From apurt...@apache.org
Subject [6/6] hbase git commit: HBASE-13770 Programmatic JAAS configuration option for secure zookeeper may be broken
Date Sat, 03 Oct 2015 01:14:41 GMT
HBASE-13770 Programmatic JAAS configuration option for secure zookeeper may be broken

Signed-off-by: Andrew Purtell <apurtell@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/aa60e800
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/aa60e800
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/aa60e800

Branch: refs/heads/0.98
Commit: aa60e800a4cd01972d1bdb68a083b2d995f4acc5
Parents: 92e3f97
Author: smaddineni <smaddineni@salesforce.com>
Authored: Tue Sep 22 11:19:14 2015 +0530
Committer: Andrew Purtell <apurtell@apache.org>
Committed: Fri Oct 2 18:03:55 2015 -0700

----------------------------------------------------------------------
 .../hadoop/hbase/zookeeper/HQuorumPeer.java     |  5 +--
 .../apache/hadoop/hbase/zookeeper/ZKUtil.java   |  4 ++-
 .../org/apache/hadoop/hbase/HConstants.java     | 10 ++++++
 .../org/apache/hadoop/hbase/master/HMaster.java |  4 +--
 .../hadoop/hbase/master/HMasterCommandLine.java |  4 +--
 .../hbase/regionserver/HRegionServer.java       |  4 +--
 .../hbase/zookeeper/TestZooKeeperACL.java       | 38 +++++++++++++++++++-
 7 files changed, 59 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/aa60e800/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
index b2e71e1..fefea2b 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
@@ -22,6 +22,7 @@ import org.apache.hadoop.hbase.classification.InterfaceAudience;
 import org.apache.hadoop.hbase.classification.InterfaceStability;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseConfiguration;
+import org.apache.hadoop.hbase.HConstants;
 import org.apache.hadoop.hbase.util.Strings;
 import org.apache.hadoop.net.DNS;
 import org.apache.hadoop.util.StringUtils;
@@ -69,8 +70,8 @@ public class HQuorumPeer {
       zkConfig.parseProperties(zkProperties);
 
       // login the zookeeper server principal (if using security)
-      ZKUtil.loginServer(conf, "hbase.zookeeper.server.keytab.file",
-        "hbase.zookeeper.server.kerberos.principal",
+      ZKUtil.loginServer(conf, HConstants.ZK_SERVER_KEYTAB_FILE,
+        HConstants.ZK_SERVER_KERBEROS_PRINCIPAL,
         zkConfig.getClientPortAddress().getHostName());
 
       runZKServer(zkConfig);

http://git-wip-us.apache.org/repos/asf/hbase/blob/aa60e800/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index 263ec95..fcce509 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -947,7 +947,9 @@ public class ZKUtil {
           && testConfig.getAppConfigurationEntry(
             JaasConfiguration.CLIENT_KEYTAB_KERBEROS_CONFIG_NAME) == null
           && testConfig.getAppConfigurationEntry(
-              JaasConfiguration.SERVER_KEYTAB_KERBEROS_CONFIG_NAME) == null) {
+              JaasConfiguration.SERVER_KEYTAB_KERBEROS_CONFIG_NAME) == null 
+          && conf.get(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL) == null
+          && conf.get(HConstants.ZK_SERVER_KERBEROS_PRINCIPAL) == null) {
         return false;
       }
     } catch(Exception e) {
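Review bot: The two added clauses treat ZooKeeper as secure as soon as either principal key has any value, and they never consult the matching keytab key. If a deployment sets a principal but omits the keytab, this check would presumably still report a secure ensemble even though the keytab login may not have taken place, and any caller that bases ACL decisions on the result would be working from a wrong assumption. Consider requiring the pair, e.g. `&& (conf.get(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL) == null || conf.get(HConstants.ZK_CLIENT_KEYTAB_FILE) == null)` and the same clause for the two server keys. The enclosing method begins and ends outside this hunk, so how the return value is consumed is not visible here.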

http://git-wip-us.apache.org/repos/asf/hbase/blob/aa60e800/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
----------------------------------------------------------------------
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
index 85b4112..2a18f70 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
@@ -1133,6 +1133,16 @@ public final class HConstants {
 
   public static final String HBASE_CANARY_WRITE_TABLE_CHECK_PERIOD_KEY =
       "hbase.canary.write.table.check.period";
+  
+  /**
+   * Config keys for programmatic JAAS config for secured ZK interaction
+   */
+  public static final String ZK_CLIENT_KEYTAB_FILE = "hbase.zookeeper.client.keytab.file";
+  public static final String ZK_CLIENT_KERBEROS_PRINCIPAL =
+      "hbase.zookeeper.client.kerberos.principal";
+  public static final String ZK_SERVER_KEYTAB_FILE = "hbase.zookeeper.server.keytab.file";
+  public static final String ZK_SERVER_KERBEROS_PRINCIPAL =
+      "hbase.zookeeper.server.kerberos.principal";
 
   private HConstants() {
     // Can't be instantiated with this ctor.
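Review bot: The single Javadoc block above `ZK_CLIENT_KEYTAB_FILE` attaches to that constant only, so the other three keys come out undocumented. Each key deserves its own one-line Javadoc stating what the value is, for example `/** Path to the keytab file used for the ZooKeeper client login. */` and `/** Kerberos principal used for the ZooKeeper client login. */`, with matching lines for the server pair. Since the keytab keys point at credential material, the comment is also a good place to say that the file should be readable only by the service account.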

http://git-wip-us.apache.org/repos/asf/hbase/blob/aa60e800/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
index aaaef80..52c1c2b 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMaster.java
@@ -522,8 +522,8 @@ MasterServices, Server {
       conf.getLong("hbase.master.buffer.for.rs.fatals", 1*1024*1024));
 
     // login the zookeeper client principal (if using security)
-    ZKUtil.loginClient(this.conf, "hbase.zookeeper.client.keytab.file",
-      "hbase.zookeeper.client.kerberos.principal", this.isa.getHostName());
+    ZKUtil.loginClient(this.conf, HConstants.ZK_CLIENT_KEYTAB_FILE,
+      HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL, this.isa.getHostName());
 
     // initialize server principal (if using secure Hadoop)
     UserProvider provider = UserProvider.instantiate(conf);

http://git-wip-us.apache.org/repos/asf/hbase/blob/aa60e800/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
index c89385a..4403815 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
@@ -164,8 +164,8 @@ public class HMasterCommandLine extends ServerCommandLine {
         }
 
         // login the zookeeper server principal (if using security)
-        ZKUtil.loginServer(conf, "hbase.zookeeper.server.keytab.file",
-          "hbase.zookeeper.server.kerberos.principal", null);
+        ZKUtil.loginServer(conf, HConstants.ZK_SERVER_KEYTAB_FILE,
+          HConstants.ZK_SERVER_KERBEROS_PRINCIPAL, null);
 
         int clientPort = zooKeeperCluster.startup(zkDataPath);
         if (clientPort != zkClientPort) {

http://git-wip-us.apache.org/repos/asf/hbase/blob/aa60e800/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
index fe006ef..3240ea2 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
@@ -640,8 +640,8 @@ public class HRegionServer implements ClientProtos.ClientService.BlockingInterfa
     useZKForAssignment = ConfigUtil.useZKForAssignment(conf);
 
     // login the zookeeper client principal (if using security)
-    ZKUtil.loginClient(this.conf, "hbase.zookeeper.client.keytab.file",
-      "hbase.zookeeper.client.kerberos.principal", this.isa.getHostName());
+    ZKUtil.loginClient(this.conf, HConstants.ZK_CLIENT_KEYTAB_FILE,
+      HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL, this.isa.getHostName());
 
     // login the server principal (if using secure Hadoop)
     userProvider.login("hbase.regionserver.keytab.file",

http://git-wip-us.apache.org/repos/asf/hbase/blob/aa60e800/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
index 26bba14..7767b4b 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
@@ -25,6 +25,8 @@ import java.io.FileWriter;
 import java.io.IOException;
 import java.util.List;
 
+import javax.security.auth.login.AppConfigurationEntry;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
@@ -33,7 +35,6 @@ import org.apache.hadoop.hbase.testclassification.MediumTests;
 import org.apache.zookeeper.ZooDefs;
 import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.data.Stat;
-
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
@@ -283,5 +284,40 @@ public class TestZooKeeperACL {
     assertEquals(testJaasConfig, false);
     saslConfFile.delete();
   }
+  
+  /**
+   * Check if Programmatic way of setting zookeeper security settings is valid.
+   */
+  @Test
+  public void testIsZooKeeperSecureWithProgrammaticConfig() throws Exception {
+
+    javax.security.auth.login.Configuration.setConfiguration(new DummySecurityConfiguration());
+
+    Configuration config = new Configuration(HBaseConfiguration.create());
+    boolean testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+    assertEquals(testJaasConfig, false);
+
+    // Now set authentication scheme to kerberos still it should return false
+    // because no config set
+    config.set("hbase.security.authentication", "kerberos");
+    testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+    assertEquals(testJaasConfig, false);
+
+    // Now set programmatic options related to security
+    config.set(HConstants.ZK_CLIENT_KEYTAB_FILE, "/dummy/file");
+    config.set(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL, "dummy");
+    config.set(HConstants.ZK_SERVER_KEYTAB_FILE, "/dummy/file");
+    config.set(HConstants.ZK_SERVER_KERBEROS_PRINCIPAL, "dummy");
+    testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+    assertEquals(true, testJaasConfig);
+  }
+
+  private static class DummySecurityConfiguration extends javax.security.auth.login.Configuration
{
+    @Override
+    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+      return null;
+    }
+  }
+  
 }
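Review bot: `testIsZooKeeperSecureWithProgrammaticConfig` installs `DummySecurityConfiguration` through the JVM-wide `Configuration.setConfiguration(...)` and never puts the previous configuration back, so any test that runs later in the same JVM and relies on a real JAAS configuration will silently see `null` entries. Capture the prior value first with `javax.security.auth.login.Configuration previous = javax.security.auth.login.Configuration.getConfiguration();` and restore it in a `finally` block with `javax.security.auth.login.Configuration.setConfiguration(previous);` (guarding the `getConfiguration()` call if no default is available in this test environment). The test also sets all four keys at once, so it does not pin down what `isSecureZooKeeper` returns when only a principal, or only the client pair, is configured; separate assertions for those cases would document the intended contract.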
 

