Re: [PR] HIVE-29112: HMS embedded servlets https support [hive]

Sat, 02 Aug 2025 13:49:15 -0700 


ayushtkn commented on code in PR #6002:
URL: https://github.com/apache/hive/pull/6002#discussion_r2248423426


##########
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ServletServerBuilder.java:
##########
@@ -50,6 +53,10 @@
  * different ports.
  */
 public class ServletServerBuilder {
+  private static final Logger LOGGER = 
LoggerFactory.getLogger(ServletServerBuilder.class);
+  private static final String HTTP11 = "http/1.1";

Review Comment:
   this is unused



##########
standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/properties/HMSServletTest.java:
##########
@@ -92,30 +97,38 @@ protected void stopServer(int port) throws Exception {
     }
   }
 
+  protected static HttpClient createHttpClient(Configuration conf) {
+    SSLContext sslCtxt = clientSSLContextFactory(conf);
+    return sslCtxt != null
+      ? 
HttpClients.custom().setSSLContext(sslCtxt).setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).build()
+      : HttpClients.createDefault();
+  }
 
   @Override
   protected PropertyClient createClient(Configuration conf, int sport) throws 
Exception {
     String path = MetastoreConf.getVar(conf, 
MetastoreConf.ConfVars.PROPERTIES_SERVLET_PATH);
-    URL url = new URL("http://hive@localhost:"; + sport + "/" + path + "/" + 
NS);
+    String scheme = MetastoreConf.getBoolVar(conf, 
MetastoreConf.ConfVars.HTTPSERVER_USE_HTTPS)
+            ? "https" : "http";
+    URI uri = new URI(scheme + "://hive@localhost:" + sport + "/" + path + "/" 
+ NS);

Review Comment:
   curious why the variable name is "sport", Sport in english means something 
totally different :-) 



##########
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ServletServerBuilder.java:
##########
@@ -159,24 +166,55 @@ private Server createServer() {
   }
 
   /**
-   * Creates a server instance and a connector on a given port.
+   * Create an SSL context factory using the configuration.
    *
-   * @param server            the server instance
-   * @param sslContextFactory the ssl factory
-   * @param port              the port
-   * @return the server connector listening to the port
+   * @param conf The configuration to use
+   * @return The created SslContextFactory or null if creation failed
+   */
+  private static SslContextFactory createSslContextFactory(Configuration conf) 
{
+    try {
+      return ServletSecurity.createSslContextFactoryIf(conf, 
MetastoreConf.ConfVars.HTTPSERVER_USE_HTTPS);
+    } catch (IOException e) {
+      LOGGER.error("Failed to create SSL context factory", e);
+      return null;
+    }

Review Comment:
   Why do we need this logic. IOE is thrown when getting password from the 
credential provider fails. That should be fatal I believe. Here I think we are 
treating it same as the conf was set off



##########
standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/properties/HMSTestBase.java:
##########
@@ -145,6 +156,78 @@ public synchronized void tearDown() throws Exception {
     }
   }
 
+  /**
+   * This is how we created a self-signed certificate for localhost needed for 
https (ssl) configuration
+   * The keystore and truststore were generated using the following commands:
+   * % keytool -genkeypair -alias Hive -keyalg RSA -keysize 2048 -validity 
3650 -storetype PKCS12 -keystore hive_keystore.p12 -storepass apache -keypass 
apache
+   * % keytool -export -alias Hive -file hive.crt -keystore hive_keystore.p12 
-storepass apache
+   * % keytool -import -alias Hive -file hive.crt -keystore 
hive_trusstore.p012 -storepass apache -noprompt -storetype PKCS12
+  */
+  private static final String LOCALHOST_KEY_STORE_NAME = "hive_keystore.p12";
+  private static final String KEY_STORE_TRUST_STORE_PASSWORD = "apache";
+  private static final String TRUST_STORE_NAME = "hive_truststore.p12";
+  private static final String STORES_DIR = "src/test/resources";
+
+  /**
+   * Sets the metastore configuration to use SSL.
+
+   * @param conf the configuration to set
+   */
+  public static void setHttpsConf(Configuration conf) {
+    MetastoreConf.setBoolVar(conf, MetastoreConf.ConfVars.USE_SSL, true);
+    MetastoreConf.setBoolVar(conf, 
MetastoreConf.ConfVars.HTTPSERVER_USE_HTTPS, true);
+    MetastoreConf.setVar(conf, MetastoreConf.ConfVars.SSL_KEYSTORE_PATH,
+            STORES_DIR + File.separator + LOCALHOST_KEY_STORE_NAME);
+    MetastoreConf.setVar(conf, MetastoreConf.ConfVars.SSL_KEYSTORE_PASSWORD,
+            KEY_STORE_TRUST_STORE_PASSWORD);
+    MetastoreConf.setVar(conf, MetastoreConf.ConfVars.SSL_KEYSTORE_TYPE, 
"PKCS12");
+    MetastoreConf.setVar(conf, 
MetastoreConf.ConfVars.SSL_KEYMANAGERFACTORY_ALGORITHM, 
KeyManagerFactory.getDefaultAlgorithm());

Review Comment:
   crosses the line limit I believe, can you format the code



##########
standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/properties/HMSServletTest1.java:
##########
@@ -167,4 +172,54 @@ public Map<String, String> getProperties(List<String> 
selection) throws IOExcept
     }
   }
 
+  @Test
+  public void testServletEchoB() throws Exception {

Review Comment:
   can you choose a better name, unable to decode what does B mean here



##########
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ServletServerBuilder.java:
##########
@@ -159,24 +166,55 @@ private Server createServer() {
   }
 
   /**
-   * Creates a server instance and a connector on a given port.
+   * Create an SSL context factory using the configuration.
    *
-   * @param server            the server instance
-   * @param sslContextFactory the ssl factory
-   * @param port              the port
-   * @return the server connector listening to the port
+   * @param conf The configuration to use
+   * @return The created SslContextFactory or null if creation failed
+   */
+  private static SslContextFactory createSslContextFactory(Configuration conf) 
{
+    try {
+      return ServletSecurity.createSslContextFactoryIf(conf, 
MetastoreConf.ConfVars.HTTPSERVER_USE_HTTPS);
+    } catch (IOException e) {
+      LOGGER.error("Failed to create SSL context factory", e);
+      return null;
+    }
+  }
+
+  /**
+   * Create an HTTP or HTTPS connector.
+   *
+   * @param server The server to create the connector for
+   * @param sslContextFactory The ssl context factory to use;
+   *                          if null, the connector will be HTTP; if not 
null, the connector will be HTTPS
+   * @param port The port to bind the connector to
+   * @return The created ServerConnector
    */
   private ServerConnector createConnector(Server server, SslContextFactory 
sslContextFactory, int port) {
-    final ServerConnector connector = new ServerConnector(server, 
sslContextFactory);
+    final ServerConnector connector;
+    if (sslContextFactory == null) {
+      connector = new ServerConnector(server);
+      connector.setName(HTTP);
+      connector.setReuseAddress(true);

Review Comment:
   this is getting called twice. It would be called below at L217 as well, so 
we can drop it here



##########
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ServletSecurity.java:
##########
@@ -304,13 +304,24 @@ static void loginServerPrincipal(Configuration conf) 
throws IOException {
   }
 
   /**
-   * Creates an SSL context factory if configuration states so.
+   * Creates an SSL context factory if the configuration states so.
    * @param conf the configuration
    * @return null if no ssl in config, an instance otherwise
    * @throws IOException if getting password fails
    */
   static SslContextFactory createSslContextFactory(Configuration conf) throws 
IOException {
-    final boolean useSsl  = MetastoreConf.getBoolVar(conf, 
MetastoreConf.ConfVars.USE_SSL);
+    return createSslContextFactoryIf(conf, MetastoreConf.ConfVars.USE_SSL);
+  }
+
+  /**
+   * Creates an SSL context factory if a configuration variable states so.
+   * @param conf the configuration
+   * @param condition the condition variable to check for SSL
+   * @return null if no ssl in config, an instance otherwise
+   * @throws IOException if getting password fails
+   */
+  static SslContextFactory createSslContextFactoryIf(Configuration conf, 
MetastoreConf.ConfVars condition) throws IOException {
+    final boolean useSsl = MetastoreConf.getBoolVar(conf, condition);

Review Comment:
   this is crossing the line limit
   
https://github.com/apache/hive/blob/master/checkstyle/checkstyle.xml#L159-L160



##########
standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/properties/HMSServletTest.java:
##########
@@ -156,16 +169,19 @@ public Map<String, String> getProperties(List<String> 
selection) {
 
   @Test
   public void testServletEchoA() throws Exception {
-    URL url = new URL("http://hive@localhost:"; + servletPort + "/" + path + 
"/" + NS);
+    String path = MetastoreConf.getVar(conf, 
MetastoreConf.ConfVars.PROPERTIES_SERVLET_PATH);
+    String scheme = MetastoreConf.getBoolVar(conf, 
MetastoreConf.ConfVars.HTTPSERVER_USE_HTTPS)
+            ? "https" : "http";

Review Comment:
   this is done like 3 times in this class itself, can we have a util like 
getScheme()



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: gitbox-unsubscr...@hive.apache.org
For additional commands, e-mail: gitbox-h...@hive.apache.org

Reply via email to