HADOOP-16718. Allow disabling Server Name Indication (SNI) for Jetty. Contributed by Aravindan Vijayan.

Signed-off-by: Wei-Chiu Chuang <weichiu@apache.org>
Reviewed-by: Siyao Meng <smeng@cloudera.com>
Aravindan Vijayan 2019-12-03 15:46:21 -08:00 committed by Wei-Chiu Chuang
parent 0c217feed8
commit f1ab7f18c4
3 changed files with 35 additions and 2 deletions


@ -154,6 +154,10 @@ public final class HttpServer2 implements FilterContainer {
public static final String FILTER_INITIALIZER_PROPERTY public static final String FILTER_INITIALIZER_PROPERTY
= "hadoop.http.filter.initializers"; = "hadoop.http.filter.initializers";
public static final String HTTP_SNI_HOST_CHECK_ENABLED_KEY
= "hadoop.http.sni.host.check.enabled";
public static final boolean HTTP_SNI_HOST_CHECK_ENABLED_DEFAULT = false;
// The ServletContext attribute where the daemon Configuration // The ServletContext attribute where the daemon Configuration
// gets stored. // gets stored.
public static final String CONF_CONTEXT_ATTRIBUTE = "hadoop.conf"; public static final String CONF_CONTEXT_ATTRIBUTE = "hadoop.conf";
@ -233,6 +237,8 @@ public final class HttpServer2 implements FilterContainer {
private boolean xFrameEnabled; private boolean xFrameEnabled;
private XFrameOption xFrameOption = XFrameOption.SAMEORIGIN; private XFrameOption xFrameOption = XFrameOption.SAMEORIGIN;
private boolean sniHostCheckEnabled;
public Builder setName(String name){ public Builder setName(String name){
this.name = name; this.name = name;
return this; return this;
@ -377,6 +383,17 @@ public final class HttpServer2 implements FilterContainer {
return this; return this;
} }
/**
* Enable or disable sniHostCheck.
*
* @param sniHostCheckEnabled Enable sniHostCheck if true, else disable it.
* @return Builder.
*/
public Builder setSniHostCheckEnabled(boolean sniHostCheckEnabled) {
this.sniHostCheckEnabled = sniHostCheckEnabled;
return this;
}
/** /**
* A wrapper of {@link Configuration#getPassword(String)}. It returns * A wrapper of {@link Configuration#getPassword(String)}. It returns
* <code>String</code> instead of <code>char[]</code>. * <code>String</code> instead of <code>char[]</code>.
@ -471,6 +488,13 @@ public final class HttpServer2 implements FilterContainer {
int backlogSize = conf.getInt(HTTP_SOCKET_BACKLOG_SIZE_KEY, int backlogSize = conf.getInt(HTTP_SOCKET_BACKLOG_SIZE_KEY,
HTTP_SOCKET_BACKLOG_SIZE_DEFAULT); HTTP_SOCKET_BACKLOG_SIZE_DEFAULT);
// If setSniHostCheckEnabled() is used to enable SNI hostname check,
// configuration lookup is skipped.
if (!sniHostCheckEnabled) {
sniHostCheckEnabled = conf.getBoolean(HTTP_SNI_HOST_CHECK_ENABLED_KEY,
HTTP_SNI_HOST_CHECK_ENABLED_DEFAULT);
}
for (URI ep : endpoints) { for (URI ep : endpoints) {
final ServerConnector connector; final ServerConnector connector;
String scheme = ep.getScheme(); String scheme = ep.getScheme();
@ -514,7 +538,8 @@ public final class HttpServer2 implements FilterContainer {
private ServerConnector createHttpsChannelConnector( private ServerConnector createHttpsChannelConnector(
Server server, HttpConfiguration httpConfig) { Server server, HttpConfiguration httpConfig) {
httpConfig.setSecureScheme(HTTPS_SCHEME); httpConfig.setSecureScheme(HTTPS_SCHEME);
httpConfig.addCustomizer(new SecureRequestCustomizer()); httpConfig.addCustomizer(
new SecureRequestCustomizer(sniHostCheckEnabled));
ServerConnector conn = createHttpChannelConnector(server, httpConfig); ServerConnector conn = createHttpChannelConnector(server, httpConfig);
SslContextFactory.Server sslContextFactory = SslContextFactory.Server sslContextFactory =
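Review bot: `HTTP_SNI_HOST_CHECK_ENABLED_DEFAULT = false` means every HTTPS connector now builds `new SecureRequestCustomizer(sniHostCheckEnabled)` with the check off unless someone opts in, while the replaced no-argument constructor left the choice to Jetty's own default (enabled in the Jetty 9.4 line as far as I know; worth confirming against the bundled version). If that holds, the change turns the check off for existing deployments rather than only allowing it to be disabled, and the same default is repeated as `<value>false</value>` in the XML defaults section. I would keep the earlier behaviour with `public static final boolean HTTP_SNI_HOST_CHECK_ENABLED_DEFAULT = true;` and let affected clusters set the key to false, or at least state the behaviour change in a comment on the constant. Separately, in the block guarded by `if (!sniHostCheckEnabled)` a call to `setSniHostCheckEnabled(false)` is overridden by a `true` in configuration, so the setter's Javadoc would be more accurate as `Enable sniHostCheck if true; if false the value of hadoop.http.sni.host.check.enabled is used.` The enclosing methods of the last two hunks continue outside the hunks.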


@ -3789,4 +3789,12 @@
fs space usage statistics refresh jitter in msec. fs space usage statistics refresh jitter in msec.
</description> </description>
</property> </property>
<property>
<name>hadoop.http.sni.host.check.enabled</name>
<value>false</value>
<description>
Enable Server Name Indication (SNI) host check for HTTPS enabled server.
</description>
</property>
</configuration> </configuration>
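Review bot: The `<description>` of `hadoop.http.sni.host.check.enabled` does not tell an operator what the check does or what is given up while the value stays `false`. Suggested wording, to be confirmed against the Jetty version in use: `When true, an HTTPS request whose Host does not match the certificate selected through SNI is rejected; when false, this check is skipped.`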


@ -226,6 +226,6 @@ public class TestCommonConfigurationFields extends TestConfigurationFieldsBase {
// - org.apache.hadoop.io.SequenceFile // - org.apache.hadoop.io.SequenceFile
xmlPropsToSkipCompare.add("io.seqfile.local.dir"); xmlPropsToSkipCompare.add("io.seqfile.local.dir");
xmlPropsToSkipCompare.add("hadoop.http.sni.host.check.enabled");
} }
} }
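Review bot: The new `xmlPropsToSkipCompare.add("hadoop.http.sni.host.check.enabled");` line sits under the `// - org.apache.hadoop.io.SequenceFile` grouping comment, although the key is declared in HttpServer2; a line `// - HttpServer2` above it would keep the list's grouping comments accurate. None of the three changed files adds a test that exercises either value of the setting, so a connector test covering both true and false would be worth adding, assuming none exists outside this page. The enclosing method starts outside the hunk.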