(doris) branch master updated: [fix](auth)fix be enable http auth, some request link never return. (#44959)

gavinchou Tue, 03 Dec 2024 22:51:49 -0800

This is an automated email from the ASF dual-hosted git repository.

gavinchou pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git



The following commit(s) were added to refs/heads/master by this push:
     new 06466c891bf [fix](auth)fix be enable http auth, some request link 
never return. (#44959)
06466c891bf is described below

commit 06466c891bf3fe86bd02e99a4f5cdd4895d4c8f5
Author: daidai <changyu...@selectdb.com>
AuthorDate: Wed Dec 4 14:51:26 2024 +0800

    [fix](auth)fix be enable http auth, some request link never return. (#44959)
    
    if you `enable_all_http_auth = true` in be.conf, then restart be, and
    keep using `curl -u "xxxx:xxxx" http://127.0.0.1:8040/api/health` while
    be is starting. You may encounter a situation where the link does not
    return.
    Reason:
    When be is still starting, there is no information about fe master. When
    you make an api request to be http port, be needs to request
    authentication information from fe, which will cause it to request a
    machine with empty ip and port 0. This rpc call will definitely fail
    (this is not equivalent to a password error). After receiving this
    failure, be does not `send_reply` to the api requester, so this api
    request cannot be returned.
---
 be/src/http/http_handler_with_auth.cpp | 11 +++++++++++
 be/test/http/http_client_test.cpp      |  8 ++++----
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/be/src/http/http_handler_with_auth.cpp 
b/be/src/http/http_handler_with_auth.cpp
index 518b9868de1..ae5c024e76d 100644
--- a/be/src/http/http_handler_with_auth.cpp
+++ b/be/src/http/http_handler_with_auth.cpp
@@ -35,6 +35,7 @@ HttpHandlerWithAuth::HttpHandlerWithAuth(ExecEnv* exec_env, 
TPrivilegeHier::type
         : _exec_env(exec_env), _hier(hier), _type(type) {}
 
 int HttpHandlerWithAuth::on_header(HttpRequest* req) {
+    //if u return value isn't 0,u should `send_reply`,Avoid requesting links 
that never return.
     TCheckAuthRequest auth_request;
     TCheckAuthResult auth_result;
     AuthInfo auth_info;
@@ -83,6 +84,11 @@ int HttpHandlerWithAuth::on_header(HttpRequest* req) {
 
 #ifndef BE_TEST
     TNetworkAddress master_addr = _exec_env->cluster_info()->master_fe_addr;
+    if (master_addr.hostname.empty() || master_addr.port == 0) {
+        LOG(WARNING) << "Not found master fe, Can't auth API request: " << 
req->debug_string();
+        HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
+        return -1;
+    }
     {
         auto status = ThriftRpcHelper::rpc<FrontendServiceClient>(
                 master_addr.hostname, master_addr.port,
@@ -90,6 +96,10 @@ int HttpHandlerWithAuth::on_header(HttpRequest* req) {
                     client->checkAuth(auth_result, auth_request);
                 });
         if (!status) {
+            LOG(WARNING) << "CheckAuth Rpc Fail.Fe Ip:" << master_addr.hostname
+                         << ", Fe port:" << master_addr.port << ".Status:" << 
status.to_string()
+                         << ".Request: " << req->debug_string();
+            HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
             return -1;
         }
     }
@@ -98,6 +108,7 @@ int HttpHandlerWithAuth::on_header(HttpRequest* req) {
         auth_result.status.status_code = TStatusCode::type::OK;
         auth_result.status.error_msgs.clear();
     } else {
+        HttpChannel::send_reply(req, HttpStatus::FORBIDDEN);
         return -1;
     }
 #endif
diff --git a/be/test/http/http_client_test.cpp 
b/be/test/http/http_client_test.cpp
index d42e0a6775e..c98328d7c8e 100644
--- a/be/test/http/http_client_test.cpp
+++ b/be/test/http/http_client_test.cpp
@@ -413,7 +413,7 @@ TEST_F(HttpClientTest, enable_http_auth) {
         EXPECT_TRUE(!st.ok());
         std::cout << "response = " << response << "\n";
         std::cout << "st.msg() = " << st.msg() << "\n";
-        EXPECT_TRUE(st.msg().find("Operation timed out after") != 
std::string::npos);
+        EXPECT_TRUE(st.msg().find("403") != std::string::npos);
     }
 
     {
@@ -474,7 +474,7 @@ TEST_F(HttpClientTest, enable_http_auth) {
         EXPECT_TRUE(!st.ok());
         std::cout << "response = " << response << "\n";
         std::cout << "st.msg() = " << st.msg() << "\n";
-        EXPECT_TRUE(st.msg().find("Operation timed out after") != 
std::string::npos);
+        EXPECT_TRUE(st.msg().find("403") != std::string::npos);
     }
 
     // valid token
@@ -521,7 +521,7 @@ TEST_F(HttpClientTest, enable_http_auth) {
         EXPECT_TRUE(!st.ok());
         std::cout << "response = " << response << "\n";
         std::cout << "st.msg() = " << st.msg() << "\n";
-        EXPECT_TRUE(st.msg().find("Operation timed out after") != 
std::string::npos);
+        EXPECT_TRUE(st.msg().find("403") != std::string::npos);
     }
 
     std::vector<std::string> check_get_list = {"/api/clear_cache/aa",
@@ -566,7 +566,7 @@ TEST_F(HttpClientTest, enable_http_auth) {
             EXPECT_TRUE(!st.ok());
             std::cout << "response = " << response << "\n";
             std::cout << "st.msg() = " << st.msg() << "\n";
-            EXPECT_TRUE(st.msg().find("Operation timed out after") != 
std::string::npos);
+            EXPECT_TRUE(st.msg().find("403") != std::string::npos);
         }
     }
 }


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org

(doris) branch master updated: [fix](auth)fix be enable http auth, some request link never return. (#44959)

Reply via email to