org.apache.hadoop.hbase.http.HttpServer Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of hbase-http Show documentation
Show all versions of hbase-http Show documentation
HTTP functionality for HBase Servers
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hbase.http;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InterruptedIOException;
import java.io.PrintStream;
import java.net.BindException;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.Servlet;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.hadoop.HadoopIllegalArgumentException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
import org.apache.hadoop.hbase.http.conf.ConfServlet;
import org.apache.hadoop.hbase.http.log.LogLevel;
import org.apache.hadoop.hbase.util.ReflectionUtils;
import org.apache.hadoop.hbase.util.Threads;
import org.apache.hadoop.security.AuthenticationFilterInitializer;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.authorize.ProxyUsers;
import org.apache.hadoop.util.Shell;
import org.apache.hadoop.util.StringUtils;
import org.apache.yetus.audience.InterfaceAudience;
import org.apache.yetus.audience.InterfaceStability;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.hbase.thirdparty.com.google.common.base.Preconditions;
import org.apache.hbase.thirdparty.com.google.common.collect.ImmutableMap;
import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
import org.apache.hbase.thirdparty.org.eclipse.jetty.http.HttpVersion;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.Handler;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpConfiguration;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.HttpConnectionFactory;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.RequestLog;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.SecureRequestCustomizer;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.Server;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.ServerConnector;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.SslConnectionFactory;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.SymlinkAllowedResourceAliasChecker;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.handler.ErrorHandler;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.handler.HandlerCollection;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.handler.RequestLogHandler;
import org.apache.hbase.thirdparty.org.eclipse.jetty.server.handler.gzip.GzipHandler;
import org.apache.hbase.thirdparty.org.eclipse.jetty.servlet.DefaultServlet;
import org.apache.hbase.thirdparty.org.eclipse.jetty.servlet.FilterHolder;
import org.apache.hbase.thirdparty.org.eclipse.jetty.servlet.FilterMapping;
import org.apache.hbase.thirdparty.org.eclipse.jetty.servlet.ServletContextHandler;
import org.apache.hbase.thirdparty.org.eclipse.jetty.servlet.ServletHolder;
import org.apache.hbase.thirdparty.org.eclipse.jetty.util.MultiException;
import org.apache.hbase.thirdparty.org.eclipse.jetty.util.ssl.SslContextFactory;
import org.apache.hbase.thirdparty.org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.apache.hbase.thirdparty.org.eclipse.jetty.webapp.WebAppContext;
import org.apache.hbase.thirdparty.org.glassfish.jersey.server.ResourceConfig;
import org.apache.hbase.thirdparty.org.glassfish.jersey.servlet.ServletContainer;
/**
* Create a Jetty embedded server to answer http requests. The primary goal is to serve up status
* information for the server. There are three contexts: "/logs/" -> points to the log directory
* "/static/" -> points to common static files (src/webapps/static) "/" -> the jsp server code
* from (src/webapps/<name>)
*/
@InterfaceAudience.Private
@InterfaceStability.Evolving
public class HttpServer implements FilterContainer {
private static final Logger LOG = LoggerFactory.getLogger(HttpServer.class);
private static final String EMPTY_STRING = "";
// Jetty's max header size is Character.MAX_VALUE - 1, See ArrayTernaryTrie for more details
// And in newer jetty version, they add a check when creating a server so we must follow this
// limitation otherwise the UTs will fail
private static final int DEFAULT_MAX_HEADER_SIZE = Character.MAX_VALUE - 1;
// Add configuration for jetty idle timeout
private static final String HTTP_JETTY_IDLE_TIMEOUT = "hbase.ui.connection.idleTimeout";
// Default jetty idle timeout
private static final long DEFAULT_HTTP_JETTY_IDLE_TIMEOUT = 30000;
static final String FILTER_INITIALIZERS_PROPERTY = "hbase.http.filter.initializers";
static final String HTTP_MAX_THREADS = "hbase.http.max.threads";
public static final String HTTP_UI_AUTHENTICATION = "hbase.security.authentication.ui";
static final String HTTP_AUTHENTICATION_PREFIX = "hbase.security.authentication.";
static final String HTTP_SPNEGO_AUTHENTICATION_PREFIX = HTTP_AUTHENTICATION_PREFIX + "spnego.";
static final String HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_SUFFIX = "kerberos.principal";
public static final String HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY =
HTTP_SPNEGO_AUTHENTICATION_PREFIX + HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_SUFFIX;
static final String HTTP_SPNEGO_AUTHENTICATION_KEYTAB_SUFFIX = "kerberos.keytab";
public static final String HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY =
HTTP_SPNEGO_AUTHENTICATION_PREFIX + HTTP_SPNEGO_AUTHENTICATION_KEYTAB_SUFFIX;
static final String HTTP_SPNEGO_AUTHENTICATION_KRB_NAME_SUFFIX = "kerberos.name.rules";
public static final String HTTP_SPNEGO_AUTHENTICATION_KRB_NAME_KEY =
HTTP_SPNEGO_AUTHENTICATION_PREFIX + HTTP_SPNEGO_AUTHENTICATION_KRB_NAME_SUFFIX;
static final String HTTP_SPNEGO_AUTHENTICATION_PROXYUSER_ENABLE_SUFFIX =
"kerberos.proxyuser.enable";
public static final String HTTP_SPNEGO_AUTHENTICATION_PROXYUSER_ENABLE_KEY =
HTTP_SPNEGO_AUTHENTICATION_PREFIX + HTTP_SPNEGO_AUTHENTICATION_PROXYUSER_ENABLE_SUFFIX;
public static final boolean HTTP_SPNEGO_AUTHENTICATION_PROXYUSER_ENABLE_DEFAULT = false;
static final String HTTP_AUTHENTICATION_SIGNATURE_SECRET_FILE_SUFFIX = "signature.secret.file";
public static final String HTTP_AUTHENTICATION_SIGNATURE_SECRET_FILE_KEY =
HTTP_AUTHENTICATION_PREFIX + HTTP_AUTHENTICATION_SIGNATURE_SECRET_FILE_SUFFIX;
public static final String HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY =
HTTP_SPNEGO_AUTHENTICATION_PREFIX + "admin.users";
public static final String HTTP_SPNEGO_AUTHENTICATION_ADMIN_GROUPS_KEY =
HTTP_SPNEGO_AUTHENTICATION_PREFIX + "admin.groups";
public static final String HTTP_PRIVILEGED_CONF_KEY =
"hbase.security.authentication.ui.config.protected";
public static final String HTTP_UI_NO_CACHE_ENABLE_KEY = "hbase.http.filter.no-store.enable";
public static final boolean HTTP_PRIVILEGED_CONF_DEFAULT = false;
// The ServletContext attribute where the daemon Configuration
// gets stored.
public static final String CONF_CONTEXT_ATTRIBUTE = "hbase.conf";
public static final String ADMINS_ACL = "admins.acl";
public static final String BIND_ADDRESS = "bind.address";
public static final String SPNEGO_FILTER = "SpnegoFilter";
public static final String SPNEGO_PROXYUSER_FILTER = "SpnegoProxyUserFilter";
public static final String NO_CACHE_FILTER = "NoCacheFilter";
public static final String APP_DIR = "webapps";
public static final String HTTP_UI_SHOW_STACKTRACE_KEY = "hbase.ui.show-stack-traces";
public static final String METRIC_SERVLETS_CONF_KEY = "hbase.http.metrics.servlets";
public static final String[] METRICS_SERVLETS_DEFAULT = { "jmx", "metrics", "prometheus" };
private static final ImmutableMap METRIC_SERVLETS = new ImmutableMap.Builder()
.put("jmx",
new ServletConfig("jmx", "/jmx", "org.apache.hadoop.hbase.http.jmx.JMXJsonServlet"))
.put("metrics",
// MetricsServlet is deprecated in hadoop 2.8 and removed in 3.0. We shouldn't expect it,
// so pass false so that we don't create a noisy warn during instantiation.
new ServletConfig("metrics", "/metrics", "org.apache.hadoop.metrics.MetricsServlet", false))
.put("prometheus", new ServletConfig("prometheus", "/prometheus",
"org.apache.hadoop.hbase.http.prometheus.PrometheusHadoopServlet"))
.build();
private final AccessControlList adminsAcl;
protected final Server webServer;
protected String appDir;
protected String logDir;
private static final class ListenerInfo {
/**
* Boolean flag to determine whether the HTTP server should clean up the listener in stop().
*/
private final boolean isManaged;
private final ServerConnector listener;
private ListenerInfo(boolean isManaged, ServerConnector listener) {
this.isManaged = isManaged;
this.listener = listener;
}
}
private final List listeners = Lists.newArrayList();
public List getServerConnectors() {
return listeners.stream().map(info -> info.listener).collect(Collectors.toList());
}
protected final WebAppContext webAppContext;
protected final boolean findPort;
protected final Map defaultContexts = new HashMap<>();
protected final List filterNames = new ArrayList<>();
protected final boolean authenticationEnabled;
static final String STATE_DESCRIPTION_ALIVE = " - alive";
static final String STATE_DESCRIPTION_NOT_LIVE = " - not live";
/**
* Class to construct instances of HTTP server with specific options.
*/
public static class Builder {
private ArrayList endpoints = Lists.newArrayList();
private Configuration conf;
private String[] pathSpecs;
private AccessControlList adminsAcl;
private boolean securityEnabled = false;
private String usernameConfKey;
private String keytabConfKey;
private boolean needsClientAuth;
private String excludeCiphers;
private String hostName;
private String appDir = APP_DIR;
private String logDir;
private boolean findPort;
private String trustStore;
private String trustStorePassword;
private String trustStoreType;
private String keyStore;
private String keyStorePassword;
private String keyStoreType;
// The -keypass option in keytool
private String keyPassword;
private String kerberosNameRulesKey;
private String signatureSecretFileKey;
/**
* @see #setAppDir(String)
* @deprecated Since 0.99.0. Use builder pattern via {@link #setAppDir(String)} instead.
*/
@Deprecated
private String name;
/**
* @see #addEndpoint(URI)
* @deprecated Since 0.99.0. Use builder pattern via {@link #addEndpoint(URI)} instead.
*/
@Deprecated
private String bindAddress;
/**
* @see #addEndpoint(URI)
* @deprecated Since 0.99.0. Use builder pattern via {@link #addEndpoint(URI)} instead.
*/
@Deprecated
private int port = -1;
/**
* Add an endpoint that the HTTP server should listen to. the endpoint of that the HTTP server
* should listen to. The scheme specifies the protocol (i.e. HTTP / HTTPS), the host specifies
* the binding address, and the port specifies the listening port. Unspecified or zero port
* means that the server can listen to any port.
*/
public Builder addEndpoint(URI endpoint) {
endpoints.add(endpoint);
return this;
}
/**
* Set the hostname of the http server. The host name is used to resolve the _HOST field in
* Kerberos principals. The hostname of the first listener will be used if the name is
* unspecified.
*/
public Builder hostName(String hostName) {
this.hostName = hostName;
return this;
}
public Builder trustStore(String location, String password, String type) {
this.trustStore = location;
this.trustStorePassword = password;
this.trustStoreType = type;
return this;
}
public Builder keyStore(String location, String password, String type) {
this.keyStore = location;
this.keyStorePassword = password;
this.keyStoreType = type;
return this;
}
public Builder keyPassword(String password) {
this.keyPassword = password;
return this;
}
/**
* Specify whether the server should authorize the client in SSL connections.
*/
public Builder needsClientAuth(boolean value) {
this.needsClientAuth = value;
return this;
}
/**
* @see #setAppDir(String)
* @deprecated Since 0.99.0. Use {@link #setAppDir(String)} instead.
*/
@Deprecated
public Builder setName(String name) {
this.name = name;
return this;
}
/**
* @see #addEndpoint(URI)
* @deprecated Since 0.99.0. Use {@link #addEndpoint(URI)} instead.
*/
@Deprecated
public Builder setBindAddress(String bindAddress) {
this.bindAddress = bindAddress;
return this;
}
/**
* @see #addEndpoint(URI)
* @deprecated Since 0.99.0. Use {@link #addEndpoint(URI)} instead.
*/
@Deprecated
public Builder setPort(int port) {
this.port = port;
return this;
}
public Builder setFindPort(boolean findPort) {
this.findPort = findPort;
return this;
}
public Builder setConf(Configuration conf) {
this.conf = conf;
return this;
}
public Builder setPathSpec(String[] pathSpec) {
this.pathSpecs = pathSpec;
return this;
}
public Builder setACL(AccessControlList acl) {
this.adminsAcl = acl;
return this;
}
public Builder setSecurityEnabled(boolean securityEnabled) {
this.securityEnabled = securityEnabled;
return this;
}
public Builder setUsernameConfKey(String usernameConfKey) {
this.usernameConfKey = usernameConfKey;
return this;
}
public Builder setKeytabConfKey(String keytabConfKey) {
this.keytabConfKey = keytabConfKey;
return this;
}
public Builder setKerberosNameRulesKey(String kerberosNameRulesKey) {
this.kerberosNameRulesKey = kerberosNameRulesKey;
return this;
}
public Builder setSignatureSecretFileKey(String signatureSecretFileKey) {
this.signatureSecretFileKey = signatureSecretFileKey;
return this;
}
public Builder setAppDir(String appDir) {
this.appDir = appDir;
return this;
}
public Builder setLogDir(String logDir) {
this.logDir = logDir;
return this;
}
public void excludeCiphers(String excludeCiphers) {
this.excludeCiphers = excludeCiphers;
}
public HttpServer build() throws IOException {
// Do we still need to assert this non null name if it is deprecated?
if (this.name == null) {
throw new HadoopIllegalArgumentException("name is not set");
}
// Make the behavior compatible with deprecated interfaces
if (bindAddress != null && port != -1) {
try {
endpoints.add(0, new URI("http", "", bindAddress, port, "", "", ""));
} catch (URISyntaxException e) {
throw new HadoopIllegalArgumentException("Invalid endpoint: " + e);
}
}
if (endpoints.isEmpty()) {
throw new HadoopIllegalArgumentException("No endpoints specified");
}
if (hostName == null) {
hostName = endpoints.get(0).getHost();
}
if (this.conf == null) {
conf = new Configuration();
}
HttpServer server = new HttpServer(this);
for (URI ep : endpoints) {
ServerConnector listener = null;
String scheme = ep.getScheme();
HttpConfiguration httpConfig = new HttpConfiguration();
httpConfig.setSecureScheme("https");
httpConfig.setHeaderCacheSize(DEFAULT_MAX_HEADER_SIZE);
httpConfig.setResponseHeaderSize(DEFAULT_MAX_HEADER_SIZE);
httpConfig.setRequestHeaderSize(DEFAULT_MAX_HEADER_SIZE);
httpConfig.setSendServerVersion(false);
if ("http".equals(scheme)) {
listener = new ServerConnector(server.webServer, new HttpConnectionFactory(httpConfig));
} else if ("https".equals(scheme)) {
HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
httpsConfig.addCustomizer(new SecureRequestCustomizer());
SslContextFactory.Server sslCtxFactory = new SslContextFactory.Server();
sslCtxFactory.setNeedClientAuth(needsClientAuth);
sslCtxFactory.setKeyManagerPassword(keyPassword);
if (keyStore != null) {
sslCtxFactory.setKeyStorePath(keyStore);
sslCtxFactory.setKeyStoreType(keyStoreType);
sslCtxFactory.setKeyStorePassword(keyStorePassword);
}
if (trustStore != null) {
sslCtxFactory.setTrustStorePath(trustStore);
sslCtxFactory.setTrustStoreType(trustStoreType);
sslCtxFactory.setTrustStorePassword(trustStorePassword);
}
if (excludeCiphers != null && !excludeCiphers.trim().isEmpty()) {
sslCtxFactory.setExcludeCipherSuites(StringUtils.getTrimmedStrings(excludeCiphers));
LOG.debug("Excluded SSL Cipher List:" + excludeCiphers);
}
listener = new ServerConnector(server.webServer,
new SslConnectionFactory(sslCtxFactory, HttpVersion.HTTP_1_1.toString()),
new HttpConnectionFactory(httpsConfig));
} else {
throw new HadoopIllegalArgumentException("unknown scheme for endpoint:" + ep);
}
// default settings for connector
listener.setAcceptQueueSize(128);
// config idle timeout for jetty
listener
.setIdleTimeout(conf.getLong(HTTP_JETTY_IDLE_TIMEOUT, DEFAULT_HTTP_JETTY_IDLE_TIMEOUT));
if (Shell.WINDOWS) {
// result of setting the SO_REUSEADDR flag is different on Windows
// http://msdn.microsoft.com/en-us/library/ms740621(v=vs.85).aspx
// without this 2 NN's can start on the same machine and listen on
// the same port with indeterminate routing of incoming requests to them
listener.setReuseAddress(false);
}
listener.setHost(ep.getHost());
listener.setPort(ep.getPort() == -1 ? 0 : ep.getPort());
server.addManagedListener(listener);
}
server.loadListeners();
return server;
}
}
/**
* @see #HttpServer(String, String, int, boolean, Configuration)
* @deprecated Since 0.99.0
*/
@Deprecated
public HttpServer(String name, String bindAddress, int port, boolean findPort)
throws IOException {
this(name, bindAddress, port, findPort, new Configuration());
}
/**
* Create a status server on the given port. Allows you to specify the path specifications that
* this server will be serving so that they will be added to the filters properly.
* @param name The name of the server
* @param bindAddress The address for this server
* @param port The port to use on the server
* @param findPort whether the server should start at the given port and increment by 1 until
* it finds a free port.
* @param conf Configuration
* @param pathSpecs Path specifications that this httpserver will be serving. These will be
* added to any filters.
* @deprecated Since 0.99.0
*/
@Deprecated
public HttpServer(String name, String bindAddress, int port, boolean findPort, Configuration conf,
String[] pathSpecs) throws IOException {
this(name, bindAddress, port, findPort, conf, null, pathSpecs);
}
/**
* Create a status server on the given port. The jsp scripts are taken from
* src/webapps/<name>.
* @param name The name of the server
* @param port The port to use on the server
* @param findPort whether the server should start at the given port and increment by 1 until it
* finds a free port.
* @param conf Configuration
* @deprecated Since 0.99.0
*/
@Deprecated
public HttpServer(String name, String bindAddress, int port, boolean findPort, Configuration conf)
throws IOException {
this(name, bindAddress, port, findPort, conf, null, null);
}
/**
* Creates a status server on the given port. The JSP scripts are taken from
* src/webapp<name>.
* @param name the name of the server
* @param bindAddress the address for this server
* @param port the port to use on the server
* @param findPort whether the server should start at the given port and increment by 1 until
* it finds a free port
* @param conf the configuration to use
* @param adminsAcl {@link AccessControlList} of the admins
* @throws IOException when creating the server fails
* @deprecated Since 0.99.0
*/
@Deprecated
public HttpServer(String name, String bindAddress, int port, boolean findPort, Configuration conf,
AccessControlList adminsAcl) throws IOException {
this(name, bindAddress, port, findPort, conf, adminsAcl, null);
}
/**
* Create a status server on the given port. The jsp scripts are taken from
* src/webapps/<name>.
* @param name The name of the server
* @param bindAddress The address for this server
* @param port The port to use on the server
* @param findPort whether the server should start at the given port and increment by 1 until
* it finds a free port.
* @param conf Configuration
* @param adminsAcl {@link AccessControlList} of the admins
* @param pathSpecs Path specifications that this httpserver will be serving. These will be
* added to any filters.
* @deprecated Since 0.99.0
*/
@Deprecated
public HttpServer(String name, String bindAddress, int port, boolean findPort, Configuration conf,
AccessControlList adminsAcl, String[] pathSpecs) throws IOException {
this(new Builder().setName(name).addEndpoint(URI.create("http://" + bindAddress + ":" + port))
.setFindPort(findPort).setConf(conf).setACL(adminsAcl).setPathSpec(pathSpecs));
}
private HttpServer(final Builder b) throws IOException {
this.appDir = b.appDir;
this.logDir = b.logDir;
final String appDir = getWebAppsPath(b.name);
int maxThreads = b.conf.getInt(HTTP_MAX_THREADS, 16);
// If HTTP_MAX_THREADS is less than or equal to 0, QueueThreadPool() will use the
// default value (currently 200).
QueuedThreadPool threadPool =
maxThreads <= 0 ? new QueuedThreadPool() : new QueuedThreadPool(maxThreads);
threadPool.setDaemon(true);
this.webServer = new Server(threadPool);
this.adminsAcl = b.adminsAcl;
this.webAppContext = createWebAppContext(b.name, b.conf, adminsAcl, appDir);
this.findPort = b.findPort;
this.authenticationEnabled = b.securityEnabled;
initializeWebServer(b.name, b.hostName, b.conf, b.pathSpecs, b);
this.webServer.setHandler(buildGzipHandler(this.webServer.getHandler()));
}
private void initializeWebServer(String name, String hostName, Configuration conf,
String[] pathSpecs, HttpServer.Builder b) throws FileNotFoundException, IOException {
Preconditions.checkNotNull(webAppContext);
HandlerCollection handlerCollection = new HandlerCollection();
ContextHandlerCollection contexts = new ContextHandlerCollection();
RequestLog requestLog = HttpRequestLog.getRequestLog(name);
if (requestLog != null) {
RequestLogHandler requestLogHandler = new RequestLogHandler();
requestLogHandler.setRequestLog(requestLog);
handlerCollection.addHandler(requestLogHandler);
}
final String appDir = getWebAppsPath(name);
handlerCollection.addHandler(contexts);
handlerCollection.addHandler(webAppContext);
webServer.setHandler(handlerCollection);
webAppContext.setAttribute(ADMINS_ACL, adminsAcl);
// Default apps need to be set first, so that all filters are applied to them.
// Because they're added to defaultContexts, we need them there before we start
// adding filters
addDefaultApps(contexts, appDir, conf);
addGlobalFilter("safety", QuotingInputFilter.class.getName(), null);
addGlobalFilter("clickjackingprevention", ClickjackingPreventionFilter.class.getName(),
ClickjackingPreventionFilter.getDefaultParameters(conf));
HttpConfig httpConfig = new HttpConfig(conf);
addGlobalFilter("securityheaders", SecurityHeadersFilter.class.getName(),
SecurityHeadersFilter.getDefaultParameters(conf, httpConfig.isSecure()));
// But security needs to be enabled prior to adding the other servlets
if (authenticationEnabled) {
initSpnego(conf, hostName, b.usernameConfKey, b.keytabConfKey, b.kerberosNameRulesKey,
b.signatureSecretFileKey);
}
final FilterInitializer[] initializers = getFilterInitializers(conf);
if (initializers != null) {
conf = new Configuration(conf);
conf.set(BIND_ADDRESS, hostName);
for (FilterInitializer c : initializers) {
c.initFilter(this, conf);
}
}
addDefaultServlets(contexts, conf);
if (pathSpecs != null) {
for (String path : pathSpecs) {
LOG.info("adding path spec: " + path);
addFilterPathMapping(path, webAppContext);
}
}
// Check if disable stack trace property is configured
if (!conf.getBoolean(HTTP_UI_SHOW_STACKTRACE_KEY, true)) {
// Disable stack traces for server errors in UI
webServer.setErrorHandler(new ErrorHandler());
webServer.getErrorHandler().setShowStacks(false);
// Disable stack traces for web app errors in UI
webAppContext.getErrorHandler().setShowStacks(false);
}
}
private void addManagedListener(ServerConnector connector) {
listeners.add(new ListenerInfo(true, connector));
}
private static WebAppContext createWebAppContext(String name, Configuration conf,
AccessControlList adminsAcl, final String appDir) {
WebAppContext ctx = new WebAppContext();
ctx.setDisplayName(name);
ctx.setContextPath("/");
ctx.setWar(appDir + "/" + name);
ctx.getServletContext().setAttribute(CONF_CONTEXT_ATTRIBUTE, conf);
// for org.apache.hadoop.metrics.MetricsServlet
ctx.getServletContext().setAttribute(org.apache.hadoop.http.HttpServer2.CONF_CONTEXT_ATTRIBUTE,
conf);
ctx.getServletContext().setAttribute(ADMINS_ACL, adminsAcl);
addNoCacheFilter(ctx, conf);
return ctx;
}
/**
* Construct and configure an instance of {@link GzipHandler}. With complex
* multi-{@link WebAppContext} configurations, it's easiest to apply this handler directly to the
* instance of {@link Server} near the end of its configuration, something like
*
*
* Server server = new Server();
* // ...
* server.setHandler(buildGzipHandler(server.getHandler()));
* server.start();
*
*/
public static GzipHandler buildGzipHandler(final Handler wrapped) {
final GzipHandler gzipHandler = new GzipHandler();
gzipHandler.setHandler(wrapped);
return gzipHandler;
}
private static void addNoCacheFilter(ServletContextHandler ctxt, Configuration conf) {
if (conf.getBoolean(HTTP_UI_NO_CACHE_ENABLE_KEY, false)) {
Map filterConfig =
AuthenticationFilterInitializer.getFilterConfigMap(conf, "hbase.http.filter.");
defineFilter(ctxt, NO_CACHE_FILTER, NoCacheFilter.class.getName(), filterConfig,
new String[] { "/*" });
} else {
defineFilter(ctxt, NO_CACHE_FILTER, NoCacheFilter.class.getName(),
Collections. emptyMap(), new String[] { "/*" });
}
}
/** Get an array of FilterConfiguration specified in the conf */
private static FilterInitializer[] getFilterInitializers(Configuration conf) {
if (conf == null) {
return null;
}
Class[] classes = conf.getClasses(FILTER_INITIALIZERS_PROPERTY);
if (classes == null) {
return null;
}
FilterInitializer[] initializers = new FilterInitializer[classes.length];
for (int i = 0; i < classes.length; i++) {
initializers[i] = (FilterInitializer) ReflectionUtils.newInstance(classes[i]);
}
return initializers;
}
/**
* Add default apps.
* @param appDir The application directory
*/
protected void addDefaultApps(ContextHandlerCollection parent, final String appDir,
Configuration conf) {
// set up the context for "/logs/" if "hadoop.log.dir" property is defined.
String logDir = this.logDir;
if (logDir == null) {
logDir = System.getProperty("hadoop.log.dir");
}
if (logDir != null) {
ServletContextHandler logContext = new ServletContextHandler(parent, "/logs");
logContext.addServlet(AdminAuthorizedServlet.class, "/*");
logContext.setResourceBase(logDir);
logContext.setDisplayName("logs");
configureAliasChecks(logContext,
conf.getBoolean(ServerConfigurationKeys.HBASE_JETTY_LOGS_SERVE_ALIASES,
ServerConfigurationKeys.DEFAULT_HBASE_JETTY_LOGS_SERVE_ALIASES));
setContextAttributes(logContext, conf);
addNoCacheFilter(logContext, conf);
defaultContexts.put(logContext, true);
}
// set up the context for "/static/*"
ServletContextHandler staticContext = new ServletContextHandler(parent, "/static");
staticContext.setResourceBase(appDir + "/static");
staticContext.addServlet(DefaultServlet.class, "/*");
staticContext.setDisplayName("static");
setContextAttributes(staticContext, conf);
defaultContexts.put(staticContext, true);
}
/**
* This method configures the alias checks for the given ServletContextHandler based on the
* provided value of shouldServeAlias.
* If shouldServeAlias is set to true, it checks if SymlinkAllowedResourceAliasChecker is already
* a part of the alias check list. If it is already a part of the list, no changes are made, else,
* it adds it to the list.
* If shouldServeAlias is set to false, it clears all alias checks from the
* ServletContextHandler.
* .
* @param context The ServletContextHandler whose alias checks are to be configured
* @param shouldServeAlias Whether aliases should be allowed or not
*/
private void configureAliasChecks(ServletContextHandler context, boolean shouldServeAlias) {
if (shouldServeAlias) {
Class aliasCheckerClass = SymlinkAllowedResourceAliasChecker.class;
// check if SymlinkAllowedResourceAliasChecker is already part of alias check list
// NOTE: we are doing this because this is already present in the context (by default)
if (context.getAliasChecks().stream().anyMatch(aliasCheckerClass::isInstance)) {
LOG.debug("{} is already part of alias check list", aliasCheckerClass.getName());
} else {
context.addAliasCheck(new SymlinkAllowedResourceAliasChecker(context));
LOG.debug("{} added to the alias check list", aliasCheckerClass.getName());
}
LOG.info("Serving aliases allowed for /logs context");
} else {
// if aliasing is disabled, then we should clear the alias check list
context.clearAliasChecks();
LOG.info("Serving aliases disabled for /logs context");
}
}
private void setContextAttributes(ServletContextHandler context, Configuration conf) {
context.getServletContext().setAttribute(CONF_CONTEXT_ATTRIBUTE, conf);
context.getServletContext().setAttribute(ADMINS_ACL, adminsAcl);
}
/**
* Add default servlets.
*/
protected void addDefaultServlets(ContextHandlerCollection contexts, Configuration conf)
throws IOException {
// set up default servlets
addPrivilegedServlet("stacks", "/stacks", StackServlet.class);
addPrivilegedServlet("logLevel", "/logLevel", LogLevel.Servlet.class);
// While we don't expect users to have sensitive information in their configuration, they
// might. Give them an option to not expose the service configuration to all users.
if (conf.getBoolean(HTTP_PRIVILEGED_CONF_KEY, HTTP_PRIVILEGED_CONF_DEFAULT)) {
addPrivilegedServlet("conf", "/conf", ConfServlet.class);
} else {
addUnprivilegedServlet("conf", "/conf", ConfServlet.class);
}
final String asyncProfilerHome = ProfileServlet.getAsyncProfilerHome();
if (asyncProfilerHome != null && !asyncProfilerHome.trim().isEmpty()) {
addPrivilegedServlet("prof", "/prof", ProfileServlet.class);
Path tmpDir = Paths.get(ProfileServlet.OUTPUT_DIR);
if (Files.notExists(tmpDir)) {
Files.createDirectories(tmpDir);
}
ServletContextHandler genCtx = new ServletContextHandler(contexts, "/prof-output-hbase");
genCtx.addServlet(ProfileOutputServlet.class, "/*");
genCtx.setResourceBase(tmpDir.toAbsolutePath().toString());
genCtx.setDisplayName("prof-output-hbase");
} else {
addUnprivilegedServlet("prof", "/prof", ProfileServlet.DisabledServlet.class);
LOG.info("ASYNC_PROFILER_HOME environment variable and async.profiler.home system property "
+ "not specified. Disabling /prof endpoint.");
}
/* register metrics servlets */
String[] enabledServlets = conf.getStrings(METRIC_SERVLETS_CONF_KEY, METRICS_SERVLETS_DEFAULT);
for (String enabledServlet : enabledServlets) {
ServletConfig servletConfig = METRIC_SERVLETS.get(enabledServlet);
if (servletConfig != null) {
try {
Class clz = Class.forName(servletConfig.getClazz());
addPrivilegedServlet(servletConfig.getName(), servletConfig.getPathSpec(),
clz.asSubclass(HttpServlet.class));
} catch (Exception e) {
if (servletConfig.isExpected()) {
// metrics are not critical to read/write, so an exception here shouldn't be fatal
// if the class was expected we should warn though
LOG.warn("Couldn't register the servlet " + enabledServlet, e);
}
}
}
}
}
/**
* Set a value in the webapp context. These values are available to the jsp pages as
* "application.getAttribute(name)".
* @param name The name of the attribute
* @param value The value of the attribute
*/
public void setAttribute(String name, Object value) {
webAppContext.setAttribute(name, value);
}
/**
* Add a Jersey resource package.
* @param packageName The Java package name containing the Jersey resource.
* @param pathSpec The path spec for the servlet
*/
public void addJerseyResourcePackage(final String packageName, final String pathSpec) {
LOG.info("addJerseyResourcePackage: packageName=" + packageName + ", pathSpec=" + pathSpec);
ResourceConfig application = new ResourceConfig().packages(packageName);
final ServletHolder sh = new ServletHolder(new ServletContainer(application));
webAppContext.addServlet(sh, pathSpec);
}
/**
* Adds a servlet in the server that any user can access. This method differs from
* {@link #addPrivilegedServlet(String, String, Class)} in that any authenticated user can
* interact with the servlet added by this method.
* @param name The name of the servlet (can be passed as null)
* @param pathSpec The path spec for the servlet
* @param clazz The servlet class
*/
public void addUnprivilegedServlet(String name, String pathSpec,
Class clazz) {
addServletWithAuth(name, pathSpec, clazz, false);
}
/**
* Adds a servlet in the server that any user can access. This method differs from
* {@link #addPrivilegedServlet(String, ServletHolder)} in that any authenticated user can
* interact with the servlet added by this method.
* @param pathSpec The path spec for the servlet
* @param holder The servlet holder
*/
public void addUnprivilegedServlet(String pathSpec, ServletHolder holder) {
addServletWithAuth(pathSpec, holder, false);
}
/**
* Adds a servlet in the server that only administrators can access. This method differs from
* {@link #addUnprivilegedServlet(String, String, Class)} in that only those authenticated user
* who are identified as administrators can interact with the servlet added by this method.
*/
public void addPrivilegedServlet(String name, String pathSpec,
Class clazz) {
addServletWithAuth(name, pathSpec, clazz, true);
}
/**
* Adds a servlet in the server that only administrators can access. This method differs from
* {@link #addUnprivilegedServlet(String, ServletHolder)} in that only those authenticated user
* who are identified as administrators can interact with the servlet added by this method.
*/
public void addPrivilegedServlet(String pathSpec, ServletHolder holder) {
addServletWithAuth(pathSpec, holder, true);
}
/**
* Internal method to add a servlet to the HTTP server. Developers should not call this method
* directly, but invoke it via {@link #addUnprivilegedServlet(String, String, Class)} or
* {@link #addPrivilegedServlet(String, String, Class)}.
*/
void addServletWithAuth(String name, String pathSpec, Class clazz,
boolean requireAuthz) {
addInternalServlet(name, pathSpec, clazz, requireAuthz);
addFilterPathMapping(pathSpec, webAppContext);
}
/**
* Internal method to add a servlet to the HTTP server. Developers should not call this method
* directly, but invoke it via {@link #addUnprivilegedServlet(String, ServletHolder)} or
* {@link #addPrivilegedServlet(String, ServletHolder)}.
*/
void addServletWithAuth(String pathSpec, ServletHolder holder, boolean requireAuthz) {
addInternalServlet(pathSpec, holder, requireAuthz);
addFilterPathMapping(pathSpec, webAppContext);
}
/**
* Add an internal servlet in the server, specifying whether or not to protect with Kerberos
* authentication. Note: This method is to be used for adding servlets that facilitate internal
* communication and not for user facing functionality. For servlets added using this method,
* filters (except internal Kerberos filters) are not enabled.
* @param name The name of the {@link Servlet} (can be passed as null)
* @param pathSpec The path spec for the {@link Servlet}
* @param clazz The {@link Servlet} class
* @param requireAuthz Require Kerberos authenticate to access servlet
*/
void addInternalServlet(String name, String pathSpec, Class clazz,
boolean requireAuthz) {
ServletHolder holder = new ServletHolder(clazz);
if (name != null) {
holder.setName(name);
}
addInternalServlet(pathSpec, holder, requireAuthz);
}
/**
* Add an internal servlet in the server, specifying whether or not to protect with Kerberos
* authentication. Note: This method is to be used for adding servlets that facilitate internal
* communication and not for user facing functionality. For servlets added using this method,
* filters (except internal Kerberos filters) are not enabled.
* @param pathSpec The path spec for the {@link Servlet}
* @param holder The object providing the {@link Servlet} instance
* @param requireAuthz Require Kerberos authenticate to access servlet
*/
void addInternalServlet(String pathSpec, ServletHolder holder, boolean requireAuthz) {
if (authenticationEnabled && requireAuthz) {
FilterHolder filter = new FilterHolder(AdminAuthorizedFilter.class);
filter.setName(AdminAuthorizedFilter.class.getSimpleName());
FilterMapping fmap = new FilterMapping();
fmap.setPathSpec(pathSpec);
fmap.setDispatches(FilterMapping.ALL);
fmap.setFilterName(AdminAuthorizedFilter.class.getSimpleName());
webAppContext.getServletHandler().addFilter(filter, fmap);
}
webAppContext.getSessionHandler().getSessionCookieConfig().setHttpOnly(true);
webAppContext.getSessionHandler().getSessionCookieConfig().setSecure(true);
webAppContext.addServlet(holder, pathSpec);
}
@Override
public void addFilter(String name, String classname, Map parameters) {
final String[] USER_FACING_URLS = { "*.html", "*.jsp" };
defineFilter(webAppContext, name, classname, parameters, USER_FACING_URLS);
LOG.info("Added filter " + name + " (class=" + classname + ") to context "
+ webAppContext.getDisplayName());
final String[] ALL_URLS = { "/*" };
for (Map.Entry e : defaultContexts.entrySet()) {
if (e.getValue()) {
ServletContextHandler handler = e.getKey();
defineFilter(handler, name, classname, parameters, ALL_URLS);
LOG.info("Added filter " + name + " (class=" + classname + ") to context "
+ handler.getDisplayName());
}
}
filterNames.add(name);
}
@Override
public void addGlobalFilter(String name, String classname, Map parameters) {
final String[] ALL_URLS = { "/*" };
defineFilter(webAppContext, name, classname, parameters, ALL_URLS);
for (ServletContextHandler ctx : defaultContexts.keySet()) {
defineFilter(ctx, name, classname, parameters, ALL_URLS);
}
LOG.info("Added global filter '" + name + "' (class=" + classname + ")");
}
/**
* Define a filter for a context and set up default url mappings.
*/
public static void defineFilter(ServletContextHandler handler, String name, String classname,
Map parameters, String[] urls) {
FilterHolder holder = new FilterHolder();
holder.setName(name);
holder.setClassName(classname);
if (parameters != null) {
holder.setInitParameters(parameters);
}
FilterMapping fmap = new FilterMapping();
fmap.setPathSpecs(urls);
fmap.setDispatches(FilterMapping.ALL);
fmap.setFilterName(name);
handler.getServletHandler().addFilter(holder, fmap);
}
/**
* Add the path spec to the filter path mapping.
* @param pathSpec The path spec
* @param webAppCtx The WebApplicationContext to add to
*/
protected void addFilterPathMapping(String pathSpec, WebAppContext webAppCtx) {
for (String name : filterNames) {
FilterMapping fmap = new FilterMapping();
fmap.setPathSpec(pathSpec);
fmap.setFilterName(name);
fmap.setDispatches(FilterMapping.ALL);
webAppCtx.getServletHandler().addFilterMapping(fmap);
}
}
/**
* Get the value in the webapp context.
* @param name The name of the attribute
* @return The value of the attribute
*/
public Object getAttribute(String name) {
return webAppContext.getAttribute(name);
}
public WebAppContext getWebAppContext() {
return this.webAppContext;
}
public String getWebAppsPath(String appName) throws FileNotFoundException {
return getWebAppsPath(this.appDir, appName);
}
/**
* Get the pathname to the webapps files.
* @param appName eg "secondary" or "datanode"
* @return the pathname as a URL
* @throws FileNotFoundException if 'webapps' directory cannot be found on CLASSPATH.
*/
protected String getWebAppsPath(String webapps, String appName) throws FileNotFoundException {
URL url = getClass().getClassLoader().getResource(webapps + "/" + appName);
if (url == null) {
throw new FileNotFoundException(webapps + "/" + appName + " not found in CLASSPATH");
}
String urlString = url.toString();
return urlString.substring(0, urlString.lastIndexOf('/'));
}
/**
* Get the port that the server is on
* @return the port
* @deprecated Since 0.99.0
*/
@Deprecated
public int getPort() {
return ((ServerConnector) webServer.getConnectors()[0]).getLocalPort();
}
/**
* Get the address that corresponds to a particular connector.
* @return the corresponding address for the connector, or null if there's no such connector or
* the connector is not bounded.
*/
public InetSocketAddress getConnectorAddress(int index) {
Preconditions.checkArgument(index >= 0);
if (index > webServer.getConnectors().length) {
return null;
}
ServerConnector c = (ServerConnector) webServer.getConnectors()[index];
if (c.getLocalPort() == -1 || c.getLocalPort() == -2) {
// -1 if the connector has not been opened
// -2 if it has been closed
return null;
}
return new InetSocketAddress(c.getHost(), c.getLocalPort());
}
/**
* Set the min, max number of worker threads (simultaneous connections).
*/
public void setThreads(int min, int max) {
QueuedThreadPool pool = (QueuedThreadPool) webServer.getThreadPool();
pool.setMinThreads(min);
pool.setMaxThreads(max);
}
private void initSpnego(Configuration conf, String hostName, String usernameConfKey,
String keytabConfKey, String kerberosNameRuleKey, String signatureSecretKeyFileKey)
throws IOException {
Map params = new HashMap<>();
String principalInConf = getOrEmptyString(conf, usernameConfKey);
if (!principalInConf.isEmpty()) {
params.put(HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_SUFFIX,
SecurityUtil.getServerPrincipal(principalInConf, hostName));
}
String httpKeytab = getOrEmptyString(conf, keytabConfKey);
if (!httpKeytab.isEmpty()) {
params.put(HTTP_SPNEGO_AUTHENTICATION_KEYTAB_SUFFIX, httpKeytab);
}
String kerberosNameRule = getOrEmptyString(conf, kerberosNameRuleKey);
if (!kerberosNameRule.isEmpty()) {
params.put(HTTP_SPNEGO_AUTHENTICATION_KRB_NAME_SUFFIX, kerberosNameRule);
}
String signatureSecretKeyFile = getOrEmptyString(conf, signatureSecretKeyFileKey);
if (!signatureSecretKeyFile.isEmpty()) {
params.put(HTTP_AUTHENTICATION_SIGNATURE_SECRET_FILE_SUFFIX, signatureSecretKeyFile);
}
params.put(AuthenticationFilter.AUTH_TYPE, "kerberos");
// Verify that the required options were provided
if (
isMissing(params.get(HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_SUFFIX))
|| isMissing(params.get(HTTP_SPNEGO_AUTHENTICATION_KEYTAB_SUFFIX))
) {
throw new IllegalArgumentException(
usernameConfKey + " and " + keytabConfKey + " are both required in the configuration "
+ "to enable SPNEGO/Kerberos authentication for the Web UI");
}
if (
conf.getBoolean(HTTP_SPNEGO_AUTHENTICATION_PROXYUSER_ENABLE_KEY,
HTTP_SPNEGO_AUTHENTICATION_PROXYUSER_ENABLE_DEFAULT)
) {
// Copy/rename standard hadoop proxyuser settings to filter
for (Map.Entry proxyEntry : conf
.getPropsWithPrefix(ProxyUsers.CONF_HADOOP_PROXYUSER).entrySet()) {
params.put(ProxyUserAuthenticationFilter.PROXYUSER_PREFIX + proxyEntry.getKey(),
proxyEntry.getValue());
}
addGlobalFilter(SPNEGO_PROXYUSER_FILTER, ProxyUserAuthenticationFilter.class.getName(),
params);
} else {
addGlobalFilter(SPNEGO_FILTER, AuthenticationFilter.class.getName(), params);
}
}
/**
* Returns true if the argument is non-null and not whitespace
*/
private boolean isMissing(String value) {
if (null == value) {
return true;
}
return value.trim().isEmpty();
}
/**
* Extracts the value for the given key from the configuration of returns a string of zero length.
*/
private String getOrEmptyString(Configuration conf, String key) {
if (null == key) {
return EMPTY_STRING;
}
final String value = conf.get(key.trim());
return null == value ? EMPTY_STRING : value;
}
/**
* Start the server. Does not wait for the server to start.
*/
public void start() throws IOException {
try {
try {
openListeners();
webServer.start();
} catch (IOException ex) {
LOG.info("HttpServer.start() threw a non Bind IOException", ex);
throw ex;
} catch (MultiException ex) {
LOG.info("HttpServer.start() threw a MultiException", ex);
throw ex;
}
// Make sure there is no handler failures.
Handler[] handlers = webServer.getHandlers();
for (int i = 0; i < handlers.length; i++) {
if (handlers[i].isFailed()) {
throw new IOException("Problem in starting http server. Server handlers failed");
}
}
// Make sure there are no errors initializing the context.
Throwable unavailableException = webAppContext.getUnavailableException();
if (unavailableException != null) {
// Have to stop the webserver, or else its non-daemon threads
// will hang forever.
webServer.stop();
throw new IOException("Unable to initialize WebAppContext", unavailableException);
}
} catch (IOException e) {
throw e;
} catch (InterruptedException e) {
throw (IOException) new InterruptedIOException("Interrupted while starting HTTP server")
.initCause(e);
} catch (Exception e) {
throw new IOException("Problem starting http server", e);
}
}
private void loadListeners() {
for (ListenerInfo li : listeners) {
webServer.addConnector(li.listener);
}
}
/**
* Open the main listener for the server
* @throws Exception if the listener cannot be opened or the appropriate port is already in use
*/
void openListeners() throws Exception {
for (ListenerInfo li : listeners) {
ServerConnector listener = li.listener;
if (!li.isManaged || (li.listener.getLocalPort() != -1 && li.listener.getLocalPort() != -2)) {
// This listener is either started externally, or has not been opened, or has been closed
continue;
}
int port = listener.getPort();
while (true) {
// jetty has a bug where you can't reopen a listener that previously
// failed to open w/o issuing a close first, even if the port is changed
try {
listener.close();
listener.open();
LOG.info("Jetty bound to port " + listener.getLocalPort());
break;
} catch (IOException ex) {
if (!(ex instanceof BindException) && !(ex.getCause() instanceof BindException)) {
throw ex;
}
if (port == 0 || !findPort) {
BindException be =
new BindException("Port in use: " + listener.getHost() + ":" + listener.getPort());
be.initCause(ex);
throw be;
}
}
// try the next port number
listener.setPort(++port);
Thread.sleep(100);
}
}
}
/**
* stop the server
*/
public void stop() throws Exception {
MultiException exception = null;
for (ListenerInfo li : listeners) {
if (!li.isManaged) {
continue;
}
try {
li.listener.close();
} catch (Exception e) {
LOG.error("Error while stopping listener for webapp" + webAppContext.getDisplayName(), e);
exception = addMultiException(exception, e);
}
}
try {
// clear & stop webAppContext attributes to avoid memory leaks.
webAppContext.clearAttributes();
webAppContext.stop();
} catch (Exception e) {
LOG.error("Error while stopping web app context for webapp " + webAppContext.getDisplayName(),
e);
exception = addMultiException(exception, e);
}
try {
webServer.stop();
} catch (Exception e) {
LOG.error("Error while stopping web server for webapp " + webAppContext.getDisplayName(), e);
exception = addMultiException(exception, e);
}
if (exception != null) {
exception.ifExceptionThrow();
}
}
private MultiException addMultiException(MultiException exception, Exception e) {
if (exception == null) {
exception = new MultiException();
}
exception.add(e);
return exception;
}
public void join() throws InterruptedException {
webServer.join();
}
/**
* Test for the availability of the web server
* @return true if the web server is started, false otherwise
*/
public boolean isAlive() {
return webServer != null && webServer.isStarted();
}
/**
* Return the host and port of the HttpServer, if live
* @return the classname and any HTTP URL
*/
@Override
public String toString() {
if (listeners.isEmpty()) {
return "Inactive HttpServer";
} else {
StringBuilder sb = new StringBuilder("HttpServer (")
.append(isAlive() ? STATE_DESCRIPTION_ALIVE : STATE_DESCRIPTION_NOT_LIVE)
.append("), listening at:");
for (ListenerInfo li : listeners) {
ServerConnector l = li.listener;
sb.append(l.getHost()).append(":").append(l.getPort()).append("/,");
}
return sb.toString();
}
}
/**
* Checks the user has privileges to access to instrumentation servlets.
*
* If hadoop.security.instrumentation.requires.admin is set to FALSE (default value)
* it always returns TRUE.
*
*
* If hadoop.security.instrumentation.requires.admin is set to TRUE it will check
* that if the current user is in the admin ACLS. If the user is in the admin ACLs it returns
* TRUE, otherwise it returns FALSE.
*
* @param servletContext the servlet context.
* @param request the servlet request.
* @param response the servlet response.
* @return TRUE/FALSE based on the logic decribed above.
*/
public static boolean isInstrumentationAccessAllowed(ServletContext servletContext,
HttpServletRequest request, HttpServletResponse response) throws IOException {
Configuration conf = (Configuration) servletContext.getAttribute(CONF_CONTEXT_ATTRIBUTE);
boolean access = true;
boolean adminAccess = conf
.getBoolean(CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN, false);
if (adminAccess) {
access = hasAdministratorAccess(servletContext, request, response);
}
return access;
}
/**
* Does the user sending the HttpServletRequest has the administrator ACLs? If it isn't the case,
* response will be modified to send an error to the user.
* @param servletContext the {@link ServletContext} to use
* @param request the {@link HttpServletRequest} to check
* @param response used to send the error response if user does not have admin access.
* @return true if admin-authorized, false otherwise
* @throws IOException if an unauthenticated or unauthorized user tries to access the page
*/
public static boolean hasAdministratorAccess(ServletContext servletContext,
HttpServletRequest request, HttpServletResponse response) throws IOException {
Configuration conf = (Configuration) servletContext.getAttribute(CONF_CONTEXT_ATTRIBUTE);
AccessControlList acl = (AccessControlList) servletContext.getAttribute(ADMINS_ACL);
return hasAdministratorAccess(conf, acl, request, response);
}
public static boolean hasAdministratorAccess(Configuration conf, AccessControlList acl,
HttpServletRequest request, HttpServletResponse response) throws IOException {
// If there is no authorization, anybody has administrator access.
if (!conf.getBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false)) {
return true;
}
String remoteUser = request.getRemoteUser();
if (remoteUser == null) {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
"Unauthenticated users are not " + "authorized to access this page.");
return false;
}
if (acl != null && !userHasAdministratorAccess(acl, remoteUser)) {
response.sendError(HttpServletResponse.SC_FORBIDDEN,
"User " + remoteUser + " is unauthorized to access this page.");
return false;
}
return true;
}
/**
* Get the admin ACLs from the given ServletContext and check if the given user is in the ACL.
* @param servletContext the context containing the admin ACL.
* @param remoteUser the remote user to check for.
* @return true if the user is present in the ACL, false if no ACL is set or the user is not
* present
*/
public static boolean userHasAdministratorAccess(ServletContext servletContext,
String remoteUser) {
AccessControlList adminsAcl = (AccessControlList) servletContext.getAttribute(ADMINS_ACL);
return userHasAdministratorAccess(adminsAcl, remoteUser);
}
public static boolean userHasAdministratorAccess(AccessControlList acl, String remoteUser) {
UserGroupInformation remoteUserUGI = UserGroupInformation.createRemoteUser(remoteUser);
return acl != null && acl.isUserAllowed(remoteUserUGI);
}
/**
* A very simple servlet to serve up a text representation of the current stack traces. It both
* returns the stacks to the caller and logs them. Currently the stack traces are done
* sequentially rather than exactly the same data.
*/
public static class StackServlet extends HttpServlet {
private static final long serialVersionUID = -6284183679759467039L;
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
if (!HttpServer.isInstrumentationAccessAllowed(getServletContext(), request, response)) {
return;
}
response.setContentType("text/plain; charset=UTF-8");
try (PrintStream out = new PrintStream(response.getOutputStream(), false, "UTF-8")) {
Threads.printThreadInfo(out, "");
out.flush();
}
ReflectionUtils.logThreadInfo(LOG, "jsp requested", 1);
}
}
/**
* A Servlet input filter that quotes all HTML active characters in the parameter names and
* values. The goal is to quote the characters to make all of the servlets resistant to cross-site
* scripting attacks.
*/
@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG)
public static class QuotingInputFilter implements Filter {
private FilterConfig config;
public static class RequestQuoter extends HttpServletRequestWrapper {
private final HttpServletRequest rawRequest;
public RequestQuoter(HttpServletRequest rawRequest) {
super(rawRequest);
this.rawRequest = rawRequest;
}
/**
* Return the set of parameter names, quoting each name.
*/
@Override
public Enumeration getParameterNames() {
return new Enumeration() {
private Enumeration rawIterator = rawRequest.getParameterNames();
@Override
public boolean hasMoreElements() {
return rawIterator.hasMoreElements();
}
@Override
public String nextElement() {
return HtmlQuoting.quoteHtmlChars(rawIterator.nextElement());
}
};
}
/**
* Unquote the name and quote the value.
*/
@Override
public String getParameter(String name) {
return HtmlQuoting
.quoteHtmlChars(rawRequest.getParameter(HtmlQuoting.unquoteHtmlChars(name)));
}
@Override
public String[] getParameterValues(String name) {
String unquoteName = HtmlQuoting.unquoteHtmlChars(name);
String[] unquoteValue = rawRequest.getParameterValues(unquoteName);
if (unquoteValue == null) {
return null;
}
String[] result = new String[unquoteValue.length];
for (int i = 0; i < result.length; ++i) {
result[i] = HtmlQuoting.quoteHtmlChars(unquoteValue[i]);
}
return result;
}
@Override
public Map getParameterMap() {
Map result = new HashMap<>();
Map raw = rawRequest.getParameterMap();
for (Map.Entry item : raw.entrySet()) {
String[] rawValue = item.getValue();
String[] cookedValue = new String[rawValue.length];
for (int i = 0; i < rawValue.length; ++i) {
cookedValue[i] = HtmlQuoting.quoteHtmlChars(rawValue[i]);
}
result.put(HtmlQuoting.quoteHtmlChars(item.getKey()), cookedValue);
}
return result;
}
/**
* Quote the url so that users specifying the HOST HTTP header can't inject attacks.
*/
@Override
public StringBuffer getRequestURL() {
String url = rawRequest.getRequestURL().toString();
return new StringBuffer(HtmlQuoting.quoteHtmlChars(url));
}
/**
* Quote the server name so that users specifying the HOST HTTP header can't inject attacks.
*/
@Override
public String getServerName() {
return HtmlQuoting.quoteHtmlChars(rawRequest.getServerName());
}
}
@Override
public void init(FilterConfig config) throws ServletException {
this.config = config;
}
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
HttpServletRequestWrapper quoted = new RequestQuoter((HttpServletRequest) request);
HttpServletResponse httpResponse = (HttpServletResponse) response;
String mime = inferMimeType(request);
if (mime == null) {
httpResponse.setContentType("text/plain; charset=utf-8");
} else if (mime.startsWith("text/html")) {
// HTML with unspecified encoding, we want to
// force HTML with utf-8 encoding
// This is to avoid the following security issue:
// http://openmya.hacker.jp/hasegawa/security/utf7cs.html
httpResponse.setContentType("text/html; charset=utf-8");
} else if (mime.startsWith("application/xml")) {
httpResponse.setContentType("text/xml; charset=utf-8");
}
chain.doFilter(quoted, httpResponse);
}
/**
* Infer the mime type for the response based on the extension of the request URI. Returns null
* if unknown.
*/
private String inferMimeType(ServletRequest request) {
String path = ((HttpServletRequest) request).getRequestURI();
ServletContext context = config.getServletContext();
return context.getMimeType(path);
}
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy