<pre><span class="source-line-no">001</span><span id="line-1">/*</span>
<span class="source-line-no">002</span><span id="line-2"> * Licensed to the Apache Software Foundation (ASF) under one</span>
<span class="source-line-no">003</span><span id="line-3"> * or more contributor license agreements. See the NOTICE file</span>
<span class="source-line-no">004</span><span id="line-4"> * distributed with this work for additional information</span>
<span class="source-line-no">005</span><span id="line-5"> * regarding copyright ownership. The ASF licenses this file</span>
<span class="source-line-no">006</span><span id="line-6"> * to you under the Apache License, Version 2.0 (the</span>
<span class="source-line-no">007</span><span id="line-7"> * "License"); you may not use this file except in compliance</span>
<span class="source-line-no">008</span><span id="line-8"> * with the License. You may obtain a copy of the License at</span>
<span class="source-line-no">009</span><span id="line-9"> *</span>
<span class="source-line-no">010</span><span id="line-10"> * http://www.apache.org/licenses/LICENSE-2.0</span>
<span class="source-line-no">011</span><span id="line-11"> *</span>
<span class="source-line-no">012</span><span id="line-12"> * Unless required by applicable law or agreed to in writing, software</span>
<span class="source-line-no">013</span><span id="line-13"> * distributed under the License is distributed on an "AS IS" BASIS,</span>
<span class="source-line-no">014</span><span id="line-14"> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span>
<span class="source-line-no">015</span><span id="line-15"> * See the License for the specific language governing permissions and</span>
<span class="source-line-no">016</span><span id="line-16"> * limitations under the License.</span>
<span class="source-line-no">017</span><span id="line-17"> */</span>
<span class="source-line-no">018</span><span id="line-18">package org.apache.hadoop.hbase.security;</span>
<span class="source-line-no">019</span><span id="line-19"></span>
<span class="source-line-no">020</span><span id="line-20">import java.io.File;</span>
<span class="source-line-no">021</span><span id="line-21">import java.io.IOException;</span>
<span class="source-line-no">022</span><span id="line-22">import java.net.InetAddress;</span>
<span class="source-line-no">023</span><span id="line-23">import org.apache.hadoop.conf.Configuration;</span>
<span class="source-line-no">024</span><span id="line-24">import org.apache.hadoop.fs.CommonConfigurationKeys;</span>
<span class="source-line-no">025</span><span id="line-25">import org.apache.hadoop.hbase.AuthUtil;</span>
<span class="source-line-no">026</span><span id="line-26">import org.apache.hadoop.hbase.HBaseCommonTestingUtil;</span>
<span class="source-line-no">027</span><span id="line-27">import org.apache.hadoop.hbase.HBaseConfiguration;</span>
<span class="source-line-no">028</span><span id="line-28">import org.apache.hadoop.hbase.http.ssl.KeyStoreTestUtil;</span>
<span class="source-line-no">029</span><span id="line-29">import org.apache.hadoop.hdfs.DFSConfigKeys;</span>
<span class="source-line-no">030</span><span id="line-30">import org.apache.hadoop.http.HttpConfig;</span>
<span class="source-line-no">031</span><span id="line-31">import org.apache.hadoop.security.UserGroupInformation;</span>
<span class="source-line-no">032</span><span id="line-32">import org.apache.hadoop.yarn.conf.YarnConfiguration;</span>
<span class="source-line-no">033</span><span id="line-33">import org.apache.yetus.audience.InterfaceAudience;</span>
<span class="source-line-no">034</span><span id="line-34">import org.slf4j.Logger;</span>
<span class="source-line-no">035</span><span id="line-35">import org.slf4j.LoggerFactory;</span>
<span class="source-line-no">036</span><span id="line-36"></span>
<span class="source-line-no">037</span><span id="line-37">import org.apache.hbase.thirdparty.com.google.common.base.Strings;</span>
<span class="source-line-no">038</span><span id="line-38"></span>
<span class="source-line-no">039</span><span id="line-39">@InterfaceAudience.Private</span>
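public final class HBaseKerberosUtils {
  private static final Logger LOG = LoggerFactory.getLogger(HBaseKerberosUtils.class);

  /** System-property / config key that holds the RegionServer (service) Kerberos principal. */
  public static final String KRB_PRINCIPAL = SecurityConstants.REGIONSERVER_KRB_PRINCIPAL;
  /** Config key that holds the Master Kerberos principal. */
  public static final String MASTER_KRB_PRINCIPAL = SecurityConstants.MASTER_KRB_PRINCIPAL;
  /** System-property / config key that holds the RegionServer keytab path. */
  public static final String KRB_KEYTAB_FILE = SecurityConstants.REGIONSERVER_KRB_KEYTAB_FILE;
  /** System-property / config key that holds the client Kerberos principal. */
  public static final String CLIENT_PRINCIPAL = AuthUtil.HBASE_CLIENT_KERBEROS_PRINCIPAL;
  /** System-property / config key that holds the client keytab path. */
  public static final String CLIENT_KEYTAB = AuthUtil.HBASE_CLIENT_KEYTAB_FILE;

  private HBaseKerberosUtils() {
  }

  /**
   * Whether both the service principal ({@link #KRB_PRINCIPAL}) and the service keytab
   * ({@link #KRB_KEYTAB_FILE}) are present as non-empty JVM system properties.
   * @return true only when both values are set and non-empty
   */
  public static boolean isKerberosPropertySetted() {
    return !Strings.isNullOrEmpty(System.getProperty(KRB_PRINCIPAL))
      && !Strings.isNullOrEmpty(System.getProperty(KRB_KEYTAB_FILE));
  }

  /** Stores the service principal as a JVM-wide system property. */
  public static void setPrincipalForTesting(String principal) {
    setSystemProperty(KRB_PRINCIPAL, principal);
  }

  /** Stores the service keytab path as a JVM-wide system property. */
  public static void setKeytabFileForTesting(String keytabFile) {
    setSystemProperty(KRB_KEYTAB_FILE, keytabFile);
  }

  /** Stores the client principal as a JVM-wide system property. */
  public static void setClientPrincipalForTesting(String clientPrincipal) {
    setSystemProperty(CLIENT_PRINCIPAL, clientPrincipal);
  }

  /** Stores the client keytab path as a JVM-wide system property. */
  public static void setClientKeytabForTesting(String clientKeytab) {
    setSystemProperty(CLIENT_KEYTAB, clientKeytab);
  }

  /**
   * Thin wrapper around {@link System#setProperty(String, String)}. The property is visible to the
   * whole JVM, so tests that use these helpers share state.
   * @throws NullPointerException if either argument is null (from {@code System.setProperty})
   */
  public static void setSystemProperty(String propertyName, String propertyValue) {
    System.setProperty(propertyName, propertyValue);
  }

  /** @return the service keytab path system property, or null if unset */
  public static String getKeytabFileForTesting() {
    return System.getProperty(KRB_KEYTAB_FILE);
  }

  /** @return the service principal system property, or null if unset */
  public static String getPrincipalForTesting() {
    return System.getProperty(KRB_PRINCIPAL);
  }

  /** @return the client principal system property, or null if unset */
  public static String getClientPrincipalForTesting() {
    return System.getProperty(CLIENT_PRINCIPAL);
  }

  /** @return the client keytab path system property, or null if unset */
  public static String getClientKeytabForTesting() {
    return System.getProperty(CLIENT_KEYTAB);
  }

  /**
   * Switches Hadoop and HBase authentication to Kerberos and turns on HBase authorization, without
   * touching the principal/keytab entries.
   */
  private static void enableKerberos(Configuration conf) {
    conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
    conf.set(User.HBASE_SECURITY_CONF_KEY, "kerberos");
    conf.setBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, true);
  }

  /**
   * Builds an HBase configuration with Kerberos authentication and authorization switched on but
   * no principal or keytab configured.
   * @return a fresh configuration; the caller is expected to add credentials
   */
  public static Configuration getConfigurationWoPrincipal() {
    Configuration conf = HBaseConfiguration.create();
    enableKerberos(conf);
    return conf;
  }

  /**
   * Builds an HBase configuration with Kerberos switched on and the service principal/keytab taken
   * from the system properties.
   * @return a fresh secured configuration
   * @throws IllegalStateException if the principal or keytab system property is unset or empty
   */
  public static Configuration getSecuredConfiguration() {
    Configuration conf = HBaseConfiguration.create();
    setSecuredConfiguration(conf);
    return conf;
  }

  /**
   * Set up configuration for a secure HDFS+HBase cluster. As a side effect the service principal
   * is also stored as the {@link #KRB_PRINCIPAL} system property and the UGI static configuration
   * for the whole JVM is replaced (see {@link UserGroupInformation#setConfiguration}).
   * @param conf configuration object.
   * @param servicePrincipal service principal used by NN, HM and RS.
   * @param spnegoPrincipal SPNEGO principal used by NN web UI; may be null to leave it unset.
   * @throws IllegalStateException if the keytab system property is unset or empty
   */
  public static void setSecuredConfiguration(Configuration conf, String servicePrincipal,
    String spnegoPrincipal) {
    setPrincipalForTesting(servicePrincipal);
    setSecuredConfiguration(conf);
    setSecuredHadoopConfiguration(conf, spnegoPrincipal);
  }

  /**
   * Switches {@code conf} to Kerberos and copies the service principal and keytab from the system
   * properties into it. The Master is configured to use the same principal as the RegionServer.
   * @param conf configuration to mutate
   * @throws IllegalStateException if the principal or keytab system property is unset or empty;
   *           failing here gives a clear message instead of letting a null/empty credential
   *           reach {@code conf.set} and a later login attempt.
   */
  public static void setSecuredConfiguration(Configuration conf) {
    String keytab = System.getProperty(KRB_KEYTAB_FILE);
    String principal = System.getProperty(KRB_PRINCIPAL);
    if (Strings.isNullOrEmpty(keytab) || Strings.isNullOrEmpty(principal)) {
      throw new IllegalStateException("System properties " + KRB_PRINCIPAL + " and "
        + KRB_KEYTAB_FILE + " must both be set before building a secured configuration");
    }
    enableKerberos(conf);
    conf.set(KRB_KEYTAB_FILE, keytab);
    conf.set(KRB_PRINCIPAL, principal);
    // Master and RegionServer share one service principal in the test cluster.
    conf.set(MASTER_KRB_PRINCIPAL, principal);
  }

  /**
   * Points the HDFS and YARN daemons at the shared service principal/keytab and installs
   * {@code conf} as the JVM-wide UGI configuration.
   * @param conf configuration to mutate
   * @param spnegoServerPrincipal SPNEGO principal for the NameNode web UI, or null to skip
   */
  private static void setSecuredHadoopConfiguration(Configuration conf,
    String spnegoServerPrincipal) {
    String serverPrincipal = System.getProperty(KRB_PRINCIPAL);
    String keytabFilePath = System.getProperty(KRB_KEYTAB_FILE);
    // HDFS: NameNode and DataNode run as the shared service principal.
    conf.set(DFSConfigKeys.DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY, serverPrincipal);
    conf.set(DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY, keytabFilePath);
    conf.set(DFSConfigKeys.DFS_DATANODE_KERBEROS_PRINCIPAL_KEY, serverPrincipal);
    conf.set(DFSConfigKeys.DFS_DATANODE_KEYTAB_FILE_KEY, keytabFilePath);
    // Block access tokens are part of a secure HDFS setup alongside Kerberos.
    conf.setBoolean(DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true);
    // YARN: use the principal *value*. Previously the KRB_PRINCIPAL key name itself was stored
    // here, which is not a Kerberos principal at all.
    conf.set(YarnConfiguration.RM_PRINCIPAL, serverPrincipal);
    conf.set(YarnConfiguration.NM_PRINCIPAL, serverPrincipal);

    if (spnegoServerPrincipal != null) {
      conf.set(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, spnegoServerPrincipal);
    }

    // Test-only relaxation (the key name says so); presumably lets secure daemons bind
    // non-privileged ports. Must never be carried into a production configuration.
    conf.setBoolean("ignore.secure.ports.for.testing", true);

    // Process-global: every UGI login in this JVM will now read its security settings from conf.
    UserGroupInformation.setConfiguration(conf);
  }

  /**
   * Set up SSL configuration for HDFS NameNode and DataNode. The HTTP policy is forced to
   * HTTPS-only and ephemeral ports on localhost are used for the HTTPS endpoints; test keystores
   * are generated under the utility's data test directory.
   * @param utility a HBaseTestingUtility object.
   * @param clazz the caller test class.
   * @throws Exception if unable to set up SSL configuration, including when the keystore directory
   *           cannot be created
   */
  public static void setSSLConfiguration(HBaseCommonTestingUtil utility, Class&lt;?&gt; clazz)
    throws Exception {
    Configuration conf = utility.getConfiguration();
    conf.set(DFSConfigKeys.DFS_HTTP_POLICY_KEY, HttpConfig.Policy.HTTPS_ONLY.name());
    conf.set(DFSConfigKeys.DFS_NAMENODE_HTTPS_ADDRESS_KEY, "localhost:0");
    conf.set(DFSConfigKeys.DFS_DATANODE_HTTPS_ADDRESS_KEY, "localhost:0");

    File keystoresDir = new File(utility.getDataTestDir("keystore").toUri().getPath());
    // mkdirs() returns false both when creation fails and when the directory already exists;
    // only the former is an error, so check explicitly instead of ignoring the result.
    if (!keystoresDir.isDirectory() && !keystoresDir.mkdirs()) {
      throw new IOException("Could not create keystore directory " + keystoresDir);
    }
    String sslConfDir = KeyStoreTestUtil.getClasspathDir(clazz);
    // Last argument is passed through as false; its meaning is defined by KeyStoreTestUtil.
    KeyStoreTestUtil.setupSSLConfig(keystoresDir.getAbsolutePath(), sslConfDir, conf, false);
  }

  /**
   * Logs in from a keytab whose path and principal are read from {@code conf} under the keys
   * {@code hbase.&lt;username&gt;.keytab.file} and {@code hbase.&lt;username&gt;.kerberos.principal},
   * and returns the resulting UGI without changing the JVM's login user.
   * @param conf configuration holding the two keys above
   * @param username the middle segment of the configuration keys, not a Kerberos name
   * @return the UGI obtained from the keytab login
   * @throws IOException if either configuration value is missing, or if the login fails. The
   *           missing-value case used to be a warning only; it now fails so that null credentials
   *           are never handed to the login call.
   */
  public static UserGroupInformation loginAndReturnUGI(Configuration conf, String username)
    throws IOException {
    String hostname = InetAddress.getLocalHost().getHostName();
    String keyTabFileConfKey = "hbase." + username + ".keytab.file";
    String keyTabFileLocation = conf.get(keyTabFileConfKey);
    String principalConfKey = "hbase." + username + ".kerberos.principal";
    // The local hostname is supplied to SecurityUtil, presumably to expand a host placeholder in
    // the configured principal; the exact substitution is defined by SecurityUtil, not here.
    String principal = org.apache.hadoop.security.SecurityUtil
      .getServerPrincipal(conf.get(principalConfKey), hostname);
    if (keyTabFileLocation == null || principal == null) {
      throw new IOException(
        "Principal or key tab file null for : " + principalConfKey + ", " + keyTabFileConfKey);
    }
    UserGroupInformation ugi =
      UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keyTabFileLocation);
    LOG.debug("Logged in from keytab as {}", principal);
    return ugi;
  }

  /**
   * Installs a minimal Kerberos-only Hadoop configuration JVM-wide, logs in the JVM's login user
   * from the given keytab and returns it. Unlike {@link #loginAndReturnUGI} this replaces the
   * process login user and the UGI static configuration, affecting every later caller.
   * @param krbKeytab path to the keytab
   * @param krbPrincipal principal to log in as
   * @return the new JVM login user
   * @throws Exception if the login fails
   */
  public static UserGroupInformation loginKerberosPrincipal(String krbKeytab, String krbPrincipal)
    throws Exception {
    Configuration conf = new Configuration();
    conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromKeytab(krbPrincipal, krbKeytab);
    return UserGroupInformation.getLoginUser();
  }
}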