[SPARK-19220][UI] Make redirection to HTTPS apply to all URIs. #16582
Conversation
The redirect handler was installed only for the root of the server; any other context ended up being served directly through the HTTP port. Since every sub page (e.g. application UIs in the history server) is a separate servlet context, this meant that everything but the root was accessible via HTTP still. The change adds separate names to each connector, and binds contexts to specific connectors so that content is only served through the HTTPS connector when it's enabled. In that case, the only thing that binds to the HTTP connector is the redirect handler. Tested with new unit tests and by checking a live history server.
|
Test build #71353 has finished for PR 16582 at commit
|
|
Test build #71359 has finished for PR 16582 at commit
|
|
Pinging some (random?) people @ajbozarth @srowen @sarutak |
|
The code changes looks good to me, but my experience in code working with SSL is still small so someone with more experience should also double-check. |
|
I'll take a look at this within the weekend. |
|
@vanzin I'm looking into this change and it works well on standalone-mode but doesn't on yarn-mode. The change itself seems good to me. |
Yeah, that's a known issue with enabling SSL for the web UI on YARN with self-signed certificates. |
|
I understand. if there are no additional comments from anyone by tomorrow, I'll merge this. |
|
|
||
| // redirect the HTTP requests to HTTPS port | ||
| httpConnector.setName(REDIRECT_CONNECTOR_NAME) | ||
| collection.addHandler(createRedirectHttpsHandler(securePort, scheme)) |
There was a problem hiding this comment.
I noticed one point.
If a port is already used, collection.addHandler will take place more than twice leading redirection doesn't work properly.
Of course, it's not your fault. If you fix it in this PR together, it's good but it's a separate issue so I'll fix in another PR otherwise.
There was a problem hiding this comment.
Actually that is caused by my change, so let me fix it.
|
Test build #71748 has finished for PR 16582 at commit
|
sarutak
left a comment
sarutak
left a comment
There was a problem hiding this comment.
It almost LGTM.
I leave some comments and have one question.
Why not simply remove old redirect handler like collection.removeHandler ?
| gzipHandlers.foreach(collection.addHandler) | ||
| server.setHandler(collection) | ||
|
|
||
| server.setConnectors(connectors.toArray) |
There was a problem hiding this comment.
Why did you move server.setConnectors(connectors.toArray) and gzipHandlers.foreach(collection.addHandler)?
There was a problem hiding this comment.
Mostly for grouping. "This is where all handlers are added to the server."
In any case I have another change (#16625) that kinda moves all this stuff around anyway...
| addFilters(handlers, conf) | ||
|
|
||
| val gzipHandlers = handlers.map { h => | ||
| h.setVirtualHosts(Array("@" + SPARK_CONNECTOR_NAME)) |
There was a problem hiding this comment.
Do we need this code here? setVirtualHosts should always be called in addHandler for each handler right?
There was a problem hiding this comment.
ContextHandlerCollection.addHandler does not call setVirtualHosts.
There was a problem hiding this comment.
addHandler here means ServerInfo#addHandler, sorry for confusing.
And I noticed serverInfo in WebUI can be None and serverInfo.foreach(_.addHandler(handler)) is not called within WebUI#attachHandler in that case. So I understand it's reasonable change.
Can you add a test case for justification of this change?
There was a problem hiding this comment.
I don't understand what you mean. Without this change the UI does not work at all. The test I added already covers it.
There was a problem hiding this comment.
Without this change the UI does not work at all. The test I added already covers it.
Hmm, it's funny. I commented out this change and ran the test case you added (UISuite and UISeleniumSuite) but it passed.
There was a problem hiding this comment.
Of course I understand this change is needed. I've confirmed it manually.
I find it cleaner to just not do something than to do it then have to undo things when they fail. |
|
O.K, It's reasonable. |
|
|
||
| val (conf, sslOptions) = sslEnabledConf() | ||
| serverInfo = JettyUtils.startJettyServer( | ||
| "0.0.0.0", 0, sslOptions, Seq[ServletContextHandler](newContext("/")), conf) |
There was a problem hiding this comment.
To test the neseccity of setVirtualHost in JettyUtils#StartJettyServer correctly, you might need to add another ServletContextHandler instance like newContext("/test0") and corresponding assertion.
There was a problem hiding this comment.
See commit 67df755 (the second commit in this PR). Tests failed before that commit.
|
Test build #72000 has finished for PR 16582 at commit
|
|
The latest change LGTM. Merging into |
|
This change cannot be applied to |
|
I wasn't really planning to backport this, unless someone is really interested in this functionality. |
The redirect handler was installed only for the root of the server; any other context ended up being served directly through the HTTP port. Since every sub page (e.g. application UIs in the history server) is a separate servlet context, this meant that everything but the root was accessible via HTTP still. The change adds separate names to each connector, and binds contexts to specific connectors so that content is only served through the HTTPS connector when it's enabled. In that case, the only thing that binds to the HTTP connector is the redirect handler. Tested with new unit tests and by checking a live history server. Author: Marcelo Vanzin <[email protected]> Closes apache#16582 from vanzin/SPARK-19220. (cherry picked from commit d3dcb63)
The redirect handler was installed only for the root of the server; any other context ended up being served directly through the HTTP port. Since every sub page (e.g. application UIs in the history server) is a separate servlet context, this meant that everything but the root was accessible via HTTP still. The change adds separate names to each connector, and binds contexts to specific connectors so that content is only served through the HTTPS connector when it's enabled. In that case, the only thing that binds to the HTTP connector is the redirect handler. Tested with new unit tests and by checking a live history server. Author: Marcelo Vanzin <[email protected]> Closes apache#16582 from vanzin/SPARK-19220.
The redirect handler was installed only for the root of the server; any other context ended up being served directly through the HTTP port. Since every sub page (e.g. application UIs in the history server) is a separate servlet context, this meant that everything but the root was accessible via HTTP still. The change adds separate names to each connector, and binds contexts to specific connectors so that content is only served through the HTTPS connector when it's enabled. In that case, the only thing that binds to the HTTP connector is the redirect handler. Tested with new unit tests and by checking a live history server. Author: Marcelo Vanzin <[email protected]> Closes apache#16582 from vanzin/SPARK-19220.
4 participants
The redirect handler was installed only for the root of the server;
any other context ended up being served directly through the HTTP
port. Since every sub page (e.g. application UIs in the history
server) is a separate servlet context, this meant that everything
but the root was accessible via HTTP still.
The change adds separate names to each connector, and binds contexts
to specific connectors so that content is only served through the
HTTPS connector when it's enabled. In that case, the only thing that
binds to the HTTP connector is the redirect handler.
Tested with new unit tests and by checking a live history server.