Posted to commits@hbase.apache.org by ap...@apache.org on 2015/09/16 03:56:36 UTC
[5/6] hbase git commit: HBASE-14400 Fix HBase RPC protection
documentation
HBASE-14400 Fix HBase RPC protection documentation
Signed-off-by: Andrew Purtell <ap...@apache.org>
Conflicts:
hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/1517deee
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/1517deee
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/1517deee
Branch: refs/heads/branch-1
Commit: 1517deee67fb9cd920faa146237f41049fc2ef60
Parents: 9e7f9b6
Author: Apekshit(Appy) Sharma <ap...@cloudera.com>
Authored: Thu Sep 10 12:32:24 2015 -0700
Committer: Andrew Purtell <ap...@apache.org>
Committed: Tue Sep 15 18:30:24 2015 -0700
----------------------------------------------------------------------
.../hbase/security/SaslClientHandler.java | 3 +-
.../apache/hadoop/hbase/security/SaslUtil.java | 47 ++++++++++++++++----
.../hbase/security/TestHBaseSaslRpcClient.java | 10 +++++
.../hadoop/hbase/thrift2/ThriftServer.java | 23 +++++-----
src/main/asciidoc/_chapters/security.adoc | 10 ++---
5 files changed, 67 insertions(+), 26 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/1517deee/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslClientHandler.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslClientHandler.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslClientHandler.java
index e2c9e02..f52987b 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslClientHandler.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslClientHandler.java
@@ -74,7 +74,8 @@ public class SaslClientHandler extends ChannelDuplexHandler {
* @param token for Sasl
* @param serverPrincipal Server's Kerberos principal name
* @param fallbackAllowed True if server may also fall back to less secure connection
- * @param rpcProtection Quality of protection. Integrity or privacy
+ * @param rpcProtection Quality of protection. Can be 'authentication', 'integrity' or
+ * 'privacy'.
* @param exceptionHandler handler for exceptions
* @param successfulConnectHandler handler for succesful connects
* @throws java.io.IOException if handler could not be created
http://git-wip-us.apache.org/repos/asf/hbase/blob/1517deee/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
index 9cde790..8033f7c 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
@@ -26,8 +26,14 @@ import java.util.TreeMap;
import javax.security.sasl.Sasl;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.hbase.classification.InterfaceAudience;
+
@InterfaceAudience.Private
public class SaslUtil {
+ private static final Log log = LogFactory.getLog(SaslUtil.class);
public static final String SASL_DEFAULT_REALM = "default";
public static final Map<String, String> SASL_PROPS =
new TreeMap<String, String>();
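Review bot: The new logger field `private static final Log log = LogFactory.getLog(SaslUtil.class);` uses a lowercase name for a static final, which departs from the project's own convention as shown in this very commit (`private static final Logger LOG` in TestHBaseSaslRpcClient). Renaming it to `private static final Log LOG = LogFactory.getLog(SaslUtil.class);` keeps the class consistent with the rest of the code base. Its only use is the warn call in getQop in the following hunk, which would be updated to match.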
@@ -66,16 +72,41 @@ public class SaslUtil {
return new String(Base64.encodeBase64(password)).toCharArray();
}
- static void initSaslProperties(String rpcProtection) {
- QualityOfProtection saslQOP = QualityOfProtection.AUTHENTICATION;
- if (QualityOfProtection.INTEGRITY.name().toLowerCase()
- .equals(rpcProtection)) {
- saslQOP = QualityOfProtection.INTEGRITY;
- } else if (QualityOfProtection.PRIVACY.name().toLowerCase().equals(
- rpcProtection)) {
- saslQOP = QualityOfProtection.PRIVACY;
+ /**
+ * Returns {@link org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection}
+ * corresponding to the given {@code stringQop} value. Returns null if value is
+ * invalid.
+ */
+ public static QualityOfProtection getQop(String stringQop) {
+ QualityOfProtection qop = null;
+ if (QualityOfProtection.AUTHENTICATION.name().toLowerCase().equals(stringQop)
+ || QualityOfProtection.AUTHENTICATION.saslQop.equals(stringQop)) {
+ qop = QualityOfProtection.AUTHENTICATION;
+ } else if (QualityOfProtection.INTEGRITY.name().toLowerCase().equals(stringQop)
+ || QualityOfProtection.INTEGRITY.saslQop.equals(stringQop)) {
+ qop = QualityOfProtection.INTEGRITY;
+ } else if (QualityOfProtection.PRIVACY.name().toLowerCase().equals(stringQop)
+ || QualityOfProtection.PRIVACY.saslQop.equals(stringQop)) {
+ qop = QualityOfProtection.PRIVACY;
+ }
+ if (qop == null) {
+ throw new IllegalArgumentException("Invalid qop: " + stringQop
+ + ". It must be one of 'authentication', 'integrity', 'privacy'.");
}
+ if (QualityOfProtection.AUTHENTICATION.saslQop.equals(stringQop)
+ || QualityOfProtection.INTEGRITY.saslQop.equals(stringQop)
+ || QualityOfProtection.PRIVACY.saslQop.equals(stringQop)) {
+ log.warn("Use authentication/integrity/privacy as value for rpc protection "
+ + "configurations instead of auth/auth-int/auth-conf.");
+ }
+ return qop;
+ }
+ static void initSaslProperties(String rpcProtection) {
+ QualityOfProtection saslQOP = getQop(rpcProtection);
+ if (saslQOP == null) {
+ saslQOP = QualityOfProtection.AUTHENTICATION;
+ }
SaslUtil.SASL_PROPS.put(Sasl.QOP, saslQOP.getSaslQop());
SaslUtil.SASL_PROPS.put(Sasl.SERVER_AUTH, "true");
}
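Review bot: The Javadoc on getQop promises "Returns null if value is invalid", but the method never does so: the `if (qop == null)` block throws IllegalArgumentException, which makes the `if (saslQOP == null)` fallback in initSaslProperties unreachable and means a null `rpcProtection` now throws where the removed code defaulted it to AUTHENTICATION. Failing closed is the better behaviour here, because the old code silently mapped any misspelt value (say a typo in 'privacy') to authentication-only, the weakest level, so the fix should be to align the documentation and drop the dead branch rather than reintroduce a silent downgrade: replace the last Javadoc sentence with `* @throws IllegalArgumentException if {@code stringQop} is not 'authentication', 'integrity' or 'privacy' (the legacy SASL names are accepted with a warning)` and reduce initSaslProperties to `QualityOfProtection saslQOP = getQop(rpcProtection);` before the two put calls. If an absent setting must still mean AUTHENTICATION for some caller, that null case should be handled explicitly before calling getQop, so that only null, never an unrecognized string, gets the default. The comparison is also case-sensitive, so 'Privacy' is rejected; whether that is intended is worth a one-line comment.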
http://git-wip-us.apache.org/repos/asf/hbase/blob/1517deee/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestHBaseSaslRpcClient.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestHBaseSaslRpcClient.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestHBaseSaslRpcClient.java
index 7125632..db4a8ee 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestHBaseSaslRpcClient.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestHBaseSaslRpcClient.java
@@ -52,8 +52,10 @@ import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.junit.BeforeClass;
+import org.junit.Rule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
+import org.junit.rules.ExpectedException;
import org.mockito.Mockito;
import com.google.common.base.Strings;
@@ -71,6 +73,10 @@ public class TestHBaseSaslRpcClient {
private static final Logger LOG = Logger.getLogger(TestHBaseSaslRpcClient.class);
+
+ @Rule
+ public ExpectedException exception = ExpectedException.none();
+
@BeforeClass
public static void before() {
Logger.getRootLogger().setLevel(Level.DEBUG);
@@ -100,6 +106,10 @@ public class TestHBaseSaslRpcClient {
"integrity");
assertTrue(SaslUtil.SASL_PROPS.get(Sasl.QOP).equals(SaslUtil.QualityOfProtection.
INTEGRITY.getSaslQop()));
+
+ exception.expect(IllegalArgumentException.class);
+ new HBaseSaslRpcClient(AuthMethod.DIGEST, token, "principal/host@DOMAIN.COM", false,
+ "wrongvalue");
}
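Review bot: The added expectation only pins that an unknown value is rejected; the legacy spellings that getQop still accepts with a warning ('auth', 'auth-int', 'auth-conf') are not exercised, so a regression in that mapping would pass this test. Because getQop is public static, one assertion per alias covers it, e.g. `assertEquals(SaslUtil.QualityOfProtection.PRIVACY, SaslUtil.getQop("auth-conf"));` (with the corresponding static import if the class does not already have it). Those assertions must be placed before `exception.expect(...)`, since nothing after the statement that throws is executed. The enclosing test method starts outside the hunk.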
@Test
http://git-wip-us.apache.org/repos/asf/hbase/blob/1517deee/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
index 9430503..f747dc8 100644
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
@@ -53,6 +53,7 @@ import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
import org.apache.hadoop.hbase.filter.ParseFilter;
import org.apache.hadoop.hbase.http.InfoServer;
+import org.apache.hadoop.hbase.security.SaslUtil;
import org.apache.hadoop.hbase.security.SecurityUtil;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.thrift.CallQueue;
@@ -96,9 +97,9 @@ public class ThriftServer {
/**
* Thrift quality of protection configuration key. Valid values can be:
- * auth-conf: authentication, integrity and confidentiality checking
- * auth-int: authentication and integrity checking
- * auth: authentication only
+ * privacy: authentication, integrity and confidentiality checking
+ * integrity: authentication and integrity checking
+ * authentication: authentication only
*
* This is used to authenticate the callers and support impersonation.
* The thrift server and the HBase cluster must run in secure mode.
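Review bot: The rewritten Javadoc for the key lists only the three new values, while the validator this commit switches to in the last hunk (SaslUtil.getQop) still accepts the former 'auth', 'auth-int' and 'auth-conf' spellings and merely logs a deprecation warning. An operator reading this comment after an upgrade cannot tell that an existing configuration keeps working, so a line such as ` * The legacy values 'auth', 'auth-int' and 'auth-conf' are still accepted but deprecated.` would keep the documentation in step with the code.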
@@ -161,7 +162,8 @@ public class ThriftServer {
}
private static TTransportFactory getTTransportFactory(
- String qop, String name, String host, boolean framed, int frameSize) {
+ SaslUtil.QualityOfProtection qop, String name, String host,
+ boolean framed, int frameSize) {
if (framed) {
if (qop != null) {
throw new RuntimeException("Thrift server authentication"
@@ -173,7 +175,7 @@ public class ThriftServer {
return new TTransportFactory();
} else {
Map<String, String> saslProperties = new HashMap<String, String>();
- saslProperties.put(Sasl.QOP, qop);
+ saslProperties.put(Sasl.QOP, qop.getSaslQop());
TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties,
new SaslGssCallbackHandler() {
@@ -371,13 +373,10 @@ public class ThriftServer {
}
UserGroupInformation realUser = userProvider.getCurrent().getUGI();
- String qop = conf.get(THRIFT_QOP_KEY);
- if (qop != null) {
- if (!qop.equals("auth") && !qop.equals("auth-int")
- && !qop.equals("auth-conf")) {
- throw new IOException("Invalid " + THRIFT_QOP_KEY + ": " + qop
- + ", it must be 'auth', 'auth-int', or 'auth-conf'");
- }
+ String stringQop = conf.get(THRIFT_QOP_KEY);
+ SaslUtil.QualityOfProtection qop = null;
+ if (stringQop != null) {
+ qop = SaslUtil.getQop(stringQop);
if (!securityEnabled) {
throw new IOException("Thrift server must"
+ " run in secure mode to support authentication");
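Review bot: Replacing the inline validation with `qop = SaslUtil.getQop(stringQop);` changes what a bad `hbase.thrift.security.qop` value produces: the removed code threw IOException naming THRIFT_QOP_KEY, whereas the new code lets getQop's IllegalArgumentException escape with only the raw value, so the operator no longer sees which property is wrong and any caller that catches IOException around this code no longer catches it. Catching and re-wrapping at this point keeps the fail-closed check while restoring the context and the exception type. The enclosing method starts and ends outside the hunk.
```java
    String stringQop = conf.get(THRIFT_QOP_KEY);
    SaslUtil.QualityOfProtection qop = null;
    if (stringQop != null) {
      try {
        qop = SaslUtil.getQop(stringQop);
      } catch (IllegalArgumentException e) {
        throw new IOException("Invalid " + THRIFT_QOP_KEY + ": " + stringQop, e);
      }
      // … unchanged: secure-mode check …
```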
http://git-wip-us.apache.org/repos/asf/hbase/blob/1517deee/src/main/asciidoc/_chapters/security.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/_chapters/security.adoc b/src/main/asciidoc/_chapters/security.adoc
index f9a4b8a..101affa 100644
--- a/src/main/asciidoc/_chapters/security.adoc
+++ b/src/main/asciidoc/_chapters/security.adoc
@@ -213,9 +213,9 @@ To enable it, do the following.
. Be sure that HBase is configured to allow proxy users, as described in <<security.rest.gateway>>.
. In _hbase-site.xml_ for each cluster node running a Thrift gateway, set the property `hbase.thrift.security.qop` to one of the following three values:
+
-* `auth-conf` - authentication, integrity, and confidentiality checking
-* `auth-int` - authentication and integrity checking
-* `auth` - authentication checking only
+* `privacy` - authentication, integrity, and confidentiality checking.
+* `integrity` - authentication and integrity checking
+* `authentication` - authentication checking only
. Restart the Thrift gateway processes for the changes to take effect.
If a node is running Thrift, the output of the `jps` command will list a `ThriftServer` process.
@@ -747,7 +747,7 @@ For an example of using both together, see <<security.example.config>>.
</property>
----
+
-Optionally, you can enable transport security, by setting `hbase.rpc.protection` to `auth-conf`.
+Optionally, you can enable transport security, by setting `hbase.rpc.protection` to `privacy`.
This requires HBase 0.98.4 or newer.
. Set up the Hadoop group mapper in the Hadoop namenode's _core-site.xml_.
@@ -1650,7 +1650,7 @@ All options have been discussed separately in the sections above.
<!-- Secure RPC Transport -->
<property>
<name>hbase.rpc.protection</name>
- <value>auth-conf</value>
+ <value>privacy</value>
</property>
<!-- Transparent Encryption -->
<property>