IMPALA-8407: Warn when Impala shell fails to connect due to tlsv1.2
When impala-shell is used to connect to an impala cluster with
--ssl_minimum_version=tlsv1.2, if the Python version being used is
< 2.7.9 the connection will fail due to a limitation of TSSLSocket.
See IMPALA-6990 for more details.

Currently, when this occurs, the error that gets printed is "EOF
occurred in violation of protocol", which is not very helpful. This
patch detects this situation and prints a more informative warning.

Testing:
- Updated test_tls_v12 so that instead of being skipped on affected
  platforms, it runs and checks for the presence of the warning.

Change-Id: I3feddaccb9be3a15220ce9e59aa7ed41d41b8ab6
Reviewed-on: http://gerrit.cloudera.org:8080/13003
Reviewed-by: Thomas Marshall <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
Reviewed-on: https://gerrit.sjc.cloudera.com/c/cdh/impala/+/49584
Tested-by: Jenkins User <[email protected]>
Reviewed-by: Laszlo Gaal <[email protected]>
CDH-Build: Laszlo Gaal <[email protected]>
Quasar-L0: Laszlo Gaal <[email protected]>
twmarshall authored and gaallas committed Jun 21, 2019
1 parent 74814b0 commit 38ba150
Showing 2 changed files with 10 additions and 3 deletions.
3 changes: 3 additions & 0 deletions shell/impala_shell.py
Expand Up @@ -840,6 +840,9 @@ def _connect(self):
self.ldap_password.endswith('\n'):
print_to_stderr("Warning: LDAP password contains a trailing newline. "
"Did you use 'echo' instead of 'echo -n'?")
if self.use_ssl and sys.version_info < (2,7,9) \
and "EOF occurred in violation of protocol" in str(e):
print_to_stderr("Warning: TLSv1.2 is not supported for Python < 2.7.9")
print_to_stderr("Error connecting: %s, %s" % (type(e).__name__, e))
# A secure connection may still be open. So we explicitly close it.
self.imp_client.close_connection()
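Review bot: The new condition in _connect treats every "EOF occurred in violation of protocol" seen with SSL enabled on Python < 2.7.9 as a TLSv1.2 problem, but the check only knows the interpreter version and the error text, so the warning states a cause it has not confirmed. Consider wording it as the likely cause and naming the remedy, for example "Warning: the server may require TLSv1.2, which is not supported for Python < 2.7.9; upgrade Python to connect". Two smaller points: `(2,7,9)` is missing spaces after the commas, and the version is written out twice (in the tuple and in the message string) while the test already has REQUIRED_MIN_PYTHON_VERSION_FOR_TLSV12; a shared constant would keep the three in sync.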
10 changes: 7 additions & 3 deletions tests/custom_cluster/test_client_ssl.py
Expand Up @@ -165,10 +165,14 @@ def test_tls_ecdh(self, vector):
statestored_args=TLS_V12_ARGS,
catalogd_args=TLS_V12_ARGS)
@pytest.mark.skipif(SKIP_SSL_MSG is not None, reason=SKIP_SSL_MSG)
@pytest.mark.skipif(sys.version_info < REQUIRED_MIN_PYTHON_VERSION_FOR_TLSV12, \
reason="Python version too old to allow Thrift client to use TLSv1.2")
def test_tls_v12(self, vector):
self._validate_positive_cases("%s/server-cert.pem" % self.CERT_DIR)
if sys.version_info < REQUIRED_MIN_PYTHON_VERSION_FOR_TLSV12:
result = run_impala_shell_cmd_no_expect(
"--ssl -q 'select 1 + 2'", wait_until_connected=False)
assert "Warning: TLSv1.2 is not supported for Python < 2.7.9" in result.stderr, \
result.stderr
else:
self._validate_positive_cases("%s/server-cert.pem" % self.CERT_DIR)

@pytest.mark.execute_serially
@CustomClusterTestSuite.with_args(impalad_args=SSL_WILDCARD_ARGS,
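Review bot: In the Python < 2.7.9 branch of test_tls_v12 the only assertion is that the warning text appears in result.stderr, so the test never confirms that the connection attempt actually failed. The shell prints "Error connecting: ..." immediately after the warning, so also assert that "Error connecting" is in result.stderr. The expected warning string is copied verbatim from impala_shell.py; a short comment pointing at that line would help whoever changes the message later.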