From apurt...@apache.org
Subject [1/6] hbase git commit: HBASE-13770 Programmatic JAAS configuration option for secure zookeeper may be broken
Date Sat, 03 Oct 2015 01:14:36 GMT
Repository: hbase
Updated Branches:
  refs/heads/0.98 92e3f97a0 -> aa60e800a
  refs/heads/branch-1 d7c7cc8c8 -> 373c75dde
  refs/heads/branch-1.0 5331b5484 -> 0c351cbbf
  refs/heads/branch-1.1 612c19a46 -> 8ee8cf504
  refs/heads/branch-1.2 085530518 -> 8b8b9c523
  refs/heads/master 0e4d1671f -> 44b880972


HBASE-13770 Programmatic JAAS configuration option for secure zookeeper may be broken

Signed-off-by: Andrew Purtell <apurtell@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/44b88097
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/44b88097
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/44b88097

Branch: refs/heads/master
Commit: 44b8809726baf514c39fd620a273b016ba816fde
Parents: 0e4d167
Author: smaddineni <smaddineni@salesforce.com>
Authored: Tue Sep 22 11:19:14 2015 +0530
Committer: Andrew Purtell <apurtell@apache.org>
Committed: Fri Oct 2 17:50:54 2015 -0700

----------------------------------------------------------------------
 .../hadoop/hbase/zookeeper/HQuorumPeer.java     |  5 +--
 .../apache/hadoop/hbase/zookeeper/ZKUtil.java   |  5 ++-
 .../org/apache/hadoop/hbase/HConstants.java     | 10 ++++++
 .../hadoop/hbase/master/HMasterCommandLine.java |  4 +--
 .../hbase/regionserver/HRegionServer.java       |  4 +--
 .../hbase/zookeeper/TestZooKeeperACL.java       | 38 +++++++++++++++++++-
 6 files changed, 58 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/44b88097/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
index 2ad1f33..b83f0e7 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
@@ -36,6 +36,7 @@ import java.util.Properties;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseConfiguration;
 import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.hbase.HConstants;
 import org.apache.hadoop.hbase.classification.InterfaceAudience;
 import org.apache.hadoop.hbase.classification.InterfaceStability;
 import org.apache.hadoop.hbase.util.Strings;
@@ -70,8 +71,8 @@ public class HQuorumPeer {
       zkConfig.parseProperties(zkProperties);
 
       // login the zookeeper server principal (if using security)
-      ZKUtil.loginServer(conf, "hbase.zookeeper.server.keytab.file",
-        "hbase.zookeeper.server.kerberos.principal",
+      ZKUtil.loginServer(conf, HConstants.ZK_SERVER_KEYTAB_FILE,
+        HConstants.ZK_SERVER_KERBEROS_PRINCIPAL,
         zkConfig.getClientPortAddress().getHostName());
 
       runZKServer(zkConfig);

http://git-wip-us.apache.org/repos/asf/hbase/blob/44b88097/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index 7f8d82a..27c3bba 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -1003,7 +1003,10 @@ public class ZKUtil {
           && testConfig.getAppConfigurationEntry(
             JaasConfiguration.CLIENT_KEYTAB_KERBEROS_CONFIG_NAME) == null
           && testConfig.getAppConfigurationEntry(
-              JaasConfiguration.SERVER_KEYTAB_KERBEROS_CONFIG_NAME) == null) {
+              JaasConfiguration.SERVER_KEYTAB_KERBEROS_CONFIG_NAME) == null
+          && conf.get(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL) == null
+          && conf.get(HConstants.ZK_SERVER_KERBEROS_PRINCIPAL) == null) {
+              
         return false;
       }
     } catch(Exception e) {
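Review bot: The two added conditions treat a non-null `hbase.zookeeper.*.kerberos.principal` value as enough evidence of a secure ZooKeeper setup, without checking the matching keytab key that `loginClient`/`loginServer` are also given. A configuration that sets a principal but no keytab, or sets the principal to an empty string, no longer returns false here. If callers use this result to decide whether znodes get SASL ACLs, that decision could disagree with whether a keytab login actually happened. Consider requiring both keys per role, e.g. `&& (conf.get(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL) == null || conf.get(HConstants.ZK_CLIENT_KEYTAB_FILE) == null)`, with the same for the server pair. The enclosing method begins and ends outside this hunk, so what follows the `catch` is not visible here.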

http://git-wip-us.apache.org/repos/asf/hbase/blob/44b88097/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
----------------------------------------------------------------------
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
index 3a5dd39..de4964c 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
@@ -1241,6 +1241,16 @@ public final class HConstants {
 
   public static final String HBASE_CANARY_WRITE_TABLE_CHECK_PERIOD_KEY =
       "hbase.canary.write.table.check.period";
+  
+  /**
+   * Configuration keys for programmatic JAAS configuration for secured ZK interaction
+   */
+  public static final String ZK_CLIENT_KEYTAB_FILE = "hbase.zookeeper.client.keytab.file";
+  public static final String ZK_CLIENT_KERBEROS_PRINCIPAL =
+      "hbase.zookeeper.client.kerberos.principal";
+  public static final String ZK_SERVER_KEYTAB_FILE = "hbase.zookeeper.server.keytab.file";
+  public static final String ZK_SERVER_KERBEROS_PRINCIPAL =
+      "hbase.zookeeper.server.kerberos.principal";  
 
   private HConstants() {
     // Can't be instantiated with this ctor.
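Review bot: The Javadoc block attaches only to `ZK_CLIENT_KEYTAB_FILE`, so the three constants after it are undocumented and nothing says which login path reads which key. Give each constant its own comment, for example `/** Kerberos principal for the ZooKeeper client login (passed to ZKUtil.loginClient). */` on `ZK_CLIENT_KERBEROS_PRINCIPAL`, and the equivalent for the server pair used with `ZKUtil.loginServer`. The two principal keys are now also read in `ZKUtil` when deciding whether ZooKeeper counts as secure, which deserves one sentence on those constants. The added blank line and the last added line carry trailing whitespace.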

http://git-wip-us.apache.org/repos/asf/hbase/blob/44b88097/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
index 0407877..674ba58 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
@@ -199,8 +199,8 @@ public class HMasterCommandLine extends ServerCommandLine {
         }
 
         // login the zookeeper server principal (if using security)
-        ZKUtil.loginServer(conf, "hbase.zookeeper.server.keytab.file",
-          "hbase.zookeeper.server.kerberos.principal", null);
+        ZKUtil.loginServer(conf, HConstants.ZK_SERVER_KEYTAB_FILE,
+          HConstants.ZK_SERVER_KERBEROS_PRINCIPAL, null);
         int localZKClusterSessionTimeout =
           conf.getInt(HConstants.ZK_SESSION_TIMEOUT + ".localHBaseCluster", 10*1000);
         conf.setInt(HConstants.ZK_SESSION_TIMEOUT, localZKClusterSessionTimeout);

http://git-wip-us.apache.org/repos/asf/hbase/blob/44b88097/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
index 0ba7b94..7653fa1 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
@@ -549,8 +549,8 @@ public class HRegionServer extends HasThread implements
     rpcRetryingCallerFactory = RpcRetryingCallerFactory.instantiate(this.conf);
 
     // login the zookeeper client principal (if using security)
-    ZKUtil.loginClient(this.conf, "hbase.zookeeper.client.keytab.file",
-      "hbase.zookeeper.client.kerberos.principal", hostName);
+    ZKUtil.loginClient(this.conf, HConstants.ZK_CLIENT_KEYTAB_FILE,
+      HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL, hostName);
     // login the server principal (if using secure Hadoop)
     login(userProvider, hostName);
 

http://git-wip-us.apache.org/repos/asf/hbase/blob/44b88097/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
b/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
index 93a6291..50e886a 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
@@ -25,6 +25,8 @@ import java.io.FileWriter;
 import java.io.IOException;
 import java.util.List;
 
+import javax.security.auth.login.AppConfigurationEntry;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
@@ -34,7 +36,6 @@ import org.apache.hadoop.hbase.testclassification.MiscTests;
 import org.apache.zookeeper.ZooDefs;
 import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.data.Stat;
-
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
@@ -284,5 +285,40 @@ public class TestZooKeeperACL {
     assertEquals(testJaasConfig, false);
     saslConfFile.delete();
   }
+  
+  /**
+   * Check if Programmatic way of setting zookeeper security settings is valid.
+   */
+  @Test
+  public void testIsZooKeeperSecureWithProgrammaticConfig() throws Exception {
+
+    javax.security.auth.login.Configuration.setConfiguration(new DummySecurityConfiguration());
+
+    Configuration config = new Configuration(HBaseConfiguration.create());
+    boolean testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+    assertEquals(testJaasConfig, false);
+
+    // Now set authentication scheme to Kerberos still it should return false
+    // because no configuration set
+    config.set("hbase.security.authentication", "kerberos");
+    testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+    assertEquals(testJaasConfig, false);
+
+    // Now set programmatic options related to security
+    config.set(HConstants.ZK_CLIENT_KEYTAB_FILE, "/dummy/file");
+    config.set(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL, "dummy");
+    config.set(HConstants.ZK_SERVER_KEYTAB_FILE, "/dummy/file");
+    config.set(HConstants.ZK_SERVER_KERBEROS_PRINCIPAL, "dummy");
+    testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+    assertEquals(true, testJaasConfig);
+  }
+
+  private static class DummySecurityConfiguration extends javax.security.auth.login.Configuration
{
+    @Override
+    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+      return null;
+    }
+  }
+
 }
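Review bot: `testIsZooKeeperSecureWithProgrammaticConfig` replaces the JVM-wide JAAS configuration with `DummySecurityConfiguration` and never restores the previous one, so any test that runs later in the same JVM sees a configuration that returns null for every entry. Capture the previous configuration before the call and restore it in a `finally` block, e.g. `javax.security.auth.login.Configuration.setConfiguration(previous);`. The test also sets keytab and principal together for both roles, so a principal-only configuration is not covered; one more assertion for that case would pin the intended behaviour. The first two `assertEquals` calls pass the actual value first, unlike the last one; they should read `assertEquals(false, testJaasConfig);`.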
 

