
HTTP SSL Verification flag not passed to SpooledSegment class which fails HTTP requests #543

Open
JustinObanor opened this issue Mar 28, 2025 · 1 comment

JustinObanor commented Mar 28, 2025

Expected behavior

SSL Verification flag set to False when initialising a connection to Trino is used in HTTP requests for spooled segments.

Actual behavior

SSL Verification flag set to False when initialising a connection to Trino is not passed to HTTP requests for spooled segments and therefore fails with HTTP SSL errors.

Steps To Reproduce

Configure Trino spooling manager properties

[trino@trino-0 /]$ cat /etc/trino/spooling-manager.properties
spooling-manager.name=filesystem
fs.gcs.enabled=true
fs.location=gs://xyz-base-trino-1/spooling-segments/product

Configure Trino to use Spooling

[trino@trino-0 /]$ cat /etc/trino/config.properties
...TRUNCATED...
protocol.spooling.enabled=true
protocol.spooling.shared-secret-key=<secret-key>
protocol.spooling.retrieval-mode=COORDINATOR_STORAGE_REDIRECT

Initialise a connection to Trino

from trino.dbapi import connect
from xyzplatform.sql import xyzTrinoAuth
import logging
import warnings
import requests

logging.basicConfig()
logging.getLogger().setLevel(logging.DEBUG)

session = requests.Session()
session.verify = False

conn = connect(
    http_scheme="https",
    host="trino.trino",
    port=443,
    catalog="hive",
    schema="tpcds_europe_west1_1000",
    verify=False,
    auth=xyzTrinoAuth(),
    encoding="json+zstd",
    http_session=session,
)

Make a request

warnings.filterwarnings(
    "ignore", message="Unverified HTTPS request is being made to host https"
)

cur = conn.cursor()
cur.execute("SELECT * FROM hive.tpcds_europe_west1_1000.date_dim")
rows = cur.fetchall()

With a debug session, we see Verify is False, which is correct

But right before we make a request to send_spooling_segment, Verify is True, which wasn't expected

Log output

STORAGE mode

ERROR:trino.client:Failed to acknowledge spooling request for segment SpooledSegment(metadata={'segmentSize': 151242, 'uncompressedSize': 1261742, 'rowsCount': 7514, 'expiresAt': '2025-03-29T02:30:56.641', 'rowOffset': 65535}): HTTPSConnectionPool(host='trino.trino-product-primary', port=443): Max retries exceeded with url: /v1/spooled/ack/BknNfrjG9rI6GsNoAlSOKB9yZ6zxt-SyPySruC9HMHI= (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)')))

COORDINATOR_STORAGE_REDIRECT mode

INFO:trino.client:failed after 3 attempts
Traceback (most recent call last):
  File "/opt/conda/envs/python3/lib/python3.11/site-packages/trino/client.py", line 1222, in __next__
    return next(self._rows)
           ^^^^^^^^^^^^^^^^
StopIteration
....TRUNCATED....
  File "/opt/conda/envs/python3/lib/python3.11/site-packages/trino/client.py", line 1226, in __next__
    self._load_next_segment()
  File "/opt/conda/envs/python3/lib/python3.11/site-packages/trino/client.py", line 1239, in _load_next_segment
    self._rows = iter(self._decoder.decode(self._current_segment.segment))
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/conda/envs/python3/lib/python3.11/site-packages/trino/client.py", line 1254, in decode
    return self._decoder.decode(spooled_data.data, spooled_data.metadata)
                                ^^^^^^^^^^^^^^^^^
  File "/opt/conda/envs/python3/lib/python3.11/site-packages/trino/client.py", line 1134, in data
    http_response = self._send_spooling_request(self.uri)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/conda/envs/python3/lib/python3.11/site-packages/trino/client.py", line 1168, in _send_spooling_request
    return self._request._get(uri, headers=headers_with_single_value, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
....TRUNCATED....
  File "/opt/conda/envs/python3/lib/python3.11/site-packages/requests/adapters.py", line 698, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='trino.trino-product-primary', port=443): Max retries exceeded with url: /v1/spooled/download/8lBbwpZIUaXfOYFoXbcdCR9yZ6zxt-SyPySruC9HMHI= (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)')))

Operating System

PRETTY_NAME="Ubuntu 22.04.5 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.5 LTS (Jammy Jellyfish)"

Trino Python client version

0.333.0

Trino Server version

472

Python version

Python 3.11.11

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

@JustinObanor (Author)

I've submitted a PR for this: #546
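
A triage helper for the log output in the issue, added here as an example and not part of the original issue or of the trino-python-client code: it pulls the host, spooling endpoint and verification reason out of `requests` SSLError lines and flags failures on a host other than the one passed to `connect()`. The sample lines are constructed from the format shown above with placeholder segment IDs; `triage` and `summarize` are hypothetical names.

```python
import re
from collections import Counter

# Matches the requests SSLError text in the format shown in the log output above.
SSL_FAILURE = re.compile(
    r"HTTPSConnectionPool\(host='(?P<host>[^']+)', port=(?P<port>\d+)\): "
    r"Max retries exceeded with url: (?P<path>\S+) "
    r"\(Caused by SSLError\(SSLCertVerificationError\(\d+, "
    r"'\[SSL: CERTIFICATE_VERIFY_FAILED\] certificate verify failed: "
    r"(?P<reason>[^(]+?) \("
)
SPOOLED = re.compile(r"/v1/spooled/(?P<op>ack|download)/")

# Constructed sample lines (placeholder segment IDs), not captured output.
_TAIL = (" (Caused by SSLError(SSLCertVerificationError(1, '[SSL: "
         "CERTIFICATE_VERIFY_FAILED] certificate verify failed: "
         "self-signed certificate (_ssl.c:1006)')))")
_POOL = ("HTTPSConnectionPool(host='trino.trino-product-primary', port=443): "
         "Max retries exceeded with url: ")
SAMPLE_LOG = [
    "ERROR:trino.client:Failed to acknowledge spooling request for segment "
    "SpooledSegment(metadata={'rowsCount': 10}): "
    + _POOL + "/v1/spooled/ack/PLACEHOLDER-ID-1" + _TAIL,
    "INFO:trino.client:failed after 3 attempts",
    "requests.exceptions.SSLError: "
    + _POOL + "/v1/spooled/download/PLACEHOLDER-ID-2" + _TAIL,
]

def triage(log_lines, configured_host):
    """Return one finding per certificate-verification failure in log_lines."""
    findings = []
    for line in log_lines:
        m = SSL_FAILURE.search(line)
        if not m:
            continue  # not a TLS verification failure
        op = SPOOLED.match(m["path"])
        findings.append({
            "host": m["host"],
            "port": int(m["port"]),
            "endpoint": f"spooled/{op['op']}" if op else "other",
            "reason": m["reason"],
            # Segment URIs may point at a host other than the connect() host.
            "host_differs": m["host"] != configured_host,
        })
    return findings

def summarize(findings):
    """Count failures per (endpoint, host, reason) to show where they cluster."""
    return Counter((f["endpoint"], f["host"], f["reason"]) for f in findings)
```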
