[ https://issues.apache.org/jira/browse/HBASE-21275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16643712#comment-16643712 ]

Wellington Chevreuil commented on HBASE-21275:
----------------------------------------------

Thanks [~apurtell], that's definitely a typo and wrong path. Checking further 
on this, I had observed that WebAppContext does need something other than 
null as its ResourceBase, even if it does not really use it. If we don't call 
*setResourceBase*, it ends up facing an NPE during initialisation, which will 
cause both *testThriftServerHttpTraceDisabled* and *testRunThriftServer* to 
fail/error:
{noformat}
2018-10-09 17:13:35,423 ERROR [ThriftServer-httpServer] mortbay.log (Slf4jLog.java:warn(87)) - Failed startup of context org.mortbay.jetty.webapp.WebAppContext@19c0d445{/,null}
java.lang.NullPointerException
at org.mortbay.resource.Resource.newResource(Resource.java:141)
at org.mortbay.resource.Resource.newResource(Resource.java:121)
at org.mortbay.jetty.webapp.WebAppContext.resolveWebApp(WebAppContext.java:924)
at org.mortbay.jetty.webapp.WebAppContext.getWebInf(WebAppContext.java:832)
at org.mortbay.jetty.webapp.WebInfConfiguration.configureClassLoader(WebInfConfiguration.java:62)
at org.mortbay.jetty.webapp.WebAppContext.doStart(WebAppContext.java:489)
at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
at org.mortbay.jetty.handler.HandlerWrapper.doStart(HandlerWrapper.java:130)
at org.mortbay.jetty.Server.doStart(Server.java:224)
at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
at org.apache.hadoop.hbase.thrift.ThriftServerRunner$1.run(ThriftServerRunner.java:374)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1594)
at org.apache.hadoop.hbase.thrift.ThriftServerRunner.run(ThriftServerRunner.java:368)
at org.apache.hadoop.hbase.thrift.ThriftServer.doMain(ThriftServer.java:106)
at org.apache.hadoop.hbase.thrift.TestThriftHttpServer$1.run(TestThriftHttpServer.java:120)
at java.lang.Thread.run(Thread.java:748)
{noformat}

Anyways, I don't think it really matters, as we are auto generating web.xml, 
but inspecting the jar structure, my guess is that the correct path to be set 
would be *hbase-webapps/*:

{noformat}
   873 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/thrift/index.html
   680 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/thrift/WEB-INF/web.xml
  2997 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/hbase_logo.png
 97339 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/bootstrap.min.css
  1293 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/hbase.css
119892 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/bootstrap.css
 17044 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/bootstrap-theme.css
 15220 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/css/bootstrap-theme.min.css
  3206 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/hbase_logo_small.png
 58458 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/js/bootstrap.js
 93636 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/js/jquery.min.js
  1347 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/js/tab.js
 27726 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/js/bootstrap.min.js
  3592 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/hbase_logo_med.gif
 16448 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/fonts/glyphicons-halflings-regular.woff
 14079 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/fonts/glyphicons-halflings-regular.eot
 29512 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/fonts/glyphicons-halflings-regular.ttf
 63157 Tue Oct 09 17:19:32 BST 2018 hbase-webapps/static/fonts/glyphicons-halflings-regular.svg
{noformat}

Am attaching another patch version, correcting this and the checkstyle issues. 
Please let me know on any thoughts/concerns.
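As an added illustration of the two points in the comment above (not code from the patch or from HBase), here is a minimal Jetty 6 (org.mortbay) setup: a WebAppContext given a real resource base so it starts without the NPE, followed by a TRACE probe that verifies the default restriction. The class name, method names and the use of the temp directory as resource base are my own assumptions.

```java
import java.io.File;
import java.net.HttpURLConnection;
import java.net.URL;

import org.mortbay.jetty.Server;
import org.mortbay.jetty.webapp.WebAppContext;

/** Hypothetical check: start a WebAppContext and confirm HTTP TRACE is refused. */
public class TraceDisabledCheck {

  /** Without setResourceBase, Jetty 6 fails in Resource.newResource with the NPE shown above. */
  static WebAppContext newContext(String resourceBase) {
    WebAppContext ctx = new WebAppContext();
    ctx.setContextPath("/");
    ctx.setResourceBase(resourceBase); // any existing directory is enough; content is not served here
    return ctx;
  }

  /** Sends one TRACE request to the local server and returns the HTTP status code. */
  static int traceStatus(int port) throws Exception {
    URL url = new URL("http://127.0.0.1:" + port + "/");
    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
    conn.setRequestMethod("TRACE"); // permitted by HttpURLConnection
    conn.setRequestProperty("X-Probe", "trace-check"); // would be echoed back only if TRACE were enabled
    return conn.getResponseCode(); // 403 is returned without an exception
  }

  public static void main(String[] args) throws Exception {
    File base = new File(System.getProperty("java.io.tmpdir")); // assumed: exists on every JVM
    Server server = new Server(0); // 0 = ephemeral port
    server.setHandler(newContext(base.getAbsolutePath()));
    server.start();
    try {
      int port = server.getConnectors()[0].getLocalPort();
      int status = traceStatus(port);
      // Jetty's bundled webdefault.xml carries a security-constraint on TRACE, so 403 is expected;
      // any 2xx here means the context is not applying the default constraint and needs attention.
      System.out.println("TRACE -> HTTP " + status + (status == 403 ? " (disabled)" : " (ENABLED)"));
    } finally {
      server.stop();
    }
  }
}
```

Run it against the Jetty 6 jars on the branch-1 classpath; the same probe works against a running Thrift HTTP server if you replace the local port with its address.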

> Thrift Server (branch 1 fix) -> Disable TRACE HTTP method for thrift http 
> server (branch 1 only)
> ------------------------------------------------------------------------------------------------
>
>                 Key: HBASE-21275
>                 URL: https://issues.apache.org/jira/browse/HBASE-21275
>             Project: HBase
>          Issue Type: Bug
>          Components: Thrift
>            Reporter: Wellington Chevreuil
>            Assignee: Wellington Chevreuil
>            Priority: Minor
>             Fix For: 1.4.8, 1.2.7
>
>         Attachments: HBASE-21275-branch-1.2.001.patch, 
> HBASE-21275-branch-1.2.002.patch
>
>
> There's been a reasonable number of users running thrift http server on hbase 
> 1.x suffering with security audit tests pointing thrift server allows TRACE 
> requests.
> After doing some search, I can see HBASE-20406 added restrictions for 
> TRACE/OPTIONS method when Thrift is running over http, but it relies on many 
> other commits applied to thrift http server. This patch was later reverted 
> from master. Then again later, HBASE-20004 had made TRACE/OPTIONS 
> configurable via "*hbase.thrift.http.allow.options.method*" property, with 
> both methods being disabled by default. This also seems to rely on many 
> changes applied to thrift http server, and a branch 1 compatible patch does 
> not seem feasible.
> A solution for branch 1 is pretty simple though, am proposing a patch that 
> simply uses *WebAppContext*, instead of *Context*, as the context for the 
> *HttpServer* instance. *WebAppContext* will already restrict TRACE methods by 
> default.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)