[jira] [Commented] (HBASE-21500) "hbase.jetty.logs.serve.aliases" is broken with jetty 9.x version
[
https://issues.apache.org/jira/browse/HBASE-21500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17798732#comment-17798732
]
Hudson commented on HBASE-21500:
Results for branch branch-3
[build #106 on
builds.a.o|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-3/106/]:
(/) *{color:green}+1 overall{color}*
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-3/106/General_20Nightly_20Build_20Report/]
(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-3/106/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-3/106/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test{color}
> "hbase.jetty.logs.serve.aliases" is broken with jetty 9.x version
> -
>
> Key: HBASE-21500
> URL: https://issues.apache.org/jira/browse/HBASE-21500
> Project: HBase
> Issue Type: Bug
>Affects Versions: 3.0.0-alpha-1, 2.1.0, 2.0.0, 2.0.1, 2.1.1
>Reporter: Bhupendra Kumar Jain
>Assignee: Nihal Jain
>Priority: Minor
> Fix For: 2.6.0, 3.0.0-beta-1
>
> Attachments: HBASE-21500.master.001.patch
>
>
> Noticed that Jetty aliases parameter in HttpServer.java
> "*org.mortbay.jetty.servlet.Default.aliases*" is as per old jetty version and
> need to change as per jetty 9.x new version after the HBASE-12894
> Refer
> https://github.com/apache/hbase/blob/405bf5e6383a09f435baadbac6c389e9f6c43ac6/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java#L647
> It should be *"org.eclipse.jetty.servlet.Default.aliases"*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (HBASE-21500) "hbase.jetty.logs.serve.aliases" is broken with jetty 9.x version
[
https://issues.apache.org/jira/browse/HBASE-21500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17798726#comment-17798726
]
Hudson commented on HBASE-21500:
Results for branch master
[build #967 on
builds.a.o|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/967/]:
(/) *{color:green}+1 overall{color}*
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/967/General_20Nightly_20Build_20Report/]
(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/967/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/master/967/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test{color}
> "hbase.jetty.logs.serve.aliases" is broken with jetty 9.x version
> -
>
> Key: HBASE-21500
> URL: https://issues.apache.org/jira/browse/HBASE-21500
> Project: HBase
> Issue Type: Bug
>Affects Versions: 3.0.0-alpha-1, 2.1.0, 2.0.0, 2.0.1, 2.1.1
>Reporter: Bhupendra Kumar Jain
>Assignee: Nihal Jain
>Priority: Minor
> Fix For: 2.6.0, 3.0.0-beta-1
>
> Attachments: HBASE-21500.master.001.patch
>
>
> Noticed that Jetty aliases parameter in HttpServer.java
> "*org.mortbay.jetty.servlet.Default.aliases*" is as per old jetty version and
> need to change as per jetty 9.x new version after the HBASE-12894
> Refer
> https://github.com/apache/hbase/blob/405bf5e6383a09f435baadbac6c389e9f6c43ac6/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java#L647
> It should be *"org.eclipse.jetty.servlet.Default.aliases"*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (HBASE-21500) "hbase.jetty.logs.serve.aliases" is broken with jetty 9.x version
[
https://issues.apache.org/jira/browse/HBASE-21500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17798462#comment-17798462
]
Hudson commented on HBASE-21500:
Results for branch branch-2
[build #946 on
builds.a.o|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2/946/]:
(x) *{color:red}-1 overall{color}*
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2/946/General_20Nightly_20Build_20Report/]
(/) {color:green}+1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2)
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2/946/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/]
(x) {color:red}-1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2/946/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(x) {color:red}-1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2/946/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test{color}
> "hbase.jetty.logs.serve.aliases" is broken with jetty 9.x version
> -
>
> Key: HBASE-21500
> URL: https://issues.apache.org/jira/browse/HBASE-21500
> Project: HBase
> Issue Type: Bug
>Affects Versions: 3.0.0-alpha-1, 2.1.0, 2.0.0, 2.0.1, 2.1.1
>Reporter: Bhupendra Kumar Jain
>Assignee: Nihal Jain
>Priority: Minor
> Fix For: 2.6.0, 3.0.0-beta-1
>
> Attachments: HBASE-21500.master.001.patch
>
>
> Noticed that Jetty aliases parameter in HttpServer.java
> "*org.mortbay.jetty.servlet.Default.aliases*" is as per old jetty version and
> need to change as per jetty 9.x new version after the HBASE-12894
> Refer
> https://github.com/apache/hbase/blob/405bf5e6383a09f435baadbac6c389e9f6c43ac6/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java#L647
> It should be *"org.eclipse.jetty.servlet.Default.aliases"*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (HBASE-21500) "hbase.jetty.logs.serve.aliases" is broken with jetty 9.x version
[
https://issues.apache.org/jira/browse/HBASE-21500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17798446#comment-17798446
]
Hudson commented on HBASE-21500:
Results for branch branch-2.6
[build #14 on
builds.a.o|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.6/14/]:
(/) *{color:green}+1 overall{color}*
details (if available):
(/) {color:green}+1 general checks{color}
-- For more information [see general
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.6/14/General_20Nightly_20Build_20Report/]
(/) {color:green}+1 jdk8 hadoop2 checks{color}
-- For more information [see jdk8 (hadoop2)
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.6/14/JDK8_20Nightly_20Build_20Report_20_28Hadoop2_29/]
(/) {color:green}+1 jdk8 hadoop3 checks{color}
-- For more information [see jdk8 (hadoop3)
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.6/14/JDK8_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 jdk11 hadoop3 checks{color}
-- For more information [see jdk11
report|https://ci-hbase.apache.org/job/HBase%20Nightly/job/branch-2.6/14/JDK11_20Nightly_20Build_20Report_20_28Hadoop3_29/]
(/) {color:green}+1 source release artifact{color}
-- See build output for details.
(/) {color:green}+1 client integration test{color}
> "hbase.jetty.logs.serve.aliases" is broken with jetty 9.x version
> -
>
> Key: HBASE-21500
> URL: https://issues.apache.org/jira/browse/HBASE-21500
> Project: HBase
> Issue Type: Bug
>Affects Versions: 3.0.0-alpha-1, 2.1.0, 2.0.0, 2.0.1, 2.1.1
>Reporter: Bhupendra Kumar Jain
>Assignee: Nihal Jain
>Priority: Minor
> Fix For: 2.6.0, 3.0.0-beta-1
>
> Attachments: HBASE-21500.master.001.patch
>
>
> Noticed that Jetty aliases parameter in HttpServer.java
> "*org.mortbay.jetty.servlet.Default.aliases*" is as per old jetty version and
> need to change as per jetty 9.x new version after the HBASE-12894
> Refer
> https://github.com/apache/hbase/blob/405bf5e6383a09f435baadbac6c389e9f6c43ac6/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java#L647
> It should be *"org.eclipse.jetty.servlet.Default.aliases"*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (HBASE-21500) "hbase.jetty.logs.serve.aliases" is broken with jetty 9.x version
[ https://issues.apache.org/jira/browse/HBASE-21500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17798284#comment-17798284 ] Nihal Jain commented on HBASE-21500: Thanks for the review [~zhangduo]. Also let me know if we can push for branch-2.5 a nd branch-2.4. Skipped for now, as seems no one is using this feature of disabling symlinks. > "hbase.jetty.logs.serve.aliases" is broken with jetty 9.x version > - > > Key: HBASE-21500 > URL: https://issues.apache.org/jira/browse/HBASE-21500 > Project: HBase > Issue Type: Bug >Affects Versions: 3.0.0-alpha-1, 2.1.0, 2.0.0, 2.0.1, 2.1.1 >Reporter: Bhupendra Kumar Jain >Assignee: Nihal Jain >Priority: Minor > Fix For: 2.6.0, 3.0.0-beta-2 > > Attachments: HBASE-21500.master.001.patch > > > Noticed that Jetty aliases parameter in HttpServer.java > "*org.mortbay.jetty.servlet.Default.aliases*" is as per old jetty version and > need to change as per jetty 9.x new version after the HBASE-12894 > Refer > https://github.com/apache/hbase/blob/405bf5e6383a09f435baadbac6c389e9f6c43ac6/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java#L647 > It should be *"org.eclipse.jetty.servlet.Default.aliases"* -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (HBASE-21500) "hbase.jetty.logs.serve.aliases" is broken with jetty 9.x version
[
https://issues.apache.org/jira/browse/HBASE-21500?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17797501#comment-17797501
]
Nihal Jain commented on HBASE-21500:
Copy pasted RCA from github PR:
Changing the property name to {{org.eclipse.jetty.servlet.Default.aliases}}
does not solve the problem.
Upon investigating found that in
[Jetty#ContextHandler|https://github.com/jetty/jetty.project/blob/d49f298c7f5361161cd71264aabd50dbfc8e4c59/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ContextHandler.java],
{{SymlinkAllowedResourceAliasChecker}} is added by default, irrespective of
whether {{hbase.jetty.logs.serve.aliases}} is set to {{true}} or {{{}false{}}},
allowing aliases for {{/logs}} always. Hence issue is revealed only if the
value is set to {{{}false{}}}.
See
[serving-aliased-files|https://github.com/jetty/jetty.project/blob/jetty-9.4.53.v20231009/jetty-documentation/src/main/asciidoc/configuring/security/serving-aliased-files.adoc]
for how this feature works.
Based on the docs, I have created a patch with fix.
To test the fix following steps were followed:
# Disallowed flow
* Build code with {{assembly:single}}
* Untar the tarball
* Configure {{hbase.jetty.logs.serve.aliases}} to {{false}} and start hbase in
local mode
hbase.jetty.logs.serve.aliases
false
* Goto logs directory and run following:
** {{touch /tmp/test.txt test.txt}}
** {{ln -s /tmp/test.txt test.txt}}
* Goto {{http://localhost:16010/logs/test.txt}} and a 404 error should be
thrown. See
[!https://private-user-images.githubusercontent.com/3429351/291016234-12ad9b92-3808-40b0-a9b3-d135ce156623.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTEiLCJleHAiOjE3MDI3NjMxNzMsIm5iZiI6MTcwMjc2Mjg3MywicGF0aCI6Ii8zNDI5MzUxLzI5MTAxNjIzNC0xMmFkOWI5Mi0zODA4LTQwYjAtYTliMy1kMTM1Y2UxNTY2MjMucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQUlXTkpZQVg0Q1NWRUg1M0ElMkYyMDIzMTIxNiUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyMzEyMTZUMjE0MTEzWiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9ODgzODY2NjljNGNiYzk4YTVjMjY2ODMzN2EyMmI3ZTQ0ZDdmMGI1YWRiMGQ3NDQ5MzMxNDcxOWUxYzI3MjBmNCZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QmYWN0b3JfaWQ9MCZrZXlfaWQ9MCZyZXBvX2lkPTAifQ.biyQngECGTa9eHMuY46JhVF6dP3cd_lfSK7v-stgjdo|width=556!|https://private-user-images.githubusercontent.com/3429351/291016234-12ad9b92-3808-40b0-a9b3-d135ce156623.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTEiLCJleHAiOjE3MDI3NjMxNzMsIm5iZiI6MTcwMjc2Mjg3MywicGF0aCI6Ii8zNDI5MzUxLzI5MTAxNjIzNC0xMmFkOWI5Mi0zODA4LTQwYjAtYTliMy1kMTM1Y2UxNTY2MjMucG5nP1gtQW16LUFsZ29yaXRobT1BV1M0LUhNQUMtU0hBMjU2JlgtQW16LUNyZWRlbnRpYWw9QUtJQUlXTkpZQVg0Q1NWRUg1M0ElMkYyMDIzMTIxNiUyRnVzLWVhc3QtMSUyRnMzJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyMzEyMTZUMjE0MTEzWiZYLUFtei1FeHBpcmVzPTMwMCZYLUFtei1TaWduYXR1cmU9ODgzODY2NjljNGNiYzk4YTVjMjY2ODMzN2EyMmI3ZTQ0ZDdmMGI1YWRiMGQ3NDQ5MzMxNDcxOWUxYzI3MjBmNCZYLUFtei1TaWduZWRIZWFkZXJzPWhvc3QmYWN0b3JfaWQ9MCZrZXlfaWQ9MCZyZXBvX2lkPTAifQ.biyQngECGTa9eHMuY46JhVF6dP3cd_lfSK7v-stgjdo]
# Allowed flow, which is current default behavior and works even without the
patch
* Repeat above steps {{hbase.jetty.logs.serve.aliases}} to {{true}} or just
remove it.
* We should be able to access symlinked file test.txt
> "hbase.jetty.logs.serve.aliases" is broken with jetty 9.x version
> -
>
> Key: HBASE-21500
> URL: https://issues.apache.org/jira/browse/HBASE-21500
> Project: HBase
> Issue Type: Bug
>Affects Versions: 3.0.0-alpha-1, 2.1.0, 2.0.0, 2.0.1, 2.1.1
>Reporter: Bhupendra Kumar Jain
>Assignee: Nihal Jain
>Priority: Minor
> Fix For: 3.0.0-beta-2
>
> Attachments: HBASE-21500.master.001.patch
>
>
> Noticed that Jetty aliases parameter in HttpServer.java
> "*org.mortbay.jetty.servlet.Default.aliases*" is as per old jetty version and
> need to change as per jetty 9.x new version after the HBASE-12894
> Refer
> https://github.com/apache/hbase/blob/405bf5e6383a09f435baadbac6c389e9f6c43ac6/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java#L647
> It should be *"org.eclipse.jetty.servlet.Default.aliases"*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
