c.setTruststoreType(trustStoreType); - c.setTrustPassword(trustStorePassword); - } - - if(null != excludeCiphers && !excludeCiphers.isEmpty()) { - c.setExcludeCipherSuites(excludeCiphers.split(",")); - LOG.info("Excluded Cipher List:" + excludeCiphers); - } - - listener = c; + listener = createHttpsChannelConnector(); } else { throw new HadoopIllegalArgumentException( @@ -368,6 +346,32 @@ public final class HttpServer2 implements FilterContainer { server.loadListeners(); return server; } + + private Connector createHttpsChannelConnector() { + SslSelectChannelConnector c = new SslSelectChannelConnectorSecure(); + configureChannelConnector(c); + + c.setNeedClientAuth(needsClientAuth); + c.setKeyPassword(keyPassword); + + if (keyStore != null) { + c.setKeystore(keyStore); + c.setKeystoreType(keyStoreType); + c.setPassword(keyStorePassword); + } + + if (trustStore != null) { + c.setTruststore(trustStore); + c.setTruststoreType(trustStoreType); + c.setTrustPassword(trustStorePassword); + } + + if(null != excludeCiphers && !excludeCiphers.isEmpty()) { + c.setExcludeCipherSuites(excludeCiphers.split(",")); + LOG.info("Excluded Cipher List:" + excludeCiphers); + } + return c; + } } private HttpServer2(final Builder b) throws IOException { @@ -541,21 +545,25 @@ public final class HttpServer2 implements FilterContainer { } } - @InterfaceAudience.Private - public static Connector createDefaultChannelConnector() { - SelectChannelConnector ret = new SelectChannelConnectorWithSafeStartup(); - ret.setLowResourceMaxIdleTime(10000); - ret.setAcceptQueueSize(128); - ret.setResolveNames(false); - ret.setUseDirectBuffers(false); + private static void configureChannelConnector(SelectChannelConnector c) { + c.setLowResourceMaxIdleTime(10000); + c.setAcceptQueueSize(128); + c.setResolveNames(false); + c.setUseDirectBuffers(false); if(Shell.WINDOWS) { // result of setting the SO_REUSEADDR flag is different on Windows // http://msdn.microsoft.com/en-us/library/ms740621(v=vs.85).aspx // without this 2 NN's can start on the same machine and listen on // the same port with indeterminate routing of incoming requests to them - ret.setReuseAddress(false); + c.setReuseAddress(false); } - ret.setHeaderBufferSize(1024*64); + c.setHeaderBufferSize(1024*64); + } + + @InterfaceAudience.Private + public static Connector createDefaultChannelConnector() { + SelectChannelConnector ret = new SelectChannelConnectorWithSafeStartup(); + configureChannelConnector(ret); return ret; } http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSelectChannelConnectorSecure.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSelectChannelConnectorSecure.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSelectChannelConnectorSecure.java new file mode 100644 index 0000000..7de689b --- /dev/null +++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSelectChannelConnectorSecure.java @@ -0,0 +1,58 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.security.ssl; + +import java.io.IOException; +import java.util.ArrayList; + +import javax.net.ssl.SSLEngine; + +import org.apache.hadoop.classification.InterfaceAudience; +import org.mortbay.jetty.security.SslSelectChannelConnector; + +/** + * This subclass of the Jetty SslSelectChannelConnector exists solely to + * control the TLS protocol versions allowed. This is fallout from the + * POODLE vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled. + * Only TLS 1.0 and later protocols are allowed. + */ +@InterfaceAudience.Private +public class SslSelectChannelConnectorSecure extends SslSelectChannelConnector { + + public SslSelectChannelConnectorSecure() { + super(); + } + + /** + * Disable SSLv3 protocol. + */ + @Override + protected SSLEngine createSSLEngine() throws IOException { + SSLEngine engine = super.createSSLEngine(); + ArrayList<String> nonSSLProtocols = new ArrayList<String>(); + for (String p : engine.getEnabledProtocols()) { + if (!p.contains("SSLv3")) { + nonSSLProtocols.add(p); + } + } + engine.setEnabledProtocols(nonSSLProtocols.toArray( + new String[nonSSLProtocols.size()])); + return engine; + } +} http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java deleted file mode 100644 index 52ab7ad..0000000 --- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SslSocketConnectorSecure.java +++ /dev/null @@ -1,58 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.apache.hadoop.security.ssl; - -import org.mortbay.jetty.security.SslSocketConnector; - -import javax.net.ssl.SSLServerSocket; -import java.io.IOException; -import java.net.ServerSocket; -import java.util.ArrayList; - -/** - * This subclass of the Jetty SslSocketConnector exists solely to control - * the TLS protocol versions allowed. This is fallout from the POODLE - * vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled. - * Only TLS 1.0 and later protocols are allowed. - */ -public class SslSocketConnectorSecure extends SslSocketConnector { - - public SslSocketConnectorSecure() { - super(); - } - - /** - * Create a new ServerSocket that will not accept SSLv3 connections, - * but will accept TLSv1.x connections. - */ - protected ServerSocket newServerSocket(String host, int port,int backlog) - throws IOException { - SSLServerSocket socket = (SSLServerSocket) - super.newServerSocket(host, port, backlog); - ArrayList<String> nonSSLProtocols = new ArrayList<String>(); - for (String p : socket.getEnabledProtocols()) { - if (!p.contains("SSLv3")) { - nonSSLProtocols.add(p); - } - } - socket.setEnabledProtocols(nonSSLProtocols.toArray( - new String[nonSSLProtocols.size()])); - return socket; - } -} http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java ---------------------------------------------------------------------- diff --git a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java index eb640bb..6da6500 100644 --- a/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java +++ b/hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/MiniKMS.java @@ -18,14 +18,15 @@ package org.apache.hadoop.crypto.key.kms.server; import com.google.common.base.Preconditions; + import org.apache.commons.io.IOUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.crypto.key.kms.KMSRESTConstants; import org.apache.hadoop.fs.Path; -import org.apache.hadoop.security.ssl.SslSocketConnectorSecure; +import org.apache.hadoop.security.ssl.SslSelectChannelConnectorSecure; import org.mortbay.jetty.Connector; import org.mortbay.jetty.Server; -import org.mortbay.jetty.security.SslSocketConnector; +import org.mortbay.jetty.security.SslSelectChannelConnector; import org.mortbay.jetty.webapp.WebAppContext; import java.io.File; @@ -52,7 +53,7 @@ public class MiniKMS { if (!ssl) { server.getConnectors()[0].setHost(host); } else { - SslSocketConnector c = new SslSocketConnectorSecure(); + SslSelectChannelConnector c = new SslSelectChannelConnectorSecure(); c.setHost(host); c.setNeedClientAuth(false); c.setKeystore(keyStore); @@ -69,7 +70,7 @@ public class MiniKMS { private static URL getJettyURL(Server server) { boolean ssl = server.getConnectors()[0].getClass() - == SslSocketConnectorSecure.class; + == SslSelectChannelConnectorSecure.class; try { String scheme = (ssl) ? "https" : "http"; return new URL(scheme + "://" + http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java ---------------------------------------------------------------------- diff --git a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java index 177563d..7097803 100644 --- a/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java +++ b/hadoop-hdfs-project/hadoop-hdfs-httpfs/src/test/java/org/apache/hadoop/test/TestJettyHelper.java @@ -24,14 +24,14 @@ import java.net.ServerSocket; import java.net.URL; import java.net.UnknownHostException; -import org.apache.hadoop.security.ssl.SslSocketConnectorSecure; +import org.apache.hadoop.security.ssl.SslSelectChannelConnectorSecure; import org.junit.Test; import org.junit.rules.MethodRule; import org.junit.runners.model.FrameworkMethod; import org.junit.runners.model.Statement; import org.mortbay.jetty.Connector; import org.mortbay.jetty.Server; -import org.mortbay.jetty.security.SslSocketConnector; +import org.mortbay.jetty.security.SslSelectChannelConnector; public class TestJettyHelper implements MethodRule { private boolean ssl; @@ -93,7 +93,7 @@ public class TestJettyHelper implements MethodRule { server.getConnectors()[0].setHost(host); server.getConnectors()[0].setPort(port); } else { - SslSocketConnector c = new SslSocketConnectorSecure(); + SslSelectChannelConnector c = new SslSelectChannelConnectorSecure(); c.setHost(host); c.setPort(port); c.setNeedClientAuth(false); http://git-wip-us.apache.org/repos/asf/hadoop/blob/dfcbc120/hadoop-project/pom.xml ---------------------------------------------------------------------- diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml index ebd1986..bb635d2 100644 --- a/hadoop-project/pom.xml +++ b/hadoop-project/pom.xml @@ -499,6 +499,11 @@ <version>${jetty.version}</version> </dependency> <dependency> + <groupId>org.mortbay.jetty</groupId> + <artifactId>jetty-sslengine</artifactId> + <version>${jetty.version}</version> + </dependency> + <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-core</artifactId> <version>7.0.55</version> --------------------------------------------------------------------- To unsubscribe, e-mail: common-commits-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-commits-h...@hadoop.apache.org
