HADOOP-12765. HttpServer2 should switch to using the non-blocking SslSelectChannelConnector to prevent performance degradation when handling SSL connections. Contributed by Min Shen.
This commit is contained in:
parent
2550371f66
commit
03a9343d57
|
@ -105,6 +105,11 @@
|
|||
<artifactId>jetty-util</artifactId>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.mortbay.jetty</groupId>
|
||||
<artifactId>jetty-sslengine</artifactId>
|
||||
<scope>compile</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>javax.servlet.jsp</groupId>
|
||||
<artifactId>jsp-api</artifactId>
|
||||
|
|
|
@ -56,7 +56,7 @@ import org.apache.hadoop.conf.Configuration;
|
|||
import org.apache.hadoop.fs.CommonConfigurationKeys;
|
||||
import org.apache.hadoop.security.AuthenticationFilterInitializer;
|
||||
import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
|
||||
import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
|
||||
import org.apache.hadoop.security.ssl.SslSelectChannelConnectorSecure;
|
||||
import org.apache.hadoop.jmx.JMXJsonServlet;
|
||||
import org.apache.hadoop.log.LogLevel;
|
||||
import org.apache.hadoop.security.SecurityUtil;
|
||||
|
@ -77,7 +77,7 @@ import org.mortbay.jetty.handler.ContextHandlerCollection;
|
|||
import org.mortbay.jetty.handler.HandlerCollection;
|
||||
import org.mortbay.jetty.handler.RequestLogHandler;
|
||||
import org.mortbay.jetty.nio.SelectChannelConnector;
|
||||
import org.mortbay.jetty.security.SslSocketConnector;
|
||||
import org.mortbay.jetty.security.SslSelectChannelConnector;
|
||||
import org.mortbay.jetty.servlet.AbstractSessionManager;
|
||||
import org.mortbay.jetty.servlet.Context;
|
||||
import org.mortbay.jetty.servlet.DefaultServlet;
|
||||
|
@ -332,29 +332,7 @@ public final class HttpServer2 implements FilterContainer {
|
|||
if ("http".equals(scheme)) {
|
||||
listener = HttpServer2.createDefaultChannelConnector();
|
||||
} else if ("https".equals(scheme)) {
|
||||
SslSocketConnector c = new SslSocketConnectorSecure();
|
||||
c.setHeaderBufferSize(1024*64);
|
||||
c.setNeedClientAuth(needsClientAuth);
|
||||
c.setKeyPassword(keyPassword);
|
||||
|
||||
if (keyStore != null) {
|
||||
c.setKeystore(keyStore);
|
||||
c.setKeystoreType(keyStoreType);
|
||||
c.setPassword(keyStorePassword);
|
||||
}
|
||||
|
||||
if (trustStore != null) {
|
||||
c.setTruststore(trustStore);
|
||||
c.setTruststoreType(trustStoreType);
|
||||
c.setTrustPassword(trustStorePassword);
|
||||
}
|
||||
|
||||
if(null != excludeCiphers && !excludeCiphers.isEmpty()) {
|
||||
c.setExcludeCipherSuites(excludeCiphers.split(","));
|
||||
LOG.info("Excluded Cipher List:" + excludeCiphers);
|
||||
}
|
||||
|
||||
listener = c;
|
||||
listener = createHttpsChannelConnector();
|
||||
|
||||
} else {
|
||||
throw new HadoopIllegalArgumentException(
|
||||
|
@ -367,6 +345,32 @@ public final class HttpServer2 implements FilterContainer {
|
|||
server.loadListeners();
|
||||
return server;
|
||||
}
|
||||
|
||||
private Connector createHttpsChannelConnector() {
|
||||
SslSelectChannelConnector c = new SslSelectChannelConnectorSecure();
|
||||
configureChannelConnector(c);
|
||||
|
||||
c.setNeedClientAuth(needsClientAuth);
|
||||
c.setKeyPassword(keyPassword);
|
||||
|
||||
if (keyStore != null) {
|
||||
c.setKeystore(keyStore);
|
||||
c.setKeystoreType(keyStoreType);
|
||||
c.setPassword(keyStorePassword);
|
||||
}
|
||||
|
||||
if (trustStore != null) {
|
||||
c.setTruststore(trustStore);
|
||||
c.setTruststoreType(trustStoreType);
|
||||
c.setTrustPassword(trustStorePassword);
|
||||
}
|
||||
|
||||
if(null != excludeCiphers && !excludeCiphers.isEmpty()) {
|
||||
c.setExcludeCipherSuites(excludeCiphers.split(","));
|
||||
LOG.info("Excluded Cipher List:" + excludeCiphers);
|
||||
}
|
||||
return c;
|
||||
}
|
||||
}
|
||||
|
||||
private HttpServer2(final Builder b) throws IOException {
|
||||
|
@ -508,21 +512,25 @@ public final class HttpServer2 implements FilterContainer {
|
|||
Collections.<String, String> emptyMap(), new String[] { "/*" });
|
||||
}
|
||||
|
||||
@InterfaceAudience.Private
|
||||
public static Connector createDefaultChannelConnector() {
|
||||
SelectChannelConnector ret = new SelectChannelConnector();
|
||||
ret.setLowResourceMaxIdleTime(10000);
|
||||
ret.setAcceptQueueSize(128);
|
||||
ret.setResolveNames(false);
|
||||
ret.setUseDirectBuffers(false);
|
||||
private static void configureChannelConnector(SelectChannelConnector c) {
|
||||
c.setLowResourceMaxIdleTime(10000);
|
||||
c.setAcceptQueueSize(128);
|
||||
c.setResolveNames(false);
|
||||
c.setUseDirectBuffers(false);
|
||||
if(Shell.WINDOWS) {
|
||||
// result of setting the SO_REUSEADDR flag is different on Windows
|
||||
// http://msdn.microsoft.com/en-us/library/ms740621(v=vs.85).aspx
|
||||
// without this 2 NN's can start on the same machine and listen on
|
||||
// the same port with indeterminate routing of incoming requests to them
|
||||
ret.setReuseAddress(false);
|
||||
c.setReuseAddress(false);
|
||||
}
|
||||
ret.setHeaderBufferSize(1024*64);
|
||||
c.setHeaderBufferSize(1024*64);
|
||||
}
|
||||
|
||||
@InterfaceAudience.Private
|
||||
public static Connector createDefaultChannelConnector() {
|
||||
SelectChannelConnector ret = new SelectChannelConnector();
|
||||
configureChannelConnector(ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
|
|
@ -18,41 +18,41 @@
|
|||
|
||||
package org.apache.hadoop.security.ssl;
|
||||
|
||||
import org.mortbay.jetty.security.SslSocketConnector;
|
||||
|
||||
import javax.net.ssl.SSLServerSocket;
|
||||
import java.io.IOException;
|
||||
import java.net.ServerSocket;
|
||||
import java.util.ArrayList;
|
||||
|
||||
import javax.net.ssl.SSLEngine;
|
||||
|
||||
import org.apache.hadoop.classification.InterfaceAudience;
|
||||
import org.mortbay.jetty.security.SslSelectChannelConnector;
|
||||
|
||||
/**
|
||||
* This subclass of the Jetty SslSocketConnector exists solely to control
|
||||
* the TLS protocol versions allowed. This is fallout from the POODLE
|
||||
* vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled.
|
||||
* This subclass of the Jetty SslSelectChannelConnector exists solely to
|
||||
* control the TLS protocol versions allowed. This is fallout from the
|
||||
* POODLE vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled.
|
||||
* Only TLS 1.0 and later protocols are allowed.
|
||||
*/
|
||||
public class SslSocketConnectorSecure extends SslSocketConnector {
|
||||
@InterfaceAudience.Private
|
||||
public class SslSelectChannelConnectorSecure extends SslSelectChannelConnector {
|
||||
|
||||
public SslSocketConnectorSecure() {
|
||||
public SslSelectChannelConnectorSecure() {
|
||||
super();
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a new ServerSocket that will not accept SSLv3 connections,
|
||||
* but will accept TLSv1.x connections.
|
||||
* Disable SSLv3 protocol.
|
||||
*/
|
||||
protected ServerSocket newServerSocket(String host, int port,int backlog)
|
||||
throws IOException {
|
||||
SSLServerSocket socket = (SSLServerSocket)
|
||||
super.newServerSocket(host, port, backlog);
|
||||
@Override
|
||||
protected SSLEngine createSSLEngine() throws IOException {
|
||||
SSLEngine engine = super.createSSLEngine();
|
||||
ArrayList<String> nonSSLProtocols = new ArrayList<String>();
|
||||
for (String p : socket.getEnabledProtocols()) {
|
||||
for (String p : engine.getEnabledProtocols()) {
|
||||
if (!p.contains("SSLv3")) {
|
||||
nonSSLProtocols.add(p);
|
||||
}
|
||||
}
|
||||
socket.setEnabledProtocols(nonSSLProtocols.toArray(
|
||||
new String[nonSSLProtocols.size()]));
|
||||
return socket;
|
||||
engine.setEnabledProtocols(nonSSLProtocols.toArray(
|
||||
new String[nonSSLProtocols.size()]));
|
||||
return engine;
|
||||
}
|
||||
}
|
|
@ -18,15 +18,16 @@
|
|||
package org.apache.hadoop.crypto.key.kms.server;
|
||||
|
||||
import com.google.common.base.Preconditions;
|
||||
|
||||
import org.apache.commons.io.IOUtils;
|
||||
import org.apache.hadoop.conf.Configuration;
|
||||
import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
|
||||
import org.apache.hadoop.fs.Path;
|
||||
import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
|
||||
import org.apache.hadoop.util.ThreadUtil;
|
||||
import org.apache.hadoop.security.ssl.SslSelectChannelConnectorSecure;
|
||||
import org.mortbay.jetty.Connector;
|
||||
import org.mortbay.jetty.Server;
|
||||
import org.mortbay.jetty.security.SslSocketConnector;
|
||||
import org.mortbay.jetty.security.SslSelectChannelConnector;
|
||||
import org.mortbay.jetty.webapp.WebAppContext;
|
||||
|
||||
import java.io.File;
|
||||
|
@ -54,7 +55,7 @@ public class MiniKMS {
|
|||
if (!ssl) {
|
||||
server.getConnectors()[0].setHost(host);
|
||||
} else {
|
||||
SslSocketConnector c = new SslSocketConnectorSecure();
|
||||
SslSelectChannelConnector c = new SslSelectChannelConnectorSecure();
|
||||
c.setHost(host);
|
||||
c.setNeedClientAuth(false);
|
||||
c.setKeystore(keyStore);
|
||||
|
@ -71,7 +72,7 @@ public class MiniKMS {
|
|||
|
||||
private static URL getJettyURL(Server server) {
|
||||
boolean ssl = server.getConnectors()[0].getClass()
|
||||
== SslSocketConnectorSecure.class;
|
||||
== SslSelectChannelConnectorSecure.class;
|
||||
try {
|
||||
String scheme = (ssl) ? "https" : "http";
|
||||
return new URL(scheme + "://" +
|
||||
|
|
|
@ -24,14 +24,14 @@ import java.net.ServerSocket;
|
|||
import java.net.URL;
|
||||
import java.net.UnknownHostException;
|
||||
|
||||
import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
|
||||
import org.apache.hadoop.security.ssl.SslSelectChannelConnectorSecure;
|
||||
import org.junit.Test;
|
||||
import org.junit.rules.MethodRule;
|
||||
import org.junit.runners.model.FrameworkMethod;
|
||||
import org.junit.runners.model.Statement;
|
||||
import org.mortbay.jetty.Connector;
|
||||
import org.mortbay.jetty.Server;
|
||||
import org.mortbay.jetty.security.SslSocketConnector;
|
||||
import org.mortbay.jetty.security.SslSelectChannelConnector;
|
||||
|
||||
public class TestJettyHelper implements MethodRule {
|
||||
private boolean ssl;
|
||||
|
@ -93,7 +93,7 @@ public class TestJettyHelper implements MethodRule {
|
|||
server.getConnectors()[0].setHost(host);
|
||||
server.getConnectors()[0].setPort(port);
|
||||
} else {
|
||||
SslSocketConnector c = new SslSocketConnectorSecure();
|
||||
SslSelectChannelConnector c = new SslSelectChannelConnectorSecure();
|
||||
c.setHost(host);
|
||||
c.setPort(port);
|
||||
c.setNeedClientAuth(false);
|
||||
|
|
|
@ -526,6 +526,11 @@
|
|||
<artifactId>jetty-util</artifactId>
|
||||
<version>${jetty.version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.mortbay.jetty</groupId>
|
||||
<artifactId>jetty-sslengine</artifactId>
|
||||
<version>${jetty.version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.tomcat.embed</groupId>
|
||||
<artifactId>tomcat-embed-core</artifactId>
|
||||
|
|
Loading…
Reference in New Issue