[
https://issues.apache.org/jira/browse/HADOOP-18245?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ritesh H Shukla updated HADOOP-18245:
-------------------------------------
Description:
Based on production workload, we found that it is not enough to map just
SSLHandshakeException to ConnectException in Loadbalancing KMS Client but that
needs to be extended to SSLExceptions and SocketExceptions.
Sample JDK code that can raise these exceptions:
https://github.com/openjdk/jdk/blob/jdk-18%2B32/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java#L1409-L1428
Sample Exception backtrace:
22/04/13 16:25:53 WARN kms.LoadBalancingKMSClientProvider: KMS provider at [https://bdgtr041x10h5.nam.nsroot.net:16001/kms/v1/] threw an IOException:
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1470)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1298)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1199)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:587)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDe
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:480)
    at sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:469)
    ... 59 more
was:
Based on production workload, we found that it is not enough to map just
SSLHandshakeException to ConnectException in Loadbalancing KMS Client but that
needs to be extended to SSLExceptions and SocketExceptions.
Sample JDK code that can raise these exceptions.
    /**
     * Read the initial handshake records.
     */
    private int readHandshakeRecord() throws IOException {
        while (!conContext.isInboundClosed()) {
            try {
                Plaintext plainText = decode(null);
                if ((plainText.contentType == ContentType.HANDSHAKE.id) &&
                        conContext.isNegotiated) {
                    return 0;
                }
            } catch (SSLException |
                    InterruptedIOException | SocketException se) {
                // Don't change exception in case of timeouts or interrupts
                // or SocketException.
                throw se;
            } catch (IOException ioe) {
                throw new SSLException("readHandshakeRecord", ioe);
            }
        }
        return -1;
    }
> Extend KMS related exceptions that get mapped to ConnectException
> ------------------------------------------------------------------
>
> Key: HADOOP-18245
> URL: https://issues.apache.org/jira/browse/HADOOP-18245
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
> Reporter: Ritesh H Shukla
> Priority: Major
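The mapping this issue asks for, as an added sketch that is not Hadoop's LoadBalancingKMSClientProvider code: SSLException and SocketException are normalized to ConnectException, so a caller that moves to the next KMS endpoint on ConnectException does so for these failures as well. KmsFailoverSketch, ProviderOp, normalize, doOp and the example.test endpoints are hypothetical names, and the failover loop is an assumption about how the mapped exception is used.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.SocketException;
import java.util.List;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;

public class KmsFailoverSketch {
    /** Hypothetical stand-in for one request against a single KMS endpoint. */
    interface ProviderOp<T> { T call(String endpoint) throws IOException; }

    /** Map transport-level failures to ConnectException, keeping the original as cause. */
    static IOException normalize(IOException ioe) {
        if (ioe instanceof ConnectException) return ioe;
        // SSLHandshakeException extends SSLException, so the narrower mapping is still covered.
        if (ioe instanceof SSLException || ioe instanceof SocketException) {
            ConnectException ce = new ConnectException(ioe.toString());
            ce.initCause(ioe); // keep the TLS/socket detail for logs and triage
            return ce;
        }
        return ioe;
    }

    /** Try endpoints in order; only connection-class failures move on to the next one. */
    static <T> T doOp(List<String> endpoints, ProviderOp<T> op) throws IOException {
        IOException last = new IOException("no KMS endpoints configured");
        for (String ep : endpoints) {
            try {
                return op.call(ep);
            } catch (IOException ioe) {
                last = normalize(ioe);
                if (!(last instanceof ConnectException)) throw last; // not a transport failure
            }
        }
        throw last;
    }

    public static void main(String[] args) throws IOException {
        // Constructed endpoints and failures, for illustration only.
        List<String> endpoints = List.of("https://kms1.example.test/kms/v1/",
                "https://kms2.example.test/kms/v1/", "https://kms3.example.test/kms/v1/");
        ProviderOp<String> op = ep -> {
            if (ep.contains("kms1")) throw new SSLHandshakeException("Remote host terminated the handshake");
            if (ep.contains("kms2")) throw new SocketException("Connection reset");
            return "served by " + ep;
        };
        System.out.println(doOp(endpoints, op));
    }
}
```

An SSLException can also signal a certificate or protocol mismatch rather than a dead peer, which is why the sketch keeps the original exception as the cause instead of discarding it.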