[ 
https://issues.apache.org/jira/browse/HBASE-21500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17797501#comment-17797501
 ] 

Nihal Jain commented on HBASE-21500:
------------------------------------

Copy-pasted RCA from the GitHub PR:

Changing the property name to {{org.eclipse.jetty.servlet.Default.aliases}} 
does not solve the problem.

Upon investigating, I found that in 
[Jetty#ContextHandler|https://github.com/jetty/jetty.project/blob/d49f298c7f5361161cd71264aabd50dbfc8e4c59/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java],
 {{SymlinkAllowedResourceAliasChecker}} is added by default, irrespective of 
whether {{hbase.jetty.logs.serve.aliases}} is set to {{true}} or {{false}}, 
always allowing aliases for {{/logs}}. Hence the issue is revealed only if the 
value is set to {{false}}.

See 
[serving-aliased-files|https://github.com/jetty/jetty.project/blob/jetty-9.4.53.v20231009/jetty-documentation/src/main/asciidoc/configuring/security/serving-aliased-files.adoc]
 for how this feature works.

Based on the docs, I have created a patch with the fix.

To test the fix, the following steps were followed:
 # Disallowed flow

 * Build code with {{assembly:single}}
 * Untar the tarball
 * Configure {{hbase.jetty.logs.serve.aliases}} to {{false}} and start hbase in 
local mode
<property>
<name>hbase.jetty.logs.serve.aliases</name>
<value>false</value>
</property>

 
 * Go to the logs directory and run the following:
 ** {{touch /tmp/test.txt test.txt}}
 ** {{ln -s /tmp/test.txt test.txt}}
 * Go to {{http://localhost:16010/logs/test.txt}} and a 404 error should be 
thrown.

 # Allowed flow, which is current default behavior and works even without the 
patch

 * Repeat the above steps with {{hbase.jetty.logs.serve.aliases}} set to {{true}}, 
or just remove it.
 * We should be able to access the symlinked file test.txt

> "hbase.jetty.logs.serve.aliases" is broken with jetty 9.x version
> -----------------------------------------------------------------
>
>                 Key: HBASE-21500
>                 URL: https://issues.apache.org/jira/browse/HBASE-21500
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 3.0.0-alpha-1, 2.1.0, 2.0.0, 2.0.1, 2.1.1
>            Reporter: Bhupendra Kumar Jain
>            Assignee: Nihal Jain
>            Priority: Minor
>             Fix For: 3.0.0-beta-2
>
>         Attachments: HBASE-21500.master.001.patch
>
>
> Noticed that the Jetty aliases parameter in HttpServer.java 
> "*org.mortbay.jetty.servlet.Default.aliases*" is as per the old Jetty version and 
> needs to change as per the new Jetty 9.x version after HBASE-12894.
> Refer 
> https://github.com/apache/hbase/blob/405bf5e6383a09f435baadbac6c389e9f6c43ac6/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java#L647
> It should be *"org.eclipse.jetty.servlet.Default.aliases"* 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
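
The behaviour described in the comment, sketched against the Jetty 9.4 API as an added example (this is not the HBase patch and not part of the original comment). The class name, method name, port 8080 and the {{/var/log/hbase}} path are assumptions made for illustration.

```java
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.SymlinkAllowedResourceAliasChecker;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;

// Hypothetical stand-alone class, not HBase's HttpServer.
public class LogsAliasExample {

  // Builds a /logs context whose symlink handling follows serveAliases.
  static ServletContextHandler logsContext(String logDir, boolean serveAliases) {
    ServletContextHandler ctx = new ServletContextHandler();
    ctx.setContextPath("/logs");
    ctx.setResourceBase(logDir);
    ctx.addServlet(DefaultServlet.class, "/");

    // As the comment above notes, ContextHandler registers a
    // SymlinkAllowedResourceAliasChecker on its own, so a "false"
    // setting has no effect unless the default check is removed.
    ctx.clearAliasChecks();

    if (serveAliases) {
      // Opt back in explicitly: symlinked files under logDir are served.
      ctx.addAliasCheck(new SymlinkAllowedResourceAliasChecker(ctx));
    }
    // With no alias check registered, a request whose resource resolves
    // to a different real path (for example a symlink) is answered 404.
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    // Assumed values: port 8080 and /var/log/hbase are placeholders.
    boolean serveAliases = args.length > 0 && Boolean.parseBoolean(args[0]);
    Server server = new Server(8080);
    server.setHandler(logsContext("/var/log/hbase", serveAliases));
    server.start();
    server.join();
  }
}
```

Running it with {{false}} and repeating the symlink test from the comment against {{/logs/test.txt}} should give the 404; with {{true}} the symlinked file is served.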