This is an automated email from the ASF dual-hosted git repository.

michaelsmith pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git


The following commit(s) were added to refs/heads/master by this push:
     new c1a70701e IMPALA-14749: Fix warning with Python 3.12
c1a70701e is described below

commit c1a70701e55c068a7262815b064c4fe8206966bc
Author: Michael Smith <[email protected]>
AuthorDate: Tue Feb 17 13:04:49 2026 -0800

    IMPALA-14749: Fix warning with Python 3.12
    
    Updates Thrift to the latest release - allowing us to drop several
    custom fixes - and removing the warning printed when impala-shell starts
    up saying "using legacy validation callback".
    
    Change-Id: Ib1dbbe1b12dc954725bafa55ec5c4b790db9c1b7
    Reviewed-on: http://gerrit.cloudera.org:8080/23987
    Tested-by: Impala Public Jenkins <[email protected]>
    Reviewed-by: Csaba Ringhofer <[email protected]>
    Reviewed-by: Joe McDonnell <[email protected]>
---
 shell/impala_shell/TSSLSocketWithFixes.py | 67 -------------------------------
 shell/impala_shell/impala_client.py       | 10 +++--
 shell/requirements.txt                    |  2 +-
 tests/util/thrift_util.py                 | 10 ++---
 4 files changed, 11 insertions(+), 78 deletions(-)

diff --git a/shell/impala_shell/TSSLSocketWithFixes.py 
b/shell/impala_shell/TSSLSocketWithFixes.py
deleted file mode 100644
index b66699acf..000000000
--- a/shell/impala_shell/TSSLSocketWithFixes.py
+++ /dev/null
@@ -1,67 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-from __future__ import absolute_import, print_function, unicode_literals
-import ssl
-
-from thrift.transport.TSSLSocket import TSSLSocket
-
-
-def openssl_fallback(*_args):
-  return True
-
-
-class TSSLSocketWithFixes(TSSLSocket):
-  """
-  This is a subclass of Thrift 0.16.0's TSSLSocket
-  
https://github.com/apache/thrift/blob/0.16.0/lib/py/src/transport/TSSLSocket.py
-  that fixes isOpen (THRIFT-5595) and adds support for Python 3.12+.
-
-  Requires Python 2.7.9+ or Python 3.2+. For Python 2.7 and 3.2-3.9, uses 
match_hostname
-  and PROTOCOL_TLS. For Python 3.10 and 3.11, uses match_hostname and 
PROTOCOL_TLS_CLIENT.
-  For Python 3.12+, relies solely on OpenSSL's built-in hostname validation, 
enabled by
-  PROTOCOL_TLS_CLIENT.
-  """
-  def __init__(self, host, port, cert_reqs, ca_certs=None):
-    # Implement Python 3.12 override from Thrift 0.22.0
-    # 
https://github.com/apache/thrift/commit/23e0e5ce75300451f49727ee438edbc76fcbb372
-    # Earlier versions continue to use ssl.match_hostname, which is available 
in
-    # Python 2.7.9+ and Python 3.2+.
-    ssl_version = ssl.PROTOCOL_SSLv23
-    try:
-      from ssl import match_hostname
-      validate_callback = match_hostname
-    except ImportError:
-      validate_callback = openssl_fallback
-      # ssl.PROTOCOL_TLS_CLIENT is available in Python 3.6+ and enables secure 
defaults
-      # (CERT_REQUIRED, check_hostname). Only use it when match_hostname is 
unavailable
-      # (i.e. Python 3.12+) to avoid regressing the clarity of error messages 
in earlier
-      # versions. See https://issues.apache.org/jira/browse/THRIFT-792 for 
future work.
-      assert hasattr(ssl, "PROTOCOL_TLS_CLIENT")
-      if cert_reqs == ssl.CERT_NONE:
-        # If no cert verification is requested, use the most compatible option.
-        ssl_version = ssl.PROTOCOL_TLS
-      else:
-        # This also enables CERT_REQUIRED and check_hostname by default.
-        ssl_version = ssl.PROTOCOL_TLS_CLIENT
-
-    TSSLSocket.__init__(self, host=host, port=port, cert_reqs=cert_reqs,
-                        ca_certs=ca_certs, ssl_version=ssl_version,
-                        validate_callback=validate_callback)
-
-  # THRIFT-5595: override TSocket.isOpen because it's broken for TSSLSocket
-  def isOpen(self):
-    return self.handle is not None
diff --git a/shell/impala_shell/impala_client.py 
b/shell/impala_shell/impala_client.py
index c56e88b15..5ccf1a463 100644
--- a/shell/impala_shell/impala_client.py
+++ b/shell/impala_shell/impala_client.py
@@ -33,6 +33,7 @@ import sasl
 from thrift.protocol import TBinaryProtocol
 from thrift.Thrift import TApplicationException, TException
 from thrift.transport.TSocket import TSocket
+from thrift.transport.TSSLSocket import TSSLSocket
 from thrift.transport.TTransport import TBufferedTransport, TTransportException
 from thrift_sasl import TSaslClientTransport
 
@@ -49,7 +50,6 @@ from impala_shell.shell_exceptions import (
     RPCException,
 )
 from impala_shell.thrift_printer import ThriftPrettyPrinter
-from impala_shell.TSSLSocketWithFixes import TSSLSocketWithFixes
 from impala_shell.value_converter import HS2ValueConverter
 from impala_thrift_gen.beeswax import BeeswaxService
 from impala_thrift_gen.beeswax.BeeswaxService import QueryState
@@ -508,10 +508,12 @@ class ImpalaClient(object):
     sock_port = self.impalad_port
     if self.use_ssl:
       if self.ca_cert is None:
-        # No CA cert means don't try to verify the certificate
-        sock = TSSLSocketWithFixes(sock_host, sock_port, 
cert_reqs=ssl.CERT_NONE)
+        # No CA cert means don't try to verify the certificate. TSSLSocket 
defaults to
+        # ssl.PROTOCOL_TLS_CLIENT - which verifies certs - so override to 
PROTOCOL_TLS.
+        sock = TSSLSocket(
+            sock_host, sock_port, cert_reqs=ssl.CERT_NONE, 
ssl_version=ssl.PROTOCOL_TLS)
       else:
-        sock = TSSLSocketWithFixes(
+        sock = TSSLSocket(
             sock_host, sock_port, cert_reqs=ssl.CERT_REQUIRED, 
ca_certs=self.ca_cert)
     else:
       sock = TSocket(sock_host, sock_port)
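Review bot: The `ca_cert is None` branch still yields a TLS session with no server authentication, and the new comment explains only the protocol override, not that consequence. Consider extending it with `# NOTE: CERT_NONE encrypts the connection but does not authenticate the server (no chain or hostname check).` so a reader does not mistake `use_ssl` alone for a verified channel. Separately, `ssl.PROTOCOL_TLS` has been deprecated since Python 3.10 and, as far as I know, building a context with it can raise a DeprecationWarning. Since this commit is about removing a startup warning, it is worth confirming none appears on 3.12 with warnings enabled. The same `cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_TLS` pair appears in the `create_transport` hunk of tests/util/thrift_util.py. The enclosing method begins and continues outside this hunk.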
diff --git a/shell/requirements.txt b/shell/requirements.txt
index 66069d03d..32585ea4c 100644
--- a/shell/requirements.txt
+++ b/shell/requirements.txt
@@ -7,6 +7,6 @@ sasl==0.4a1
 setuptools>=36.8.0
 six==1.17.0
 sqlparse==0.3.1
-thrift==0.16.0
+thrift==0.22.0
 thrift_sasl==0.4.3
 wcwidth==0.2.14; python_version >= "3"
diff --git a/tests/util/thrift_util.py b/tests/util/thrift_util.py
index 427769849..73dfdd7c8 100644
--- a/tests/util/thrift_util.py
+++ b/tests/util/thrift_util.py
@@ -19,9 +19,11 @@
 from __future__ import absolute_import, division, print_function
 import getpass
 import sasl
+import ssl
 import struct
 
 from thrift.transport.TSocket import TSocket
+from thrift.transport.TSSLSocket import TSSLSocket
 from thrift.transport.TTransport import TBufferedTransport
 from thrift_sasl import TSaslClientTransport
 
@@ -40,14 +42,10 @@ def create_transport(host, port, service, 
transport_type="buffered", user=None,
   """
   port = int(port)
   if use_ssl:
-    from thrift.transport import TSSLSocket
     if ssl_cert is None:
-      sock = TSSLSocket.TSSLSocket(host, port, validate=False)
+      sock = TSSLSocket(host, port, cert_reqs=ssl.CERT_NONE, 
ssl_version=ssl.PROTOCOL_TLS)
     else:
-      sock = TSSLSocket.TSSLSocket(host, port, validate=True, 
ca_certs=ssl_cert)
-    # Set allowed SSL / TLS protocols to a permissive set to connect to any 
Impala server.
-    import ssl
-    sock.SSL_VERSION = ssl.PROTOCOL_SSLv23
+      sock = TSSLSocket(host, port, cert_reqs=ssl.CERT_REQUIRED, 
ca_certs=ssl_cert)
   else:
     sock = TSocket(host, port)
   if transport_type.lower() == "buffered":
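Review bot: The `ssl_cert is None` line in `create_transport` passes `ssl_version=ssl.PROTOCOL_TLS` with no comment saying why, whereas the comment this hunk removes did explain the old protocol choice. Suggest adding above it `# No cert means no verification; TSSLSocket defaults to PROTOCOL_TLS_CLIENT, which verifies certs, so override to PROTOCOL_TLS.`, matching the wording used in impala_client.py. `create_transport` starts before and continues after this hunk, so its docstring is not visible here. If that docstring describes `ssl_cert`, it is the natural place to state that omitting it disables verification.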
