Todd Lipcon has posted comments on this change. ( http://gerrit.cloudera.org:8080/13299 )
Change subject: IMPALA-8538: HS2 + HTTP(S) + BASIC/LDAP based thrift server endpoint ...................................................................... Patch Set 3: (13 comments) http://gerrit.cloudera.org:8080/#/c/13299/2//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/13299/2//COMMIT_MSG@21 PS2, Line 21: : : TODO > Sure. I checked, and the differences between this version and thrift master Sounds fine. I think having it in our own codebase is also nice to be able to use impala utility code http://gerrit.cloudera.org:8080/#/c/13299/3//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/13299/3//COMMIT_MSG@25 PS3, Line 25: - Fuzz test the http endpoint quickly looking at THttpTransport, I don't see any limits on the buffer size, and some kinda sketchy looking 32-bit math that seems susceptible to overflow. We should try connecting and sending 5GB lines and make sure it doesn't allocate 5GB of memory, doesn't overflow, etc http://gerrit.cloudera.org:8080/#/c/13299/3/be/src/rpc/authentication.cc File be/src/rpc/authentication.cc: http://gerrit.cloudera.org:8080/#/c/13299/3/be/src/rpc/authentication.cc@202 PS3, Line 202: bool LdapCheckPass(const char* user, const char* pass, unsigned passlen) { this function can be made static, right? http://gerrit.cloudera.org:8080/#/c/13299/3/be/src/rpc/authentication.cc@872 PS3, Line 872: if (!principal_.empty()) { I don't think this logic quite makes sense. Just because Kerberos is enabled doesn't mean we should prohibit non-kerberized LDAP access, right? http://gerrit.cloudera.org:8080/#/c/13299/3/be/src/rpc/authentication.cc@950 PS3, Line 950: boost::shared_ptr<ThriftServer::ConnectionContext> connection_ptr, this can be a const reference to the shared_ptr http://gerrit.cloudera.org:8080/#/c/13299/3/be/src/rpc/authentication.cc@956 PS3, Line 956: static_cast consider down_cast<> from gutil/casts.h here, which does an RTTI type check in debug builds http://gerrit.cloudera.org:8080/#/c/13299/3/be/src/rpc/authentication.cc@963 PS3, Line 963: static_cast same http://gerrit.cloudera.org:8080/#/c/13299/3/be/src/transport/THttpServer.cpp File be/src/transport/THttpServer.cpp: http://gerrit.cloudera.org:8080/#/c/13299/3/be/src/transport/THttpServer.cpp@71 PS3, Line 71: RFC7230 says the whitespace between the : and the header value is optional: https://tools.ietf.org/html/rfc7230#section-3.2 http://gerrit.cloudera.org:8080/#/c/13299/3/be/src/transport/THttpServer.cpp@75 PS3, Line 75: throw TTransportException("HTTP Basic auth failed."); does this end up closing the connection immediately? If not, I'm worried about a malicious client sending the Authorization header twice -- once with a valid authn, the second time without. That leaves the connection in a somewhat odd state, where authorized_ = true but headersDone() never got called. Perhaps it would be safer to just copy off the authorization header here into a variable, and then do the actual checking in headersDone() instead? http://gerrit.cloudera.org:8080/#/c/13299/3/common/thrift/metrics.json File common/thrift/metrics.json: http://gerrit.cloudera.org:8080/#/c/13299/3/common/thrift/metrics.json@904 PS3, Line 904: { nit: weird indentation http://gerrit.cloudera.org:8080/#/c/13299/3/common/thrift/metrics.json@909 PS3, Line 909: "label": "HiveServer2 API Active Connections", need to make these labels unique to HTTP (here and below) http://gerrit.cloudera.org:8080/#/c/13299/3/common/thrift/metrics.json@944 PS3, Line 944: { should we file a JIRA to add metrics for unauthorized conn attempts? or is there already one at the LDAP layer? http://gerrit.cloudera.org:8080/#/c/13299/3/fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java File fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java: http://gerrit.cloudera.org:8080/#/c/13299/3/fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java@102 PS3, Line 102: public void testHiveserver2() throws Exception { worth adding a negative test with the wrong password, as well as various invalid header cases, etc. -- To view, visit http://gerrit.cloudera.org:8080/13299 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ic5569ac62ef3af2868b5d0581f5029dac736b2ff Gerrit-Change-Number: 13299 Gerrit-PatchSet: 3 Gerrit-Owner: Thomas Marshall <[email protected]> Gerrit-Reviewer: Bharath Vissapragada <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Michael Ho <[email protected]> Gerrit-Reviewer: Mike Yoder <[email protected]> Gerrit-Reviewer: Sudhanshu Arora <[email protected]> Gerrit-Reviewer: Thomas Marshall <[email protected]> Gerrit-Reviewer: Todd Lipcon <[email protected]> Gerrit-Comment-Date: Thu, 23 May 2019 06:10:32 +0000 Gerrit-HasComments: Yes
