From 0795828f2632bc79f6fa1ada0e617000ae648d63 Mon Sep 17 00:00:00 2001
From: Balazs Meszaros
Date: Mon, 27 Feb 2023 14:14:59 +0100
Subject: [PATCH 1/2] HBASE-27673 Fix mTLS client authentication
---
 .../hadoop/hbase/ipc/NettyRpcServer.java | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
index a79941e4a7bf..70cdbee06fee 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
@@ -19,10 +19,12 @@
 import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.HBASE_SERVER_NETTY_TLS_ENABLED;
 import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT;
+import static org.apache.hadoop.hbase.io.crypto.tls.X509Util.TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED;
 
 import java.io.IOException;
 import java.io.InterruptedIOException;
 import java.net.InetSocketAddress;
+import java.net.SocketAddress;
 import java.util.List;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.atomic.AtomicReference;
@@ -56,6 +58,7 @@
 import org.apache.hbase.thirdparty.io.netty.handler.codec.FixedLengthFrameDecoder;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.OptionalSslHandler;
 import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslContext;
+import org.apache.hbase.thirdparty.io.netty.handler.ssl.SslHandler;
 import org.apache.hbase.thirdparty.io.netty.util.concurrent.GlobalEventExecutor;
 
 /**
@@ -243,7 +246,29 @@ private void initSSL(ChannelPipeline p, boolean supportPlaintext)
 p.addLast("ssl", new OptionalSslHandler(nettySslContext));
 LOG.debug("Dual mode SSL handler added for channel: {}", p.channel());
 } else {
- p.addLast("ssl", nettySslContext.newHandler(p.channel().alloc()));
+ SocketAddress remoteAddress = p.channel().remoteAddress();
+ SslHandler sslHandler;
+
+ if (remoteAddress instanceof InetSocketAddress) {
+ InetSocketAddress remoteInetAddress = (InetSocketAddress) remoteAddress;
+ String host;
+
+ if (conf.getBoolean(TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED, true)) {
+ host = remoteInetAddress.getHostName();
+ } else {
+ host = remoteInetAddress.getHostString();
+ }
+
+ int port = remoteInetAddress.getPort();
+
+ /* our HostnameVerifier gets the host name from SSLEngine, so we have to construct the
+ * engine properly by passing the remote address */
+ sslHandler = nettySslContext.newHandler(p.channel().alloc(), host, port);
+ } else {
+ sslHandler = nettySslContext.newHandler(p.channel().alloc());
+ }
+
+ p.addLast("ssl", sslHandler);
 LOG.debug("SSL handler added for channel: {}", p.channel());
 }
 }
From 0f2c7e3869d54cc2f2ffcc889769639951addd8a Mon Sep 17 00:00:00 2001
From: Balazs Meszaros
Date: Tue, 28 Feb 2023 09:27:07 +0100
Subject: [PATCH 2/2] spotless fix
---
 .../java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
index 70cdbee06fee..dd5afe92c4e5 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java
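Review bot: `host = remoteInetAddress.getHostName();` performs a blocking reverse DNS lookup for every accepted TLS connection, and the option gating it, `TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED`, defaults to `true` here; initSSL is invoked during pipeline setup, so if that happens on the channel's event loop (likely, though the caller is outside this hunk), a slow or unreachable resolver stalls every other connection on that loop, and an unauthenticated peer can trigger it merely by connecting from an address whose PTR zone times out. The trade-off deserves a comment at the lookup, e.g. `// blocking reverse lookup, on by default: a slow resolver stalls this event loop for every new TLS client; disable via TLS_CONFIG_REVERSE_DNS_LOOKUP_ENABLED where PTR records are unreliable`. The `else` branch that calls `newHandler(p.channel().alloc())` without a peer host quietly leaves the HostnameVerifier with nothing to verify against; what the verifier does with a null host is outside this hunk, so a `LOG.warn` there saying that no peer address is available for hostname verification would make a skipped or failed check diagnosable. With the lookup disabled, `getHostString()` on an accepted connection typically yields the IP literal, so client certificates then need an IP SAN for verification to pass, which the option's documentation should state. initSSL begins before this hunk.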
@@ -261,8 +261,10 @@ private void initSSL(ChannelPipeline p, boolean supportPlaintext)
 
 int port = remoteInetAddress.getPort();
 
- /* our HostnameVerifier gets the host name from SSLEngine, so we have to construct the
- * engine properly by passing the remote address */
+ /*
+ * our HostnameVerifier gets the host name from SSLEngine, so we have to construct the
+ * engine properly by passing the remote address
+ */
 sslHandler = nettySslContext.newHandler(p.channel().alloc(), host, port);
 } else {
 sslHandler = nettySslContext.newHandler(p.channel().alloc());