Posted to commits@hbase.apache.org by ga...@apache.org on 2013/06/20 08:40:58 UTC

svn commit: r1494871 - in /hbase/branches/0.94: security/src/main/java/org/apache/hadoop/hbase/ipc/ security/src/main/java/org/apache/hadoop/hbase/security/ src/main/resources/ src/test/resources/

Author: garyh
Date: Thu Jun 20 06:40:58 2013
New Revision: 1494871

URL: http://svn.apache.org/r1494871
Log:
Fix up RPC handling

Modified:
    hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java
    hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java
    hbase/branches/0.94/src/main/resources/hbase-default.xml
    hbase/branches/0.94/src/test/resources/hbase-site.xml

Modified: hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java?rev=1494871&r1=1494870&r2=1494871&view=diff
==============================================================================
--- hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java (original)
+++ hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/ipc/SecureClient.java Thu Jun 20 06:40:58 2013
@@ -72,6 +72,10 @@ public class SecureClient extends HBaseC
   private static final Log LOG =
     LogFactory.getLog("org.apache.hadoop.ipc.SecureClient");
 
+  public static final String IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY =
+      "hbase.ipc.client.fallback-to-simple-auth-allowed";
+  public static final boolean IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT = false;
+
   protected static Map<String,TokenSelector<? extends TokenIdentifier>> tokenHandlers =
       new HashMap<String,TokenSelector<? extends TokenIdentifier>>();
   static {
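Review bot: The two new public constants `IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY` and `IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT` have no Javadoc, although they control whether a secure client may continue without authentication. A reader of SecureClient should not have to open hbase-default.xml to learn that. I would add above the key `/** Config key: whether this client may continue with SIMPLE (unauthenticated) RPC when the server requests it. */` and above the default `/** Fallback is refused unless explicitly enabled. */`.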
@@ -173,7 +177,7 @@ public class SecureClient extends HBaseC
     private synchronized boolean setupSaslConnection(final InputStream in2,
         final OutputStream out2)
         throws IOException {
-      saslRpcClient = new HBaseSaslRpcClient(authMethod, token, serverPrincipal);
+      saslRpcClient = new HBaseSaslRpcClient(authMethod, token, serverPrincipal, fallbackAllowed);
       return saslRpcClient.saslConnect(in2, out2);
     }
 
@@ -451,6 +455,8 @@ public class SecureClient extends HBaseC
     }
   }
 
+  private final boolean fallbackAllowed;
+
   /**
    * Construct an IPC client whose values are of the given {@link org.apache.hadoop.io.Writable}
    * class.
@@ -461,6 +467,12 @@ public class SecureClient extends HBaseC
   public SecureClient(Class<? extends Writable> valueClass, Configuration conf,
       SocketFactory factory) {
     super(valueClass, conf, factory);
+    this.fallbackAllowed =
+      conf.getBoolean(IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY,
+        IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT);
+    if (LOG.isDebugEnabled()) {
+      LOG.debug("fallbackAllowed=" + this.fallbackAllowed);
+    }
   }
 
   /**

Modified: hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java?rev=1494871&r1=1494870&r2=1494871&view=diff
==============================================================================
--- hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java (original)
+++ hbase/branches/0.94/security/src/main/java/org/apache/hadoop/hbase/security/HBaseSaslRpcClient.java Thu Jun 20 06:40:58 2013
@@ -56,6 +56,7 @@ public class HBaseSaslRpcClient {
   public static final Log LOG = LogFactory.getLog(HBaseSaslRpcClient.class);
 
   private final SaslClient saslClient;
+  private final boolean fallbackAllowed;
 
   /**
    * Create a HBaseSaslRpcClient for an authentication method
@@ -66,8 +67,9 @@ public class HBaseSaslRpcClient {
    *          token to use if needed by the authentication method
    */
   public HBaseSaslRpcClient(AuthMethod method,
-      Token<? extends TokenIdentifier> token, String serverPrincipal)
-      throws IOException {
+      Token<? extends TokenIdentifier> token, String serverPrincipal,
+      boolean fallbackAllowed) throws IOException {
+    this.fallbackAllowed = fallbackAllowed;
     switch (method) {
     case DIGEST:
       if (LOG.isDebugEnabled())
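Review bot: The public three-argument constructor is replaced rather than overloaded, so any caller outside this commit that builds an `HBaseSaslRpcClient` directly stops compiling on a stable branch. If such callers may exist, keep the old signature as an overload that delegates with `this(method, token, serverPrincipal, false);`, which also gives them the strict behaviour by default. The part of the Javadoc visible in the hunk ends at the token parameter, so it presumably lacks an entry for the new argument; add `@param fallbackAllowed whether to accept a server request to switch to SIMPLE auth`. The constructor body and the start of its Javadoc lie outside the hunk.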
@@ -148,8 +150,14 @@ public class HBaseSaslRpcClient {
         readStatus(inStream);
         int len = inStream.readInt();
         if (len == HBaseSaslRpcServer.SWITCH_TO_SIMPLE_AUTH) {
-          if (LOG.isDebugEnabled())
+          if (!fallbackAllowed) {
+            throw new IOException("Server asks us to fall back to SIMPLE auth,"
+              + " but this client is configured to only allow secure"
+              + " connections.");
+          }
+          if (LOG.isDebugEnabled()) {
             LOG.debug("Server asks us to fall back to simple auth.");
+          }
           saslClient.dispose();
           return false;
         }
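Review bot: An accepted downgrade in the `SWITCH_TO_SIMPLE_AUTH` branch is still logged only at debug level, so with default logging a client that has fallback enabled gives no sign that it continued without SASL authentication. Raising that line to warn, e.g. `LOG.warn("Server asks us to fall back to simple auth; continuing without SASL authentication.");`, would make the event visible to operators and to log-based alerting. The new IOException message could also name the setting `hbase.ipc.client.fallback-to-simple-auth-allowed`, so that a refused connection can be traced to its cause. The enclosing method starts and ends outside the hunk.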

Modified: hbase/branches/0.94/src/main/resources/hbase-default.xml
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/src/main/resources/hbase-default.xml?rev=1494871&r1=1494870&r2=1494871&view=diff
==============================================================================
--- hbase/branches/0.94/src/main/resources/hbase-default.xml (original)
+++ hbase/branches/0.94/src/main/resources/hbase-default.xml Thu Jun 20 06:40:58 2013
@@ -657,6 +657,21 @@
     </description>
   </property>
 
+   <property>
+    <name>hbase.ipc.client.fallback-to-simple-auth-allowed</name>
+    <value>false</value>
+    <description>
+      When a client is configured to attempt a secure connection, but
+      attempts to connect to an insecure server, that server may instruct the
+      client to switch to SASL SIMPLE (unsecure) authentication. This setting
+      controls whether or not the client will accept this instruction from the
+      server. When false (the default), the client will not allow the fallback
+      to SIMPLE authentication, and will abort the connection.
+
+      This setting is only used by the secure RPC engine.
+    </description>
+  </property>
+
   <property>
     <name>zookeeper.znode.acl.parent</name>
     <value>acl</value>
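Review bot: The opening `<property>` tag of the new entry is indented three spaces, while its closing tag and the neighbouring entries use two; align it with the rest of the file. The description could also say when `true` is appropriate, for example `Enable only while clients must reach servers that do not yet have security turned on.` It does not currently say that a client with fallback enabled no longer has any assurance that the server it reached was authenticated. "unsecure" would read better as "insecure".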

Modified: hbase/branches/0.94/src/test/resources/hbase-site.xml
URL: http://svn.apache.org/viewvc/hbase/branches/0.94/src/test/resources/hbase-site.xml?rev=1494871&r1=1494870&r2=1494871&view=diff
==============================================================================
--- hbase/branches/0.94/src/test/resources/hbase-site.xml (original)
+++ hbase/branches/0.94/src/test/resources/hbase-site.xml Thu Jun 20 06:40:58 2013
@@ -134,4 +134,8 @@
     version is X.X.X-SNAPSHOT"
     </description>
   </property>
+  <property>
+    <name>hbase.ipc.client.fallback-to-simple-auth-allowed</name>
+    <value>true</value>
+  </property>
 </configuration>
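Review bot: Turning the flag to `true` for the whole test configuration means that, as far as this commit shows, the new default rejection path in `HBaseSaslRpcClient` is not covered by any test. A test should pin the behaviour this change exists for: run a client with the setting left at `false` against a peer that answers `SWITCH_TO_SIMPLE_AUTH`, and assert the IOException. The override also carries no explanation. A comment such as `<!-- test clusters run without security; allow secure clients to fall back -->` would record the reason, if that is indeed why it is needed.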