Repository: hbase Updated Branches: refs/heads/branch-2 81937df3b -> 805e2db3e
HBASE-20590 REST Java client is not able to negotiate with the server in the secure mode Signed-off-by: Ashish Singhi <ashishsin...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/hbase/repo Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/805e2db3 Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/805e2db3 Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/805e2db3 Branch: refs/heads/branch-2 Commit: 805e2db3e2cddd47b9caa1bcd6ebea9b4159e365 Parents: 81937df Author: Ashish Singhi <ashishsin...@apache.org> Authored: Mon Jun 4 14:13:42 2018 +0530 Committer: Ashish Singhi <ashishsin...@apache.org> Committed: Mon Jun 4 14:13:42 2018 +0530 ---------------------------------------------------------------------- hbase-examples/pom.xml | 4 + .../hadoop/hbase/rest/RESTDemoClient.java | 144 +++++++++++++++++++ .../apache/hadoop/hbase/rest/client/Client.java | 55 ++++++- 3 files changed, 200 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hbase/blob/805e2db3/hbase-examples/pom.xml ---------------------------------------------------------------------- diff --git a/hbase-examples/pom.xml b/hbase-examples/pom.xml index d1881376..8b48a81 100644 --- a/hbase-examples/pom.xml +++ b/hbase-examples/pom.xml @@ -183,6 +183,10 @@ <artifactId>findbugs-annotations</artifactId> </dependency> <dependency> + <groupId>org.apache.hbase</groupId> + <artifactId>hbase-rest</artifactId> + </dependency> + <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <scope>test</scope> http://git-wip-us.apache.org/repos/asf/hbase/blob/805e2db3/hbase-examples/src/main/java/org/apache/hadoop/hbase/rest/RESTDemoClient.java ---------------------------------------------------------------------- diff --git a/hbase-examples/src/main/java/org/apache/hadoop/hbase/rest/RESTDemoClient.java b/hbase-examples/src/main/java/org/apache/hadoop/hbase/rest/RESTDemoClient.java new file mode 100644 index 0000000..19fae47 --- /dev/null +++ b/hbase-examples/src/main/java/org/apache/hadoop/hbase/rest/RESTDemoClient.java @@ -0,0 +1,144 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hbase.rest; + +import java.security.PrivilegedExceptionAction; +import java.util.HashMap; +import java.util.Map; + +import javax.security.auth.Subject; +import javax.security.auth.login.AppConfigurationEntry; +import javax.security.auth.login.Configuration; +import javax.security.auth.login.LoginContext; + +import org.apache.hadoop.hbase.Cell; +import org.apache.hadoop.hbase.CellUtil; +import org.apache.hadoop.hbase.HBaseConfiguration; +import org.apache.hadoop.hbase.client.Get; +import org.apache.hadoop.hbase.client.Put; +import org.apache.hadoop.hbase.client.Result; +import org.apache.hadoop.hbase.rest.client.Client; +import org.apache.hadoop.hbase.rest.client.Cluster; +import org.apache.hadoop.hbase.rest.client.RemoteHTable; +import org.apache.hadoop.hbase.util.Bytes; +import org.apache.yetus.audience.InterfaceAudience; +import org.apache.hbase.thirdparty.com.google.common.base.Preconditions; + +@InterfaceAudience.Private +public class RESTDemoClient { + + private static String host = "localhost"; + private static int port = 9090; + private static boolean secure = false; + private static org.apache.hadoop.conf.Configuration conf = null; + + public static void main(String[] args) throws Exception { + System.out.println("REST Demo"); + System.out.println("Usage: RESTDemoClient [host=localhost] [port=9090] [secure=false]"); + System.out.println("This demo assumes you have a table called \"example\"" + + " with a column family called \"family1\""); + + // use passed in arguments instead of defaults + if (args.length >= 1) { + host = args[0]; + } + if (args.length >= 2) { + port = Integer.parseInt(args[1]); + } + conf = HBaseConfiguration.create(); + String principal = conf.get(Constants.REST_KERBEROS_PRINCIPAL); + if (principal != null) { + secure = true; + } + if (args.length >= 3) { + secure = Boolean.parseBoolean(args[2]); + } + + final RESTDemoClient client = new RESTDemoClient(); + Subject.doAs(getSubject(), new PrivilegedExceptionAction<Void>() { + @Override + public Void run() throws Exception { + client.run(); + return null; + } + }); + } + + public void run() throws Exception { + Cluster cluster = new Cluster(); + cluster.add(host, port); + Client restClient = new Client(cluster, conf.getBoolean(Constants.REST_SSL_ENABLED, false)); + try (RemoteHTable remoteTable = new RemoteHTable(restClient, conf, "example")) { + // Write data to the table + String rowKey = "row1"; + Put p = new Put(rowKey.getBytes()); + p.addColumn("family1".getBytes(), "qualifier1".getBytes(), "value1".getBytes()); + remoteTable.put(p); + + // Get the data from the table + Get g = new Get(rowKey.getBytes()); + Result result = remoteTable.get(g); + + Preconditions.checkArgument(result != null, + Bytes.toString(remoteTable.getTableName()) + " should have a row with key as " + rowKey); + System.out.println("row = " + new String(result.getRow())); + for (Cell cell : result.rawCells()) { + System.out.print("family = " + Bytes.toString(CellUtil.cloneFamily(cell)) + "\t"); + System.out.print("qualifier = " + Bytes.toString(CellUtil.cloneQualifier(cell)) + "\t"); + System.out.print("value = " + Bytes.toString(CellUtil.cloneValue(cell)) + "\t"); + System.out.println("timestamp = " + Long.toString(cell.getTimestamp())); + } + } + } + + static Subject getSubject() throws Exception { + if (!secure) { + return new Subject(); + } + + /* + * To authenticate the demo client, kinit should be invoked ahead. Here we try to get the + * Kerberos credential from the ticket cache. + */ + LoginContext context = new LoginContext("", new Subject(), null, new Configuration() { + @Override + public AppConfigurationEntry[] getAppConfigurationEntry(String name) { + Map<String, String> options = new HashMap<>(); + options.put("useKeyTab", "false"); + options.put("storeKey", "false"); + options.put("doNotPrompt", "true"); + options.put("useTicketCache", "true"); + options.put("renewTGT", "true"); + options.put("refreshKrb5Config", "true"); + options.put("isInitiator", "true"); + String ticketCache = System.getenv("KRB5CCNAME"); + if (ticketCache != null) { + options.put("ticketCache", ticketCache); + } + options.put("debug", "true"); + + return new AppConfigurationEntry[] { + new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", + AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) }; + } + }); + context.login(); + return context.getSubject(); + } +} http://git-wip-us.apache.org/repos/asf/hbase/blob/805e2db3/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java ---------------------------------------------------------------------- diff --git a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java index d8cf5f4..9e6661b 100644 --- a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java +++ b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java @@ -25,15 +25,17 @@ import java.io.IOException; import java.io.InputStream; import java.net.URI; import java.net.URISyntaxException; +import java.net.URL; import java.util.Collections; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; -import org.apache.yetus.audience.InterfaceAudience; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import org.apache.hadoop.security.authentication.client.AuthenticatedURL; +import org.apache.hadoop.security.authentication.client.AuthenticationException; +import org.apache.hadoop.security.authentication.client.KerberosAuthenticator; import org.apache.http.Header; import org.apache.http.HttpResponse; +import org.apache.http.HttpStatus; import org.apache.http.client.HttpClient; import org.apache.http.client.methods.HttpDelete; import org.apache.http.client.methods.HttpGet; @@ -46,6 +48,9 @@ import org.apache.http.impl.client.DefaultHttpClient; import org.apache.http.message.BasicHeader; import org.apache.http.params.CoreConnectionPNames; import org.apache.http.util.EntityUtils; +import org.apache.yetus.audience.InterfaceAudience; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * A wrapper around HttpClient which provides some useful function and @@ -65,6 +70,10 @@ public class Client { private Map<String, String> extraHeaders; + private static final String AUTH_COOKIE = "hadoop.auth"; + private static final String AUTH_COOKIE_EQ = AUTH_COOKIE + "="; + private static final String COOKIE = "Cookie"; + /** * Default Constructor */ @@ -224,6 +233,12 @@ public class Client { long startTime = System.currentTimeMillis(); if (resp != null) EntityUtils.consumeQuietly(resp.getEntity()); resp = httpClient.execute(method); + if (resp.getStatusLine().getStatusCode() == HttpStatus.SC_UNAUTHORIZED) { + // Authentication error + LOG.debug("Performing negotiation with the server."); + negotiate(method, uri); + resp = httpClient.execute(method); + } long endTime = System.currentTimeMillis(); if (LOG.isTraceEnabled()) { @@ -253,6 +268,40 @@ public class Client { } /** + * Initiate client side Kerberos negotiation with the server. + * @param method method to inject the authentication token into. + * @param uri the String to parse as a URL. + * @throws IOException if unknown protocol is found. + */ + private void negotiate(HttpUriRequest method, String uri) throws IOException { + try { + AuthenticatedURL.Token token = new AuthenticatedURL.Token(); + KerberosAuthenticator authenticator = new KerberosAuthenticator(); + authenticator.authenticate(new URL(uri), token); + // Inject the obtained negotiated token in the method cookie + injectToken(method, token); + } catch (AuthenticationException e) { + LOG.error("Failed to negotiate with the server.", e); + throw new IOException(e); + } + } + + /** + * Helper method that injects an authentication token to send with the method. + * @param method method to inject the authentication token into. + * @param token authentication token to inject. + */ + private void injectToken(HttpUriRequest method, AuthenticatedURL.Token token) { + String t = token.toString(); + if (t != null) { + if (!t.startsWith("\"")) { + t = "\"" + t + "\""; + } + method.addHeader(COOKIE, AUTH_COOKIE_EQ + t); + } + } + + /** * @return the cluster definition */ public Cluster getCluster() {
