[ https://issues.apache.org/jira/browse/HBASE-21275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16643712#comment-16643712 ]
Wellington Chevreuil commented on HBASE-21275:
----------------------------------------------
Thanks [~apurtell], that's definitely a typo and wrong path. Checking further
on this, I had observed that WebAppContext does need anything different than
null as its ResourceBase, even if it does not really use it. If we don't call
*setResourceBase*, it ends up facing an NPE during initialisation, which will
cause both *testThriftServerHttpTraceDisabled* and *testRunThriftServer* to
fail/error:
{noformat}
2018-10-09 17:13:35,423 ERROR [ThriftServer-httpServer] mortbay.log (Slf4jLog.java:warn(87)) - Failed startup of context org.mortbay.jetty.webapp.WebAppContext@19c0d445{/,null}
java.lang.NullPointerException
	at org.mortbay.resource.Resource.newResource(Resource.java:141)
	at org.mortbay.resource.Resource.newResource(Resource.java:121)
	at org.mortbay.jetty.webapp.WebAppContext.resolveWebApp(WebAppContext.java:924)
	at org.mortbay.jetty.webapp.WebAppContext.getWebInf(WebAppContext.java:832)
	at org.mortbay.jetty.webapp.WebInfConfiguration.configureClassLoader(WebInfConfiguration.java:62)
	at org.mortbay.jetty.webapp.WebAppContext.doStart(WebAppContext.java:489)
	at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
	at org.mortbay.jetty.handler.HandlerWrapper.doStart(HandlerWrapper.java:130)
	at org.mortbay.jetty.Server.doStart(Server.java:224)
	at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
	at org.apache.hadoop.hbase.thrift.ThriftServerRunner$1.run(ThriftServerRunner.java:374)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:360)
	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1594)
	at org.apache.hadoop.hbase.thrift.ThriftServerRunner.run(ThriftServerRunner.java:368)
	at org.apache.hadoop.hbase.thrift.ThriftServer.doMain(ThriftServer.java:106)
	at org.apache.hadoop.hbase.thrift.TestThriftHttpServer$1.run(TestThriftHttpServer.java:120)
	at java.lang.Thread.run(Thread.java:748)
{noformat}
Anyways, I don't think it really matters, as we are auto generating web.xml,
but inspecting the jar structure, my guess is that the correct path to be set
would be *hbase-webapps/*:
{noformat}
873 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/thrift/index.html
680 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/thrift/WEB-INF/web.xml
2997 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/hbase_logo.png
97339 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/bootstrap.min.css
1293 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/hbase.css
119892 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/bootstrap.css
17044 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/bootstrap-theme.css
15220 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/bootstrap-theme.min.css
3206 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/hbase_logo_small.png
58458 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/js/bootstrap.js
93636 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/js/jquery.min.js
1347 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/js/tab.js
27726 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/js/bootstrap.min.js
3592 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/hbase_logo_med.gif
16448 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/fonts/glyphicons-halflings-regular.woff
14079 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/fonts/glyphicons-halflings-regular.eot
29512 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/fonts/glyphicons-halflings-regular.ttf
63157 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/fonts/glyphicons-halflings-regular.svg
{noformat}
Am attaching another patch version, correcting this and the checkstyle issues.
Please let me know on any thoughts/concerns.
> Thrift Server (branch 1 fix) -> Disable TRACE HTTP method for thrift http
> server (branch 1 only)
> ------------------------------------------------------------------------------------------------
>
> Key: HBASE-21275
> URL: https://issues.apache.org/jira/browse/HBASE-21275
> Project: HBase
> Issue Type: Bug
> Components: Thrift
> Reporter: Wellington Chevreuil
> Assignee: Wellington Chevreuil
> Priority: Minor
> Fix For: 1.4.8, 1.2.7
>
> Attachments: HBASE-21275-branch-1.2.001.patch,
> HBASE-21275-branch-1.2.002.patch
>
>
> There's been a reasonable number of users running thrift http server on hbase
> 1.x suffering with security audit tests pointing thrift server allows TRACE
> requests.
> After doing some search, I can see HBASE-20406 added restrictions for
> TRACE/OPTIONS method when Thrift is running over http, but it relies on many
> other commits applied to thrift http server. This patch was later reverted
> from master. Then again later, HBASE-20004 had made TRACE/OPTIONS
> configurable via "*hbase.thrift.http.allow.options.method*" property, with
> both methods being disabled by default. This also seems to rely on many
> changes applied to thrift http server, and a branch 1 compatible patch does
> not seem feasible.
> A solution for branch 1 is pretty simple though, am proposing a patch that
> simply uses *WebAppContext*, instead of *Context*, as the context for the
> *HttpServer* instance. *WebAppContext* will already restrict TRACE methods by
> default.