[ https://issues.apache.org/jira/browse/HBASE-25987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17360700#comment-17360700 ]
Hudson commented on HBASE-25987: -------------------------------- Results for branch branch-2.3 [build #234 on builds.a.o|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/234/]: (x) *{color:red}-1 overall{color}* ---- details (if available): (x) {color:red}-1 general checks{color} -- For more information [see general report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/234/General_20Nightly_20Build_20Report/] (x) {color:red}-1 jdk8 hadoop2 checks{color} -- For more information [see jdk8 (hadoop2) report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/234/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/] (x) {color:red}-1 jdk8 hadoop3 checks{color} -- For more information [see jdk8 (hadoop3) report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/234/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/] (x) {color:red}-1 jdk11 hadoop3 checks{color} -- For more information [see jdk11 report|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/234/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/] (x) {color:red}-1 source release artifact{color} -- See build output for details. (x) {color:red}-1 client integration test{color} -- Something went wrong with this stage, [check relevant console output|https://ci-hadoop.apache.org/job/HBase/job/HBase%20Nightly/job/branch-2.3/234//console]. > Make SSL keystore type configurable for HBase ThriftServer > ---------------------------------------------------------- > > Key: HBASE-25987 > URL: https://issues.apache.org/jira/browse/HBASE-25987 > Project: HBase > Issue Type: Improvement > Components: Thrift > Affects Versions: 3.0.0-alpha-1, 2.2.7, 2.5.0, 2.3.5, 2.4.4 > Reporter: Mate Szalay-Beko > Assignee: Mate Szalay-Beko > Priority: Major > Fix For: 3.0.0-alpha-1, 2.5.0, 2.3.6, 2.4.5 > > > We get the following exception, when trying to start Hbase Thrift Server in > http mode (hbase.regionserver.thrift.http=true) and use non default (not > "jks") keystore type: > > {noformat} > 2021-06-08 07:40:10,275 ERROR org.apache.hadoop.hbase.thrift.ThriftServer: > Cannot run ThriftServer > java.io.IOException: Invalid keystore format > at > sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:663) > at > sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) > at > sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) > at > sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) > at java.security.KeyStore.load(KeyStore.java:1445) > at > org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:54) > at > org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1197) > at > org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:321) > at > org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:243) > at > org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) > at > org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) > at > org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) > at > org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97) > at > org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) > at > org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) > at > org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) > at > org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321) > at > org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) > at > org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) > at > org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) > at org.eclipse.jetty.server.Server.doStart(Server.java:401) > at > org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) > at > org.apache.hadoop.hbase.thrift.ThriftServer$2.run(ThriftServer.java:861) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:360) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1878) > at > org.apache.hadoop.hbase.thrift.ThriftServer.run(ThriftServer.java:855) > at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76) > at > org.apache.hadoop.hbase.thrift.ThriftServer.main(ThriftServer.java:882){noformat} > This problem appeared after we applied HBASE-25930 to our local HBase > version. It looks, we never had a parameter to specify the keystore type for > thrift http server. Before HBASE-25930, the keystore type used by the thrift > http server was accidentally defined based on the InfoServer (web ui) > configuration of "ssl.server.keystore.type". Before HBASE-25930, the > InfoServer was started first and it set the keystore type in the global > keystore manager, which setting propagated to the thrift http server too, > without any override. In HBASE-25930 the startup order changed, and the > thrift http server configuration happens before the InfoServer start, so we > lack this accidental configuration change now. > Given that we have independent keystore file path / password parameters > already for the thrift http server, the proper solution is to create a new > parameter also for the keystore type of the thrift http server: > *hbase.thrift.ssl.keystore.type* (defaulting to "jks"). -- This message was sent by Atlassian Jira (v8.3.4#803005)