anmolnar commented on a change in pull request #4125:
URL: https://github.com/apache/hbase/pull/4125#discussion_r829044839



##########
File path: 
hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcConnection.java
##########
@@ -297,11 +295,10 @@ public void operationComplete(ChannelFuture future) 
throws Exception {
             established(ch);
           }
         }
-      }).channel();
+      }).sync().channel();

Review comment:
       HBase shell is not able to connect without this. I'm sure I've seen 
errors in RS-Master communication as well, but it works in most cases.
   
   The issue is:
   ```
   ERROR: Failed contacting masters after 1 attempts.
   Exceptions:
   java.io.IOException: Call to address=Andors-MacBook-Pro.local:16000 failed 
on local exception: java.io.IOException: 
java.lang.UnsupportedOperationException: unsupported message type: Call 
(expected: ByteBuf, FileRegion)
   ```
   
   My thinking is that `connect()` is having a race with `sendRequest()`, 
becaue NettyRpcConnection is trying to establish the connection in lazy way: 
doesn't do anything until the first request (`Call`) comes in. Because of this 
we have to make sure that the Netty pipeline is in a usable state before 
letting sendRequest() to push the Call into and seems like `sync()` is enough. 
It waits for the connection to be established before we give back the channel.
   
   This is still not ideal IMHO: we could implement a latch to wait for the SSL 
handshake to happen before doing anything else - like ZooKeeper does -, but it 
might be overkill in this case given that it already works fine with sync().

##########
File path: 
hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcConnection.java
##########
@@ -297,11 +295,10 @@ public void operationComplete(ChannelFuture future) 
throws Exception {
             established(ch);
           }
         }
-      }).channel();
+      }).sync().channel();

Review comment:
       HBase shell is not able to connect without this. I'm sure I've seen 
errors in RS-Master communication as well, but it works in most cases.
   
   The issue is:
   ```
   ERROR: Failed contacting masters after 1 attempts.
   Exceptions:
   java.io.IOException: Call to address=Andors-MacBook-Pro.local:16000 failed 
on local exception:
   java.io.IOException: java.lang.UnsupportedOperationException: unsupported 
message type: Call (expected: ByteBuf, FileRegion)
   ```
   
   My thinking is that `connect()` is having a race with `sendRequest()`, 
becaue NettyRpcConnection is trying to establish the connection in lazy way: 
doesn't do anything until the first request (`Call`) comes in. Because of this 
we have to make sure that the Netty pipeline is in a usable state before 
letting sendRequest() to push the Call into and seems like `sync()` is enough. 
It waits for the connection to be established before we give back the channel.
   
   This is still not ideal IMHO: we could implement a latch to wait for the SSL 
handshake to happen before doing anything else - like ZooKeeper does -, but it 
might be overkill in this case given that it already works fine with sync().

##########
File path: 
hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
##########
@@ -181,4 +204,80 @@ public int getNumOpenConnections() {
     // allChannels also contains the server channel, so exclude that from the 
count.
     return channelsCount > 0 ? channelsCount - 1 : channelsCount;
   }
+
+  private synchronized void initSSL(ChannelPipeline p, boolean 
supportPlaintext) throws
+    X509Exception {
+    SslContext nettySslContext;
+
+    SSLContextAndOptions sslContextAndOptions = 
x509Util.getDefaultSSLContextAndOptions();
+    nettySslContext = sslContextAndOptions
+      .createNettyJdkSslContext(sslContextAndOptions.getSSLContext(), false);
+
+    if (supportPlaintext) {
+      p.addLast("ssl", new NettyRpcServer.DualModeSslHandler(nettySslContext));
+      LOG.debug("Dual mode SSL handler added for channel: {}", p.channel());
+    } else {
+      p.addLast("ssl", nettySslContext.newHandler(p.channel().alloc()));
+      LOG.debug("SSL handler added for channel: {}", p.channel());
+    }
+  }
+
+  /**
+   * A handler that detects whether the client would like to use
+   * TLS or not and responds in kind. The first bytes are examined
+   * for the static TLS headers to make the determination and
+   * placed back in the stream with the correct ChannelHandler
+   * instantiated.
+   */
+  class DualModeSslHandler extends OptionalSslHandler {
+
+    DualModeSslHandler(SslContext sslContext) {
+      super(sslContext);
+    }
+
+    @Override
+    protected void decode(ChannelHandlerContext context, ByteBuf in, 
List<Object> out)
+      throws Exception {
+      if (in.readableBytes() >= 5) {
+        super.decode(context, in, out);
+      } else if (in.readableBytes() > 0) {
+        // It requires 5 bytes to detect a proper ssl connection. In the

Review comment:
       That's copied from the base class.

##########
File path: 
hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
##########
@@ -181,4 +204,80 @@ public int getNumOpenConnections() {
     // allChannels also contains the server channel, so exclude that from the 
count.
     return channelsCount > 0 ? channelsCount - 1 : channelsCount;
   }
+
+  private synchronized void initSSL(ChannelPipeline p, boolean 
supportPlaintext) throws
+    X509Exception {
+    SslContext nettySslContext;
+
+    SSLContextAndOptions sslContextAndOptions = 
x509Util.getDefaultSSLContextAndOptions();
+    nettySslContext = sslContextAndOptions
+      .createNettyJdkSslContext(sslContextAndOptions.getSSLContext(), false);
+
+    if (supportPlaintext) {
+      p.addLast("ssl", new NettyRpcServer.DualModeSslHandler(nettySslContext));
+      LOG.debug("Dual mode SSL handler added for channel: {}", p.channel());
+    } else {
+      p.addLast("ssl", nettySslContext.newHandler(p.channel().alloc()));
+      LOG.debug("SSL handler added for channel: {}", p.channel());
+    }
+  }
+
+  /**
+   * A handler that detects whether the client would like to use
+   * TLS or not and responds in kind. The first bytes are examined
+   * for the static TLS headers to make the determination and
+   * placed back in the stream with the correct ChannelHandler
+   * instantiated.
+   */
+  class DualModeSslHandler extends OptionalSslHandler {
+
+    DualModeSslHandler(SslContext sslContext) {
+      super(sslContext);
+    }
+
+    @Override
+    protected void decode(ChannelHandlerContext context, ByteBuf in, 
List<Object> out)
+      throws Exception {
+      if (in.readableBytes() >= 5) {
+        super.decode(context, in, out);
+      } else if (in.readableBytes() > 0) {
+        // It requires 5 bytes to detect a proper ssl connection. In the
+        // case that the server receives fewer, check if we can fail to 
plaintext.
+        // This will occur when for any four letter work commands.
+        if (TLS_HANDSHAKE_RECORD_TYPE != in.getByte(0)) {
+          LOG.debug("first byte {} does not match TLS handshake, failing to 
plaintext",
+            in.getByte(0));
+          handleNonSsl(context);

Review comment:
       I ended up removing this class. That's something which was needed for 
ZooKeeper 4LW commands which is obviously not the case for HBase.

##########
File path: 
hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
##########
@@ -181,4 +204,80 @@ public int getNumOpenConnections() {
     // allChannels also contains the server channel, so exclude that from the 
count.
     return channelsCount > 0 ? channelsCount - 1 : channelsCount;
   }
+
+  private synchronized void initSSL(ChannelPipeline p, boolean 
supportPlaintext) throws
+    X509Exception {
+    SslContext nettySslContext;
+
+    SSLContextAndOptions sslContextAndOptions = 
x509Util.getDefaultSSLContextAndOptions();
+    nettySslContext = sslContextAndOptions
+      .createNettyJdkSslContext(sslContextAndOptions.getSSLContext(), false);
+
+    if (supportPlaintext) {

Review comment:
       Good point. Yes, we should support it. Let me add a config option.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


Reply via email to