[SPARK-45522][BUILD][CORE][SQL][UI] Migrate from Jetty 9 to Jetty 10#43765
[SPARK-45522][BUILD][CORE][SQL][UI] Migrate from Jetty 9 to Jetty 10#43765HiuKwok wants to merge 19 commits into
Conversation
HiuKwok
force-pushed
the
ft-hf-SPARK-45522-jetty-upgradte
branch
from
0df2668 to
59809f6
Compare
HiuKwok
changed the title
|
Checking the build failure |
|
[error] /home/runner/work/spark/spark/core/src/test/scala/org/apache/spark/ui/UISuite.scala:415: File line length exceeds 100 characters |
|
I have fixed the code style and other miscellaneous linter errors, right now I'm investigating the Python test case fail, for PySpark connect. |
|
This is a good step - we should try to get to Jetty 11 next before Spark 4, or even Jetty 12 |
LuciferYang
changed the title
Co-authored-by: Kent Yao <yao@apache.org>
Co-authored-by: YangJie <yangjie01@baidu.com>
|
Resolved all comments. |
|
Merged to master |
|
@srowen @dongjoon-hyun @LuciferYang @yaooqinn @cloud-fan @HiuKwok Unfortunately, we identified the compatibility issue on Jetty 11, and it is likely to revert Jetty 11 upgrading, see details in SPARK-48238. If we downgrade Jetty, which version we want to keep, 9 or 10? I would prefer 9, because I think
jetty/jetty.project#10103 (comment)
|
+1 for 9.x |
Agree. |
|
Thanks for the discussion here! @HiuKwok are you going to do the revert work? If not please let us know and we can help. |
### What changes were proposed in this pull request? As a part of [SPARK-55556: Improve Web Security](https://issues.apache.org/jira/browse/SPARK-55556), this PR introduces a new configuration `spark.ui.jetty.sniHostCheckEnabled` that controls Jetty's SNI host check on the Spark UI HTTPS connector. `sniHostCheck` is recommended by Jetty community as we can see that the default value of Jetty is `true` already. The previously Spark-side hardcoded `SecureRequestCustomizer.setSniHostCheck(false)` call in `JettyUtils` is replaced with a value driven by this configuration. The default value is `false`, preserving the existing behavior introduced in SPARK-45522. - #43765 ### Why are the changes needed? In the Jetty usage, `jetty.ssl.sniHostCheck=false` is supposed to override the default behavior. However, since SPARK-45522 (Jetty 10+), Spark has set `SniHostCheck` to `false` strictly to preserve backward compatibility with standalone deployments. Operators who want stricter host checking for security have no way to enable it without patching source. Exposing this as a configuration lets users opt in to SNI host checking when desired. ### Does this PR introduce _any_ user-facing change? No. A new configuration `spark.ui.jetty.sniHostCheckEnabled` (default: `false`) is added in Spark 4.2.0. The default preserves the current behavior, so existing deployments are unaffected. ### How was this patch tested? Pass the CIs. ### Was this patch authored or co-authored using generative AI tooling? Generated-by: Claude Code (Opus 4.7) Closes #55396 from dongjoon-hyun/dongjoon/pensive-hugle-48097c. Authored-by: Dongjoon Hyun <dongjoon@apache.org> Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
6 participants
What changes were proposed in this pull request?
This is an upgrade ticket to bump the Jetty version from 9 to 10.
This PR aims to bring incremental Jetty upgrades to Spark, as Jetty 9 support already reached EOL.
Why are the changes needed?
Jetty 9 is already beyond EOL, which means that we won't receive any security fix onward for Spark.
Does this PR introduce any user-facing change?
No, SNI host check is now defaulted to true on embedded Jetty, hence set it back to false to maintain backward compatibility.
Despite the redirect behaviour changed for trailing /, but modern browser should be able to pick up the 302 status code and perform redirect accordingly, hence there is no impact on user level.
How was this patch tested?
Junit test case.
Was this patch authored or co-authored using generative AI tooling?
No