HBASE-27812 Provide option in HBase UI to disable stack trace for security (#5205)

ydodeja365 · web-flow · commit cf9684de445c · 2023-05-21T19:46:10.000+08:00
Signed-off-by: Duo Zhang &lt;zhangduo@apache.org&gt;
diff --git a/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java b/hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java
@@ -81,6 +81,7 @@
 import org.apache.hbase.thirdparty.org.eclipse.jetty.server.ServerConnector;
 import org.apache.hbase.thirdparty.org.eclipse.jetty.server.SslConnectionFactory;
 import org.apache.hbase.thirdparty.org.eclipse.jetty.server.handler.ContextHandlerCollection;
+import org.apache.hbase.thirdparty.org.eclipse.jetty.server.handler.ErrorHandler;
 import org.apache.hbase.thirdparty.org.eclipse.jetty.server.handler.HandlerCollection;
 import org.apache.hbase.thirdparty.org.eclipse.jetty.server.handler.RequestLogHandler;
 import org.apache.hbase.thirdparty.org.eclipse.jetty.server.handler.gzip.GzipHandler;
@@ -153,6 +154,7 @@ public class HttpServer implements FilterContainer {
   public static final String SPNEGO_PROXYUSER_FILTER = "SpnegoProxyUserFilter";
   public static final String NO_CACHE_FILTER = "NoCacheFilter";
   public static final String APP_DIR = "webapps";
+  public static final String HTTP_UI_SHOW_STACKTRACE_KEY = "hbase.ui.show-stack-traces";
 
   public static final String METRIC_SERVLETS_CONF_KEY = "hbase.http.metrics.servlets";
   public static final String[] METRICS_SERVLETS_DEFAULT = { "jmx", "metrics", "prometheus" };
@@ -652,6 +654,14 @@ private void initializeWebServer(String name, String hostName, Configuration con
         addFilterPathMapping(path, webAppContext);
       }
     }
+    // Check if disable stack trace property is configured
+    if (!conf.getBoolean(HTTP_UI_SHOW_STACKTRACE_KEY, true)) {
+      // Disable stack traces for server errors in UI
+      webServer.setErrorHandler(new ErrorHandler());
+      webServer.getErrorHandler().setShowStacks(false);
+      // Disable stack traces for web app errors in UI
+      webAppContext.getErrorHandler().setShowStacks(false);
+    }
   }
 
   private void addManagedListener(ServerConnector connector) {
diff --git a/src/main/asciidoc/_chapters/security.adoc b/src/main/asciidoc/_chapters/security.adoc
@@ -261,6 +261,15 @@ Users who wish to change this would set the following in their hbase-site.xml:
 </property>
 ----
 
+To disable showing stack traces in HBase UI for hiding sensitive information, set the following in hbase-site:
+[source,xml]
+----
+<property>
+  <name>hbase.ui.show-stack-traces</name>
+  <value>false</value>
+</property>
+----
+
 [[hbase.secure.configuration]]
 == Secure Client Access to Apache HBase
 
