Posted to commits@hbase.apache.org by el...@apache.org on 2017/11/02 04:47:05 UTC
[3/4] hbase git commit: HBASE-19118 Use SaslUtil to set Sasl.QOP in
'Thrift'
HBASE-19118 Use SaslUtil to set Sasl.QOP in 'Thrift'
Signed-off-by: Josh Elser <el...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/01cb1d99
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/01cb1d99
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/01cb1d99
Branch: refs/heads/branch-1
Commit: 01cb1d99b722bb8dc017726a77e532bfc9a1a6e9
Parents: 61753bd
Author: Reid Chan <re...@outlook.com>
Authored: Mon Oct 30 17:25:59 2017 +0800
Committer: Josh Elser <el...@apache.org>
Committed: Thu Nov 2 00:42:03 2017 -0400
----------------------------------------------------------------------
.../apache/hadoop/hbase/security/SaslUtil.java | 2 +-
.../hadoop/hbase/thrift/ThriftServerRunner.java | 24 +++++++++++++-------
.../hadoop/hbase/thrift2/ThriftServer.java | 5 +---
3 files changed, 18 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/01cb1d99/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
index aaa9d7a..54c1701 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
@@ -97,7 +97,7 @@ public class SaslUtil {
* @param rpcProtection Value of 'hbase.rpc.protection' configuration.
* @return Map with values for SASL properties.
*/
- static Map<String, String> initSaslProperties(String rpcProtection) {
+ public static Map<String, String> initSaslProperties(String rpcProtection) {
String saslQop;
if (rpcProtection.isEmpty()) {
saslQop = QualityOfProtection.AUTHENTICATION.getSaslQop();
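Review bot: The Javadoc above the signature still describes `rpcProtection` only as the value of 'hbase.rpc.protection', but now that the method is public the Thrift servers in this commit pass `qop.name()` to it. The parameter doc should say so, for example `@param rpcProtection QOP setting to translate (the 'hbase.rpc.protection' value or a QualityOfProtection name); must not be null`. The non-null requirement follows from the unguarded `rpcProtection.isEmpty()` in the first branch. The rest of the method body lies outside the hunk.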
http://git-wip-us.apache.org/repos/asf/hbase/blob/01cb1d99/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
index 90b9c5c..6d1dde8 100644
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
@@ -81,6 +81,8 @@ import org.apache.hadoop.hbase.filter.ParseFilter;
import org.apache.hadoop.hbase.filter.PrefixFilter;
import org.apache.hadoop.hbase.filter.WhileMatchFilter;
import org.apache.hadoop.hbase.jetty.SslSelectChannelConnectorSecure;
+import org.apache.hadoop.hbase.security.SaslUtil;
+import org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection;
import org.apache.hadoop.hbase.security.SecurityUtil;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.thrift.CallQueue.Call;
@@ -197,7 +199,7 @@ public class ThriftServerRunner implements Runnable {
private final HBaseHandler hbaseHandler;
private final UserGroupInformation realUser;
- private final String qop;
+ private SaslUtil.QualityOfProtection qop;
private String host;
private final boolean securityEnabled;
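Review bot: `qop` loses `final` here only because the constructor now assigns it inside an `if`. A single unconditional assignment such as `this.qop = strQop != null ? SaslUtil.getQop(strQop) : null;` would let the field stay `private final QualityOfProtection qop;`. The nested type is already imported in the import hunk, so the `SaslUtil.` qualifier is unnecessary. Keeping the configured protection level immutable after construction makes it easier to reason about which QOP the SASL transport was built with.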
@@ -324,7 +326,10 @@ public class ThriftServerRunner implements Runnable {
this.handler = HbaseHandlerMetricsProxy.newInstance(
hbaseHandler, metrics, conf);
this.realUser = userProvider.getCurrent().getUGI();
- qop = conf.get(THRIFT_QOP_KEY);
+ String strQop = conf.get(THRIFT_QOP_KEY);
+ if (strQop != null) {
+ this.qop = SaslUtil.getQop(strQop);
+ }
doAsEnabled = conf.getBoolean(THRIFT_SUPPORT_PROXYUSER, false);
if (doAsEnabled) {
if (!conf.getBoolean(USE_HTTP_CONF_KEY, false)) {
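Review bot: Whether a mistyped `THRIFT_QOP_KEY` value fails startup now depends entirely on what `SaslUtil.getQop(strQop)` does with an unrecognised string, and its body is not part of this diff. If it can return null, the `qop != null` gate in the next hunk would treat a bad value the same as an unset key, which would presumably leave the server without the protection level the operator asked for. If it throws, the failure no longer comes from the `IOException` raised by the old validation. Once the behaviour is confirmed, a comment on the assignment would help, e.g. `// getQop rejects unknown values; qop stays null only when the key is unset`. The constructor body continues outside the hunk.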
@@ -332,10 +337,14 @@ public class ThriftServerRunner implements Runnable {
}
}
if (qop != null) {
- if (!qop.equals("auth") && !qop.equals("auth-int")
- && !qop.equals("auth-conf")) {
- throw new IOException("Invalid " + THRIFT_QOP_KEY + ": " + qop
- + ", it must be 'auth', 'auth-int', or 'auth-conf'");
+ if (qop != QualityOfProtection.AUTHENTICATION &&
+ qop != QualityOfProtection.INTEGRITY &&
+ qop != QualityOfProtection.PRIVACY) {
+ throw new IOException(String.format("Invalide %s: It must be one of %s, %s, or %s.",
+ THRIFT_QOP_KEY,
+ QualityOfProtection.AUTHENTICATION.name(),
+ QualityOfProtection.INTEGRITY.name(),
+ QualityOfProtection.PRIVACY.name()));
}
if (!securityEnabled) {
throw new IOException("Thrift server must"
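Review bot: The new exception text misspells "Invalid" as `Invalide` and no longer includes the rejected value, which the old message did. Because `qop` is already a `QualityOfProtection` here, the three-way `!=` comparison can only fail if the enum has constants beyond the three named, which is not visible on this page. The branch is therefore probably unreachable, and the message would be better produced where the string is parsed. If the check stays, `String.format("Invalid %s: %s. It must be one of %s, %s, or %s.", THRIFT_QOP_KEY, qop, ...)` restores the value. The enclosing block continues past the end of the hunk.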
@@ -482,8 +491,7 @@ public class ThriftServerRunner implements Runnable {
// Extract the name from the principal
String name = SecurityUtil.getUserFromPrincipal(
conf.get("hbase.thrift.kerberos.principal"));
- Map<String, String> saslProperties = new HashMap<String, String>();
- saslProperties.put(Sasl.QOP, qop);
+ Map<String, String> saslProperties = SaslUtil.initSaslProperties(qop.name());
TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties,
new SaslGssCallbackHandler() {
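Review bot: `qop.name()` dereferences a field the constructor leaves null when `THRIFT_QOP_KEY` is unset, and the null guard for this path is not visible in the hunk. The matching thrift2 `ThriftServer.java` hunk does show its `qop == null` branch. The call also round-trips an already-parsed enum through a string parser whose Javadoc describes an 'hbase.rpc.protection' value. The GSSAPI server definition now receives whatever that helper puts in the map rather than a map built here with `Sasl.QOP` alone. A comment such as `// qop is non-null here; initSaslProperties re-parses the name and builds the SASL property map` would document both assumptions, and the same applies to the identical line in thrift2/ThriftServer.java.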
http://git-wip-us.apache.org/repos/asf/hbase/blob/01cb1d99/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
index e1cb2b9..24bff56 100644
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
@@ -23,7 +23,6 @@ import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.security.PrivilegedAction;
-import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ExecutorService;
@@ -35,7 +34,6 @@ import java.util.concurrent.TimeUnit;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
-import javax.security.sasl.Sasl;
import javax.security.sasl.SaslServer;
import org.apache.commons.cli.CommandLine;
@@ -197,8 +195,7 @@ public class ThriftServer {
} else if (qop == null) {
return new TTransportFactory();
} else {
- Map<String, String> saslProperties = new HashMap<String, String>();
- saslProperties.put(Sasl.QOP, qop.getSaslQop());
+ Map<String, String> saslProperties = SaslUtil.initSaslProperties(qop.name());
TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties,
new SaslGssCallbackHandler() {