[
https://issues.apache.org/jira/browse/IMPALA-14452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18031111#comment-18031111
]
ASF subversion and git services commented on IMPALA-14452:
----------------------------------------------------------
Commit 512a73771f37f8d8b25aba90b99fc6cdd64aa24d in impala's branch
refs/heads/master from Michael Smith
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=512a73771 ]
IMPALA-14452: Fix impala-shell SSL with Python 3.12
Removes deprecated ImpalaHttpClient constructor that supported port and
path as it has been deprecated since at least 2020 and appears unused.
Removes cert_file and key_file as they were also never used, and if
required must now be passed in via ssl_context.
Updates TSSLSocket fixes for Thrift 0.16 and Python 3.12. _validate_cert
was removed by Thrift 0.16, but everything worked because Thrift used
ssl.match_hostname instead. With Python 3.12 ssl.match_hostname no
longer exists so we rely on OpenSSL to handle verification with
ssl.PROTOCOL_TLS_CLIENT.
Only uses ssl.PROTOCOL_TLS_CLIENT when match_hostname is unavailable to
avoid changing existing behavior. THRIFT-792 identifies that TSocket
suppresses connection errors, where we would otherwise see SSL hostname
verification errors like
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed: IP address mismatch, certificate is not
valid for '::1'. (_ssl.c:1131)
Python 2.7.9 and 3.2 are minimum required versions; both have been EOL
for several years.
Testing:
- ran custom_cluster/{test_client_ssl.py,test_ipv6.py} on Ubuntu 24 with
Python 3.12, OpenSSL 3.0.13.
- ran custom_cluster/test_client_ssl.py on RHEL 7.9 with Python 2.7.5
and Python 3.6.8, OpenSSL 1.0.2k-fips.
- adds test that hostname checking is configured.
Change-Id: I046a9010ac4cb1f7d705935054b306cddaf8bdc7
Reviewed-on: http://gerrit.cloudera.org:8080/23519
Tested-by: Impala Public Jenkins <[email protected]>
Reviewed-by: Csaba Ringhofer <[email protected]>
> Impala shell with hs2-http + certificate does not work on Python 3.12
> ---------------------------------------------------------------------
>
> Key: IMPALA-14452
> URL: https://issues.apache.org/jira/browse/IMPALA-14452
> Project: IMPALA
> Issue Type: Bug
> Components: Clients
> Reporter: Csaba Ringhofer
> Assignee: Michael Smith
> Priority: Major
>
> {code}
> impala-shell --ssl --protocol=hs2-http
> --ca_cert=be/src/testutil/wildcardCA.pem
> Starting Impala Shell with no authentication using Python 3.12.9
> 2025-09-18 18:31:02 [Exception] Error connectingTypeError
> HTTPSConnection.__init__() got an unexpected keyword argument 'key_file'
> {code}
> The same issue came up in Thrift and in impyla:
> THRIFT-5847
> https://github.com/cloudera/impyla/issues/529
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
