HBASE-19118 Use SaslUtil to set Sasl.QOP in 'Thrift' Signed-off-by: Josh Elser <els...@apache.org>
Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/01cb1d99 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/01cb1d99 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/01cb1d99 Branch: refs/heads/branch-1 Commit: 01cb1d99b722bb8dc017726a77e532bfc9a1a6e9 Parents: 61753bd Author: Reid Chan <reidddc...@outlook.com> Authored: Mon Oct 30 17:25:59 2017 +0800 Committer: Josh Elser <els...@apache.org> Committed: Thu Nov 2 00:42:03 2017 -0400
----------------------------------------------------------------------
.../apache/hadoop/hbase/security/SaslUtil.java | 2 +-
.../hadoop/hbase/thrift/ThriftServerRunner.java | 24 +++++++++++++-------
.../hadoop/hbase/thrift2/ThriftServer.java | 5 +---
3 files changed, 18 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hbase/blob/01cb1d99/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
----------------------------------------------------------------------
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
index aaa9d7a..54c1701 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/SaslUtil.java
@@ -97,7 +97,7 @@ public class SaslUtil {
 * @param rpcProtection Value of 'hbase.rpc.protection' configuration.
 * @return Map with values for SASL properties.
 */
- static Map<String, String> initSaslProperties(String rpcProtection) {
+ public static Map<String, String> initSaslProperties(String rpcProtection) {
 String saslQop;
 if (rpcProtection.isEmpty()) {
 saslQop = QualityOfProtection.AUTHENTICATION.getSaslQop();
http://git-wip-us.apache.org/repos/asf/hbase/blob/01cb1d99/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
index 90b9c5c..6d1dde8 100644
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
@@ -81,6 +81,8 @@ import org.apache.hadoop.hbase.filter.ParseFilter;
 import org.apache.hadoop.hbase.filter.PrefixFilter;
 import org.apache.hadoop.hbase.filter.WhileMatchFilter;
 import org.apache.hadoop.hbase.jetty.SslSelectChannelConnectorSecure;
+import org.apache.hadoop.hbase.security.SaslUtil;
+import org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection;
 import org.apache.hadoop.hbase.security.SecurityUtil;
 import org.apache.hadoop.hbase.security.UserProvider;
 import org.apache.hadoop.hbase.thrift.CallQueue.Call;
@@ -197,7 +199,7 @@ public class ThriftServerRunner implements Runnable {
 private final HBaseHandler hbaseHandler;
 private final UserGroupInformation realUser;
- private final String qop;
+ private SaslUtil.QualityOfProtection qop;
 private String host;
 private final boolean securityEnabled;
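Review bot: Making `initSaslProperties` public turns its Javadoc into the contract for the new Thrift callers, yet `@param rpcProtection` still describes only the `hbase.rpc.protection` configuration value, while ThriftServerRunner and the thrift2 ThriftServer (later hunks of this patch) now pass `qop.name()`, i.e. the upper-case enum constant such as `AUTHENTICATION`. The hunk shows only the empty-string branch; whether the non-empty branch accepts an enum name as well as the lower-case configuration spellings is not visible here and should be confirmed, because a mismatch would surface only at server start, not at compile time. Suggest widening the Javadoc to something like `@param rpcProtection Quality-of-protection value in any form accepted by getQop; an empty string selects AUTHENTICATION.` so callers outside hbase-client know the accepted forms. The method body continues past the end of the hunk.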
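Review bot: The field `qop` loses its `final` modifier on the new side (`private SaslUtil.QualityOfProtection qop;`) although nothing in the change requires it: the constructor hunk at -324 later in this patch could assign it unconditionally, `this.qop = strQop == null ? null : SaslUtil.getQop(strQop);`, leaving the field as `private final QualityOfProtection qop;`. Keeping it final documents that the negotiated protection level is fixed for the server's lifetime and cannot be reassigned after the constructor's validation. The nested type is already imported by the -81 hunk, so the `SaslUtil.` qualifier is redundant and inconsistent with the bare `QualityOfProtection` used in the validation code.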
@@ -324,7 +326,10 @@ public class ThriftServerRunner implements Runnable {
 this.handler = HbaseHandlerMetricsProxy.newInstance(
 hbaseHandler, metrics, conf);
 this.realUser = userProvider.getCurrent().getUGI();
- qop = conf.get(THRIFT_QOP_KEY);
+ String strQop = conf.get(THRIFT_QOP_KEY);
+ if (strQop != null) {
+ this.qop = SaslUtil.getQop(strQop);
+ }
 doAsEnabled = conf.getBoolean(THRIFT_SUPPORT_PROXYUSER, false);
 if (doAsEnabled) {
 if (!conf.getBoolean(USE_HTTP_CONF_KEY, false)) {
@@ -332,10 +337,14 @@ public class ThriftServerRunner implements Runnable {
 }
 }
 if (qop != null) {
- if (!qop.equals("auth") && !qop.equals("auth-int")
- && !qop.equals("auth-conf")) {
- throw new IOException("Invalid " + THRIFT_QOP_KEY + ": " + qop
- + ", it must be 'auth', 'auth-int', or 'auth-conf'");
+ if (qop != QualityOfProtection.AUTHENTICATION &&
+ qop != QualityOfProtection.INTEGRITY &&
+ qop != QualityOfProtection.PRIVACY) {
+ throw new IOException(String.format("Invalide %s: It must be one of %s, %s, or %s.",
+ THRIFT_QOP_KEY,
+ QualityOfProtection.AUTHENTICATION.name(),
+ QualityOfProtection.INTEGRITY.name(),
+ QualityOfProtection.PRIVACY.name()));
 }
 if (!securityEnabled) {
 throw new IOException("Thrift server must"
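Review bot: The new error message in the -332 hunk misspells its first word — `"Invalide %s: It must be one of %s, %s, or %s."` should read `"Invalid %s: It must be one of %s, %s, or %s."` — and the condition guarding it compares an already-parsed enum value against the three constants, so if AUTHENTICATION, INTEGRITY and PRIVACY are the only constants of QualityOfProtection (its definition is not on this page) that branch can never fire. The real validation now happens in `SaslUtil.getQop(strQop)` in the -324 hunk, whose behaviour for an unrecognised string is not visible here; if it throws, an operator who mistypes the value gets that exception instead of the IOException naming THRIFT_QOP_KEY that this block was written to produce. Suggest wrapping the `getQop` call so that a parse failure is rethrown as `IOException` carrying THRIFT_QOP_KEY and the offending string, and dropping the enum comparison if the enum is indeed exhaustive. The constructor extends beyond both hunks.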
@@ -482,8 +491,7 @@ public class ThriftServerRunner implements Runnable {
 // Extract the name from the principal
 String name = SecurityUtil.getUserFromPrincipal(
 conf.get("hbase.thrift.kerberos.principal"));
- Map<String, String> saslProperties = new HashMap<String, String>();
- saslProperties.put(Sasl.QOP, qop);
+ Map<String, String> saslProperties = SaslUtil.initSaslProperties(qop.name());
 TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
 saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties, new SaslGssCallbackHandler() {
http://git-wip-us.apache.org/repos/asf/hbase/blob/01cb1d99/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
index e1cb2b9..24bff56 100644
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
@@ -23,7 +23,6 @@ import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.UnknownHostException;
 import java.security.PrivilegedAction;
-import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ExecutorService;
@@ -35,7 +34,6 @@ import java.util.concurrent.TimeUnit;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.sasl.AuthorizeCallback;
-import javax.security.sasl.Sasl;
 import javax.security.sasl.SaslServer;
 import org.apache.commons.cli.CommandLine;
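Review bot: `SaslUtil.initSaslProperties(qop.name())` dereferences `qop` without a null check, whereas the two replaced lines tolerated a null `qop` by storing it as the map value. The constructor shown earlier in this patch only assigns `qop` when THRIFT_QOP_KEY is set, and its validation only requires that a configured QoP implies security is enabled, not the converse, so if this block runs whenever security is enabled (the enclosing condition is outside the hunk) a secure Thrift server with no QoP configured now fails with a NullPointerException here instead of a clear message. Either guard it, `if (qop == null) throw new IOException(THRIFT_QOP_KEY + " must be set when security is enabled");`, or fall back explicitly to `SaslUtil.initSaslProperties("")`, which the SaslUtil hunk shows selects AUTHENTICATION. The thrift2 call site in the last hunk is not affected, since it sits in an `else` after an explicit `qop == null` branch.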
@@ -197,8 +195,7 @@ public class ThriftServer {
 } else if (qop == null) {
 return new TTransportFactory();
 } else {
- Map<String, String> saslProperties = new HashMap<String, String>();
- saslProperties.put(Sasl.QOP, qop.getSaslQop());
+ Map<String, String> saslProperties = SaslUtil.initSaslProperties(qop.name());
 TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
 saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties, new SaslGssCallbackHandler() {