Skip to content

[SPARK-56528][CORE] Make Jetty SniHostCheck configurable #55396

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
dongjoon-hyun wants to merge 1 commit into from
Closed

[SPARK-56528][CORE] Make Jetty SniHostCheck configurable #55396

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions core/src/main/scala/org/apache/spark/internal/config/UI.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,16 @@ private[spark] object UI {
.bytesConf(ByteUnit.BYTE)
.createWithDefaultString("8k")

val UI_JETTY_SNI_HOST_CHECK = ConfigBuilder("spark.ui.jetty.sniHostCheckEnabled")
.internal()
.doc("Whether to enable Jetty's SNI host check on the Spark UI HTTPS connector. " +
"Since SPARK-45522 (Jetty 10+), Spark has disabled SNI host check to preserve " +
"backward compatibility with standalone deployments. Set to true to enforce " +
"SNI host checking for stricter security.")
.version("4.2.0")
.booleanConf
.createWithDefault(false)

val UI_TIMELINE_ENABLED = ConfigBuilder("spark.ui.timelineEnabled")
.doc("Whether to display event timeline data on UI pages.")
.version("3.4.0")
Expand Down
6 changes: 4 additions & 2 deletions core/src/main/scala/org/apache/spark/ui/JettyUtils.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -335,9 +335,11 @@ private[spark] object JettyUtils extends Logging {
val securePort = sslOptions.createJettySslContextFactoryServer().map { factory =>

// SPARK-45522: SniHostCheck defaulted to true since Jetty 10,
// this will affect the standalone deployment.
// this will affect the standalone deployment. Exposed via
// spark.ui.jetty.sniHostCheckEnabled so operators can enable
// it when stricter host checking is desired.
val src = new SecureRequestCustomizer()
src.setSniHostCheck(false)
src.setSniHostCheck(conf.get(UI_JETTY_SNI_HOST_CHECK))
httpConfig.addCustomizer(src)

val securePort = sslOptions.port.getOrElse(if (port > 0) Utils.userPort(port, 400) else 0)
Expand Down
1 change: 1 addition & 0 deletions ...c/test/resources/conf/binding-policy-exceptions/configs-without-binding-policy-exceptions
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1189,6 +1189,7 @@ spark.ui.enabled
spark.ui.filters
spark.ui.groupSQLSubExecutionEnabled
spark.ui.heapHistogramEnabled
spark.ui.jetty.sniHostCheckEnabled
spark.ui.jetty.stopTimeout
spark.ui.killEnabled
spark.ui.liveUpdate.minFlushPeriod
Expand Down