[SPARK-54293][SQL] Make ThriftHttpCLIService SNI host check configurable#55308
Closed
yadavay-amzn wants to merge 4 commits into
Closed
[SPARK-54293][SQL] Make ThriftHttpCLIService SNI host check configurable#55308yadavay-amzn wants to merge 4 commits into
yadavay-amzn wants to merge 4 commits into
Conversation
yadavay-amzn
force-pushed
the
fix/SPARK-54293-sni-host-check
branch
2 times, most recently
from
1a3a880 to
1f7e24c
Compare
Contributor
Author
|
@LuciferYang Could you take a look when you get a chance? Thanks! |
LuciferYang
reviewed
May 5, 2026
| Arrays.toString(sslContextFactoryServer.getExcludeProtocols())); | ||
| sslContextFactoryServer.setKeyStorePath(keyStorePath); | ||
| sslContextFactoryServer.setKeyStorePassword(keyStorePassword); | ||
| // SPARK-54293: Disable SNI host check, which defaults to true since Jetty 10. |
Member
|
can we follow SPARK-56528 (#55396) to make it configurable? |
yadavay-amzn
added a commit
to yadavay-amzn/spark
that referenced
this pull request
May 6, 2026
Address review feedback from @pan3793 (PR apache#55308): follow the pattern established in SPARK-56528 and make the SNI host check configurable rather than unconditionally disabled. Introduces spark.sql.hive.thriftServer.http.sniHostCheckEnabled (default: false, preserving the behavior from the first commit on this branch). Operators who want stricter host checking for security can opt in by setting the flag to true.
yadavay-amzn
force-pushed
the
fix/SPARK-54293-sni-host-check
branch
2 times, most recently
from
63c708a to
2a05403
Compare
yadavay-amzn
added a commit
to yadavay-amzn/spark
that referenced
this pull request
May 11, 2026
Address review feedback from @pan3793 (PR apache#55308): follow the pattern established in SPARK-56528 and make the SNI host check configurable rather than unconditionally disabled. Introduces spark.sql.hive.thriftServer.http.sniHostCheckEnabled (default: false, preserving the behavior from the first commit on this branch). Operators who want stricter host checking for security can opt in by setting the flag to true.
Contributor
Author
|
Done — updated to follow the SPARK-56528 pattern. Added |
pan3793
approved these changes
May 11, 2026
pan3793
reviewed
May 11, 2026
| "connector. Since SPARK-45522 (Jetty 10+), Spark has disabled SNI host check to " + | ||
| "preserve backward compatibility. Set to true to enforce SNI host checking for " + | ||
| "stricter security. See SPARK-54293.") | ||
| .version("4.2.0") |
Member
There was a problem hiding this comment.
code change lgtm, this requires a PMC member to justify whether to include this in 4.2 as a late-arriving feature.
yadavay-amzn
added a commit
to yadavay-amzn/spark
that referenced
this pull request
May 11, 2026
Address review feedback from @pan3793 (PR apache#55308): follow the pattern established in SPARK-56528 and make the SNI host check configurable rather than unconditionally disabled. Introduces spark.sql.hive.thriftServer.http.sniHostCheckEnabled (default: false, preserving the behavior from the first commit on this branch). Operators who want stricter host checking for security can opt in by setting the flag to true.
yadavay-amzn
force-pushed
the
fix/SPARK-54293-sni-host-check
branch
from
2a05403 to
b648511
Compare
Contributor
Author
|
Updated |
Contributor
Author
|
@pan3793 Gentle reminder, could you please take a look when you get a chance and see if this PR is ready to merge? |
Disable SNI host check in ThriftHttpCLIService's Jetty SSL connector, consistent with the fix applied to JettyUtils.scala in SPARK-45522. Since Jetty 10, SniHostCheck defaults to true. This was fixed in the Spark UI server but not in ThriftHttpCLIService, which also creates a Jetty server with SSL support. Note: RestSubmissionServer (also mentioned in the JIRA) does not have SSL support, so it does not need this fix.
yadavay-amzn
added a commit
to yadavay-amzn/spark
that referenced
this pull request
May 18, 2026
Address review feedback from @pan3793 (PR apache#55308): follow the pattern established in SPARK-56528 and make the SNI host check configurable rather than unconditionally disabled. Introduces spark.sql.hive.thriftServer.http.sniHostCheckEnabled (default: false, preserving the behavior from the first commit on this branch). Operators who want stricter host checking for security can opt in by setting the flag to true.
yadavay-amzn
force-pushed
the
fix/SPARK-54293-sni-host-check
branch
from
b648511 to
8b88fe0
Compare
pan3793
reviewed
May 18, 2026
Comment on lines
+131
to
+132
| "stricter security. See SPARK-54293.") | ||
| .version("5.0.0") |
Member
There was a problem hiding this comment.
as default value does not change the current behavior, we can deliver this in 4.3.0. and it's not necessary to mention which JIRA ticket added the config in doc.
Suggested change
| "stricter security. See SPARK-54293.") | |
| .version("5.0.0") | |
| "stricter security.") | |
| .version("4.3.0") |
Address review feedback from @pan3793 (PR apache#55308): follow the pattern established in SPARK-56528 and make the SNI host check configurable rather than unconditionally disabled. Introduces spark.sql.hive.thriftServer.http.sniHostCheckEnabled (default: false, preserving the behavior from the first commit on this branch). Operators who want stricter host checking for security can opt in by setting the flag to true.
yadavay-amzn
force-pushed
the
fix/SPARK-54293-sni-host-check
branch
from
8b88fe0 to
49892b4
Compare
Contributor
Author
|
Done, removed JIRA references from the doc string and updated version to 4.3.0. Thanks @pan3793! |
pan3793
reviewed
May 18, 2026
Member
|
PR title needs to be updated. |
Co-authored-by: Cheng Pan <pan3793@gmail.com>
yadavay-amzn
changed the title
Contributor
Author
|
@pan3793 Sorry for not applying the recommended change as is earlier, I used the apply suggestion button this time to do so. |
pan3793
approved these changes
May 19, 2026
pan3793
left a comment
pan3793
left a comment
Member
There was a problem hiding this comment.
LGTM, will leave this open for another one day before merging.
pan3793
pushed a commit
that referenced
this pull request
May 21, 2026
### What changes were proposed in this pull request? Make the SNI host check in `ThriftHttpCLIService` configurable via `spark.sql.hive.thriftServer.http.sniHostCheckEnabled`, following the same pattern as SPARK-56528 which made it configurable for the Spark UI. ### Why are the changes needed? SPARK-45522 (Jetty 10+ upgrade) silently enabled SNI host checking, which causes HTTPS connection failures when the certificate CN does not match the hostname. This was made configurable in the Spark UI server (SPARK-56528) but `ThriftHttpCLIService` had no way to disable it. This PR adds the same configurability: default `true` (preserving the current SPARK-45522 behavior), with the option to set `false` to restore pre-SPARK-45522 behavior. ### Does this PR introduce _any_ user-facing change? A new internal configuration `spark.sql.hive.thriftServer.http.sniHostCheckEnabled` (default: `true`) is added. Users who need to disable SNI host checking can set it to `false`. ### How was this patch tested? Added `ThriftHttpCLIServiceSuite` with 3 tests: - SNI host check enabled by default - SNI host check disabled when configured - Jetty 10+ default behavior verification ### Was this patch authored or co-authored using generative AI tooling? Yes Closes #55308 from yadavay-amzn/fix/SPARK-54293-sni-host-check. Authored-by: Anupam Yadav <anupamya@amazon.com> Signed-off-by: Cheng Pan <chengpan@apache.org> (cherry picked from commit fa1373e) Signed-off-by: Cheng Pan <chengpan@apache.org>
Member
|
thanks, merged to master/4.x |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
Make the SNI host check in
ThriftHttpCLIServiceconfigurable viaspark.sql.hive.thriftServer.http.sniHostCheckEnabled, following the same pattern as SPARK-56528 which made it configurable for the Spark UI.Why are the changes needed?
SPARK-45522 (Jetty 10+ upgrade) silently enabled SNI host checking, which causes HTTPS connection failures when the certificate CN does not match the hostname. This was made configurable in the Spark UI server (SPARK-56528) but
ThriftHttpCLIServicehad no way to disable it.This PR adds the same configurability: default
true(preserving the current SPARK-45522 behavior), with the option to setfalseto restore pre-SPARK-45522 behavior.Does this PR introduce any user-facing change?
A new internal configuration
spark.sql.hive.thriftServer.http.sniHostCheckEnabled(default:true) is added. Users who need to disable SNI host checking can set it tofalse.How was this patch tested?
Added
ThriftHttpCLIServiceSuitewith 3 tests:Was this patch authored or co-authored using generative AI tooling?
Yes