org.apache.hadoop.http.HttpServer2 Maven / Gradle / Ivy
The newest version!
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.http;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InterruptedIOException;
import java.io.PrintStream;
import java.net.BindException;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.util.HashMap;
import java.util.Collections;
import java.util.Optional;
import java.util.Properties;
import java.util.Enumeration;
import java.util.Arrays;
import java.util.Timer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.classification.VisibleForTesting;
import org.apache.hadoop.jmx.JMXJsonServletNaNFiltered;
import org.apache.hadoop.util.Preconditions;
import org.apache.hadoop.thirdparty.com.google.common.collect.ImmutableMap;
import com.sun.jersey.spi.container.servlet.ServletContainer;
import org.apache.hadoop.HadoopIllegalArgumentException;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.ConfServlet;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.conf.Configuration.IntegerRanges;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.jmx.JMXJsonServlet;
import org.apache.hadoop.log.LogLevel;
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.metrics2.sink.PrometheusMetricsSink;
import org.apache.hadoop.security.AuthenticationFilterInitializer;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.ProxyUserAuthenticationFilterInitializer;
import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
import org.apache.hadoop.security.authentication.util.SignerSecretProvider;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory;
import org.apache.hadoop.security.ssl.FileMonitoringTimerTask;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.util.Lists;
import org.apache.hadoop.util.ReflectionUtils;
import org.apache.hadoop.util.Shell;
import org.apache.hadoop.util.StringUtils;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.RequestLog;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.SymlinkAllowedResourceAliasChecker;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.server.handler.HandlerCollection;
import org.eclipse.jetty.server.handler.RequestLogHandler;
import org.eclipse.jetty.server.handler.StatisticsHandler;
import org.eclipse.jetty.server.session.SessionHandler;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.FilterMapping;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.servlet.ServletMapping;
import org.eclipse.jetty.util.ArrayUtil;
import org.eclipse.jetty.util.MultiException;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.eclipse.jetty.webapp.WebAppContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.JMX_NAN_FILTER;
import static org.apache.hadoop.fs.CommonConfigurationKeysPublic.JMX_NAN_FILTER_DEFAULT;
/**
* Create a Jetty embedded server to answer http requests. The primary goal is
* to serve up status information for the server. There are three contexts:
* "/logs/" {@literal ->} points to the log directory "/static/" {@literal ->}
* points to common static files (src/webapps/static) "/" {@literal ->} the
* jsp server code from (src/webapps/{@literal <}name{@literal >})
*
* This class is a fork of the old HttpServer. HttpServer exists for
* compatibility reasons. See HBASE-10336 for more details.
*/
@InterfaceAudience.Private
@InterfaceStability.Evolving
public final class HttpServer2 implements FilterContainer {
public static final Logger LOG = LoggerFactory.getLogger(HttpServer2.class);
public static final String HTTP_SCHEME = "http";
public static final String HTTPS_SCHEME = "https";
public static final String HTTP_MAX_REQUEST_HEADER_SIZE_KEY =
"hadoop.http.max.request.header.size";
public static final int HTTP_MAX_REQUEST_HEADER_SIZE_DEFAULT = 65536;
public static final String HTTP_MAX_RESPONSE_HEADER_SIZE_KEY =
"hadoop.http.max.response.header.size";
public static final int HTTP_MAX_RESPONSE_HEADER_SIZE_DEFAULT = 65536;
public static final String HTTP_SOCKET_BACKLOG_SIZE_KEY =
"hadoop.http.socket.backlog.size";
public static final int HTTP_SOCKET_BACKLOG_SIZE_DEFAULT = 500;
public static final String HTTP_MAX_THREADS_KEY = "hadoop.http.max.threads";
public static final String HTTP_ACCEPTOR_COUNT_KEY =
"hadoop.http.acceptor.count";
// -1 to use default behavior of setting count based on CPU core count
public static final int HTTP_ACCEPTOR_COUNT_DEFAULT = -1;
public static final String HTTP_SELECTOR_COUNT_KEY =
"hadoop.http.selector.count";
// -1 to use default behavior of setting count based on CPU core count
public static final int HTTP_SELECTOR_COUNT_DEFAULT = -1;
// idle timeout in milliseconds
public static final String HTTP_IDLE_TIMEOUT_MS_KEY =
"hadoop.http.idle_timeout.ms";
public static final int HTTP_IDLE_TIMEOUT_MS_DEFAULT = 60000;
public static final String HTTP_TEMP_DIR_KEY = "hadoop.http.temp.dir";
public static final String FILTER_INITIALIZER_PROPERTY
= "hadoop.http.filter.initializers";
public static final String HTTP_SNI_HOST_CHECK_ENABLED_KEY
= "hadoop.http.sni.host.check.enabled";
public static final boolean HTTP_SNI_HOST_CHECK_ENABLED_DEFAULT = false;
// The ServletContext attribute where the daemon Configuration
// gets stored.
public static final String CONF_CONTEXT_ATTRIBUTE = "hadoop.conf";
public static final String ADMINS_ACL = "admins.acl";
public static final String SPNEGO_FILTER = "authentication";
public static final String NO_CACHE_FILTER = "NoCacheFilter";
public static final String BIND_ADDRESS = "bind.address";
private final AccessControlList adminsAcl;
protected final Server webServer;
private final HandlerCollection handlers;
private final List listeners = Lists.newArrayList();
protected final WebAppContext webAppContext;
protected final boolean findPort;
protected final IntegerRanges portRanges;
private final Map defaultContexts =
new HashMap<>();
protected final List filterNames = new ArrayList<>();
static final String STATE_DESCRIPTION_ALIVE = " - alive";
static final String STATE_DESCRIPTION_NOT_LIVE = " - not live";
private final SignerSecretProvider secretProvider;
private final Optional configurationChangeMonitor;
private XFrameOption xFrameOption;
private boolean xFrameOptionIsEnabled;
public static final String HTTP_HEADER_PREFIX = "hadoop.http.header.";
private static final String HTTP_HEADER_REGEX =
"hadoop\\.http\\.header\\.([a-zA-Z\\-_]+)";
static final String X_XSS_PROTECTION =
"X-XSS-Protection:1; mode=block";
static final String X_CONTENT_TYPE_OPTIONS =
"X-Content-Type-Options:nosniff";
private static final String X_FRAME_OPTIONS = "X-FRAME-OPTIONS";
private static final Pattern PATTERN_HTTP_HEADER_REGEX =
Pattern.compile(HTTP_HEADER_REGEX);
private boolean prometheusSupport;
protected static final String PROMETHEUS_SINK = "PROMETHEUS_SINK";
private PrometheusMetricsSink prometheusMetricsSink;
private StatisticsHandler statsHandler;
private HttpServer2Metrics metrics;
/**
* Class to construct instances of HTTP server with specific options.
*/
public static class Builder {
private ArrayList endpoints = Lists.newArrayList();
private String name;
private Configuration conf;
private Configuration sslConf;
private String[] pathSpecs;
private AccessControlList adminsAcl;
private boolean securityEnabled = false;
private String usernameConfKey;
private String keytabConfKey;
private boolean needsClientAuth;
private String trustStore;
private String trustStorePassword;
private String trustStoreType;
private String keyStore;
private String keyStorePassword;
private String keyStoreType;
// The -keypass option in keytool
private String keyPassword;
private boolean findPort;
private IntegerRanges portRanges = null;
private String hostName;
private boolean disallowFallbackToRandomSignerSecretProvider;
private final List authFilterConfigurationPrefixes =
new ArrayList<>(Collections.singletonList(
"hadoop.http.authentication."));
private String excludeCiphers;
private boolean xFrameEnabled;
private XFrameOption xFrameOption = XFrameOption.SAMEORIGIN;
private boolean sniHostCheckEnabled;
private Optional configurationChangeMonitor = Optional.empty();
public Builder setName(String name){
this.name = name;
return this;
}
/**
* Add an endpoint that the HTTP server should listen to.
*
* @param endpoint
* the endpoint of that the HTTP server should listen to. The
* scheme specifies the protocol (i.e. HTTP / HTTPS), the host
* specifies the binding address, and the port specifies the
* listening port. Unspecified or zero port means that the server
* can listen to any port.
* @return Builder.
*/
public Builder addEndpoint(URI endpoint) {
endpoints.add(endpoint);
return this;
}
/**
* Set the hostname of the http server. The host name is used to resolve the
* _HOST field in Kerberos principals. The hostname of the first listener
* will be used if the name is unspecified.
*
* @param hostName hostName.
* @return Builder.
*/
public Builder hostName(String hostName) {
this.hostName = hostName;
return this;
}
public Builder trustStore(String location, String password, String type) {
this.trustStore = location;
this.trustStorePassword = password;
this.trustStoreType = type;
return this;
}
public Builder keyStore(String location, String password, String type) {
this.keyStore = location;
this.keyStorePassword = password;
this.keyStoreType = type;
return this;
}
public Builder keyPassword(String password) {
this.keyPassword = password;
return this;
}
/**
* Specify whether the server should authorize the client in SSL
* connections.
*
* @param value value.
* @return Builder.
*/
public Builder needsClientAuth(boolean value) {
this.needsClientAuth = value;
return this;
}
public Builder setFindPort(boolean findPort) {
this.findPort = findPort;
return this;
}
public Builder setPortRanges(IntegerRanges ranges) {
this.portRanges = ranges;
return this;
}
public Builder setConf(Configuration conf) {
this.conf = conf;
return this;
}
/**
* Specify the SSL configuration to load. This API provides an alternative
* to keyStore/keyPassword/trustStore.
*
* @param sslCnf sslCnf.
* @return Builder.
*/
public Builder setSSLConf(Configuration sslCnf) {
this.sslConf = sslCnf;
return this;
}
public Builder setPathSpec(String[] pathSpec) {
this.pathSpecs = pathSpec;
return this;
}
public Builder setACL(AccessControlList acl) {
this.adminsAcl = acl;
return this;
}
public Builder setSecurityEnabled(boolean securityEnabled) {
this.securityEnabled = securityEnabled;
return this;
}
public Builder setUsernameConfKey(String usernameConfKey) {
this.usernameConfKey = usernameConfKey;
return this;
}
public Builder setKeytabConfKey(String keytabConfKey) {
this.keytabConfKey = keytabConfKey;
return this;
}
public Builder disallowFallbackToRandomSingerSecretProvider(boolean value) {
this.disallowFallbackToRandomSignerSecretProvider = value;
return this;
}
public Builder setAuthFilterConfigurationPrefix(String value) {
this.authFilterConfigurationPrefixes.clear();
this.authFilterConfigurationPrefixes.add(value);
return this;
}
public Builder setAuthFilterConfigurationPrefixes(String[] prefixes) {
this.authFilterConfigurationPrefixes.clear();
Collections.addAll(this.authFilterConfigurationPrefixes, prefixes);
return this;
}
public Builder excludeCiphers(String pExcludeCiphers) {
this.excludeCiphers = pExcludeCiphers;
return this;
}
/**
* Adds the ability to control X_FRAME_OPTIONS on HttpServer2.
* @param xFrameEnabled - True enables X_FRAME_OPTIONS false disables it.
* @return Builder.
*/
public Builder configureXFrame(boolean xFrameEnabled) {
this.xFrameEnabled = xFrameEnabled;
return this;
}
/**
* Sets a valid X-Frame-option that can be used by HttpServer2.
* @param option - String DENY, SAMEORIGIN or ALLOW-FROM are the only valid
* options. Any other value will throw IllegalArgument
* Exception.
* @return Builder.
*/
public Builder setXFrameOption(String option) {
this.xFrameOption = XFrameOption.getEnum(option);
return this;
}
/**
* Enable or disable sniHostCheck.
*
* @param sniHostCheckEnabled Enable sniHostCheck if true, else disable it.
* @return Builder.
*/
public Builder setSniHostCheckEnabled(boolean sniHostCheckEnabled) {
this.sniHostCheckEnabled = sniHostCheckEnabled;
return this;
}
/**
* A wrapper of {@link Configuration#getPassword(String)}. It returns
* String
instead of char[]
.
*
* @param conf the configuration
* @param name the property name
* @return the password string or null
*/
private static String getPasswordString(Configuration conf, String name)
throws IOException {
char[] passchars = conf.getPassword(name);
if (passchars == null) {
return null;
}
return new String(passchars);
}
/**
* Load SSL properties from the SSL configuration.
*/
private void loadSSLConfiguration() throws IOException {
if (sslConf == null) {
return;
}
needsClientAuth = sslConf.getBoolean(
SSLFactory.SSL_SERVER_NEED_CLIENT_AUTH,
SSLFactory.SSL_SERVER_NEED_CLIENT_AUTH_DEFAULT);
keyStore = sslConf.getTrimmed(SSLFactory.SSL_SERVER_KEYSTORE_LOCATION);
if (keyStore == null || keyStore.isEmpty()) {
throw new IOException(String.format("Property %s not specified",
SSLFactory.SSL_SERVER_KEYSTORE_LOCATION));
}
keyStorePassword = getPasswordString(sslConf,
SSLFactory.SSL_SERVER_KEYSTORE_PASSWORD);
if (keyStorePassword == null) {
throw new IOException(String.format("Property %s not specified",
SSLFactory.SSL_SERVER_KEYSTORE_PASSWORD));
}
keyStoreType = sslConf.get(SSLFactory.SSL_SERVER_KEYSTORE_TYPE,
SSLFactory.SSL_SERVER_KEYSTORE_TYPE_DEFAULT);
keyPassword = getPasswordString(sslConf,
SSLFactory.SSL_SERVER_KEYSTORE_KEYPASSWORD);
trustStore = sslConf.get(SSLFactory.SSL_SERVER_TRUSTSTORE_LOCATION);
trustStorePassword = getPasswordString(sslConf,
SSLFactory.SSL_SERVER_TRUSTSTORE_PASSWORD);
trustStoreType = sslConf.get(SSLFactory.SSL_SERVER_TRUSTSTORE_TYPE,
SSLFactory.SSL_SERVER_TRUSTSTORE_TYPE_DEFAULT);
excludeCiphers = sslConf.get(SSLFactory.SSL_SERVER_EXCLUDE_CIPHER_LIST);
}
public HttpServer2 build() throws IOException {
Preconditions.checkNotNull(name, "name is not set");
Preconditions.checkState(!endpoints.isEmpty(), "No endpoints specified");
if (hostName == null) {
hostName = endpoints.get(0).getHost();
}
if (this.conf == null) {
conf = new Configuration();
}
HttpServer2 server = new HttpServer2(this);
if (this.securityEnabled &&
authFilterConfigurationPrefixes.stream().noneMatch(
prefix -> this.conf.get(prefix + "type")
.equals(PseudoAuthenticationHandler.TYPE))
) {
server.initSpnego(
conf,
hostName,
getFilterProperties(conf, authFilterConfigurationPrefixes),
usernameConfKey,
keytabConfKey);
}
for (URI ep : endpoints) {
if (HTTPS_SCHEME.equals(ep.getScheme())) {
loadSSLConfiguration();
break;
}
}
int requestHeaderSize = conf.getInt(
HTTP_MAX_REQUEST_HEADER_SIZE_KEY,
HTTP_MAX_REQUEST_HEADER_SIZE_DEFAULT);
int responseHeaderSize = conf.getInt(
HTTP_MAX_RESPONSE_HEADER_SIZE_KEY,
HTTP_MAX_RESPONSE_HEADER_SIZE_DEFAULT);
int idleTimeout = conf.getInt(HTTP_IDLE_TIMEOUT_MS_KEY,
HTTP_IDLE_TIMEOUT_MS_DEFAULT);
HttpConfiguration httpConfig = new HttpConfiguration();
httpConfig.setRequestHeaderSize(requestHeaderSize);
httpConfig.setResponseHeaderSize(responseHeaderSize);
httpConfig.setSendServerVersion(false);
int backlogSize = conf.getInt(HTTP_SOCKET_BACKLOG_SIZE_KEY,
HTTP_SOCKET_BACKLOG_SIZE_DEFAULT);
// If setSniHostCheckEnabled() is used to enable SNI hostname check,
// configuration lookup is skipped.
if (!sniHostCheckEnabled) {
sniHostCheckEnabled = conf.getBoolean(HTTP_SNI_HOST_CHECK_ENABLED_KEY,
HTTP_SNI_HOST_CHECK_ENABLED_DEFAULT);
}
for (URI ep : endpoints) {
final ServerConnector connector;
String scheme = ep.getScheme();
if (HTTP_SCHEME.equals(scheme)) {
connector = createHttpChannelConnector(server.webServer,
httpConfig);
} else if (HTTPS_SCHEME.equals(scheme)) {
connector = createHttpsChannelConnector(server.webServer,
httpConfig);
} else {
throw new HadoopIllegalArgumentException(
"unknown scheme for endpoint:" + ep);
}
connector.setHost(ep.getHost());
connector.setPort(ep.getPort() == -1 ? 0 : ep.getPort());
connector.setAcceptQueueSize(backlogSize);
connector.setIdleTimeout(idleTimeout);
server.addListener(connector);
}
server.loadListeners();
return server;
}
private ServerConnector createHttpChannelConnector(
Server server, HttpConfiguration httpConfig) {
ServerConnector conn = new ServerConnector(server,
conf.getInt(HTTP_ACCEPTOR_COUNT_KEY, HTTP_ACCEPTOR_COUNT_DEFAULT),
conf.getInt(HTTP_SELECTOR_COUNT_KEY, HTTP_SELECTOR_COUNT_DEFAULT));
ConnectionFactory connFactory = new HttpConnectionFactory(httpConfig);
conn.addConnectionFactory(connFactory);
if(Shell.WINDOWS) {
// result of setting the SO_REUSEADDR flag is different on Windows
// http://msdn.microsoft.com/en-us/library/ms740621(v=vs.85).aspx
// without this 2 NN's can start on the same machine and listen on
// the same port with indeterminate routing of incoming requests to them
conn.setReuseAddress(false);
}
return conn;
}
private ServerConnector createHttpsChannelConnector(
Server server, HttpConfiguration httpConfig) {
httpConfig.setSecureScheme(HTTPS_SCHEME);
httpConfig.addCustomizer(
new SecureRequestCustomizer(sniHostCheckEnabled));
ServerConnector conn = createHttpChannelConnector(server, httpConfig);
SslContextFactory.Server sslContextFactory =
new SslContextFactory.Server();
sslContextFactory.setNeedClientAuth(needsClientAuth);
if (keyPassword != null) {
sslContextFactory.setKeyManagerPassword(keyPassword);
}
if (keyStore != null) {
sslContextFactory.setKeyStorePath(keyStore);
sslContextFactory.setKeyStoreType(keyStoreType);
if (keyStorePassword != null) {
sslContextFactory.setKeyStorePassword(keyStorePassword);
}
}
if (trustStore != null) {
sslContextFactory.setTrustStorePath(trustStore);
sslContextFactory.setTrustStoreType(trustStoreType);
if (trustStorePassword != null) {
sslContextFactory.setTrustStorePassword(trustStorePassword);
}
}
if(null != excludeCiphers && !excludeCiphers.isEmpty()) {
sslContextFactory.setExcludeCipherSuites(
StringUtils.getTrimmedStrings(excludeCiphers));
LOG.info("Excluded Cipher List:" + excludeCiphers);
}
setEnabledProtocols(sslContextFactory);
long storesReloadInterval =
conf.getLong(FileBasedKeyStoresFactory.SSL_STORES_RELOAD_INTERVAL_TPL_KEY,
FileBasedKeyStoresFactory.DEFAULT_SSL_STORES_RELOAD_INTERVAL);
if (storesReloadInterval > 0 &&
(keyStore != null || trustStore != null)) {
this.configurationChangeMonitor = Optional.of(
this.makeConfigurationChangeMonitor(storesReloadInterval, sslContextFactory));
}
conn.addFirstConnectionFactory(new SslConnectionFactory(sslContextFactory,
HttpVersion.HTTP_1_1.asString()));
return conn;
}
private Timer makeConfigurationChangeMonitor(long reloadInterval,
SslContextFactory.Server sslContextFactory) {
java.util.Timer timer = new java.util.Timer(FileBasedKeyStoresFactory.SSL_MONITORING_THREAD_NAME, true);
ArrayList locations = new ArrayList();
if (keyStore != null) {
locations.add(Paths.get(keyStore));
}
if (trustStore != null) {
locations.add(Paths.get(trustStore));
}
//
// The Jetty SSLContextFactory provides a 'reload' method which will reload both
// truststore and keystore certificates.
//
timer.schedule(new FileMonitoringTimerTask(
locations,
path -> {
LOG.info("Reloading keystore and truststore certificates.");
try {
sslContextFactory.reload(factory -> { });
} catch (Exception ex) {
LOG.error("Failed to reload SSL keystore " +
"and truststore certificates", ex);
}
},null),
reloadInterval,
reloadInterval
);
return timer;
}
private void setEnabledProtocols(SslContextFactory sslContextFactory) {
String enabledProtocols = conf.get(SSLFactory.SSL_ENABLED_PROTOCOLS_KEY,
SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT);
if (!enabledProtocols.equals(SSLFactory.SSL_ENABLED_PROTOCOLS_DEFAULT)) {
// Jetty 9.2.4.v20141103 and above excludes certain protocols by
// default. Remove the user enabled protocols from the exclude list,
// and add them into the include list.
String[] jettyExcludedProtocols =
sslContextFactory.getExcludeProtocols();
String[] enabledProtocolsArray =
StringUtils.getTrimmedStrings(enabledProtocols);
List enabledProtocolsList =
Arrays.asList(enabledProtocolsArray);
List resetExcludedProtocols = new ArrayList<>();
for (String jettyExcludedProtocol: jettyExcludedProtocols) {
if (!enabledProtocolsList.contains(jettyExcludedProtocol)) {
resetExcludedProtocols.add(jettyExcludedProtocol);
} else {
LOG.debug("Removed {} from exclude protocol list",
jettyExcludedProtocol);
}
}
sslContextFactory.setExcludeProtocols(
resetExcludedProtocols.toArray(new String[0]));
LOG.info("Reset exclude protocol list: {}", resetExcludedProtocols);
sslContextFactory.setIncludeProtocols(enabledProtocolsArray);
LOG.info("Enabled protocols: {}", enabledProtocols);
}
}
}
private HttpServer2(final Builder b) throws IOException {
final String appDir = getWebAppsPath(b.name);
this.webServer = new Server();
this.adminsAcl = b.adminsAcl;
this.handlers = new HandlerCollection();
this.webAppContext = createWebAppContext(b, adminsAcl, appDir);
this.xFrameOptionIsEnabled = b.xFrameEnabled;
this.xFrameOption = b.xFrameOption;
this.configurationChangeMonitor = b.configurationChangeMonitor;
try {
this.secretProvider =
constructSecretProvider(b, webAppContext.getServletContext());
this.webAppContext.getServletContext().setAttribute
(AuthenticationFilter.SIGNER_SECRET_PROVIDER_ATTRIBUTE,
secretProvider);
} catch(IOException e) {
throw e;
} catch (Exception e) {
throw new IOException(e);
}
this.findPort = b.findPort;
this.portRanges = b.portRanges;
initializeWebServer(b.name, b.hostName, b.conf, b.pathSpecs);
}
private void initializeWebServer(String name, String hostName,
Configuration conf, String[] pathSpecs)
throws IOException {
Preconditions.checkNotNull(webAppContext);
int maxThreads = conf.getInt(HTTP_MAX_THREADS_KEY, -1);
// If HTTP_MAX_THREADS is not configured, QueueThreadPool() will use the
// default value (currently 250).
QueuedThreadPool threadPool = (QueuedThreadPool) webServer.getThreadPool();
threadPool.setDaemon(true);
if (maxThreads != -1) {
threadPool.setMaxThreads(maxThreads);
}
SessionHandler handler = webAppContext.getSessionHandler();
handler.setHttpOnly(true);
handler.getSessionCookieConfig().setSecure(true);
ContextHandlerCollection contexts = new ContextHandlerCollection();
RequestLog requestLog = HttpRequestLog.getRequestLog(name);
handlers.addHandler(contexts);
if (requestLog != null) {
RequestLogHandler requestLogHandler = new RequestLogHandler();
requestLogHandler.setRequestLog(requestLog);
handlers.addHandler(requestLogHandler);
}
handlers.addHandler(webAppContext);
final String appDir = getWebAppsPath(name);
addDefaultApps(contexts, appDir, conf);
webServer.setHandler(handlers);
if (conf.getBoolean(
CommonConfigurationKeysPublic.HADOOP_HTTP_METRICS_ENABLED,
CommonConfigurationKeysPublic.HADOOP_HTTP_METRICS_ENABLED_DEFAULT)) {
// Jetty StatisticsHandler must be inserted as the first handler.
// The tree might look like this:
//
// - StatisticsHandler (for all requests)
// - HandlerList
// - ContextHandlerCollection
// - RequestLogHandler (if enabled)
// - WebAppContext
// - SessionHandler
// - Servlets
// - Filters
// - etc..
//
// Reference: https://www.eclipse.org/lists/jetty-users/msg06273.html
statsHandler = new StatisticsHandler();
webServer.insertHandler(statsHandler);
}
Map xFrameParams = setHeaders(conf);
addGlobalFilter("safety", QuotingInputFilter.class.getName(), xFrameParams);
final FilterInitializer[] initializers = getFilterInitializers(conf);
if (initializers != null) {
conf = new Configuration(conf);
conf.set(BIND_ADDRESS, hostName);
for (FilterInitializer c : initializers) {
c.initFilter(this, conf);
}
}
addDefaultServlets(conf);
addPrometheusServlet(conf);
addAsyncProfilerServlet(contexts, conf);
}
private void addAsyncProfilerServlet(ContextHandlerCollection contexts, Configuration conf)
throws IOException {
final String asyncProfilerHome = ProfileServlet.getAsyncProfilerHome();
if (asyncProfilerHome != null && !asyncProfilerHome.trim().isEmpty()) {
addServlet("prof", "/prof", ProfileServlet.class);
Path tmpDir = Paths.get(ProfileServlet.OUTPUT_DIR);
if (Files.notExists(tmpDir)) {
Files.createDirectories(tmpDir);
}
ServletContextHandler genCtx = new ServletContextHandler(contexts, "/prof-output-hadoop");
genCtx.addServlet(ProfileOutputServlet.class, "/*");
genCtx.setResourceBase(tmpDir.toAbsolutePath().toString());
genCtx.setDisplayName("prof-output-hadoop");
setContextAttributes(genCtx, conf);
} else {
addServlet("prof", "/prof", ProfilerDisabledServlet.class);
LOG.info("ASYNC_PROFILER_HOME environment variable and async.profiler.home system property "
+ "not specified. Disabling /prof endpoint.");
}
}
private void addPrometheusServlet(Configuration conf) {
prometheusSupport = conf.getBoolean(
CommonConfigurationKeysPublic.HADOOP_PROMETHEUS_ENABLED,
CommonConfigurationKeysPublic.HADOOP_PROMETHEUS_ENABLED_DEFAULT);
if (prometheusSupport) {
prometheusMetricsSink = new PrometheusMetricsSink();
getWebAppContext().getServletContext()
.setAttribute(PROMETHEUS_SINK, prometheusMetricsSink);
addServlet("prometheus", "/prom", PrometheusServlet.class);
}
}
private void addListener(ServerConnector connector) {
listeners.add(connector);
}
private static WebAppContext createWebAppContext(Builder b,
AccessControlList adminsAcl, final String appDir) {
WebAppContext ctx = new WebAppContext();
ctx.setDefaultsDescriptor(null);
ServletHolder holder = new ServletHolder(new WebServlet());
Map params = ImmutableMap. builder()
.put("acceptRanges", "true")
.put("dirAllowed", "false")
.put("gzip", "true")
.put("useFileMappedBuffer", "true")
.build();
holder.setInitParameters(params);
ctx.setWelcomeFiles(new String[] {"index.html"});
ctx.addServlet(holder, "/");
ctx.setDisplayName(b.name);
ctx.setContextPath("/");
ctx.setWar(appDir + "/" + b.name);
String tempDirectory = b.conf.get(HTTP_TEMP_DIR_KEY);
if (tempDirectory != null && !tempDirectory.isEmpty()) {
ctx.setTempDirectory(new File(tempDirectory));
ctx.setAttribute("javax.servlet.context.tempdir", tempDirectory);
}
ctx.getServletContext().setAttribute(CONF_CONTEXT_ATTRIBUTE, b.conf);
ctx.getServletContext().setAttribute(ADMINS_ACL, adminsAcl);
addNoCacheFilter(ctx);
return ctx;
}
private static SignerSecretProvider constructSecretProvider(final Builder b,
ServletContext ctx)
throws Exception {
final Configuration conf = b.conf;
Properties config = getFilterProperties(conf,
b.authFilterConfigurationPrefixes);
return AuthenticationFilter.constructSecretProvider(
ctx, config, b.disallowFallbackToRandomSignerSecretProvider);
}
public static Properties getFilterProperties(Configuration conf, List prefixes) {
Properties props = new Properties();
for (String prefix : prefixes) {
Map filterConfigMap =
AuthenticationFilterInitializer.getFilterConfigMap(conf, prefix);
for (Map.Entry entry : filterConfigMap.entrySet()) {
Object previous = props.setProperty(entry.getKey(), entry.getValue());
if (previous != null && !previous.equals(entry.getValue())) {
LOG.warn("Overwriting configuration for key='{}' with value='{}' " +
"previous value='{}'", entry.getKey(), entry.getValue(), previous);
}
}
}
return props;
}
private static void addNoCacheFilter(ServletContextHandler ctxt) {
defineFilter(ctxt, NO_CACHE_FILTER, NoCacheFilter.class.getName(),
Collections. emptyMap(), new String[] { "/*" });
}
/** Get an array of FilterConfiguration specified in the conf */
private static FilterInitializer[] getFilterInitializers(Configuration conf) {
if (conf == null) {
return null;
}
Class>[] classes = conf.getClasses(FILTER_INITIALIZER_PROPERTY);
if (classes == null) {
return null;
}
List> classList = new ArrayList<>(Arrays.asList(classes));
if (classList.contains(AuthenticationFilterInitializer.class) &&
classList.contains(ProxyUserAuthenticationFilterInitializer.class)) {
classList.remove(AuthenticationFilterInitializer.class);
}
FilterInitializer[] initializers = new FilterInitializer[classList.size()];
for(int i = 0; i < classList.size(); i++) {
initializers[i] = (FilterInitializer)ReflectionUtils.newInstance(
classList.get(i), conf);
}
return initializers;
}
/**
* Add default apps.
*
* @param parent contexthandlercollection.
* @param appDir The application directory
* @param conf configuration.
* @throws IOException raised on errors performing I/O.
*/
protected void addDefaultApps(ContextHandlerCollection parent,
final String appDir, Configuration conf) throws IOException {
// set up the context for "/logs/" if "hadoop.log.dir" property is defined
// and it's enabled.
String logDir = System.getProperty("hadoop.log.dir");
boolean logsEnabled = conf.getBoolean(
CommonConfigurationKeys.HADOOP_HTTP_LOGS_ENABLED,
CommonConfigurationKeys.HADOOP_HTTP_LOGS_ENABLED_DEFAULT);
if (logDir != null && logsEnabled) {
ServletContextHandler logContext =
new ServletContextHandler(parent, "/logs");
logContext.setResourceBase(logDir);
logContext.addServlet(AdminAuthorizedServlet.class, "/*");
if (conf.getBoolean(
CommonConfigurationKeys.HADOOP_JETTY_LOGS_SERVE_ALIASES,
CommonConfigurationKeys.DEFAULT_HADOOP_JETTY_LOGS_SERVE_ALIASES)) {
@SuppressWarnings("unchecked")
Map params = logContext.getInitParams();
params.put("org.eclipse.jetty.servlet.Default.aliases", "true");
}
logContext.setDisplayName("logs");
SessionHandler handler = new SessionHandler();
handler.setHttpOnly(true);
handler.getSessionCookieConfig().setSecure(true);
logContext.setSessionHandler(handler);
logContext.addAliasCheck(new SymlinkAllowedResourceAliasChecker(logContext));
setContextAttributes(logContext, conf);
addNoCacheFilter(logContext);
defaultContexts.put(logContext, true);
}
// set up the context for "/static/*"
ServletContextHandler staticContext =
new ServletContextHandler(parent, "/static");
staticContext.setResourceBase(appDir + "/static");
staticContext.addServlet(WebServlet.class, "/*");
staticContext.setDisplayName("static");
@SuppressWarnings("unchecked")
Map params = staticContext.getInitParams();
params.put("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
params.put("org.eclipse.jetty.servlet.Default.gzip", "true");
SessionHandler handler = new SessionHandler();
handler.setHttpOnly(true);
handler.getSessionCookieConfig().setSecure(true);
staticContext.setSessionHandler(handler);
staticContext.addAliasCheck(new SymlinkAllowedResourceAliasChecker(staticContext));
setContextAttributes(staticContext, conf);
defaultContexts.put(staticContext, true);
}
private void setContextAttributes(ServletContextHandler context,
Configuration conf) {
context.getServletContext().setAttribute(CONF_CONTEXT_ATTRIBUTE, conf);
context.getServletContext().setAttribute(ADMINS_ACL, adminsAcl);
}
/**
* Add default servlets.
* @param configuration the hadoop configuration
*/
protected void addDefaultServlets(Configuration configuration) {
// set up default servlets
addServlet("stacks", "/stacks", StackServlet.class);
addServlet("logLevel", "/logLevel", LogLevel.Servlet.class);
addServlet("jmx", "/jmx",
configuration.getBoolean(JMX_NAN_FILTER, JMX_NAN_FILTER_DEFAULT)
? JMXJsonServletNaNFiltered.class
: JMXJsonServlet.class
);
addServlet("conf", "/conf", ConfServlet.class);
}
public void addContext(ServletContextHandler ctxt, boolean isFiltered) {
handlers.addHandler(ctxt);
addNoCacheFilter(ctxt);
defaultContexts.put(ctxt, isFiltered);
}
/**
* Set a value in the webapp context. These values are available to the jsp
* pages as "application.getAttribute(name)".
* @param name The name of the attribute
* @param value The value of the attribute
*/
public void setAttribute(String name, Object value) {
webAppContext.setAttribute(name, value);
}
/**
* Add a Jersey resource package.
* @param packageName The Java package name containing the Jersey resource.
* @param pathSpec The path spec for the servlet
*/
public void addJerseyResourcePackage(final String packageName,
final String pathSpec) {
addJerseyResourcePackage(packageName, pathSpec,
Collections.emptyMap());
}
/**
* Add a Jersey resource package.
* @param packageName The Java package name containing the Jersey resource.
* @param pathSpec The path spec for the servlet
* @param params properties and features for ResourceConfig
*/
public void addJerseyResourcePackage(final String packageName,
final String pathSpec, Map params) {
LOG.info("addJerseyResourcePackage: packageName=" + packageName
+ ", pathSpec=" + pathSpec);
final ServletHolder sh = new ServletHolder(ServletContainer.class);
sh.setInitParameter("com.sun.jersey.config.property.resourceConfigClass",
"com.sun.jersey.api.core.PackagesResourceConfig");
sh.setInitParameter("com.sun.jersey.config.property.packages", packageName);
for (Map.Entry entry : params.entrySet()) {
sh.setInitParameter(entry.getKey(), entry.getValue());
}
webAppContext.addServlet(sh, pathSpec);
}
/**
* Add a servlet in the server.
* @param name The name of the servlet (can be passed as null)
* @param pathSpec The path spec for the servlet
* @param clazz The servlet class
*/
public void addServlet(String name, String pathSpec,
Class extends HttpServlet> clazz) {
addInternalServlet(name, pathSpec, clazz, false);
}
/**
* Add an internal servlet in the server.
* Note: This method is to be used for adding servlets that facilitate
* internal communication and not for user facing functionality. For
* servlets added using this method, filters are not enabled.
*
* @param name The name of the servlet (can be passed as null)
* @param pathSpec The path spec for the servlet
* @param clazz The servlet class
*/
public void addInternalServlet(String name, String pathSpec,
Class extends HttpServlet> clazz) {
addInternalServlet(name, pathSpec, clazz, false);
}
/**
* Add an internal servlet in the server, specifying whether or not to
* protect with Kerberos authentication.
* Note: This method is to be used for adding servlets that facilitate
* internal communication and not for user facing functionality. For
* servlets added using this method, filters (except internal Kerberos
* filters) are not enabled.
*
* @param name The name of the servlet (can be passed as null)
* @param pathSpec The path spec for the servlet
* @param clazz The servlet class
* @param requireAuth Require Kerberos authenticate to access servlet
*/
public void addInternalServlet(String name, String pathSpec,
Class extends HttpServlet> clazz, boolean requireAuth) {
ServletHolder holder = new ServletHolder(clazz);
if (name != null) {
holder.setName(name);
}
// Jetty doesn't like the same path spec mapping to different servlets, so
// if there's already a mapping for this pathSpec, remove it and assume that
// the newest one is the one we want
final ServletMapping[] servletMappings =
webAppContext.getServletHandler().getServletMappings();
for (int i = 0; i < servletMappings.length; i++) {
if (servletMappings[i].containsPathSpec(pathSpec)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Found existing " + servletMappings[i].getServletName() +
" servlet at path " + pathSpec + "; will replace mapping" +
" with " + holder.getName() + " servlet");
}
ServletMapping[] newServletMappings =
ArrayUtil.removeFromArray(servletMappings, servletMappings[i]);
webAppContext.getServletHandler()
.setServletMappings(newServletMappings);
break;
}
}
webAppContext.addServlet(holder, pathSpec);
}
/**
* Add an internal servlet in the server, with initialization parameters.
* Note: This method is to be used for adding servlets that facilitate
* internal communication and not for user facing functionality. For
* servlets added using this method, filters (except internal Kerberos
* filters) are not enabled.
*
* @param name The name of the servlet (can be passed as null)
* @param pathSpec The path spec for the servlet
* @param clazz The servlet class
* @param params init parameters
*/
public void addInternalServlet(String name, String pathSpec,
Class extends HttpServlet> clazz, Map params) {
// Jetty doesn't like the same path spec mapping to different servlets, so
// if there's already a mapping for this pathSpec, remove it and assume that
// the newest one is the one we want
final ServletHolder sh = new ServletHolder(clazz);
sh.setName(name);
sh.setInitParameters(params);
final ServletMapping[] servletMappings =
webAppContext.getServletHandler().getServletMappings();
for (int i = 0; i < servletMappings.length; i++) {
if (servletMappings[i].containsPathSpec(pathSpec)) {
if (LOG.isDebugEnabled()) {
LOG.debug("Found existing " + servletMappings[i].getServletName() +
" servlet at path " + pathSpec + "; will replace mapping" +
" with " + sh.getName() + " servlet");
}
ServletMapping[] newServletMappings =
ArrayUtil.removeFromArray(servletMappings, servletMappings[i]);
webAppContext.getServletHandler()
.setServletMappings(newServletMappings);
break;
}
}
webAppContext.addServlet(sh, pathSpec);
}
/**
* Add the given handler to the front of the list of handlers.
*
* @param handler The handler to add
*/
public void addHandlerAtFront(Handler handler) {
Handler[] h = ArrayUtil.prependToArray(
handler, this.handlers.getHandlers(), Handler.class);
handlers.setHandlers(h);
}
/**
* Add the given handler to the end of the list of handlers.
*
* @param handler The handler to add
*/
public void addHandlerAtEnd(Handler handler) {
handlers.addHandler(handler);
}
@Override
public void addFilter(String name, String classname,
Map parameters) {
FilterHolder filterHolder = getFilterHolder(name, classname, parameters);
final String[] userFacingUrls = {"/", "/*" };
FilterMapping fmap = getFilterMapping(name, userFacingUrls);
defineFilter(webAppContext, filterHolder, fmap);
LOG.info(
"Added filter " + name + " (class=" + classname + ") to context "
+ webAppContext.getDisplayName());
final String[] ALL_URLS = { "/*" };
fmap = getFilterMapping(name, ALL_URLS);
for (Map.Entry e
: defaultContexts.entrySet()) {
if (e.getValue()) {
ServletContextHandler ctx = e.getKey();
defineFilter(ctx, filterHolder, fmap);
LOG.info("Added filter " + name + " (class=" + classname
+ ") to context " + ctx.getDisplayName());
}
}
filterNames.add(name);
}
@Override
public void addGlobalFilter(String name, String classname,
Map parameters) {
final String[] ALL_URLS = { "/*" };
FilterHolder filterHolder = getFilterHolder(name, classname, parameters);
FilterMapping fmap = getFilterMapping(name, ALL_URLS);
defineFilter(webAppContext, filterHolder, fmap);
for (ServletContextHandler ctx : defaultContexts.keySet()) {
defineFilter(ctx, filterHolder, fmap);
}
LOG.info("Added global filter '" + name + "' (class=" + classname + ")");
}
/**
* Define a filter for a context and set up default url mappings.
*
* @param ctx ctx.
* @param name name.
* @param classname classname.
* @param parameters parameters.
* @param urls urls.
*/
public static void defineFilter(ServletContextHandler ctx, String name,
String classname, Map parameters, String[] urls) {
FilterHolder filterHolder = getFilterHolder(name, classname, parameters);
FilterMapping fmap = getFilterMapping(name, urls);
defineFilter(ctx, filterHolder, fmap);
}
/**
* Define a filter for a context and set up default url mappings.
*/
private static void defineFilter(ServletContextHandler ctx,
FilterHolder holder, FilterMapping fmap) {
ServletHandler handler = ctx.getServletHandler();
handler.addFilter(holder, fmap);
}
private static FilterMapping getFilterMapping(String name, String[] urls) {
FilterMapping fmap = new FilterMapping();
fmap.setPathSpecs(urls);
fmap.setDispatches(FilterMapping.ALL);
fmap.setFilterName(name);
return fmap;
}
private static FilterHolder getFilterHolder(String name, String classname,
Map parameters) {
FilterHolder holder = new FilterHolder();
holder.setName(name);
holder.setClassName(classname);
if (parameters != null) {
holder.setInitParameters(parameters);
}
return holder;
}
/**
* Add the path spec to the filter path mapping.
* @param pathSpec The path spec
* @param webAppCtx The WebApplicationContext to add to
*/
protected void addFilterPathMapping(String pathSpec,
ServletContextHandler webAppCtx) {
ServletHandler handler = webAppCtx.getServletHandler();
for(String name : filterNames) {
FilterMapping fmap = new FilterMapping();
fmap.setPathSpec(pathSpec);
fmap.setFilterName(name);
fmap.setDispatches(FilterMapping.ALL);
handler.addFilterMapping(fmap);
}
}
/**
* Get the value in the webapp context.
* @param name The name of the attribute
* @return The value of the attribute
*/
public Object getAttribute(String name) {
return webAppContext.getAttribute(name);
}
public WebAppContext getWebAppContext(){
return this.webAppContext;
}
/**
* Get the pathname to the webapps files.
* @param appName eg "secondary" or "datanode"
* @return the pathname as a URL
* @throws FileNotFoundException if 'webapps' directory cannot be found
* on CLASSPATH or in the development location.
*/
protected String getWebAppsPath(String appName) throws FileNotFoundException {
URL resourceUrl = null;
File webResourceDevLocation = new File("src/main/webapps", appName);
if (webResourceDevLocation.exists()) {
LOG.info("Web server is in development mode. Resources "
+ "will be read from the source tree.");
try {
resourceUrl = webResourceDevLocation.getParentFile().toURI().toURL();
} catch (MalformedURLException e) {
throw new FileNotFoundException("Mailformed URL while finding the "
+ "web resource dir:" + e.getMessage());
}
} else {
resourceUrl =
getClass().getClassLoader().getResource("webapps/" + appName);
if (resourceUrl == null) {
throw new FileNotFoundException("webapps/" + appName +
" not found in CLASSPATH");
}
}
String urlString = resourceUrl.toString();
return urlString.substring(0, urlString.lastIndexOf('/'));
}
/**
* Get the port that the server is on
* @return the port
*/
@Deprecated
public int getPort() {
return ((ServerConnector)webServer.getConnectors()[0]).getLocalPort();
}
/**
* Get the address that corresponds to a particular connector.
*
* @param index index.
* @return the corresponding address for the connector, or null if there's no
* such connector or the connector is not bounded or was closed.
*/
public InetSocketAddress getConnectorAddress(int index) {
Preconditions.checkArgument(index >= 0);
if (index > webServer.getConnectors().length)
return null;
ServerConnector c = (ServerConnector)webServer.getConnectors()[index];
if (c.getLocalPort() == -1 || c.getLocalPort() == -2) {
// The connector is not bounded or was closed
return null;
}
return new InetSocketAddress(c.getHost(), c.getLocalPort());
}
/**
* Set the min, max number of worker threads (simultaneous connections).
*
* @param min min.
* @param max max.
*/
public void setThreads(int min, int max) {
QueuedThreadPool pool = (QueuedThreadPool) webServer.getThreadPool();
pool.setMinThreads(min);
pool.setMaxThreads(max);
}
private void initSpnego(Configuration conf, String hostName,
Properties authFilterConfigurationPrefixes, String usernameConfKey, String keytabConfKey)
throws IOException {
Map params = new HashMap<>();
for (Map.Entry
© 2015 - 2025 Weber Informatics LLC | Privacy Policy