hbase-client/src/main/java/org/apache/hadoop/hbase/security/token/ClientTokenUtil.java - hbase - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.hadoop.hbase.security.token;

 import java.io.IOException;
 import java.lang.reflect.UndeclaredThrowableException;
 import java.security.PrivilegedExceptionAction;
 import java.util.concurrent.CompletableFuture;
 import org.apache.hadoop.hbase.HConstants;
 import org.apache.hadoop.hbase.TableName;
 import org.apache.hadoop.hbase.client.AsyncConnection;
 import org.apache.hadoop.hbase.client.AsyncTable;
 import org.apache.hadoop.hbase.client.Connection;
 import org.apache.hadoop.hbase.client.Table;
 import org.apache.hadoop.hbase.ipc.CoprocessorRpcChannel;
 import org.apache.hadoop.hbase.security.User;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.token.Token;
 import org.apache.yetus.audience.InterfaceAudience;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import org.apache.hbase.thirdparty.com.google.protobuf.ByteString;
 import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException;

 import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
 import org.apache.hadoop.hbase.shaded.protobuf.generated.AuthenticationProtos;

 /**
  * Utility methods for obtaining authentication tokens, that do not require hbase-server.
  */
 @InterfaceAudience.Public
 public final class ClientTokenUtil {
   private static final Logger LOG = LoggerFactory.getLogger(ClientTokenUtil.class);

   // Set in TestClientTokenUtil via reflection
   private static ServiceException injectedException;

   private ClientTokenUtil() {
   }

   private static void injectFault() throws ServiceException {
     if (injectedException != null) {
       throw injectedException;
     }
   }

   /**
    * Obtain and return an authentication token for the current user.
    * @param conn The async HBase cluster connection
    * @return the authentication token instance, wrapped by a {@link CompletableFuture}.
    */
   @InterfaceAudience.Private
   public static CompletableFuture<Token<AuthenticationTokenIdentifier>>
     obtainToken(AsyncConnection conn) {
     CompletableFuture<Token<AuthenticationTokenIdentifier>> future = new CompletableFuture<>();
     if (injectedException != null) {
       future.completeExceptionally(ProtobufUtil.handleRemoteException(injectedException));
       return future;
     }
     AsyncTable<?> table = conn.getTable(TableName.META_TABLE_NAME);
     table.<AuthenticationProtos.AuthenticationService.Interface,
       AuthenticationProtos.GetAuthenticationTokenResponse> coprocessorService(
         AuthenticationProtos.AuthenticationService::newStub,
         (s, c, r) -> s.getAuthenticationToken(c,
           AuthenticationProtos.GetAuthenticationTokenRequest.getDefaultInstance(), r),
         HConstants.EMPTY_START_ROW)
       .whenComplete((resp, error) -> {
         if (error != null) {
           future.completeExceptionally(ProtobufUtil.handleRemoteException(error));
         } else {
           future.complete(toToken(resp.getToken()));
         }
       });
     return future;
   }

   /**
    * Obtain and return an authentication token for the current user.
    * @param conn The HBase cluster connection
    * @throws IOException if a remote error or serialization problem occurs.
    * @return the authentication token instance
    */
   @InterfaceAudience.Private
   static Token<AuthenticationTokenIdentifier> obtainToken(Connection conn) throws IOException {
     Table meta = null;
     try {
       injectFault();

       meta = conn.getTable(TableName.META_TABLE_NAME);
       CoprocessorRpcChannel rpcChannel = meta.coprocessorService(HConstants.EMPTY_START_ROW);
       AuthenticationProtos.AuthenticationService.BlockingInterface service =
         AuthenticationProtos.AuthenticationService.newBlockingStub(rpcChannel);
       AuthenticationProtos.GetAuthenticationTokenResponse response = service.getAuthenticationToken(
         null, AuthenticationProtos.GetAuthenticationTokenRequest.getDefaultInstance());

       return toToken(response.getToken());
     } catch (ServiceException se) {
       throw ProtobufUtil.handleRemoteException(se);
     } finally {
       if (meta != null) {
         meta.close();
       }
     }
   }

   /**
    * Converts a Token instance (with embedded identifier) to the protobuf representation.
    * @param token the Token instance to copy
    * @return the protobuf Token message
    */
   @InterfaceAudience.Private
   static AuthenticationProtos.Token toToken(Token<AuthenticationTokenIdentifier> token) {
     AuthenticationProtos.Token.Builder builder = AuthenticationProtos.Token.newBuilder();
     builder.setIdentifier(ByteString.copyFrom(token.getIdentifier()));
     builder.setPassword(ByteString.copyFrom(token.getPassword()));
     if (token.getService() != null) {
       builder.setService(ByteString.copyFromUtf8(token.getService().toString()));
     }
     return builder.build();
   }

   /**
    * Converts a protobuf Token message back into a Token instance.
    * @param proto the protobuf Token message
    * @return the Token instance
    */
   @InterfaceAudience.Private
   static Token<AuthenticationTokenIdentifier> toToken(AuthenticationProtos.Token proto) {
     return new Token<>(proto.hasIdentifier() ? proto.getIdentifier().toByteArray() : null,
       proto.hasPassword() ? proto.getPassword().toByteArray() : null,
       AuthenticationTokenIdentifier.AUTH_TOKEN_TYPE,
       proto.hasService() ? new Text(proto.getService().toStringUtf8()) : null);
   }

   /**
    * Obtain and return an authentication token for the given user.
    * @param conn The HBase cluster connection
    * @param user The user to obtain a token for
    * @return the authentication token instance
    */
   @InterfaceAudience.Private
   static Token<AuthenticationTokenIdentifier> obtainToken(final Connection conn, User user)
     throws IOException, InterruptedException {
     return user.runAs(new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
       @Override
       public Token<AuthenticationTokenIdentifier> run() throws Exception {
         return obtainToken(conn);
       }
     });
   }

   /**
    * Obtain an authentication token for the given user and add it to the user's credentials.
    * @param conn The HBase cluster connection
    * @param user The user for whom to obtain the token
    * @throws IOException          If making a remote call to the authentication service fails
    * @throws InterruptedException If executing as the given user is interrupted
    */
   public static void obtainAndCacheToken(final Connection conn, User user)
     throws IOException, InterruptedException {
     try {
       Token<AuthenticationTokenIdentifier> token = obtainToken(conn, user);

       if (token == null) {
         throw new IOException("No token returned for user " + user.getName());
       }
       if (LOG.isDebugEnabled()) {
         LOG.debug("Obtained token " + token.getKind().toString() + " for user " + user.getName());
       }
       user.addToken(token);
     } catch (IOException | InterruptedException | RuntimeException e) {
       throw e;
     } catch (Exception e) {
       throw new UndeclaredThrowableException(e,
         "Unexpected exception obtaining token for user " + user.getName());
     }
   }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.hadoop.hbase.security.token;

	import java.io.IOException;
	import java.lang.reflect.UndeclaredThrowableException;
	import java.security.PrivilegedExceptionAction;
	import java.util.concurrent.CompletableFuture;
	import org.apache.hadoop.hbase.HConstants;
	import org.apache.hadoop.hbase.TableName;
	import org.apache.hadoop.hbase.client.AsyncConnection;
	import org.apache.hadoop.hbase.client.AsyncTable;
	import org.apache.hadoop.hbase.client.Connection;
	import org.apache.hadoop.hbase.client.Table;
	import org.apache.hadoop.hbase.ipc.CoprocessorRpcChannel;
	import org.apache.hadoop.hbase.security.User;
	import org.apache.hadoop.io.Text;
	import org.apache.hadoop.security.token.Token;
	import org.apache.yetus.audience.InterfaceAudience;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	import org.apache.hbase.thirdparty.com.google.protobuf.ByteString;
	import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException;

	import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
	import org.apache.hadoop.hbase.shaded.protobuf.generated.AuthenticationProtos;

	/**
	* Utility methods for obtaining authentication tokens, that do not require hbase-server.
	*/
	@InterfaceAudience.Public
	public final class ClientTokenUtil {
	private static final Logger LOG = LoggerFactory.getLogger(ClientTokenUtil.class);

	// Set in TestClientTokenUtil via reflection
	private static ServiceException injectedException;

	private ClientTokenUtil() {
	}

	private static void injectFault() throws ServiceException {
	if (injectedException != null) {
	throw injectedException;
	}
	}

	/**
	* Obtain and return an authentication token for the current user.
	* @param conn The async HBase cluster connection
	* @return the authentication token instance, wrapped by a {@link CompletableFuture}.
	*/
	@InterfaceAudience.Private
	public static CompletableFuture<Token<AuthenticationTokenIdentifier>>
	obtainToken(AsyncConnection conn) {
	CompletableFuture<Token<AuthenticationTokenIdentifier>> future = new CompletableFuture<>();
	if (injectedException != null) {
	future.completeExceptionally(ProtobufUtil.handleRemoteException(injectedException));
	return future;
	}
	AsyncTable<?> table = conn.getTable(TableName.META_TABLE_NAME);
	table.<AuthenticationProtos.AuthenticationService.Interface,
	AuthenticationProtos.GetAuthenticationTokenResponse> coprocessorService(
	AuthenticationProtos.AuthenticationService::newStub,
	(s, c, r) -> s.getAuthenticationToken(c,
	AuthenticationProtos.GetAuthenticationTokenRequest.getDefaultInstance(), r),
	HConstants.EMPTY_START_ROW)
	.whenComplete((resp, error) -> {
	if (error != null) {
	future.completeExceptionally(ProtobufUtil.handleRemoteException(error));
	} else {
	future.complete(toToken(resp.getToken()));
	}
	});
	return future;
	}

	/**
	* Obtain and return an authentication token for the current user.
	* @param conn The HBase cluster connection
	* @throws IOException if a remote error or serialization problem occurs.
	* @return the authentication token instance
	*/
	@InterfaceAudience.Private
	static Token<AuthenticationTokenIdentifier> obtainToken(Connection conn) throws IOException {
	Table meta = null;
	try {
	injectFault();

	meta = conn.getTable(TableName.META_TABLE_NAME);
	CoprocessorRpcChannel rpcChannel = meta.coprocessorService(HConstants.EMPTY_START_ROW);
	AuthenticationProtos.AuthenticationService.BlockingInterface service =
	AuthenticationProtos.AuthenticationService.newBlockingStub(rpcChannel);
	AuthenticationProtos.GetAuthenticationTokenResponse response = service.getAuthenticationToken(
	null, AuthenticationProtos.GetAuthenticationTokenRequest.getDefaultInstance());

	return toToken(response.getToken());
	} catch (ServiceException se) {
	throw ProtobufUtil.handleRemoteException(se);
	} finally {
	if (meta != null) {
	meta.close();
	}
	}
	}

	/**
	* Converts a Token instance (with embedded identifier) to the protobuf representation.
	* @param token the Token instance to copy
	* @return the protobuf Token message
	*/
	@InterfaceAudience.Private
	static AuthenticationProtos.Token toToken(Token<AuthenticationTokenIdentifier> token) {
	AuthenticationProtos.Token.Builder builder = AuthenticationProtos.Token.newBuilder();
	builder.setIdentifier(ByteString.copyFrom(token.getIdentifier()));
	builder.setPassword(ByteString.copyFrom(token.getPassword()));
	if (token.getService() != null) {
	builder.setService(ByteString.copyFromUtf8(token.getService().toString()));
	}
	return builder.build();
	}

	/**
	* Converts a protobuf Token message back into a Token instance.
	* @param proto the protobuf Token message
	* @return the Token instance
	*/
	@InterfaceAudience.Private
	static Token<AuthenticationTokenIdentifier> toToken(AuthenticationProtos.Token proto) {
	return new Token<>(proto.hasIdentifier() ? proto.getIdentifier().toByteArray() : null,
	proto.hasPassword() ? proto.getPassword().toByteArray() : null,
	AuthenticationTokenIdentifier.AUTH_TOKEN_TYPE,
	proto.hasService() ? new Text(proto.getService().toStringUtf8()) : null);
	}

	/**
	* Obtain and return an authentication token for the given user.
	* @param conn The HBase cluster connection
	* @param user The user to obtain a token for
	* @return the authentication token instance
	*/
	@InterfaceAudience.Private
	static Token<AuthenticationTokenIdentifier> obtainToken(final Connection conn, User user)
	throws IOException, InterruptedException {
	return user.runAs(new PrivilegedExceptionAction<Token<AuthenticationTokenIdentifier>>() {
	@Override
	public Token<AuthenticationTokenIdentifier> run() throws Exception {
	return obtainToken(conn);
	}
	});
	}

	/**
	* Obtain an authentication token for the given user and add it to the user's credentials.
	* @param conn The HBase cluster connection
	* @param user The user for whom to obtain the token
	* @throws IOException If making a remote call to the authentication service fails
	* @throws InterruptedException If executing as the given user is interrupted
	*/
	public static void obtainAndCacheToken(final Connection conn, User user)
	throws IOException, InterruptedException {
	try {
	Token<AuthenticationTokenIdentifier> token = obtainToken(conn, user);

	if (token == null) {
	throw new IOException("No token returned for user " + user.getName());
	}
	if (LOG.isDebugEnabled()) {
	LOG.debug("Obtained token " + token.getKind().toString() + " for user " + user.getName());
	}
	user.addToken(token);
	} catch (IOException \| InterruptedException \| RuntimeException e) {
	throw e;
	} catch (Exception e) {
	throw new UndeclaredThrowableException(e,
	"Unexpected exception obtaining token for user " + user.getName());
	}
	}
	}