Search in sources :

Example 1 with SslConnectionFactory

use of org.apache.hbase.thirdparty.org.eclipse.jetty.server.SslConnectionFactory in project hbase by apache.

the class RESTServer method run.

/**
 * Runs the REST server.
 */
public synchronized void run() throws Exception {
    Pair<FilterHolder, Class<? extends ServletContainer>> pair = loginServerPrincipal(userProvider, conf);
    FilterHolder authFilter = pair.getFirst();
    Class<? extends ServletContainer> containerClass = pair.getSecond();
    RESTServlet servlet = RESTServlet.getInstance(conf, userProvider);
    // set up the Jersey servlet container for Jetty
    ResourceConfig application = new ResourceConfig().packages("org.apache.hadoop.hbase.rest").register(JacksonJaxbJsonProvider.class);
    // Using our custom ServletContainer is tremendously important. This is what makes sure the
    // UGI.doAs() is done for the remoteUser, and calls are not made as the REST server itself.
    ServletContainer servletContainer = ReflectionUtils.newInstance(containerClass, application);
    ServletHolder sh = new ServletHolder(servletContainer);
    // Set the default max thread number to 100 to limit
    // the number of concurrent requests so that REST server doesn't OOM easily.
    // Jetty set the default max thread number to 250, if we don't set it.
    // 
    // Our default min thread number 2 is the same as that used by Jetty.
    int maxThreads = servlet.getConfiguration().getInt(REST_THREAD_POOL_THREADS_MAX, 100);
    int minThreads = servlet.getConfiguration().getInt(REST_THREAD_POOL_THREADS_MIN, 2);
    // Use the default queue (unbounded with Jetty 9.3) if the queue size is negative, otherwise use
    // bounded {@link ArrayBlockingQueue} with the given size
    int queueSize = servlet.getConfiguration().getInt(REST_THREAD_POOL_TASK_QUEUE_SIZE, -1);
    int idleTimeout = servlet.getConfiguration().getInt(REST_THREAD_POOL_THREAD_IDLE_TIMEOUT, 60000);
    QueuedThreadPool threadPool = queueSize > 0 ? new QueuedThreadPool(maxThreads, minThreads, idleTimeout, new ArrayBlockingQueue<>(queueSize)) : new QueuedThreadPool(maxThreads, minThreads, idleTimeout);
    this.server = new Server(threadPool);
    // Setup JMX
    MBeanContainer mbContainer = new MBeanContainer(ManagementFactory.getPlatformMBeanServer());
    server.addEventListener(mbContainer);
    server.addBean(mbContainer);
    String host = servlet.getConfiguration().get("hbase.rest.host", "0.0.0.0");
    int servicePort = servlet.getConfiguration().getInt("hbase.rest.port", 8080);
    int httpHeaderCacheSize = servlet.getConfiguration().getInt(HTTP_HEADER_CACHE_SIZE, DEFAULT_HTTP_HEADER_CACHE_SIZE);
    HttpConfiguration httpConfig = new HttpConfiguration();
    httpConfig.setSecureScheme("https");
    httpConfig.setSecurePort(servicePort);
    httpConfig.setHeaderCacheSize(httpHeaderCacheSize);
    httpConfig.setRequestHeaderSize(DEFAULT_HTTP_MAX_HEADER_SIZE);
    httpConfig.setResponseHeaderSize(DEFAULT_HTTP_MAX_HEADER_SIZE);
    httpConfig.setSendServerVersion(false);
    httpConfig.setSendDateHeader(false);
    ServerConnector serverConnector;
    if (conf.getBoolean(REST_SSL_ENABLED, false)) {
        HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());
        SslContextFactory sslCtxFactory = new SslContextFactory();
        String keystore = conf.get(REST_SSL_KEYSTORE_STORE);
        String keystoreType = conf.get(REST_SSL_KEYSTORE_TYPE);
        String password = HBaseConfiguration.getPassword(conf, REST_SSL_KEYSTORE_PASSWORD, null);
        String keyPassword = HBaseConfiguration.getPassword(conf, REST_SSL_KEYSTORE_KEYPASSWORD, password);
        sslCtxFactory.setKeyStorePath(keystore);
        if (StringUtils.isNotBlank(keystoreType)) {
            sslCtxFactory.setKeyStoreType(keystoreType);
        }
        sslCtxFactory.setKeyStorePassword(password);
        sslCtxFactory.setKeyManagerPassword(keyPassword);
        String trustStore = conf.get(REST_SSL_TRUSTSTORE_STORE);
        if (StringUtils.isNotBlank(trustStore)) {
            sslCtxFactory.setTrustStorePath(trustStore);
        }
        String trustStorePassword = HBaseConfiguration.getPassword(conf, REST_SSL_TRUSTSTORE_PASSWORD, null);
        if (StringUtils.isNotBlank(trustStorePassword)) {
            sslCtxFactory.setTrustStorePassword(trustStorePassword);
        }
        String trustStoreType = conf.get(REST_SSL_TRUSTSTORE_TYPE);
        if (StringUtils.isNotBlank(trustStoreType)) {
            sslCtxFactory.setTrustStoreType(trustStoreType);
        }
        String[] excludeCiphers = servlet.getConfiguration().getStrings(REST_SSL_EXCLUDE_CIPHER_SUITES, ArrayUtils.EMPTY_STRING_ARRAY);
        if (excludeCiphers.length != 0) {
            sslCtxFactory.setExcludeCipherSuites(excludeCiphers);
        }
        String[] includeCiphers = servlet.getConfiguration().getStrings(REST_SSL_INCLUDE_CIPHER_SUITES, ArrayUtils.EMPTY_STRING_ARRAY);
        if (includeCiphers.length != 0) {
            sslCtxFactory.setIncludeCipherSuites(includeCiphers);
        }
        String[] excludeProtocols = servlet.getConfiguration().getStrings(REST_SSL_EXCLUDE_PROTOCOLS, ArrayUtils.EMPTY_STRING_ARRAY);
        if (excludeProtocols.length != 0) {
            sslCtxFactory.setExcludeProtocols(excludeProtocols);
        }
        String[] includeProtocols = servlet.getConfiguration().getStrings(REST_SSL_INCLUDE_PROTOCOLS, ArrayUtils.EMPTY_STRING_ARRAY);
        if (includeProtocols.length != 0) {
            sslCtxFactory.setIncludeProtocols(includeProtocols);
        }
        serverConnector = new ServerConnector(server, new SslConnectionFactory(sslCtxFactory, HttpVersion.HTTP_1_1.toString()), new HttpConnectionFactory(httpsConfig));
    } else {
        serverConnector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
    }
    int acceptQueueSize = servlet.getConfiguration().getInt(REST_CONNECTOR_ACCEPT_QUEUE_SIZE, -1);
    if (acceptQueueSize >= 0) {
        serverConnector.setAcceptQueueSize(acceptQueueSize);
    }
    serverConnector.setPort(servicePort);
    serverConnector.setHost(host);
    server.addConnector(serverConnector);
    server.setStopAtShutdown(true);
    // set up context
    ServletContextHandler ctxHandler = new ServletContextHandler(server, "/", ServletContextHandler.SESSIONS);
    ctxHandler.addServlet(sh, PATH_SPEC_ANY);
    if (authFilter != null) {
        ctxHandler.addFilter(authFilter, PATH_SPEC_ANY, EnumSet.of(DispatcherType.REQUEST));
    }
    // Load filters from configuration.
    String[] filterClasses = servlet.getConfiguration().getStrings(FILTER_CLASSES, GzipFilter.class.getName());
    for (String filter : filterClasses) {
        filter = filter.trim();
        ctxHandler.addFilter(filter, PATH_SPEC_ANY, EnumSet.of(DispatcherType.REQUEST));
    }
    addCSRFFilter(ctxHandler, conf);
    addClickjackingPreventionFilter(ctxHandler, conf);
    addSecurityHeadersFilter(ctxHandler, conf);
    HttpServerUtil.constrainHttpMethods(ctxHandler, servlet.getConfiguration().getBoolean(REST_HTTP_ALLOW_OPTIONS_METHOD, REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT));
    // Put up info server.
    int port = conf.getInt("hbase.rest.info.port", 8085);
    if (port >= 0) {
        conf.setLong("startcode", EnvironmentEdgeManager.currentTime());
        String a = conf.get("hbase.rest.info.bindAddress", "0.0.0.0");
        this.infoServer = new InfoServer("rest", a, port, false, conf);
        this.infoServer.setAttribute("hbase.conf", conf);
        this.infoServer.start();
    }
    // start server
    server.start();
}
Also used : FilterHolder(org.apache.hbase.thirdparty.org.eclipse.jetty.servlet.FilterHolder) SecureRequestCustomizer(org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer) Server(org.apache.hbase.thirdparty.org.eclipse.jetty.server.Server) InfoServer(org.apache.hadoop.hbase.http.InfoServer) HttpConnectionFactory(org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpConnectionFactory) ServletHolder(org.apache.hbase.thirdparty.org.eclipse.jetty.servlet.ServletHolder) HttpConfiguration(org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpConfiguration) SslConnectionFactory(org.apache.hbase.thirdparty.org.eclipse.jetty.server.SslConnectionFactory) GzipFilter(org.apache.hadoop.hbase.rest.filter.GzipFilter) ServerConnector(org.apache.hbase.thirdparty.org.eclipse.jetty.server.ServerConnector) SslContextFactory(org.apache.hbase.thirdparty.org.eclipse.jetty.util.ssl.SslContextFactory) ArrayBlockingQueue(java.util.concurrent.ArrayBlockingQueue) QueuedThreadPool(org.apache.hbase.thirdparty.org.eclipse.jetty.util.thread.QueuedThreadPool) ServletContainer(org.apache.hbase.thirdparty.org.glassfish.jersey.servlet.ServletContainer) MBeanContainer(org.apache.hbase.thirdparty.org.eclipse.jetty.jmx.MBeanContainer) InfoServer(org.apache.hadoop.hbase.http.InfoServer) ResourceConfig(org.apache.hbase.thirdparty.org.glassfish.jersey.server.ResourceConfig) ServletContextHandler(org.apache.hbase.thirdparty.org.eclipse.jetty.servlet.ServletContextHandler)

Example 2 with SslConnectionFactory

use of org.apache.hbase.thirdparty.org.eclipse.jetty.server.SslConnectionFactory in project hbase by apache.

the class ThriftServer method setupHTTPServer.

/**
 * Setup an HTTP Server using Jetty to serve calls from THttpClient
 *
 * @throws IOException IOException
 */
protected void setupHTTPServer() throws IOException {
    TProtocolFactory protocolFactory = new TBinaryProtocol.Factory();
    TServlet thriftHttpServlet = createTServlet(protocolFactory);
    // Set the default max thread number to 100 to limit
    // the number of concurrent requests so that Thrfit HTTP server doesn't OOM easily.
    // Jetty set the default max thread number to 250, if we don't set it.
    // 
    // Our default min thread number 2 is the same as that used by Jetty.
    int minThreads = conf.getInt(HTTP_MIN_THREADS_KEY, conf.getInt(TBoundedThreadPoolServer.MIN_WORKER_THREADS_CONF_KEY, HTTP_MIN_THREADS_KEY_DEFAULT));
    int maxThreads = conf.getInt(HTTP_MAX_THREADS_KEY, conf.getInt(TBoundedThreadPoolServer.MAX_WORKER_THREADS_CONF_KEY, HTTP_MAX_THREADS_KEY_DEFAULT));
    QueuedThreadPool threadPool = new QueuedThreadPool(maxThreads);
    threadPool.setMinThreads(minThreads);
    httpServer = new Server(threadPool);
    // Context handler
    ServletContextHandler ctxHandler = new ServletContextHandler(httpServer, "/", ServletContextHandler.SESSIONS);
    ctxHandler.addServlet(new ServletHolder(thriftHttpServlet), "/*");
    HttpServerUtil.constrainHttpMethods(ctxHandler, conf.getBoolean(THRIFT_HTTP_ALLOW_OPTIONS_METHOD, THRIFT_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT));
    // set up Jetty and run the embedded server
    HttpConfiguration httpConfig = new HttpConfiguration();
    httpConfig.setSecureScheme("https");
    httpConfig.setSecurePort(listenPort);
    httpConfig.setHeaderCacheSize(DEFAULT_HTTP_MAX_HEADER_SIZE);
    httpConfig.setRequestHeaderSize(DEFAULT_HTTP_MAX_HEADER_SIZE);
    httpConfig.setResponseHeaderSize(DEFAULT_HTTP_MAX_HEADER_SIZE);
    httpConfig.setSendServerVersion(false);
    httpConfig.setSendDateHeader(false);
    ServerConnector serverConnector;
    if (conf.getBoolean(THRIFT_SSL_ENABLED_KEY, false)) {
        HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());
        SslContextFactory sslCtxFactory = new SslContextFactory();
        String keystore = conf.get(THRIFT_SSL_KEYSTORE_STORE_KEY);
        String password = HBaseConfiguration.getPassword(conf, THRIFT_SSL_KEYSTORE_PASSWORD_KEY, null);
        String keyPassword = HBaseConfiguration.getPassword(conf, THRIFT_SSL_KEYSTORE_KEYPASSWORD_KEY, password);
        sslCtxFactory.setKeyStorePath(keystore);
        sslCtxFactory.setKeyStorePassword(password);
        sslCtxFactory.setKeyManagerPassword(keyPassword);
        sslCtxFactory.setKeyStoreType(conf.get(THRIFT_SSL_KEYSTORE_TYPE_KEY, THRIFT_SSL_KEYSTORE_TYPE_DEFAULT));
        String[] excludeCiphers = conf.getStrings(THRIFT_SSL_EXCLUDE_CIPHER_SUITES_KEY, ArrayUtils.EMPTY_STRING_ARRAY);
        if (excludeCiphers.length != 0) {
            sslCtxFactory.setExcludeCipherSuites(excludeCiphers);
        }
        String[] includeCiphers = conf.getStrings(THRIFT_SSL_INCLUDE_CIPHER_SUITES_KEY, ArrayUtils.EMPTY_STRING_ARRAY);
        if (includeCiphers.length != 0) {
            sslCtxFactory.setIncludeCipherSuites(includeCiphers);
        }
        // Disable SSLv3 by default due to "Poodle" Vulnerability - CVE-2014-3566
        String[] excludeProtocols = conf.getStrings(THRIFT_SSL_EXCLUDE_PROTOCOLS_KEY, "SSLv3");
        if (excludeProtocols.length != 0) {
            sslCtxFactory.setExcludeProtocols(excludeProtocols);
        }
        String[] includeProtocols = conf.getStrings(THRIFT_SSL_INCLUDE_PROTOCOLS_KEY, ArrayUtils.EMPTY_STRING_ARRAY);
        if (includeProtocols.length != 0) {
            sslCtxFactory.setIncludeProtocols(includeProtocols);
        }
        serverConnector = new ServerConnector(httpServer, new SslConnectionFactory(sslCtxFactory, HttpVersion.HTTP_1_1.toString()), new HttpConnectionFactory(httpsConfig));
    } else {
        serverConnector = new ServerConnector(httpServer, new HttpConnectionFactory(httpConfig));
    }
    serverConnector.setPort(listenPort);
    serverConnector.setHost(getBindAddress(conf).getHostAddress());
    httpServer.addConnector(serverConnector);
    httpServer.setStopAtShutdown(true);
    if (doAsEnabled) {
        ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
    }
    LOG.info("Starting Thrift HTTP Server on {}", Integer.toString(listenPort));
}
Also used : TProtocolFactory(org.apache.thrift.protocol.TProtocolFactory) SecureRequestCustomizer(org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer) Server(org.apache.hbase.thirdparty.org.eclipse.jetty.server.Server) TThreadedSelectorServer(org.apache.thrift.server.TThreadedSelectorServer) TServer(org.apache.thrift.server.TServer) InfoServer(org.apache.hadoop.hbase.http.InfoServer) THsHaServer(org.apache.thrift.server.THsHaServer) TNonblockingServer(org.apache.thrift.server.TNonblockingServer) SaslRpcServer(org.apache.hadoop.security.SaslRpcServer) SaslServer(javax.security.sasl.SaslServer) HttpConnectionFactory(org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpConnectionFactory) ServletHolder(org.apache.hbase.thirdparty.org.eclipse.jetty.servlet.ServletHolder) SslConnectionFactory(org.apache.hbase.thirdparty.org.eclipse.jetty.server.SslConnectionFactory) HttpConnectionFactory(org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpConnectionFactory) TProtocolFactory(org.apache.thrift.protocol.TProtocolFactory) LoggerFactory(org.slf4j.LoggerFactory) SslContextFactory(org.apache.hbase.thirdparty.org.eclipse.jetty.util.ssl.SslContextFactory) TTransportFactory(org.apache.thrift.transport.TTransportFactory) HttpConfiguration(org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpConfiguration) SslConnectionFactory(org.apache.hbase.thirdparty.org.eclipse.jetty.server.SslConnectionFactory) TServlet(org.apache.thrift.server.TServlet) ServerConnector(org.apache.hbase.thirdparty.org.eclipse.jetty.server.ServerConnector) SslContextFactory(org.apache.hbase.thirdparty.org.eclipse.jetty.util.ssl.SslContextFactory) QueuedThreadPool(org.apache.hbase.thirdparty.org.eclipse.jetty.util.thread.QueuedThreadPool) ServletContextHandler(org.apache.hbase.thirdparty.org.eclipse.jetty.servlet.ServletContextHandler)

Aggregations

InfoServer (org.apache.hadoop.hbase.http.InfoServer)2 HttpConfiguration (org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpConfiguration)2 HttpConnectionFactory (org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpConnectionFactory)2 SecureRequestCustomizer (org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer)2 Server (org.apache.hbase.thirdparty.org.eclipse.jetty.server.Server)2 ServerConnector (org.apache.hbase.thirdparty.org.eclipse.jetty.server.ServerConnector)2 SslConnectionFactory (org.apache.hbase.thirdparty.org.eclipse.jetty.server.SslConnectionFactory)2 ServletContextHandler (org.apache.hbase.thirdparty.org.eclipse.jetty.servlet.ServletContextHandler)2 ServletHolder (org.apache.hbase.thirdparty.org.eclipse.jetty.servlet.ServletHolder)2 SslContextFactory (org.apache.hbase.thirdparty.org.eclipse.jetty.util.ssl.SslContextFactory)2 QueuedThreadPool (org.apache.hbase.thirdparty.org.eclipse.jetty.util.thread.QueuedThreadPool)2 ArrayBlockingQueue (java.util.concurrent.ArrayBlockingQueue)1 SaslServer (javax.security.sasl.SaslServer)1 GzipFilter (org.apache.hadoop.hbase.rest.filter.GzipFilter)1 SaslRpcServer (org.apache.hadoop.security.SaslRpcServer)1 MBeanContainer (org.apache.hbase.thirdparty.org.eclipse.jetty.jmx.MBeanContainer)1 FilterHolder (org.apache.hbase.thirdparty.org.eclipse.jetty.servlet.FilterHolder)1 ResourceConfig (org.apache.hbase.thirdparty.org.glassfish.jersey.server.ResourceConfig)1 ServletContainer (org.apache.hbase.thirdparty.org.glassfish.jersey.servlet.ServletContainer)1 TProtocolFactory (org.apache.thrift.protocol.TProtocolFactory)1