From apurt...@apache.org
Subject [6/6] hbase git commit: HBASE-14400 Fix HBase RPC protection documentation
Date Wed, 16 Sep 2015 01:56:37 GMT
HBASE-14400 Fix HBase RPC protection documentation

Signed-off-by: Andrew Purtell <apurtell@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/83f0b70c
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/83f0b70c
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/83f0b70c

Branch: refs/heads/0.98
Commit: 83f0b70c541a96e2a2bd4b22c17b983d2e35bd1e
Parents: 13af5d2
Author: Apekshit(Appy) Sharma <appy@cloudera.com>
Authored: Thu Sep 10 12:32:24 2015 -0700
Committer: Andrew Purtell <apurtell@apache.org>
Committed: Tue Sep 15 18:34:06 2015 -0700

----------------------------------------------------------------------
 .../apache/hadoop/hbase/security/SaslUtil.java  | 44 ++++++++++++++++----
 .../hbase/security/TestHBaseSaslRpcClient.java  | 10 +++++
 .../hadoop/hbase/thrift2/ThriftServer.java      | 23 +++++-----
 src/main/asciidoc/_chapters/security.adoc       | 10 ++---
 4 files changed, 62 insertions(+), 25 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/83f0b70c/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
index 9cde790..1c7a77d 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
@@ -19,6 +19,8 @@
 package org.apache.hadoop.hbase.security;
 
 import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.hbase.classification.InterfaceAudience;
 
 import java.util.Map;
@@ -28,6 +30,7 @@ import javax.security.sasl.Sasl;
 
 @InterfaceAudience.Private
 public class SaslUtil {
+  private static final Log log = LogFactory.getLog(SaslUtil.class);
   public static final String SASL_DEFAULT_REALM = "default";
   public static final Map<String, String> SASL_PROPS =
       new TreeMap<String, String>();
@@ -66,16 +69,41 @@ public class SaslUtil {
     return new String(Base64.encodeBase64(password)).toCharArray();
   }
 
-  static void initSaslProperties(String rpcProtection) {
-    QualityOfProtection saslQOP = QualityOfProtection.AUTHENTICATION;
-    if (QualityOfProtection.INTEGRITY.name().toLowerCase()
-        .equals(rpcProtection)) {
-      saslQOP = QualityOfProtection.INTEGRITY;
-    } else if (QualityOfProtection.PRIVACY.name().toLowerCase().equals(
-        rpcProtection)) {
-      saslQOP = QualityOfProtection.PRIVACY;
+  /**
+   * Returns {@link org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection}
+   * corresponding to the given {@code stringQop} value. Returns null if value is
+   * invalid.
+   */
+  public static QualityOfProtection getQop(String stringQop) {
+    QualityOfProtection qop = null;
+    if (QualityOfProtection.AUTHENTICATION.name().toLowerCase().equals(stringQop)
+        || QualityOfProtection.AUTHENTICATION.saslQop.equals(stringQop)) {
+      qop = QualityOfProtection.AUTHENTICATION;
+    } else if (QualityOfProtection.INTEGRITY.name().toLowerCase().equals(stringQop)
+        || QualityOfProtection.INTEGRITY.saslQop.equals(stringQop)) {
+      qop = QualityOfProtection.INTEGRITY;
+    } else if (QualityOfProtection.PRIVACY.name().toLowerCase().equals(stringQop)
+        || QualityOfProtection.PRIVACY.saslQop.equals(stringQop)) {
+      qop = QualityOfProtection.PRIVACY;
+    }
+    if (qop == null) {
+      throw new IllegalArgumentException("Invalid qop: " +  stringQop
+          + ". It must be one of 'authentication', 'integrity', 'privacy'.");
+    }
+    if (QualityOfProtection.AUTHENTICATION.saslQop.equals(stringQop)
+        || QualityOfProtection.INTEGRITY.saslQop.equals(stringQop)
+        || QualityOfProtection.PRIVACY.saslQop.equals(stringQop)) {
+      log.warn("Use authentication/integrity/privacy as value for rpc protection "
+          + "configurations instead of auth/auth-int/auth-conf.");
     }
+    return qop;
+  }
 
+  static void initSaslProperties(String rpcProtection) {
+    QualityOfProtection saslQOP = getQop(rpcProtection);
+    if (saslQOP == null) {
+      saslQOP = QualityOfProtection.AUTHENTICATION;
+    }
     SaslUtil.SASL_PROPS.put(Sasl.QOP, saslQOP.getSaslQop());
     SaslUtil.SASL_PROPS.put(Sasl.SERVER_AUTH, "true");
   }
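Review bot: The Javadoc on getQop says it "Returns null if value is invalid", but the method throws IllegalArgumentException at the `if (qop == null)` check, so the `if (saslQOP == null) { saslQOP = QualityOfProtection.AUTHENTICATION; }` fallback in initSaslProperties is unreachable. Replace that sentence with `@throws IllegalArgumentException if {@code stringQop} is not authentication/integrity/privacy (or the legacy auth/auth-int/auth-conf, which log a warning)` and delete the dead fallback: the removed code defaulted any unrecognized string to authentication-only, which silently dropped integrity and confidentiality on a typo in `hbase.rpc.protection`, and keeping a default-to-weakest branch around invites that regression. Note that a null `rpcProtection` now also throws (`Invalid qop: null`) where the old code defaulted it to authentication; if some caller passes an unset config value it presumably needs its own default before calling getQop. The comparison is also case-sensitive, so `PRIVACY` is rejected while the deprecated synonyms are accepted; lowercasing with `Locale.ROOT` first would make the accepted set match the documentation.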

http://git-wip-us.apache.org/repos/asf/hbase/blob/83f0b70c/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestHBaseSaslRpcClient.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestHBaseSaslRpcClient.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestHBaseSaslRpcClient.java
index 67b1fa8..f2cf2fc 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestHBaseSaslRpcClient.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/TestHBaseSaslRpcClient.java
@@ -52,8 +52,10 @@ import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.log4j.Level;
 import org.apache.log4j.Logger;
 import org.junit.BeforeClass;
+import org.junit.Rule;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
+import org.junit.rules.ExpectedException;
 import org.mockito.Mockito;
 
 import com.google.common.base.Strings;
@@ -71,6 +73,10 @@ public class TestHBaseSaslRpcClient {
 
   private static final Logger LOG = Logger.getLogger(TestHBaseSaslRpcClient.class);
 
+
+  @Rule
+  public ExpectedException exception = ExpectedException.none();
+
   @BeforeClass
   public static void before() {
     Logger.getRootLogger().setLevel(Level.DEBUG);
@@ -100,6 +106,10 @@ public class TestHBaseSaslRpcClient {
         "integrity");
     assertTrue(SaslUtil.SASL_PROPS.get(Sasl.QOP).equals(SaslUtil.QualityOfProtection.
         INTEGRITY.getSaslQop()));
+
+    exception.expect(IllegalArgumentException.class);
+    new HBaseSaslRpcClient(AuthMethod.DIGEST, token, "principal/host@DOMAIN.COM", false,
+        "wrongvalue");
   }
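Review bot: The new negative case covers an unknown value, but the legacy `auth`/`auth-int`/`auth-conf` strings that SaslUtil.getQop still maps with a warning have no assertion, so the compatibility path this commit introduces is untested. Before the `exception.expect` line add e.g. `new HBaseSaslRpcClient(AuthMethod.DIGEST, token, "principal/host@DOMAIN.COM", false, "auth-conf");` followed by `assertEquals(SaslUtil.QualityOfProtection.PRIVACY.getSaslQop(), SaslUtil.SASL_PROPS.get(Sasl.QOP));`. Keep `exception.expect` as the last statement, since anything after the expected throw never runs. The enclosing test method starts outside the hunk.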
 
   @Test

http://git-wip-us.apache.org/repos/asf/hbase/blob/83f0b70c/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
index 1d95f06..c196711 100644
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
@@ -51,6 +51,7 @@ import org.apache.hadoop.hbase.classification.InterfaceAudience;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseConfiguration;
 import org.apache.hadoop.hbase.filter.ParseFilter;
+import org.apache.hadoop.hbase.security.SaslUtil;
 import org.apache.hadoop.hbase.security.SecurityUtil;
 import org.apache.hadoop.hbase.security.UserProvider;
 import org.apache.hadoop.hbase.thrift.CallQueue;
@@ -95,9 +96,9 @@ public class ThriftServer {
 
   /**
    * Thrift quality of protection configuration key. Valid values can be:
-   * auth-conf: authentication, integrity and confidentiality checking
-   * auth-int: authentication and integrity checking
-   * auth: authentication only
+   * privacy: authentication, integrity and confidentiality checking
+   * integrity: authentication and integrity checking
+   * authentication: authentication only
    *
    * This is used to authenticate the callers and support impersonation.
    * The thrift server and the HBase cluster must run in secure mode.
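Review bot: The rewritten Javadoc lists only the new values, but the server now resolves this key through SaslUtil.getQop, which still accepts `auth`, `auth-int` and `auth-conf` and logs a warning for them. Operators reading this comment would not know the old spellings still work or that they are deprecated; add a line such as `* The legacy values auth-conf/auth-int/auth are still accepted but deprecated and log a warning.` The Javadoc block continues past the end of the hunk.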
@@ -157,7 +158,8 @@ public class ThriftServer {
   }
 
   private static TTransportFactory getTTransportFactory(
-      String qop, String name, String host, boolean framed, int frameSize) {
+      SaslUtil.QualityOfProtection qop, String name, String host,
+      boolean framed, int frameSize) {
     if (framed) {
       if (qop != null) {
         throw new RuntimeException("Thrift server authentication"
@@ -169,7 +171,7 @@ public class ThriftServer {
       return new TTransportFactory();
     } else {
       Map<String, String> saslProperties = new HashMap<String, String>();
-      saslProperties.put(Sasl.QOP, qop);
+      saslProperties.put(Sasl.QOP, qop.getSaslQop());
       TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
       saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties,
         new SaslGssCallbackHandler() {
@@ -347,13 +349,10 @@ public class ThriftServer {
     }
 
     UserGroupInformation realUser = userProvider.getCurrent().getUGI();
-    String qop = conf.get(THRIFT_QOP_KEY);
-    if (qop != null) {
-      if (!qop.equals("auth") && !qop.equals("auth-int")
-          && !qop.equals("auth-conf")) {
-        throw new IOException("Invalid " + THRIFT_QOP_KEY + ": " + qop
-          + ", it must be 'auth', 'auth-int', or 'auth-conf'");
-      }
+    String stringQop = conf.get(THRIFT_QOP_KEY);
+    SaslUtil.QualityOfProtection qop = null;
+    if (stringQop != null) {
+      qop = SaslUtil.getQop(stringQop);
       if (!securityEnabled) {
         throw new IOException("Thrift server must"
           + " run in secure mode to support authentication");
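Review bot: The removed check raised IOException naming `hbase.thrift.security.qop`, whereas `SaslUtil.getQop(stringQop)` throws IllegalArgumentException whose message (`Invalid qop: ...`) does not say which configuration key is wrong, and the exception type seen by callers of this method changes. Since the method already throws IOException on the line below, wrap the call so the operator-facing error keeps the key and the original cause. The enclosing method starts and ends outside the hunk.
```java
    String stringQop = conf.get(THRIFT_QOP_KEY);
    SaslUtil.QualityOfProtection qop = null;
    if (stringQop != null) {
      try {
        qop = SaslUtil.getQop(stringQop);
      } catch (IllegalArgumentException e) {
        // keep the config key in the error so the operator knows what to fix
        throw new IOException("Invalid " + THRIFT_QOP_KEY + ": " + stringQop, e);
      }
      // … unchanged: securityEnabled check …
```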

http://git-wip-us.apache.org/repos/asf/hbase/blob/83f0b70c/src/main/asciidoc/_chapters/security.adoc
----------------------------------------------------------------------
diff --git a/src/main/asciidoc/_chapters/security.adoc b/src/main/asciidoc/_chapters/security.adoc
index 40e8e16..3d9082c 100644
--- a/src/main/asciidoc/_chapters/security.adoc
+++ b/src/main/asciidoc/_chapters/security.adoc
@@ -222,9 +222,9 @@ To enable it, do the following.
 . Be sure that HBase is configured to allow proxy users, as described in <<security.rest.gateway>>.
 . In _hbase-site.xml_ for each cluster node running a Thrift gateway, set the property `hbase.thrift.security.qop`
to one of the following three values:
 +
-* `auth-conf` - authentication, integrity, and confidentiality checking
-* `auth-int` - authentication and integrity checking
-* `auth` - authentication checking only
+* `privacy` - authentication, integrity, and confidentiality checking.
+* `integrity` - authentication and integrity checking
+* `authentication` - authentication checking only
 
 . Restart the Thrift gateway processes for the changes to take effect.
   If a node is running Thrift, the output of the `jps` command will list a `ThriftServer`
process.
@@ -765,7 +765,7 @@ For an example of using both together, see <<security.example.config>>.
 </property>
 ----
 +
-Optionally, you can enable transport security, by setting `hbase.rpc.protection` to `auth-conf`.
+Optionally, you can enable transport security, by setting `hbase.rpc.protection` to `privacy`.
 This requires HBase 0.98.4 or newer.
 
 . Set up the Hadoop group mapper in the Hadoop namenode's _core-site.xml_.
@@ -1668,7 +1668,7 @@ All options have been discussed separately in the sections above.
 <!-- Secure RPC Transport -->
 <property>
   <name>hbase.rpc.protection</name>
-  <value>auth-conf</value>
+  <value>privacy</value>
  </property>
  <!-- Transparent Encryption -->
 <property>

