View Javadoc

1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *     http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing, software
13   * distributed under the License is distributed on an "AS IS" BASIS,
14   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   * See the License for the specific language governing permissions and
16   * limitations under the License.
17   */
18  package org.apache.hadoop.hbase.http;
19  
20  import java.io.FileNotFoundException;
21  import java.io.IOException;
22  import java.io.InterruptedIOException;
23  import java.io.PrintStream;
24  import java.io.PrintWriter;
25  import java.net.BindException;
26  import java.net.InetSocketAddress;
27  import java.net.URI;
28  import java.net.URISyntaxException;
29  import java.net.URL;
30  import java.util.ArrayList;
31  import java.util.Collections;
32  import java.util.Enumeration;
33  import java.util.HashMap;
34  import java.util.List;
35  import java.util.Map;
36  
37  import javax.servlet.Filter;
38  import javax.servlet.FilterChain;
39  import javax.servlet.FilterConfig;
40  import javax.servlet.ServletContext;
41  import javax.servlet.ServletException;
42  import javax.servlet.ServletRequest;
43  import javax.servlet.ServletResponse;
44  import javax.servlet.http.HttpServlet;
45  import javax.servlet.http.HttpServletRequest;
46  import javax.servlet.http.HttpServletRequestWrapper;
47  import javax.servlet.http.HttpServletResponse;
48  
49  import org.apache.commons.logging.Log;
50  import org.apache.commons.logging.LogFactory;
51  import org.apache.hadoop.HadoopIllegalArgumentException;
52  import org.apache.hadoop.hbase.classification.InterfaceAudience;
53  import org.apache.hadoop.hbase.classification.InterfaceStability;
54  import org.apache.hadoop.conf.Configuration;
55  import org.apache.hadoop.fs.CommonConfigurationKeys;
56  import org.apache.hadoop.hbase.HBaseInterfaceAudience;
57  import org.apache.hadoop.hbase.http.conf.ConfServlet;
58  import org.apache.hadoop.hbase.http.jmx.JMXJsonServlet;
59  import org.apache.hadoop.hbase.http.log.LogLevel;
60  import org.apache.hadoop.hbase.util.Threads;
61  import org.apache.hadoop.metrics.MetricsServlet;
62  import org.apache.hadoop.security.SecurityUtil;
63  import org.apache.hadoop.security.UserGroupInformation;
64  import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
65  import org.apache.hadoop.security.authorize.AccessControlList;
66  import org.apache.hadoop.util.ReflectionUtils;
67  import org.apache.hadoop.util.Shell;
68  import org.mortbay.io.Buffer;
69  import org.mortbay.jetty.Connector;
70  import org.mortbay.jetty.Handler;
71  import org.mortbay.jetty.MimeTypes;
72  import org.mortbay.jetty.RequestLog;
73  import org.mortbay.jetty.Server;
74  import org.mortbay.jetty.handler.ContextHandler;
75  import org.mortbay.jetty.handler.ContextHandlerCollection;
76  import org.mortbay.jetty.handler.HandlerCollection;
77  import org.mortbay.jetty.handler.RequestLogHandler;
78  import org.mortbay.jetty.nio.SelectChannelConnector;
79  import org.mortbay.jetty.security.SslSocketConnector;
80  import org.mortbay.jetty.servlet.Context;
81  import org.mortbay.jetty.servlet.DefaultServlet;
82  import org.mortbay.jetty.servlet.FilterHolder;
83  import org.mortbay.jetty.servlet.FilterMapping;
84  import org.mortbay.jetty.servlet.ServletHandler;
85  import org.mortbay.jetty.servlet.ServletHolder;
86  import org.mortbay.jetty.webapp.WebAppContext;
87  import org.mortbay.thread.QueuedThreadPool;
88  import org.mortbay.util.MultiException;
89  
90  import com.google.common.base.Preconditions;
91  import com.google.common.collect.Lists;
92  import com.sun.jersey.spi.container.servlet.ServletContainer;
93  
94  /**
95   * Create a Jetty embedded server to answer http requests. The primary goal
96   * is to serve up status information for the server.
97   * There are three contexts:
98   *   "/logs/" -> points to the log directory
99   *   "/static/" -> points to common static files (src/webapps/static)
100  *   "/" -> the jsp server code from (src/webapps/<name>)
101  */
102 @InterfaceAudience.Private
103 @InterfaceStability.Evolving
104 public class HttpServer implements FilterContainer {
105   public static final Log LOG = LogFactory.getLog(HttpServer.class);
106 
107   static final String FILTER_INITIALIZERS_PROPERTY
108       = "hbase.http.filter.initializers";
109   static final String HTTP_MAX_THREADS = "hbase.http.max.threads";
110 
111   // The ServletContext attribute where the daemon Configuration
112   // gets stored.
113   public static final String CONF_CONTEXT_ATTRIBUTE = "hbase.conf";
114   public static final String ADMINS_ACL = "admins.acl";
115   public static final String BIND_ADDRESS = "bind.address";
116   public static final String SPNEGO_FILTER = "SpnegoFilter";
117   public static final String NO_CACHE_FILTER = "NoCacheFilter";
118   public static final String APP_DIR = "webapps";
119 
120   private final AccessControlList adminsAcl;
121 
122   protected final Server webServer;
123   protected String appDir;
124   protected String logDir;
125 
126   private static class ListenerInfo {
127     /**
128      * Boolean flag to determine whether the HTTP server should clean up the
129      * listener in stop().
130      */
131     private final boolean isManaged;
132     private final Connector listener;
133     private ListenerInfo(boolean isManaged, Connector listener) {
134       this.isManaged = isManaged;
135       this.listener = listener;
136     }
137   }
138 
139   private final List<ListenerInfo> listeners = Lists.newArrayList();
140 
141   protected final WebAppContext webAppContext;
142   protected final boolean findPort;
143   protected final Map<Context, Boolean> defaultContexts =
144       new HashMap<Context, Boolean>();
145   protected final List<String> filterNames = new ArrayList<String>();
146   static final String STATE_DESCRIPTION_ALIVE = " - alive";
147   static final String STATE_DESCRIPTION_NOT_LIVE = " - not live";
148 
149   /**
150    * Class to construct instances of HTTP server with specific options.
151    */
152   public static class Builder {
153     private ArrayList<URI> endpoints = Lists.newArrayList();
154     private Connector connector;
155     private Configuration conf;
156     private String[] pathSpecs;
157     private AccessControlList adminsAcl;
158     private boolean securityEnabled = false;
159     private String usernameConfKey;
160     private String keytabConfKey;
161     private boolean needsClientAuth;
162 
163     private String hostName;
164     private String appDir = APP_DIR;
165     private String logDir;
166     private boolean findPort;
167 
168     private String trustStore;
169     private String trustStorePassword;
170     private String trustStoreType;
171 
172     private String keyStore;
173     private String keyStorePassword;
174     private String keyStoreType;
175 
176     // The -keypass option in keytool
177     private String keyPassword;
178 
179     @Deprecated
180     private String name;
181     @Deprecated
182     private String bindAddress;
183     @Deprecated
184     private int port = -1;
185 
186     /**
187      * Add an endpoint that the HTTP server should listen to.
188      *
189      * @param endpoint
190      *          the endpoint of that the HTTP server should listen to. The
191      *          scheme specifies the protocol (i.e. HTTP / HTTPS), the host
192      *          specifies the binding address, and the port specifies the
193      *          listening port. Unspecified or zero port means that the server
194      *          can listen to any port.
195      */
196     public Builder addEndpoint(URI endpoint) {
197       endpoints.add(endpoint);
198       return this;
199     }
200 
201     /**
202      * Set the hostname of the http server. The host name is used to resolve the
203      * _HOST field in Kerberos principals. The hostname of the first listener
204      * will be used if the name is unspecified.
205      */
206     public Builder hostName(String hostName) {
207       this.hostName = hostName;
208       return this;
209     }
210 
211     public Builder trustStore(String location, String password, String type) {
212       this.trustStore = location;
213       this.trustStorePassword = password;
214       this.trustStoreType = type;
215       return this;
216     }
217 
218     public Builder keyStore(String location, String password, String type) {
219       this.keyStore = location;
220       this.keyStorePassword = password;
221       this.keyStoreType = type;
222       return this;
223     }
224 
225     public Builder keyPassword(String password) {
226       this.keyPassword = password;
227       return this;
228     }
229 
230     /**
231      * Specify whether the server should authorize the client in SSL
232      * connections.
233      */
234     public Builder needsClientAuth(boolean value) {
235       this.needsClientAuth = value;
236       return this;
237     }
238 
239     /**
240      * Use setAppDir() instead.
241      */
242     @Deprecated
243     public Builder setName(String name){
244       this.name = name;
245       return this;
246     }
247 
248     /**
249      * Use addEndpoint() instead.
250      */
251     @Deprecated
252     public Builder setBindAddress(String bindAddress){
253       this.bindAddress = bindAddress;
254       return this;
255     }
256 
257     /**
258      * Use addEndpoint() instead.
259      */
260     @Deprecated
261     public Builder setPort(int port) {
262       this.port = port;
263       return this;
264     }
265 
266     public Builder setFindPort(boolean findPort) {
267       this.findPort = findPort;
268       return this;
269     }
270 
271     public Builder setConf(Configuration conf) {
272       this.conf = conf;
273       return this;
274     }
275 
276     public Builder setConnector(Connector connector) {
277       this.connector = connector;
278       return this;
279     }
280 
281     public Builder setPathSpec(String[] pathSpec) {
282       this.pathSpecs = pathSpec;
283       return this;
284     }
285 
286     public Builder setACL(AccessControlList acl) {
287       this.adminsAcl = acl;
288       return this;
289     }
290 
291     public Builder setSecurityEnabled(boolean securityEnabled) {
292       this.securityEnabled = securityEnabled;
293       return this;
294     }
295 
296     public Builder setUsernameConfKey(String usernameConfKey) {
297       this.usernameConfKey = usernameConfKey;
298       return this;
299     }
300 
301     public Builder setKeytabConfKey(String keytabConfKey) {
302       this.keytabConfKey = keytabConfKey;
303       return this;
304     }
305 
306     public Builder setAppDir(String appDir) {
307         this.appDir = appDir;
308         return this;
309       }
310 
311     public Builder setLogDir(String logDir) {
312         this.logDir = logDir;
313         return this;
314       }
315 
316     public HttpServer build() throws IOException {
317 
318       // Do we still need to assert this non null name if it is deprecated?
319       if (this.name == null) {
320         throw new HadoopIllegalArgumentException("name is not set");
321       }
322 
323       // Make the behavior compatible with deprecated interfaces
324       if (bindAddress != null && port != -1) {
325         try {
326           endpoints.add(0, new URI("http", "", bindAddress, port, "", "", ""));
327         } catch (URISyntaxException e) {
328           throw new HadoopIllegalArgumentException("Invalid endpoint: "+ e);
329         }
330       }
331 
332       if (endpoints.size() == 0 && connector == null) {
333         throw new HadoopIllegalArgumentException("No endpoints specified");
334       }
335 
336       if (hostName == null) {
337         hostName = endpoints.size() == 0 ? connector.getHost() : endpoints.get(
338             0).getHost();
339       }
340 
341       if (this.conf == null) {
342         conf = new Configuration();
343       }
344 
345       HttpServer server = new HttpServer(this);
346 
347       if (this.securityEnabled) {
348         server.initSpnego(conf, hostName, usernameConfKey, keytabConfKey);
349       }
350 
351       if (connector != null) {
352         server.addUnmanagedListener(connector);
353       }
354 
355       for (URI ep : endpoints) {
356         Connector listener = null;
357         String scheme = ep.getScheme();
358         if ("http".equals(scheme)) {
359           listener = HttpServer.createDefaultChannelConnector();
360         } else if ("https".equals(scheme)) {
361           SslSocketConnector c = new SslSocketConnectorSecure();
362           c.setNeedClientAuth(needsClientAuth);
363           c.setKeyPassword(keyPassword);
364 
365           if (keyStore != null) {
366             c.setKeystore(keyStore);
367             c.setKeystoreType(keyStoreType);
368             c.setPassword(keyStorePassword);
369           }
370 
371           if (trustStore != null) {
372             c.setTruststore(trustStore);
373             c.setTruststoreType(trustStoreType);
374             c.setTrustPassword(trustStorePassword);
375           }
376           listener = c;
377 
378         } else {
379           throw new HadoopIllegalArgumentException(
380               "unknown scheme for endpoint:" + ep);
381         }
382         listener.setHost(ep.getHost());
383         listener.setPort(ep.getPort() == -1 ? 0 : ep.getPort());
384         server.addManagedListener(listener);
385       }
386 
387       server.loadListeners();
388       return server;
389 
390     }
391 
392   }
393 
394   /** Same as this(name, bindAddress, port, findPort, null); */
395   @Deprecated
396   public HttpServer(String name, String bindAddress, int port, boolean findPort
397       ) throws IOException {
398     this(name, bindAddress, port, findPort, new Configuration());
399   }
400 
401   @Deprecated
402   public HttpServer(String name, String bindAddress, int port,
403       boolean findPort, Configuration conf, Connector connector) throws IOException {
404     this(name, bindAddress, port, findPort, conf, null, connector, null);
405   }
406 
407   /**
408    * Create a status server on the given port. Allows you to specify the
409    * path specifications that this server will be serving so that they will be
410    * added to the filters properly.
411    *
412    * @param name The name of the server
413    * @param bindAddress The address for this server
414    * @param port The port to use on the server
415    * @param findPort whether the server should start at the given port and
416    *        increment by 1 until it finds a free port.
417    * @param conf Configuration
418    * @param pathSpecs Path specifications that this httpserver will be serving.
419    *        These will be added to any filters.
420    */
421   @Deprecated
422   public HttpServer(String name, String bindAddress, int port,
423       boolean findPort, Configuration conf, String[] pathSpecs) throws IOException {
424     this(name, bindAddress, port, findPort, conf, null, null, pathSpecs);
425   }
426 
427   /**
428    * Create a status server on the given port.
429    * The jsp scripts are taken from src/webapps/<name>.
430    * @param name The name of the server
431    * @param port The port to use on the server
432    * @param findPort whether the server should start at the given port and
433    *        increment by 1 until it finds a free port.
434    * @param conf Configuration
435    */
436   @Deprecated
437   public HttpServer(String name, String bindAddress, int port,
438       boolean findPort, Configuration conf) throws IOException {
439     this(name, bindAddress, port, findPort, conf, null, null, null);
440   }
441 
442   @Deprecated
443   public HttpServer(String name, String bindAddress, int port,
444       boolean findPort, Configuration conf, AccessControlList adminsAcl)
445       throws IOException {
446     this(name, bindAddress, port, findPort, conf, adminsAcl, null, null);
447   }
448 
449   /**
450    * Create a status server on the given port.
451    * The jsp scripts are taken from src/webapps/<name>.
452    * @param name The name of the server
453    * @param bindAddress The address for this server
454    * @param port The port to use on the server
455    * @param findPort whether the server should start at the given port and
456    *        increment by 1 until it finds a free port.
457    * @param conf Configuration
458    * @param adminsAcl {@link AccessControlList} of the admins
459    * @param connector The jetty {@link Connector} to use
460    */
461   @Deprecated
462   public HttpServer(String name, String bindAddress, int port,
463       boolean findPort, Configuration conf, AccessControlList adminsAcl,
464       Connector connector) throws IOException {
465     this(name, bindAddress, port, findPort, conf, adminsAcl, connector, null);
466   }
467 
468   /**
469    * Create a status server on the given port.
470    * The jsp scripts are taken from src/webapps/<name>.
471    * @param name The name of the server
472    * @param bindAddress The address for this server
473    * @param port The port to use on the server
474    * @param findPort whether the server should start at the given port and
475    *        increment by 1 until it finds a free port.
476    * @param conf Configuration
477    * @param adminsAcl {@link AccessControlList} of the admins
478    * @param connector A jetty connection listener
479    * @param pathSpecs Path specifications that this httpserver will be serving.
480    *        These will be added to any filters.
481    */
482   @Deprecated
483   public HttpServer(String name, String bindAddress, int port,
484       boolean findPort, Configuration conf, AccessControlList adminsAcl,
485       Connector connector, String[] pathSpecs) throws IOException {
486     this(new Builder().setName(name)
487         .addEndpoint(URI.create("http://" + bindAddress + ":" + port))
488         .setFindPort(findPort).setConf(conf).setACL(adminsAcl)
489         .setConnector(connector).setPathSpec(pathSpecs));
490   }
491 
492   private HttpServer(final Builder b) throws IOException {
493     this.appDir = b.appDir;
494     this.logDir = b.logDir;
495     final String appDir = getWebAppsPath(b.name);
496     this.webServer = new Server();
497     this.adminsAcl = b.adminsAcl;
498     this.webAppContext = createWebAppContext(b.name, b.conf, adminsAcl, appDir);
499     this.findPort = b.findPort;
500     initializeWebServer(b.name, b.hostName, b.conf, b.pathSpecs);
501   }
502 
503   private void initializeWebServer(String name, String hostName,
504       Configuration conf, String[] pathSpecs)
505       throws FileNotFoundException, IOException {
506 
507     Preconditions.checkNotNull(webAppContext);
508 
509     int maxThreads = conf.getInt(HTTP_MAX_THREADS, -1);
510     // If HTTP_MAX_THREADS is not configured, QueueThreadPool() will use the
511     // default value (currently 250).
512     QueuedThreadPool threadPool = maxThreads == -1 ? new QueuedThreadPool()
513         : new QueuedThreadPool(maxThreads);
514     threadPool.setDaemon(true);
515     webServer.setThreadPool(threadPool);
516 
517     ContextHandlerCollection contexts = new ContextHandlerCollection();
518     RequestLog requestLog = HttpRequestLog.getRequestLog(name);
519 
520     if (requestLog != null) {
521       RequestLogHandler requestLogHandler = new RequestLogHandler();
522       requestLogHandler.setRequestLog(requestLog);
523       HandlerCollection handlers = new HandlerCollection();
524       handlers.setHandlers(new Handler[] { requestLogHandler, contexts });
525       webServer.setHandler(handlers);
526     } else {
527       webServer.setHandler(contexts);
528     }
529 
530     final String appDir = getWebAppsPath(name);
531 
532     webServer.addHandler(webAppContext);
533 
534     addDefaultApps(contexts, appDir, conf);
535 
536     addGlobalFilter("safety", QuotingInputFilter.class.getName(), null);
537     final FilterInitializer[] initializers = getFilterInitializers(conf);
538     if (initializers != null) {
539       conf = new Configuration(conf);
540       conf.set(BIND_ADDRESS, hostName);
541       for (FilterInitializer c : initializers) {
542         c.initFilter(this, conf);
543       }
544     }
545 
546     addDefaultServlets();
547 
548     if (pathSpecs != null) {
549       for (String path : pathSpecs) {
550         LOG.info("adding path spec: " + path);
551         addFilterPathMapping(path, webAppContext);
552       }
553     }
554   }
555 
556   private void addUnmanagedListener(Connector connector) {
557     listeners.add(new ListenerInfo(false, connector));
558   }
559 
560   private void addManagedListener(Connector connector) {
561     listeners.add(new ListenerInfo(true, connector));
562   }
563 
564   private static WebAppContext createWebAppContext(String name,
565       Configuration conf, AccessControlList adminsAcl, final String appDir) {
566     WebAppContext ctx = new WebAppContext();
567     ctx.setDisplayName(name);
568     ctx.setContextPath("/");
569     ctx.setWar(appDir + "/" + name);
570     ctx.getServletContext().setAttribute(CONF_CONTEXT_ATTRIBUTE, conf);
571     ctx.getServletContext().setAttribute(ADMINS_ACL, adminsAcl);
572     addNoCacheFilter(ctx);
573     return ctx;
574   }
575 
576   private static void addNoCacheFilter(WebAppContext ctxt) {
577     defineFilter(ctxt, NO_CACHE_FILTER, NoCacheFilter.class.getName(),
578         Collections.<String, String> emptyMap(), new String[] { "/*" });
579   }
580 
581   /**
582    * Create a required listener for the Jetty instance listening on the port
583    * provided. This wrapper and all subclasses must create at least one
584    * listener.
585    */
586   public Connector createBaseListener(Configuration conf) throws IOException {
587     return HttpServer.createDefaultChannelConnector();
588   }
589 
590   @InterfaceAudience.Private
591   public static Connector createDefaultChannelConnector() {
592     SelectChannelConnector ret = new SelectChannelConnector();
593     ret.setLowResourceMaxIdleTime(10000);
594     ret.setAcceptQueueSize(128);
595     ret.setResolveNames(false);
596     ret.setUseDirectBuffers(false);
597     if(Shell.WINDOWS) {
598       // result of setting the SO_REUSEADDR flag is different on Windows
599       // http://msdn.microsoft.com/en-us/library/ms740621(v=vs.85).aspx
600       // without this 2 NN's can start on the same machine and listen on
601       // the same port with indeterminate routing of incoming requests to them
602       ret.setReuseAddress(false);
603     }
604     ret.setHeaderBufferSize(1024*64);
605     return ret;
606   }
607 
608   /** Get an array of FilterConfiguration specified in the conf */
609   private static FilterInitializer[] getFilterInitializers(Configuration conf) {
610     if (conf == null) {
611       return null;
612     }
613 
614     Class<?>[] classes = conf.getClasses(FILTER_INITIALIZERS_PROPERTY);
615     if (classes == null) {
616       return null;
617     }
618 
619     FilterInitializer[] initializers = new FilterInitializer[classes.length];
620     for(int i = 0; i < classes.length; i++) {
621       initializers[i] = (FilterInitializer)ReflectionUtils.newInstance(
622           classes[i], conf);
623     }
624     return initializers;
625   }
626 
627   /**
628    * Add default apps.
629    * @param appDir The application directory
630    * @throws IOException
631    */
632   protected void addDefaultApps(ContextHandlerCollection parent,
633       final String appDir, Configuration conf) throws IOException {
634     // set up the context for "/logs/" if "hadoop.log.dir" property is defined.
635     String logDir = this.logDir;
636     if (logDir == null) {
637         logDir = System.getProperty("hadoop.log.dir");
638     }
639     if (logDir != null) {
640       Context logContext = new Context(parent, "/logs");
641       logContext.setResourceBase(logDir);
642       logContext.addServlet(AdminAuthorizedServlet.class, "/*");
643       if (conf.getBoolean(
644           ServerConfigurationKeys.HBASE_JETTY_LOGS_SERVE_ALIASES,
645           ServerConfigurationKeys.DEFAULT_HBASE_JETTY_LOGS_SERVE_ALIASES)) {
646         @SuppressWarnings("unchecked")
647         Map<String, String> params = logContext.getInitParams();
648         params.put(
649             "org.mortbay.jetty.servlet.Default.aliases", "true");
650       }
651       logContext.setDisplayName("logs");
652       setContextAttributes(logContext, conf);
653       addNoCacheFilter(webAppContext);
654       defaultContexts.put(logContext, true);
655     }
656     // set up the context for "/static/*"
657     Context staticContext = new Context(parent, "/static");
658     staticContext.setResourceBase(appDir + "/static");
659     staticContext.addServlet(DefaultServlet.class, "/*");
660     staticContext.setDisplayName("static");
661     setContextAttributes(staticContext, conf);
662     defaultContexts.put(staticContext, true);
663   }
664 
665   private void setContextAttributes(Context context, Configuration conf) {
666     context.getServletContext().setAttribute(CONF_CONTEXT_ATTRIBUTE, conf);
667     context.getServletContext().setAttribute(ADMINS_ACL, adminsAcl);
668   }
669 
670   /**
671    * Add default servlets.
672    */
673   protected void addDefaultServlets() {
674     // set up default servlets
675     addServlet("stacks", "/stacks", StackServlet.class);
676     addServlet("logLevel", "/logLevel", LogLevel.Servlet.class);
677     addServlet("metrics", "/metrics", MetricsServlet.class);
678     addServlet("jmx", "/jmx", JMXJsonServlet.class);
679     addServlet("conf", "/conf", ConfServlet.class);
680   }
681 
682   public void addContext(Context ctxt, boolean isFiltered)
683       throws IOException {
684     webServer.addHandler(ctxt);
685     addNoCacheFilter(webAppContext);
686     defaultContexts.put(ctxt, isFiltered);
687   }
688 
689   /**
690    * Add a context
691    * @param pathSpec The path spec for the context
692    * @param dir The directory containing the context
693    * @param isFiltered if true, the servlet is added to the filter path mapping
694    * @throws IOException
695    */
696   protected void addContext(String pathSpec, String dir, boolean isFiltered) throws IOException {
697     if (0 == webServer.getHandlers().length) {
698       throw new RuntimeException("Couldn't find handler");
699     }
700     WebAppContext webAppCtx = new WebAppContext();
701     webAppCtx.setContextPath(pathSpec);
702     webAppCtx.setWar(dir);
703     addContext(webAppCtx, true);
704   }
705 
706   /**
707    * Set a value in the webapp context. These values are available to the jsp
708    * pages as "application.getAttribute(name)".
709    * @param name The name of the attribute
710    * @param value The value of the attribute
711    */
712   public void setAttribute(String name, Object value) {
713     webAppContext.setAttribute(name, value);
714   }
715 
716   /**
717    * Add a Jersey resource package.
718    * @param packageName The Java package name containing the Jersey resource.
719    * @param pathSpec The path spec for the servlet
720    */
721   public void addJerseyResourcePackage(final String packageName,
722       final String pathSpec) {
723     LOG.info("addJerseyResourcePackage: packageName=" + packageName
724         + ", pathSpec=" + pathSpec);
725     final ServletHolder sh = new ServletHolder(ServletContainer.class);
726     sh.setInitParameter("com.sun.jersey.config.property.resourceConfigClass",
727         "com.sun.jersey.api.core.PackagesResourceConfig");
728     sh.setInitParameter("com.sun.jersey.config.property.packages", packageName);
729     webAppContext.addServlet(sh, pathSpec);
730   }
731 
732   /**
733    * Add a servlet in the server.
734    * @param name The name of the servlet (can be passed as null)
735    * @param pathSpec The path spec for the servlet
736    * @param clazz The servlet class
737    */
738   public void addServlet(String name, String pathSpec,
739       Class<? extends HttpServlet> clazz) {
740     addInternalServlet(name, pathSpec, clazz, false);
741     addFilterPathMapping(pathSpec, webAppContext);
742   }
743 
744   /**
745    * Add an internal servlet in the server.
746    * Note: This method is to be used for adding servlets that facilitate
747    * internal communication and not for user facing functionality. For
748    * servlets added using this method, filters are not enabled.
749    *
750    * @param name The name of the servlet (can be passed as null)
751    * @param pathSpec The path spec for the servlet
752    * @param clazz The servlet class
753    */
754   public void addInternalServlet(String name, String pathSpec,
755       Class<? extends HttpServlet> clazz) {
756     addInternalServlet(name, pathSpec, clazz, false);
757   }
758 
759   /**
760    * Add an internal servlet in the server, specifying whether or not to
761    * protect with Kerberos authentication.
762    * Note: This method is to be used for adding servlets that facilitate
763    * internal communication and not for user facing functionality. For
764    +   * servlets added using this method, filters (except internal Kerberos
765    * filters) are not enabled.
766    *
767    * @param name The name of the servlet (can be passed as null)
768    * @param pathSpec The path spec for the servlet
769    * @param clazz The servlet class
770    * @param requireAuth Require Kerberos authenticate to access servlet
771    */
772   public void addInternalServlet(String name, String pathSpec,
773       Class<? extends HttpServlet> clazz, boolean requireAuth) {
774     ServletHolder holder = new ServletHolder(clazz);
775     if (name != null) {
776       holder.setName(name);
777     }
778     webAppContext.addServlet(holder, pathSpec);
779 
780     if(requireAuth && UserGroupInformation.isSecurityEnabled()) {
781        LOG.info("Adding Kerberos (SPNEGO) filter to " + name);
782        ServletHandler handler = webAppContext.getServletHandler();
783        FilterMapping fmap = new FilterMapping();
784        fmap.setPathSpec(pathSpec);
785        fmap.setFilterName(SPNEGO_FILTER);
786        fmap.setDispatches(Handler.ALL);
787        handler.addFilterMapping(fmap);
788     }
789   }
790 
791   @Override
792   public void addFilter(String name, String classname,
793       Map<String, String> parameters) {
794 
795     final String[] USER_FACING_URLS = { "*.html", "*.jsp" };
796     defineFilter(webAppContext, name, classname, parameters, USER_FACING_URLS);
797     LOG.info("Added filter " + name + " (class=" + classname
798         + ") to context " + webAppContext.getDisplayName());
799     final String[] ALL_URLS = { "/*" };
800     for (Map.Entry<Context, Boolean> e : defaultContexts.entrySet()) {
801       if (e.getValue()) {
802         Context ctx = e.getKey();
803         defineFilter(ctx, name, classname, parameters, ALL_URLS);
804         LOG.info("Added filter " + name + " (class=" + classname
805             + ") to context " + ctx.getDisplayName());
806       }
807     }
808     filterNames.add(name);
809   }
810 
811   @Override
812   public void addGlobalFilter(String name, String classname,
813       Map<String, String> parameters) {
814     final String[] ALL_URLS = { "/*" };
815     defineFilter(webAppContext, name, classname, parameters, ALL_URLS);
816     for (Context ctx : defaultContexts.keySet()) {
817       defineFilter(ctx, name, classname, parameters, ALL_URLS);
818     }
819     LOG.info("Added global filter '" + name + "' (class=" + classname + ")");
820   }
821 
822   /**
823    * Define a filter for a context and set up default url mappings.
824    */
825   public static void defineFilter(Context ctx, String name,
826       String classname, Map<String,String> parameters, String[] urls) {
827 
828     FilterHolder holder = new FilterHolder();
829     holder.setName(name);
830     holder.setClassName(classname);
831     holder.setInitParameters(parameters);
832     FilterMapping fmap = new FilterMapping();
833     fmap.setPathSpecs(urls);
834     fmap.setDispatches(Handler.ALL);
835     fmap.setFilterName(name);
836     ServletHandler handler = ctx.getServletHandler();
837     handler.addFilter(holder, fmap);
838   }
839 
840   /**
841    * Add the path spec to the filter path mapping.
842    * @param pathSpec The path spec
843    * @param webAppCtx The WebApplicationContext to add to
844    */
845   protected void addFilterPathMapping(String pathSpec,
846       Context webAppCtx) {
847     ServletHandler handler = webAppCtx.getServletHandler();
848     for(String name : filterNames) {
849       FilterMapping fmap = new FilterMapping();
850       fmap.setPathSpec(pathSpec);
851       fmap.setFilterName(name);
852       fmap.setDispatches(Handler.ALL);
853       handler.addFilterMapping(fmap);
854     }
855   }
856 
857   /**
858    * Get the value in the webapp context.
859    * @param name The name of the attribute
860    * @return The value of the attribute
861    */
862   public Object getAttribute(String name) {
863     return webAppContext.getAttribute(name);
864   }
865 
866   public WebAppContext getWebAppContext(){
867     return this.webAppContext;
868   }
869 
870   public String getWebAppsPath(String appName) throws FileNotFoundException {
871       return getWebAppsPath(this.appDir, appName);
872   }
873 
874   /**
875    * Get the pathname to the webapps files.
876    * @param appName eg "secondary" or "datanode"
877    * @return the pathname as a URL
878    * @throws FileNotFoundException if 'webapps' directory cannot be found on CLASSPATH.
879    */
880   protected String getWebAppsPath(String webapps, String appName) throws FileNotFoundException {
881     URL url = getClass().getClassLoader().getResource(webapps + "/" + appName);
882     if (url == null)
883       throw new FileNotFoundException(webapps + "/" + appName
884           + " not found in CLASSPATH");
885     String urlString = url.toString();
886     return urlString.substring(0, urlString.lastIndexOf('/'));
887   }
888 
889   /**
890    * Get the port that the server is on
891    * @return the port
892    */
893   @Deprecated
894   public int getPort() {
895     return webServer.getConnectors()[0].getLocalPort();
896   }
897 
898   /**
899    * Get the address that corresponds to a particular connector.
900    *
901    * @return the corresponding address for the connector, or null if there's no
902    *         such connector or the connector is not bounded.
903    */
904   public InetSocketAddress getConnectorAddress(int index) {
905     Preconditions.checkArgument(index >= 0);
906     if (index > webServer.getConnectors().length)
907       return null;
908 
909     Connector c = webServer.getConnectors()[index];
910     if (c.getLocalPort() == -1) {
911       // The connector is not bounded
912       return null;
913     }
914 
915     return new InetSocketAddress(c.getHost(), c.getLocalPort());
916   }
917 
918   /**
919    * Set the min, max number of worker threads (simultaneous connections).
920    */
921   public void setThreads(int min, int max) {
922     QueuedThreadPool pool = (QueuedThreadPool) webServer.getThreadPool();
923     pool.setMinThreads(min);
924     pool.setMaxThreads(max);
925   }
926 
927   private void initSpnego(Configuration conf, String hostName,
928       String usernameConfKey, String keytabConfKey) throws IOException {
929     Map<String, String> params = new HashMap<String, String>();
930     String principalInConf = conf.get(usernameConfKey);
931     if (principalInConf != null && !principalInConf.isEmpty()) {
932       params.put("kerberos.principal", SecurityUtil.getServerPrincipal(
933           principalInConf, hostName));
934     }
935     String httpKeytab = conf.get(keytabConfKey);
936     if (httpKeytab != null && !httpKeytab.isEmpty()) {
937       params.put("kerberos.keytab", httpKeytab);
938     }
939     params.put(AuthenticationFilter.AUTH_TYPE, "kerberos");
940 
941     defineFilter(webAppContext, SPNEGO_FILTER,
942                  AuthenticationFilter.class.getName(), params, null);
943   }
944 
945   /**
946    * Start the server. Does not wait for the server to start.
947    */
948   public void start() throws IOException {
949     try {
950       try {
951         openListeners();
952         webServer.start();
953       } catch (IOException ex) {
954         LOG.info("HttpServer.start() threw a non Bind IOException", ex);
955         throw ex;
956       } catch (MultiException ex) {
957         LOG.info("HttpServer.start() threw a MultiException", ex);
958         throw ex;
959       }
960       // Make sure there is no handler failures.
961       Handler[] handlers = webServer.getHandlers();
962       for (int i = 0; i < handlers.length; i++) {
963         if (handlers[i].isFailed()) {
964           throw new IOException(
965               "Problem in starting http server. Server handlers failed");
966         }
967       }
968       // Make sure there are no errors initializing the context.
969       Throwable unavailableException = webAppContext.getUnavailableException();
970       if (unavailableException != null) {
971         // Have to stop the webserver, or else its non-daemon threads
972         // will hang forever.
973         webServer.stop();
974         throw new IOException("Unable to initialize WebAppContext",
975             unavailableException);
976       }
977     } catch (IOException e) {
978       throw e;
979     } catch (InterruptedException e) {
980       throw (IOException) new InterruptedIOException(
981           "Interrupted while starting HTTP server").initCause(e);
982     } catch (Exception e) {
983       throw new IOException("Problem starting http server", e);
984     }
985   }
986 
987   private void loadListeners() {
988     for (ListenerInfo li : listeners) {
989       webServer.addConnector(li.listener);
990     }
991   }
992 
993   /**
994    * Open the main listener for the server
995    * @throws Exception
996    */
997   void openListeners() throws Exception {
998     for (ListenerInfo li : listeners) {
999       Connector listener = li.listener;
1000       if (!li.isManaged || li.listener.getLocalPort() != -1) {
1001         // This listener is either started externally or has been bound
1002         continue;
1003       }
1004       int port = listener.getPort();
1005       while (true) {
1006         // jetty has a bug where you can't reopen a listener that previously
1007         // failed to open w/o issuing a close first, even if the port is changed
1008         try {
1009           listener.close();
1010           listener.open();
1011           LOG.info("Jetty bound to port " + listener.getLocalPort());
1012           break;
1013         } catch (BindException ex) {
1014           if (port == 0 || !findPort) {
1015             BindException be = new BindException("Port in use: "
1016                 + listener.getHost() + ":" + listener.getPort());
1017             be.initCause(ex);
1018             throw be;
1019           }
1020         }
1021         // try the next port number
1022         listener.setPort(++port);
1023         Thread.sleep(100);
1024       }
1025     }
1026   }
1027 
1028   /**
1029    * stop the server
1030    */
1031   public void stop() throws Exception {
1032     MultiException exception = null;
1033     for (ListenerInfo li : listeners) {
1034       if (!li.isManaged) {
1035         continue;
1036       }
1037 
1038       try {
1039         li.listener.close();
1040       } catch (Exception e) {
1041         LOG.error(
1042             "Error while stopping listener for webapp"
1043                 + webAppContext.getDisplayName(), e);
1044         exception = addMultiException(exception, e);
1045       }
1046     }
1047 
1048     try {
1049       // clear & stop webAppContext attributes to avoid memory leaks.
1050       webAppContext.clearAttributes();
1051       webAppContext.stop();
1052     } catch (Exception e) {
1053       LOG.error("Error while stopping web app context for webapp "
1054           + webAppContext.getDisplayName(), e);
1055       exception = addMultiException(exception, e);
1056     }
1057 
1058     try {
1059       webServer.stop();
1060     } catch (Exception e) {
1061       LOG.error("Error while stopping web server for webapp "
1062           + webAppContext.getDisplayName(), e);
1063       exception = addMultiException(exception, e);
1064     }
1065 
1066     if (exception != null) {
1067       exception.ifExceptionThrow();
1068     }
1069 
1070   }
1071 
1072   private MultiException addMultiException(MultiException exception, Exception e) {
1073     if(exception == null){
1074       exception = new MultiException();
1075     }
1076     exception.add(e);
1077     return exception;
1078   }
1079 
1080   public void join() throws InterruptedException {
1081     webServer.join();
1082   }
1083 
1084   /**
1085    * Test for the availability of the web server
1086    * @return true if the web server is started, false otherwise
1087    */
1088   public boolean isAlive() {
1089     return webServer != null && webServer.isStarted();
1090   }
1091 
1092   /**
1093    * Return the host and port of the HttpServer, if live
1094    * @return the classname and any HTTP URL
1095    */
1096   @Override
1097   public String toString() {
1098     if (listeners.size() == 0) {
1099       return "Inactive HttpServer";
1100     } else {
1101       StringBuilder sb = new StringBuilder("HttpServer (")
1102         .append(isAlive() ? STATE_DESCRIPTION_ALIVE : STATE_DESCRIPTION_NOT_LIVE).append("), listening at:");
1103       for (ListenerInfo li : listeners) {
1104         Connector l = li.listener;
1105         sb.append(l.getHost()).append(":").append(l.getPort()).append("/,");
1106       }
1107       return sb.toString();
1108     }
1109   }
1110 
1111   /**
1112    * Checks the user has privileges to access to instrumentation servlets.
1113    * <p/>
1114    * If <code>hadoop.security.instrumentation.requires.admin</code> is set to FALSE
1115    * (default value) it always returns TRUE.
1116    * <p/>
1117    * If <code>hadoop.security.instrumentation.requires.admin</code> is set to TRUE
1118    * it will check that if the current user is in the admin ACLS. If the user is
1119    * in the admin ACLs it returns TRUE, otherwise it returns FALSE.
1120    *
1121    * @param servletContext the servlet context.
1122    * @param request the servlet request.
1123    * @param response the servlet response.
1124    * @return TRUE/FALSE based on the logic decribed above.
1125    */
1126   public static boolean isInstrumentationAccessAllowed(
1127     ServletContext servletContext, HttpServletRequest request,
1128     HttpServletResponse response) throws IOException {
1129     Configuration conf =
1130       (Configuration) servletContext.getAttribute(CONF_CONTEXT_ATTRIBUTE);
1131 
1132     boolean access = true;
1133     boolean adminAccess = conf.getBoolean(
1134       CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN,
1135       false);
1136     if (adminAccess) {
1137       access = hasAdministratorAccess(servletContext, request, response);
1138     }
1139     return access;
1140   }
1141 
1142   /**
1143    * Does the user sending the HttpServletRequest has the administrator ACLs? If
1144    * it isn't the case, response will be modified to send an error to the user.
1145    *
1146    * @param servletContext
1147    * @param request
1148    * @param response used to send the error response if user does not have admin access.
1149    * @return true if admin-authorized, false otherwise
1150    * @throws IOException
1151    */
1152   public static boolean hasAdministratorAccess(
1153       ServletContext servletContext, HttpServletRequest request,
1154       HttpServletResponse response) throws IOException {
1155     Configuration conf =
1156         (Configuration) servletContext.getAttribute(CONF_CONTEXT_ATTRIBUTE);
1157     // If there is no authorization, anybody has administrator access.
1158     if (!conf.getBoolean(
1159         CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false)) {
1160       return true;
1161     }
1162 
1163     String remoteUser = request.getRemoteUser();
1164     if (remoteUser == null) {
1165       response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
1166                          "Unauthenticated users are not " +
1167                          "authorized to access this page.");
1168       return false;
1169     }
1170 
1171     if (servletContext.getAttribute(ADMINS_ACL) != null &&
1172         !userHasAdministratorAccess(servletContext, remoteUser)) {
1173       response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User "
1174           + remoteUser + " is unauthorized to access this page.");
1175       return false;
1176     }
1177 
1178     return true;
1179   }
1180 
1181   /**
1182    * Get the admin ACLs from the given ServletContext and check if the given
1183    * user is in the ACL.
1184    *
1185    * @param servletContext the context containing the admin ACL.
1186    * @param remoteUser the remote user to check for.
1187    * @return true if the user is present in the ACL, false if no ACL is set or
1188    *         the user is not present
1189    */
1190   public static boolean userHasAdministratorAccess(ServletContext servletContext,
1191       String remoteUser) {
1192     AccessControlList adminsAcl = (AccessControlList) servletContext
1193         .getAttribute(ADMINS_ACL);
1194     UserGroupInformation remoteUserUGI =
1195         UserGroupInformation.createRemoteUser(remoteUser);
1196     return adminsAcl != null && adminsAcl.isUserAllowed(remoteUserUGI);
1197   }
1198 
1199   /**
1200    * A very simple servlet to serve up a text representation of the current
1201    * stack traces. It both returns the stacks to the caller and logs them.
1202    * Currently the stack traces are done sequentially rather than exactly the
1203    * same data.
1204    */
1205   public static class StackServlet extends HttpServlet {
1206     private static final long serialVersionUID = -6284183679759467039L;
1207 
1208     @Override
1209     public void doGet(HttpServletRequest request, HttpServletResponse response)
1210       throws ServletException, IOException {
1211       if (!HttpServer.isInstrumentationAccessAllowed(getServletContext(),
1212                                                      request, response)) {
1213         return;
1214       }
1215       response.setContentType("text/plain; charset=UTF-8");
1216       PrintWriter out = response.getWriter();
1217       PrintStream ps = new PrintStream(response.getOutputStream(), false, "UTF-8");
1218       Threads.printThreadInfo(ps, "");
1219       ps.flush();
1220       out.close();
1221       ReflectionUtils.logThreadInfo(LOG, "jsp requested", 1);
1222     }
1223   }
1224 
1225   /**
1226    * A Servlet input filter that quotes all HTML active characters in the
1227    * parameter names and values. The goal is to quote the characters to make
1228    * all of the servlets resistant to cross-site scripting attacks.
1229    */
1230   @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG)
1231   public static class QuotingInputFilter implements Filter {
1232     private FilterConfig config;
1233 
1234     public static class RequestQuoter extends HttpServletRequestWrapper {
1235       private final HttpServletRequest rawRequest;
1236       public RequestQuoter(HttpServletRequest rawRequest) {
1237         super(rawRequest);
1238         this.rawRequest = rawRequest;
1239       }
1240 
1241       /**
1242        * Return the set of parameter names, quoting each name.
1243        */
1244       @SuppressWarnings("unchecked")
1245       @Override
1246       public Enumeration<String> getParameterNames() {
1247         return new Enumeration<String>() {
1248           private Enumeration<String> rawIterator =
1249             rawRequest.getParameterNames();
1250           @Override
1251           public boolean hasMoreElements() {
1252             return rawIterator.hasMoreElements();
1253           }
1254 
1255           @Override
1256           public String nextElement() {
1257             return HtmlQuoting.quoteHtmlChars(rawIterator.nextElement());
1258           }
1259         };
1260       }
1261 
1262       /**
1263        * Unquote the name and quote the value.
1264        */
1265       @Override
1266       public String getParameter(String name) {
1267         return HtmlQuoting.quoteHtmlChars(rawRequest.getParameter
1268                                      (HtmlQuoting.unquoteHtmlChars(name)));
1269       }
1270 
1271       @Override
1272       public String[] getParameterValues(String name) {
1273         String unquoteName = HtmlQuoting.unquoteHtmlChars(name);
1274         String[] unquoteValue = rawRequest.getParameterValues(unquoteName);
1275         if (unquoteValue == null) {
1276           return null;
1277         }
1278         String[] result = new String[unquoteValue.length];
1279         for(int i=0; i < result.length; ++i) {
1280           result[i] = HtmlQuoting.quoteHtmlChars(unquoteValue[i]);
1281         }
1282         return result;
1283       }
1284 
1285       @SuppressWarnings("unchecked")
1286       @Override
1287       public Map<String, String[]> getParameterMap() {
1288         Map<String, String[]> result = new HashMap<String,String[]>();
1289         Map<String, String[]> raw = rawRequest.getParameterMap();
1290         for (Map.Entry<String,String[]> item: raw.entrySet()) {
1291           String[] rawValue = item.getValue();
1292           String[] cookedValue = new String[rawValue.length];
1293           for(int i=0; i< rawValue.length; ++i) {
1294             cookedValue[i] = HtmlQuoting.quoteHtmlChars(rawValue[i]);
1295           }
1296           result.put(HtmlQuoting.quoteHtmlChars(item.getKey()), cookedValue);
1297         }
1298         return result;
1299       }
1300 
1301       /**
1302        * Quote the url so that users specifying the HOST HTTP header
1303        * can't inject attacks.
1304        */
1305       @Override
1306       public StringBuffer getRequestURL(){
1307         String url = rawRequest.getRequestURL().toString();
1308         return new StringBuffer(HtmlQuoting.quoteHtmlChars(url));
1309       }
1310 
1311       /**
1312        * Quote the server name so that users specifying the HOST HTTP header
1313        * can't inject attacks.
1314        */
1315       @Override
1316       public String getServerName() {
1317         return HtmlQuoting.quoteHtmlChars(rawRequest.getServerName());
1318       }
1319     }
1320 
1321     @Override
1322     public void init(FilterConfig config) throws ServletException {
1323       this.config = config;
1324     }
1325 
1326     @Override
1327     public void destroy() {
1328     }
1329 
1330     @Override
1331     public void doFilter(ServletRequest request,
1332                          ServletResponse response,
1333                          FilterChain chain
1334                          ) throws IOException, ServletException {
1335       HttpServletRequestWrapper quoted =
1336         new RequestQuoter((HttpServletRequest) request);
1337       HttpServletResponse httpResponse = (HttpServletResponse) response;
1338 
1339       String mime = inferMimeType(request);
1340       if (mime == null) {
1341         httpResponse.setContentType("text/plain; charset=utf-8");
1342       } else if (mime.startsWith("text/html")) {
1343         // HTML with unspecified encoding, we want to
1344         // force HTML with utf-8 encoding
1345         // This is to avoid the following security issue:
1346         // http://openmya.hacker.jp/hasegawa/security/utf7cs.html
1347         httpResponse.setContentType("text/html; charset=utf-8");
1348       } else if (mime.startsWith("application/xml")) {
1349         httpResponse.setContentType("text/xml; charset=utf-8");
1350       }
1351       chain.doFilter(quoted, httpResponse);
1352     }
1353 
1354     /**
1355      * Infer the mime type for the response based on the extension of the request
1356      * URI. Returns null if unknown.
1357      */
1358     private String inferMimeType(ServletRequest request) {
1359       String path = ((HttpServletRequest)request).getRequestURI();
1360       ContextHandler.SContext sContext = (ContextHandler.SContext)config.getServletContext();
1361       MimeTypes mimes = sContext.getContextHandler().getMimeTypes();
1362       Buffer mimeBuffer = mimes.getMimeByExtension(path);
1363       return (mimeBuffer == null) ? null : mimeBuffer.toString();
1364     }
1365 
1366   }
1367 
1368 }