
Commit 55a5145

HIVE-29603: Support SSL cipher suites inclusion for HS2 HTTP mode and Web UI (apache#6466)
1 parent 5ad73a6 commit 55a5145

4 files changed

Lines changed: 35 additions & 10 deletions


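--- a/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
+++ b/common/src/java/org/apache/hadoop/hive/conf/HiveConf.java
@@ -3858,6 +3858,8 @@ public static enum ConfVars {
 "SSL certificate keystore password for HiveServer2 WebUI."),
 HIVE_SERVER2_WEBUI_SSL_KEYSTORE_TYPE("hive.server2.webui.keystore.type", "",
 "SSL certificate keystore type for HiveServer2 WebUI."),
+HIVE_SERVER2_WEBUI_SSL_INCLUDE_CIPHERSUITES("hive.server2.webui.include.ciphersuites", "",
+"SSL a list of include cipher suite names separated by colon for HiveServer2 WebUI."),
 HIVE_SERVER2_WEBUI_SSL_EXCLUDE_CIPHERSUITES("hive.server2.webui.exclude.ciphersuites", "",
 "SSL a list of exclude cipher suite names or regular expressions separated by comma"
 + " for HiveServer2 WebUI."),
@@ -4375,6 +4377,8 @@ public static enum ConfVars {
 "SSL certificate keystore type."),
 HIVE_SERVER2_SSL_KEYMANAGERFACTORY_ALGORITHM("hive.server2.keymanagerfactory.algorithm", "",
 "SSL certificate keystore algorithm."),
+HIVE_SERVER2_SSL_HTTP_INCLUDE_CIPHERSUITES("hive.server2.http.include.ciphersuites", "",
+"SSL a list of include cipher suite names separated by colon for HiveServer2 http server."),
 HIVE_SERVER2_SSL_HTTP_EXCLUDE_CIPHERSUITES("hive.server2.http.exclude.ciphersuites", "",
 "SSL a list of exclude cipher suite names or regular expressions separated by comma "
 + "for HiveServer2 http server."),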
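Review bot: The descriptions of the two new include properties (`hive.server2.webui.include.ciphersuites` and `hive.server2.http.include.ciphersuites`) do not point out that they are colon-separated while the neighbouring exclude properties are comma-separated, and the phrase "SSL a list of include cipher suite names" is hard to parse. An operator who carries the comma style over to an include list would produce a single token that matches no suite name, so the listener would presumably not get the intended cipher set. I would reword to something like `"Colon-separated list of SSL cipher suite names to enable for HiveServer2 WebUI (the exclude list is comma-separated)."` and do the same for the http server entry. The text should also say whether regular expressions are accepted, as the exclude descriptions do for their lists.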

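--- a/common/src/java/org/apache/hive/http/HttpServer.java
+++ b/common/src/java/org/apache/hive/http/HttpServer.java
@@ -163,6 +163,7 @@ public static class Builder {
 private String keyStorePath;
 private String keyStoreType;
 private String keyManagerFactoryAlgorithm;
+private String includeCiphersuites;
 private String excludeCiphersuites;
 private String spnegoPrincipal;
 private String spnegoKeytab;
@@ -246,6 +247,11 @@ public Builder setKeyManagerFactoryAlgorithm(String keyManagerFactoryAlgorithm)
 return this;
 }
 
+public Builder setIncludeCiphersuites(String includeCiphersuites) {
+this.includeCiphersuites = includeCiphersuites;
+return this;
+}
+
 public Builder setExcludeCiphersuites(String excludeCiphersuites) {
 this.excludeCiphersuites = excludeCiphersuites;
 return this;
@@ -668,12 +674,18 @@ ServerConnector createAndAddChannelConnector(int queueSize, Builder b) {
 sslContextFactory.setKeyManagerFactoryAlgorithm(
 b.keyManagerFactoryAlgorithm == null || b.keyManagerFactoryAlgorithm.isEmpty()?
 KeyManagerFactory.getDefaultAlgorithm() : b.keyManagerFactoryAlgorithm);
+if (b.includeCiphersuites != null && !b.includeCiphersuites.trim().isEmpty()) {
+Set<String> includeCS = Sets.newHashSet(
+Splitter.on(":").trimResults().omitEmptyStrings().split(b.includeCiphersuites));
+if (!includeCS.isEmpty()) {
+sslContextFactory.setIncludeCipherSuites(includeCS.toArray(new String[0]));
+}
+}
 if (b.excludeCiphersuites != null && !b.excludeCiphersuites.trim().isEmpty()) {
 Set<String> excludeCS = Sets.newHashSet(
-Splitter.on(",").trimResults().omitEmptyStrings().split(b.excludeCiphersuites.trim()));
-int eSize = excludeCS.size();
-if (eSize > 0) {
-sslContextFactory.setExcludeCipherSuites(excludeCS.toArray(new String[eSize]));
+Splitter.on(",").trimResults().omitEmptyStrings().split(b.excludeCiphersuites));
+if (!excludeCS.isEmpty()) {
+sslContextFactory.setExcludeCipherSuites(excludeCS.toArray(new String[0]));
 }
 }
 Set<String> excludedSSLProtocols = Sets.newHashSet(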
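Review bot: In the new include block of createAndAddChannelConnector the suite names are collected with `Sets.newHashSet(...)`, which discards the order the operator wrote them in before they reach `sslContextFactory.setIncludeCipherSuites(...)`. If the Jetty version in use derives the server's cipher preference from the include order (worth confirming against that version), a strongest-first ordering in the configuration is lost and the negotiated suite ends up depending on hash iteration order. An order-preserving set keeps the de-duplication: `Set<String> includeCS = Sets.newLinkedHashSet(Splitter.on(":").trimResults().omitEmptyStrings().split(b.includeCiphersuites));`. The same pattern is added in ThriftHttpCLIService.java, and the method body here starts and ends outside the hunk.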

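--- a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
+++ b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
@@ -173,13 +173,21 @@ public void onClosed(Connection connection) {
 sslContextFactory.setKeyStorePassword(keyStorePassword);
 sslContextFactory.setKeyStoreType(keyStoreType);
 sslContextFactory.setKeyManagerFactoryAlgorithm(keyStoreAlgorithm);
-String excludeCiphersuites = hiveConf.getVar(ConfVars.HIVE_SERVER2_SSL_HTTP_EXCLUDE_CIPHERSUITES).trim();
-if (!excludeCiphersuites.trim().isEmpty()) {
+String includeCiphersuites = hiveConf.getVar(ConfVars.HIVE_SERVER2_SSL_HTTP_INCLUDE_CIPHERSUITES);
+if (includeCiphersuites != null && !includeCiphersuites.trim().isEmpty()) {
+Set<String> includeCS = Sets.newHashSet(
+Splitter.on(":").trimResults().omitEmptyStrings().split(includeCiphersuites));
+if (!includeCS.isEmpty()) {
+sslContextFactory.setIncludeCipherSuites(includeCS.toArray(new String[0]));
+}
+}
+
+String excludeCiphersuites = hiveConf.getVar(ConfVars.HIVE_SERVER2_SSL_HTTP_EXCLUDE_CIPHERSUITES);
+if (excludeCiphersuites != null && !excludeCiphersuites.trim().isEmpty()) {
 Set<String> excludeCS = Sets.newHashSet(
-Splitter.on(",").trimResults().omitEmptyStrings().split(excludeCiphersuites.trim()));
-int eSize = excludeCS.size();
-if (eSize > 0) {
-sslContextFactory.setExcludeCipherSuites(excludeCS.toArray(new String[eSize]));
+Splitter.on(",").trimResults().omitEmptyStrings().split(excludeCiphersuites));
+if (!excludeCS.isEmpty()) {
+sslContextFactory.setExcludeCipherSuites(excludeCS.toArray(new String[0]));
 }
 }
 connector = new ServerConnector(server, sslContextFactory, http);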
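Review bot: The include/exclude parsing added here is a near line-for-line copy of the block in HttpServer.createAndAddChannelConnector, differing only in where the string comes from, so the `:` versus `,` separators and the empty checks now have to be kept in sync in two places. A small shared static helper, for example `static String[] splitCipherSuites(String value, String separator)`, called from both sites would remove that drift risk. It would also be a natural place to log the resulting include and exclude lists once at startup, so that a mistyped suite name shows up in the server log rather than only as a failed handshake. The enclosing method starts and ends outside this hunk.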

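--- a/service/src/java/org/apache/hive/service/server/HiveServer2.java
+++ b/service/src/java/org/apache/hive/service/server/HiveServer2.java
@@ -489,6 +489,7 @@ private static HttpServer.Builder createHttpServerBuilder(String webHost, int po
 builder.setKeyStoreType(hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_SSL_KEYSTORE_TYPE));
 builder.setKeyManagerFactoryAlgorithm(
 hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_SSL_KEYMANAGERFACTORY_ALGORITHM));
+builder.setIncludeCiphersuites(hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_SSL_INCLUDE_CIPHERSUITES));
 builder.setExcludeCiphersuites(hiveConf.getVar(ConfVars.HIVE_SERVER2_WEBUI_SSL_EXCLUDE_CIPHERSUITES));
 builder.setUseSSL(true);
 }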
