Posted to commits@hbase.apache.org by ga...@apache.org on 2013/06/20 08:40:58 UTC
svn commit: r1494871 - in /hbase/branches/0.94:
security/src/main/java/org/apache/hadoop/hbase/ipc/
security/src/main/java/org/apache/hadoop/hbase/security/
src/main/resources/ src/test/resources/
Author: garyh
Date: Thu Jun 20 06:40:58 2013
New Revision: 1494871
URL: http://svn.apache.org/r1494871
Log:
Fix up RPC handling
Modified:
hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java
hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java
hbase/branches/0.94/src/main/resources/hbase-default.xml
hbase/branches/0.94/src/test/resources/hbase-site.xml
Modified: hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java?rev=1494871&r1=1494870&r2=1494871&view=diff
==============================================================================
--- hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java (original)
+++ hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java Thu Jun 20 06:40:58 2013
@@ -72,6 +72,10 @@ public class SecureClient extends HBaseC
private static final Log LOG =
LogFactory.getLog("org.apache.hadoop.ipc.SecureClient");
+ public static final String IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY =
+ "hbase.ipc.client.fallback-to-simple-auth-allowed";
+ public static final boolean IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT = false;
+
protected static Map<String,TokenSelector<? extends TokenIdentifier>> tokenHandlers =
new HashMap<String,TokenSelector<? extends TokenIdentifier>>();
static {
@@ -173,7 +177,7 @@ public class SecureClient extends HBaseC
private synchronized boolean setupSaslConnection(final InputStream in2,
final OutputStream out2)
throws IOException {
- saslRpcClient = new HBaseSaslRpcClient(authMethod, token, serverPrincipal);
+ saslRpcClient = new HBaseSaslRpcClient(authMethod, token, serverPrincipal, fallbackAllowed);
return saslRpcClient.saslConnect(in2, out2);
}
@@ -451,6 +455,8 @@ public class SecureClient extends HBaseC
}
}
+ private final boolean fallbackAllowed;
+
/**
* Construct an IPC client whose values are of the given {@link org.apache.hadoop.io.Writable}
* class.
@@ -461,6 +467,12 @@ public class SecureClient extends HBaseC
public SecureClient(Class<? extends Writable> valueClass, Configuration conf,
SocketFactory factory) {
super(valueClass, conf, factory);
+ this.fallbackAllowed =
+ conf.getBoolean(IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY,
+ IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("fallbackAllowed=" + this.fallbackAllowed);
+ }
}
/**
Modified: hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java?rev=1494871&r1=1494870&r2=1494871&view=diff
==============================================================================
--- hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java (original)
+++ hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java Thu Jun 20 06:40:58 2013
@@ -56,6 +56,7 @@ public class HBaseSaslRpcClient {
public static final Log LOG = LogFactory.getLog(HBaseSaslRpcClient.class);
private final SaslClient saslClient;
+ private final boolean fallbackAllowed;
/**
* Create a HBaseSaslRpcClient for an authentication method
@@ -66,8 +67,9 @@ public class HBaseSaslRpcClient {
* token to use if needed by the authentication method
*/
public HBaseSaslRpcClient(AuthMethod method,
- Token<? extends TokenIdentifier> token, String serverPrincipal)
- throws IOException {
+ Token<? extends TokenIdentifier> token, String serverPrincipal,
+ boolean fallbackAllowed) throws IOException {
+ this.fallbackAllowed = fallbackAllowed;
switch (method) {
case DIGEST:
if (LOG.isDebugEnabled())
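Review bot: The constructor Javadoc visible at the top of this hunk is not extended for the new `fallbackAllowed` argument, so the one parameter that decides whether the client may drop to unauthenticated RPC is undocumented. I would add `@param fallbackAllowed whether a server request to switch to SIMPLE authentication is accepted; when false the client rejects it with an IOException`. The change also replaces the public three-argument constructor rather than overloading it, so any caller other than SecureClient stops compiling. If such callers exist on this branch, a delegating overload that calls `this(method, token, serverPrincipal, false);` keeps them working with the secure default. The Javadoc starts and the constructor body continues outside the hunk.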
@@ -148,8 +150,14 @@ public class HBaseSaslRpcClient {
readStatus(inStream);
int len = inStream.readInt();
if (len == HBaseSaslRpcServer.SWITCH_TO_SIMPLE_AUTH) {
- if (LOG.isDebugEnabled())
+ if (!fallbackAllowed) {
+ throw new IOException("Server asks us to fall back to SIMPLE auth,"
+ + " but this client is configured to only allow secure"
+ + " connections.");
+ }
+ if (LOG.isDebugEnabled()) {
LOG.debug("Server asks us to fall back to simple auth.");
+ }
saslClient.dispose();
return false;
}
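Review bot: When fallback is permitted, the downgrade is recorded only by `LOG.debug("Server asks us to fall back to simple auth.")`, so at normal log levels nothing shows that a connection meant to be SASL-protected continued without authentication. I would drop the `isDebugEnabled()` guard and use `LOG.warn(...)` here. The `fallbackAllowed=` debug line added to the SecureClient constructor has the same visibility problem when the value is true. Separately, the new rejection branch throws before `saslClient.dispose()` runs, while the accepted branch disposes; unless the caller disposes on failure (not visible here), add `saslClient.dispose();` ahead of the `throw`. The enclosing method starts and ends outside this hunk.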
Modified: hbase/branches/0.94/src/main/resources/hbase-default.xml
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/src/main/resources/hbase-default.xml?rev=1494871&r1=1494870&r2=1494871&view=diff
==============================================================================
--- hbase/branches/0.94/src/main/resources/hbase-default.xml (original)
+++ hbase/branches/0.94/src/main/resources/hbase-default.xml Thu Jun 20 06:40:58 2013
@@ -657,6 +657,21 @@
</description>
</property>
+ <property>
+ <name>hbase.ipc.client.fallback-to-simple-auth-allowed</name>
+ <value>false</value>
+ <description>
+ When a client is configured to attempt a secure connection, but
+ attempts to connect to an insecure server, that server may instruct the
+ client to switch to SASL SIMPLE (unsecure) authentication. This setting
+ controls whether or not the client will accept this instruction from the
+ server. When false (the default), the client will not allow the fallback
+ to SIMPLE authentication, and will abort the connection.
+
+ This setting is only used by the secure RPC engine.
+ </description>
+ </property>
+
<property>
<name>zookeeper.znode.acl.parent</name>
<value>acl</value>
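Review bot: The new description explains the mechanism but not what an operator gives up by setting the value to true. As far as the HBaseSaslRpcClient hunk shows, the switch request is read from the stream during the handshake, so a client with fallback enabled continues unauthenticated with whichever endpoint sent it. I would append a sentence such as `Enable this only temporarily, for example while migrating a cluster to secure mode, because the client then proceeds without authenticating the server.` The wording "insecure server" and "unsecure" could also be made consistent.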
Modified: hbase/branches/0.94/src/test/resources/hbase-site.xml
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/src/test/resources/hbase-site.xml?rev=1494871&r1=1494870&r2=1494871&view=diff
==============================================================================
--- hbase/branches/0.94/src/test/resources/hbase-site.xml (original)
+++ hbase/branches/0.94/src/test/resources/hbase-site.xml Thu Jun 20 06:40:58 2013
@@ -134,4 +134,8 @@
version is X.X.X-SNAPSHOT"
</description>
</property>
+ <property>
+ <name>hbase.ipc.client.fallback-to-simple-auth-allowed</name>
+ <value>true</value>
+ </property>
</configuration>
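Review bot: Setting `hbase.ipc.client.fallback-to-simple-auth-allowed` to `true` in the shared test configuration means every test that loads this file runs with fallback enabled. The new default behaviour (reject the switch and throw) is therefore never exercised through this configuration. The property also has no comment saying why tests need the weaker setting. I would add one, e.g. `<!-- secure client code is tested against non-secure mini clusters -->` (assumed reason, please confirm). A dedicated test that leaves the value at `false` and asserts the IOException from the rejection path would cover the security-relevant branch.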