Posted to commits@hbase.apache.org by ap...@apache.org on 2015/10/03 03:14:37 UTC
[2/6] hbase git commit: HBASE-13770 Programmatic JAAS configuration
option for secure zookeeper may be broken
HBASE-13770 Programmatic JAAS configuration option for secure zookeeper may be broken
Signed-off-by: Andrew Purtell <ap...@apache.org>
Conflicts:
hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/373c75dd
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/373c75dd
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/373c75dd
Branch: refs/heads/branch-1
Commit: 373c75dde654ad280c248928d2e2a1f35dede717
Parents: d7c7cc8
Author: smaddineni <sm...@salesforce.com>
Authored: Tue Sep 22 11:19:14 2015 +0530
Committer: Andrew Purtell <ap...@apache.org>
Committed: Fri Oct 2 18:00:47 2015 -0700
----------------------------------------------------------------------
.../hadoop/hbase/zookeeper/HQuorumPeer.java | 18 +++++-----
.../apache/hadoop/hbase/zookeeper/ZKUtil.java | 5 ++-
.../org/apache/hadoop/hbase/HConstants.java | 10 ++++++
.../hadoop/hbase/master/HMasterCommandLine.java | 4 +--
.../hbase/regionserver/HRegionServer.java | 4 +--
.../hbase/zookeeper/TestZooKeeperACL.java | 38 +++++++++++++++++++-
6 files changed, 64 insertions(+), 15 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/373c75dd/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
index f0d6ba2..738c9c2 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
@@ -18,10 +18,15 @@
*/
package org.apache.hadoop.hbase.zookeeper;
-import org.apache.hadoop.hbase.classification.InterfaceAudience;
-import org.apache.hadoop.hbase.classification.InterfaceStability;
+import static org.apache.hadoop.hbase.HConstants.DEFAULT_ZK_SESSION_TIMEOUT;
+import static org.apache.hadoop.hbase.HConstants.ZK_SESSION_TIMEOUT;
+
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.hbase.HConstants;
+import org.apache.hadoop.hbase.classification.InterfaceAudience;
+import org.apache.hadoop.hbase.classification.InterfaceStability;
import org.apache.hadoop.hbase.util.Strings;
import org.apache.hadoop.net.DNS;
import org.apache.hadoop.util.StringUtils;
@@ -42,11 +47,6 @@ import java.util.List;
import java.util.Map.Entry;
import java.util.Properties;
-import static org.apache.hadoop.hbase.HConstants.DEFAULT_ZK_SESSION_TIMEOUT;
-import static org.apache.hadoop.hbase.HConstants.ZK_SESSION_TIMEOUT;
-import org.apache.hadoop.hbase.classification.InterfaceAudience;
-import org.apache.hadoop.hbase.classification.InterfaceStability;
-import org.apache.hadoop.hbase.HBaseInterfaceAudience;
/**
* HBase's version of ZooKeeper's QuorumPeer. When HBase is set to manage
@@ -72,8 +72,8 @@ public class HQuorumPeer {
zkConfig.parseProperties(zkProperties);
// login the zookeeper server principal (if using security)
- ZKUtil.loginServer(conf, "hbase.zookeeper.server.keytab.file",
- "hbase.zookeeper.server.kerberos.principal",
+ ZKUtil.loginServer(conf, HConstants.ZK_SERVER_KEYTAB_FILE,
+ HConstants.ZK_SERVER_KERBEROS_PRINCIPAL,
zkConfig.getClientPortAddress().getHostName());
runZKServer(zkConfig);
http://git-wip-us.apache.org/repos/asf/hbase/blob/373c75dd/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index 97b86a6..c4c9819 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -1005,7 +1005,10 @@ public class ZKUtil {
&& testConfig.getAppConfigurationEntry(
JaasConfiguration.CLIENT_KEYTAB_KERBEROS_CONFIG_NAME) == null
&& testConfig.getAppConfigurationEntry(
- JaasConfiguration.SERVER_KEYTAB_KERBEROS_CONFIG_NAME) == null) {
+ JaasConfiguration.SERVER_KEYTAB_KERBEROS_CONFIG_NAME) == null
+ && conf.get(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL) == null
+ && conf.get(HConstants.ZK_SERVER_KERBEROS_PRINCIPAL) == null) {
+
return false;
}
} catch(Exception e) {
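Review bot: The two added conditions look only at the principal keys, so a configuration that sets a principal without its keytab file, or sets it to an empty string, now skips this early `return false`. Whether a Kerberos login actually happens in that case is not visible in this hunk, so the method may report a secure ZooKeeper when no login took place; that is worth checking against the code that picks znode ACLs from this result. Consider treating an incomplete pair as unset, e.g. `&& (conf.get(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL) == null || conf.get(HConstants.ZK_CLIENT_KEYTAB_FILE) == null)`, with the same form for the server pair. The blank line added before `return false;` can be dropped. The enclosing method starts before this hunk and continues past it.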
http://git-wip-us.apache.org/repos/asf/hbase/blob/373c75dd/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
----------------------------------------------------------------------
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
index 64bd8c5..a5c1d5c 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
@@ -1231,6 +1231,16 @@ public final class HConstants {
public static final String HBASE_CANARY_WRITE_TABLE_CHECK_PERIOD_KEY =
"hbase.canary.write.table.check.period";
+
+ /**
+ * Configuration keys for programmatic JAAS configuration for secured ZK interaction
+ */
+ public static final String ZK_CLIENT_KEYTAB_FILE = "hbase.zookeeper.client.keytab.file";
+ public static final String ZK_CLIENT_KERBEROS_PRINCIPAL =
+ "hbase.zookeeper.client.kerberos.principal";
+ public static final String ZK_SERVER_KEYTAB_FILE = "hbase.zookeeper.server.keytab.file";
+ public static final String ZK_SERVER_KERBEROS_PRINCIPAL =
+ "hbase.zookeeper.server.kerberos.principal";
private HConstants() {
// Can't be instantiated with this ctor.
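Review bot: The single Javadoc block attaches only to `ZK_CLIENT_KEYTAB_FILE`, so the other three constants end up undocumented in the generated docs. Give each constant its own one-line comment, for example `/** Path to the keytab file used for the ZooKeeper client login. */` and `/** Kerberos principal used for the ZooKeeper server login. */`. It would also help operators to state that the keytab values are filesystem paths to credential files, which should be readable only by the account running HBase.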
http://git-wip-us.apache.org/repos/asf/hbase/blob/373c75dd/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
index d6b436c..7e9a5cd 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
@@ -198,8 +198,8 @@ public class HMasterCommandLine extends ServerCommandLine {
}
// login the zookeeper server principal (if using security)
- ZKUtil.loginServer(conf, "hbase.zookeeper.server.keytab.file",
- "hbase.zookeeper.server.kerberos.principal", null);
+ ZKUtil.loginServer(conf, HConstants.ZK_SERVER_KEYTAB_FILE,
+ HConstants.ZK_SERVER_KERBEROS_PRINCIPAL, null);
int localZKClusterSessionTimeout =
conf.getInt(HConstants.ZK_SESSION_TIMEOUT + ".localHBaseCluster", 10*1000);
conf.setInt(HConstants.ZK_SESSION_TIMEOUT, localZKClusterSessionTimeout);
http://git-wip-us.apache.org/repos/asf/hbase/blob/373c75dd/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
index b0eb3bc..7bd13dd 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
@@ -544,8 +544,8 @@ public class HRegionServer extends HasThread implements
rpcRetryingCallerFactory = RpcRetryingCallerFactory.instantiate(this.conf);
// login the zookeeper client principal (if using security)
- ZKUtil.loginClient(this.conf, "hbase.zookeeper.client.keytab.file",
- "hbase.zookeeper.client.kerberos.principal", hostName);
+ ZKUtil.loginClient(this.conf, HConstants.ZK_CLIENT_KEYTAB_FILE,
+ HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL, hostName);
// login the server principal (if using secure Hadoop)
login(userProvider, hostName);
http://git-wip-us.apache.org/repos/asf/hbase/blob/373c75dd/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
index 26bba14..954c5d2 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
@@ -25,6 +25,8 @@ import java.io.FileWriter;
import java.io.IOException;
import java.util.List;
+import javax.security.auth.login.AppConfigurationEntry;
+
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
@@ -33,7 +35,6 @@ import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Stat;
-
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
@@ -283,5 +284,40 @@ public class TestZooKeeperACL {
assertEquals(testJaasConfig, false);
saslConfFile.delete();
}
+
+ /**
+ * Check if Programmatic way of setting zookeeper security settings is valid.
+ */
+ @Test
+ public void testIsZooKeeperSecureWithProgrammaticConfig() throws Exception {
+
+ javax.security.auth.login.Configuration.setConfiguration(new DummySecurityConfiguration());
+
+ Configuration config = new Configuration(HBaseConfiguration.create());
+ boolean testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+ assertEquals(testJaasConfig, false);
+
+ // Now set authentication scheme to Kerberos still it should return false
+ // because no configuration set
+ config.set("hbase.security.authentication", "kerberos");
+ testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+ assertEquals(testJaasConfig, false);
+
+ // Now set programmatic options related to security
+ config.set(HConstants.ZK_CLIENT_KEYTAB_FILE, "/dummy/file");
+ config.set(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL, "dummy");
+ config.set(HConstants.ZK_SERVER_KEYTAB_FILE, "/dummy/file");
+ config.set(HConstants.ZK_SERVER_KERBEROS_PRINCIPAL, "dummy");
+ testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+ assertEquals(true, testJaasConfig);
+ }
+
+ private static class DummySecurityConfiguration extends javax.security.auth.login.Configuration {
+ @Override
+ public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+ return null;
+ }
+ }
+
}
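Review bot: `testIsZooKeeperSecureWithProgrammaticConfig` installs `DummySecurityConfiguration` through the static `setConfiguration(...)` and never restores the previous one, so the process-wide JAAS configuration stays replaced for any test that runs later in the same JVM. Save the current configuration first and put it back in a `finally` block, as sketched below; if no configuration is installed at that point `getConfiguration()` may throw, so the save may need a guard. The test also sets all four keys at once, so it does not show which key flips the result; a case with only a principal set would pin the behaviour of the new ZKUtil condition. The first two assertions pass `(actual, expected)` while the last one uses `(expected, actual)`.

```java
  public void testIsZooKeeperSecureWithProgrammaticConfig() throws Exception {
    javax.security.auth.login.Configuration previous =
        javax.security.auth.login.Configuration.getConfiguration();
    javax.security.auth.login.Configuration.setConfiguration(new DummySecurityConfiguration());
    try {
      // … unchanged: config setup and the three isSecureZooKeeper assertions …
    } finally {
      // Restore the JVM-wide JAAS configuration so later tests are not affected.
      javax.security.auth.login.Configuration.setConfiguration(previous);
    }
  }
```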