HADOOP-12765. HttpServer2 should switch to using the non-blocking SslSelectChannelConnector to prevent performance degradation when handling SSL connections. Contributed by Min Shen.

Wei-Chiu Chuang 2016-08-19 09:22:49 -07:00
parent 2550371f66
commit 03a9343d57
6 changed files with 79 additions and 60 deletions


@ -105,6 +105,11 @@
<artifactId>jetty-util</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.mortbay.jetty</groupId>
<artifactId>jetty-sslengine</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>jsp-api</artifactId>


@ -56,7 +56,7 @@ import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.security.AuthenticationFilterInitializer;
import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
import org.apache.hadoop.security.ssl.SslSelectChannelConnectorSecure;
import org.apache.hadoop.jmx.JMXJsonServlet;
import org.apache.hadoop.log.LogLevel;
import org.apache.hadoop.security.SecurityUtil;
@ -77,7 +77,7 @@ import org.mortbay.jetty.handler.ContextHandlerCollection;
import org.mortbay.jetty.handler.HandlerCollection;
import org.mortbay.jetty.handler.RequestLogHandler;
import org.mortbay.jetty.nio.SelectChannelConnector;
import org.mortbay.jetty.security.SslSocketConnector;
import org.mortbay.jetty.security.SslSelectChannelConnector;
import org.mortbay.jetty.servlet.AbstractSessionManager;
import org.mortbay.jetty.servlet.Context;
import org.mortbay.jetty.servlet.DefaultServlet;
@ -332,29 +332,7 @@ public final class HttpServer2 implements FilterContainer {
if ("http".equals(scheme)) {
listener = HttpServer2.createDefaultChannelConnector();
} else if ("https".equals(scheme)) {
SslSocketConnector c = new SslSocketConnectorSecure();
c.setHeaderBufferSize(1024*64);
c.setNeedClientAuth(needsClientAuth);
c.setKeyPassword(keyPassword);
if (keyStore != null) {
c.setKeystore(keyStore);
c.setKeystoreType(keyStoreType);
c.setPassword(keyStorePassword);
}
if (trustStore != null) {
c.setTruststore(trustStore);
c.setTruststoreType(trustStoreType);
c.setTrustPassword(trustStorePassword);
}
if(null != excludeCiphers && !excludeCiphers.isEmpty()) {
c.setExcludeCipherSuites(excludeCiphers.split(","));
LOG.info("Excluded Cipher List:" + excludeCiphers);
}
listener = c;
listener = createHttpsChannelConnector();
} else {
throw new HadoopIllegalArgumentException(
@ -367,6 +345,32 @@ public final class HttpServer2 implements FilterContainer {
server.loadListeners();
return server;
}
private Connector createHttpsChannelConnector() {
SslSelectChannelConnector c = new SslSelectChannelConnectorSecure();
configureChannelConnector(c);
c.setNeedClientAuth(needsClientAuth);
c.setKeyPassword(keyPassword);
if (keyStore != null) {
c.setKeystore(keyStore);
c.setKeystoreType(keyStoreType);
c.setPassword(keyStorePassword);
}
if (trustStore != null) {
c.setTruststore(trustStore);
c.setTruststoreType(trustStoreType);
c.setTrustPassword(trustStorePassword);
}
if(null != excludeCiphers && !excludeCiphers.isEmpty()) {
c.setExcludeCipherSuites(excludeCiphers.split(","));
LOG.info("Excluded Cipher List:" + excludeCiphers);
}
return c;
}
}
private HttpServer2(final Builder b) throws IOException {
@ -508,21 +512,25 @@ public final class HttpServer2 implements FilterContainer {
Collections.<String, String> emptyMap(), new String[] { "/*" });
}
@InterfaceAudience.Private
public static Connector createDefaultChannelConnector() {
SelectChannelConnector ret = new SelectChannelConnector();
ret.setLowResourceMaxIdleTime(10000);
ret.setAcceptQueueSize(128);
ret.setResolveNames(false);
ret.setUseDirectBuffers(false);
private static void configureChannelConnector(SelectChannelConnector c) {
c.setLowResourceMaxIdleTime(10000);
c.setAcceptQueueSize(128);
c.setResolveNames(false);
c.setUseDirectBuffers(false);
if(Shell.WINDOWS) {
// result of setting the SO_REUSEADDR flag is different on Windows
// http://msdn.microsoft.com/en-us/library/ms740621(v=vs.85).aspx
// without this 2 NN's can start on the same machine and listen on
// the same port with indeterminate routing of incoming requests to them
ret.setReuseAddress(false);
c.setReuseAddress(false);
}
ret.setHeaderBufferSize(1024*64);
c.setHeaderBufferSize(1024*64);
}
@InterfaceAudience.Private
public static Connector createDefaultChannelConnector() {
SelectChannelConnector ret = new SelectChannelConnector();
configureChannelConnector(ret);
return ret;
}
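Review bot: In `createHttpsChannelConnector`, `excludeCiphers.split(",")` passes the names through untrimmed, so a value written as `A, B` yields ` B` with a leading space. If the connector matches excluded suites by exact name (not visible on this page), that entry would be silently ignored and the cipher would stay enabled, even though the log line suggests it was excluded. Splitting with `excludeCiphers.trim().split("\\s*,\\s*")` avoids that. The new private method also has no comment; a short Javadoc saying that it applies the shared settings from `configureChannelConnector` and then the client-auth, key store, trust store and cipher-exclusion settings would help the next reader.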


@ -18,41 +18,41 @@
package org.apache.hadoop.security.ssl;
import org.mortbay.jetty.security.SslSocketConnector;
import javax.net.ssl.SSLServerSocket;
import java.io.IOException;
import java.net.ServerSocket;
import java.util.ArrayList;
import javax.net.ssl.SSLEngine;
import org.apache.hadoop.classification.InterfaceAudience;
import org.mortbay.jetty.security.SslSelectChannelConnector;
/**
* This subclass of the Jetty SslSocketConnector exists solely to control
* the TLS protocol versions allowed. This is fallout from the POODLE
* vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled.
* This subclass of the Jetty SslSelectChannelConnector exists solely to
* control the TLS protocol versions allowed. This is fallout from the
* POODLE vulnerability (CVE-2014-3566), which requires that SSLv3 be disabled.
* Only TLS 1.0 and later protocols are allowed.
*/
public class SslSocketConnectorSecure extends SslSocketConnector {
@InterfaceAudience.Private
public class SslSelectChannelConnectorSecure extends SslSelectChannelConnector {
public SslSocketConnectorSecure() {
public SslSelectChannelConnectorSecure() {
super();
}
/**
* Create a new ServerSocket that will not accept SSLv3 connections,
* but will accept TLSv1.x connections.
* Disable SSLv3 protocol.
*/
protected ServerSocket newServerSocket(String host, int port,int backlog)
throws IOException {
SSLServerSocket socket = (SSLServerSocket)
super.newServerSocket(host, port, backlog);
@Override
protected SSLEngine createSSLEngine() throws IOException {
SSLEngine engine = super.createSSLEngine();
ArrayList<String> nonSSLProtocols = new ArrayList<String>();
for (String p : socket.getEnabledProtocols()) {
for (String p : engine.getEnabledProtocols()) {
if (!p.contains("SSLv3")) {
nonSSLProtocols.add(p);
}
}
socket.setEnabledProtocols(nonSSLProtocols.toArray(
new String[nonSSLProtocols.size()]));
return socket;
engine.setEnabledProtocols(nonSSLProtocols.toArray(
new String[nonSSLProtocols.size()]));
return engine;
}
}
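Review bot: The filter in `createSSLEngine` drops only names containing `SSLv3`, so it is a one-entry denylist, while the class Javadoc promises that only TLS 1.0 and later are allowed. Any other non-TLS name the JVM enables by default (for example `SSLv2Hello` on older JDKs) would pass through. An allowlist such as `if (p.startsWith("TLS")) {` would make the code match the comment, provided no supported client depends on the SSLv2-format hello; otherwise the Javadoc should say that only SSLv3 is removed. TLS 1.0 and 1.1 have since been deprecated (RFC 8996), so a configurable minimum version would be more durable than a hard-coded name test.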


@ -18,15 +18,16 @@
package org.apache.hadoop.crypto.key.kms.server;
import com.google.common.base.Preconditions;
import org.apache.commons.io.IOUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
import org.apache.hadoop.util.ThreadUtil;
import org.apache.hadoop.security.ssl.SslSelectChannelConnectorSecure;
import org.mortbay.jetty.Connector;
import org.mortbay.jetty.Server;
import org.mortbay.jetty.security.SslSocketConnector;
import org.mortbay.jetty.security.SslSelectChannelConnector;
import org.mortbay.jetty.webapp.WebAppContext;
import java.io.File;
@ -54,7 +55,7 @@ public class MiniKMS {
if (!ssl) {
server.getConnectors()[0].setHost(host);
} else {
SslSocketConnector c = new SslSocketConnectorSecure();
SslSelectChannelConnector c = new SslSelectChannelConnectorSecure();
c.setHost(host);
c.setNeedClientAuth(false);
c.setKeystore(keyStore);
@ -71,7 +72,7 @@ public class MiniKMS {
private static URL getJettyURL(Server server) {
boolean ssl = server.getConnectors()[0].getClass()
== SslSocketConnectorSecure.class;
== SslSelectChannelConnectorSecure.class;
try {
String scheme = (ssl) ? "https" : "http";
return new URL(scheme + "://" +
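Review bot: `getJettyURL` detects SSL by exact class identity (`getClass() == SslSelectChannelConnectorSecure.class`), which this commit had to edit by hand and which would fall back to `http` for any other SSL connector type. `server.getConnectors()[0] instanceof SslSelectChannelConnector` would be sturdier against the next connector swap. The method body continues past the end of the hunk.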


@ -24,14 +24,14 @@ import java.net.ServerSocket;
import java.net.URL;
import java.net.UnknownHostException;
import org.apache.hadoop.security.ssl.SslSocketConnectorSecure;
import org.apache.hadoop.security.ssl.SslSelectChannelConnectorSecure;
import org.junit.Test;
import org.junit.rules.MethodRule;
import org.junit.runners.model.FrameworkMethod;
import org.junit.runners.model.Statement;
import org.mortbay.jetty.Connector;
import org.mortbay.jetty.Server;
import org.mortbay.jetty.security.SslSocketConnector;
import org.mortbay.jetty.security.SslSelectChannelConnector;
public class TestJettyHelper implements MethodRule {
private boolean ssl;
@ -93,7 +93,7 @@ public class TestJettyHelper implements MethodRule {
server.getConnectors()[0].setHost(host);
server.getConnectors()[0].setPort(port);
} else {
SslSocketConnector c = new SslSocketConnectorSecure();
SslSelectChannelConnector c = new SslSelectChannelConnectorSecure();
c.setHost(host);
c.setPort(port);
c.setNeedClientAuth(false);


@ -526,6 +526,11 @@
<artifactId>jetty-util</artifactId>
<version>${jetty.version}</version>
</dependency>
<dependency>
<groupId>org.mortbay.jetty</groupId>
<artifactId>jetty-sslengine</artifactId>
<version>${jetty.version}</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-core</artifactId>