HBASE-20590 REST Java client is not able to negotiate with the server in the 
secure mode

Signed-off-by: Ashish Singhi <ashishsin...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/7da0015a
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/7da0015a
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/7da0015a

Branch: refs/heads/HBASE-19064
Commit: 7da0015a3b58a28ccbae0b03ba7de9ce62b751e1
Parents: 1b716ad
Author: Ashish Singhi <ashishsin...@apache.org>
Authored: Mon Jun 4 14:11:19 2018 +0530
Committer: Ashish Singhi <ashishsin...@apache.org>
Committed: Mon Jun 4 14:11:19 2018 +0530

----------------------------------------------------------------------
 hbase-examples/pom.xml                          |   4 +
 .../hadoop/hbase/rest/RESTDemoClient.java       | 144 +++++++++++++++++++
 .../apache/hadoop/hbase/rest/client/Client.java |  55 ++++++-
 3 files changed, 200 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/7da0015a/hbase-examples/pom.xml
----------------------------------------------------------------------
diff --git a/hbase-examples/pom.xml b/hbase-examples/pom.xml
index 8814491..c74c1ba 100644
--- a/hbase-examples/pom.xml
+++ b/hbase-examples/pom.xml
@@ -183,6 +183,10 @@
       <artifactId>findbugs-annotations</artifactId>
     </dependency>
     <dependency>
+      <groupId>org.apache.hbase</groupId>
+      <artifactId>hbase-rest</artifactId>
+    </dependency>
+    <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
       <scope>test</scope>

http://git-wip-us.apache.org/repos/asf/hbase/blob/7da0015a/hbase-examples/src/main/java/org/apache/hadoop/hbase/rest/RESTDemoClient.java
----------------------------------------------------------------------
diff --git 
a/hbase-examples/src/main/java/org/apache/hadoop/hbase/rest/RESTDemoClient.java 
b/hbase-examples/src/main/java/org/apache/hadoop/hbase/rest/RESTDemoClient.java
new file mode 100644
index 0000000..19fae47
--- /dev/null
+++ 
b/hbase-examples/src/main/java/org/apache/hadoop/hbase/rest/RESTDemoClient.java
@@ -0,0 +1,144 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hbase.rest;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+
+import org.apache.hadoop.hbase.Cell;
+import org.apache.hadoop.hbase.CellUtil;
+import org.apache.hadoop.hbase.HBaseConfiguration;
+import org.apache.hadoop.hbase.client.Get;
+import org.apache.hadoop.hbase.client.Put;
+import org.apache.hadoop.hbase.client.Result;
+import org.apache.hadoop.hbase.rest.client.Client;
+import org.apache.hadoop.hbase.rest.client.Cluster;
+import org.apache.hadoop.hbase.rest.client.RemoteHTable;
+import org.apache.hadoop.hbase.util.Bytes;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.apache.hbase.thirdparty.com.google.common.base.Preconditions;
+
+@InterfaceAudience.Private
+public class RESTDemoClient {
+
+  private static String host = "localhost";
+  private static int port = 9090;
+  private static boolean secure = false;
+  private static org.apache.hadoop.conf.Configuration conf = null;
+
+  public static void main(String[] args) throws Exception {
+    System.out.println("REST Demo");
+    System.out.println("Usage: RESTDemoClient [host=localhost] [port=9090] 
[secure=false]");
+    System.out.println("This demo assumes you have a table called \"example\""
+        + " with a column family called \"family1\"");
+
+    // use passed in arguments instead of defaults
+    if (args.length >= 1) {
+      host = args[0];
+    }
+    if (args.length >= 2) {
+      port = Integer.parseInt(args[1]);
+    }
+    conf = HBaseConfiguration.create();
+    String principal = conf.get(Constants.REST_KERBEROS_PRINCIPAL);
+    if (principal != null) {
+      secure = true;
+    }
+    if (args.length >= 3) {
+      secure = Boolean.parseBoolean(args[2]);
+    }
+
+    final RESTDemoClient client = new RESTDemoClient();
+    Subject.doAs(getSubject(), new PrivilegedExceptionAction<Void>() {
+      @Override
+      public Void run() throws Exception {
+        client.run();
+        return null;
+      }
+    });
+  }
+
+  public void run() throws Exception {
+    Cluster cluster = new Cluster();
+    cluster.add(host, port);
+    Client restClient = new Client(cluster, 
conf.getBoolean(Constants.REST_SSL_ENABLED, false));
+    try (RemoteHTable remoteTable = new RemoteHTable(restClient, conf, 
"example")) {
+      // Write data to the table
+      String rowKey = "row1";
+      Put p = new Put(rowKey.getBytes());
+      p.addColumn("family1".getBytes(), "qualifier1".getBytes(), 
"value1".getBytes());
+      remoteTable.put(p);
+
+      // Get the data from the table
+      Get g = new Get(rowKey.getBytes());
+      Result result = remoteTable.get(g);
+
+      Preconditions.checkArgument(result != null,
+        Bytes.toString(remoteTable.getTableName()) + " should have a row with 
key as " + rowKey);
+      System.out.println("row = " + new String(result.getRow()));
+      for (Cell cell : result.rawCells()) {
+        System.out.print("family = " + 
Bytes.toString(CellUtil.cloneFamily(cell)) + "\t");
+        System.out.print("qualifier = " + 
Bytes.toString(CellUtil.cloneQualifier(cell)) + "\t");
+        System.out.print("value = " + 
Bytes.toString(CellUtil.cloneValue(cell)) + "\t");
+        System.out.println("timestamp = " + 
Long.toString(cell.getTimestamp()));
+      }
+    }
+  }
+
+  static Subject getSubject() throws Exception {
+    if (!secure) {
+      return new Subject();
+    }
+
+    /*
+     * To authenticate the demo client, kinit should be invoked ahead. Here we 
try to get the
+     * Kerberos credential from the ticket cache.
+     */
+    LoginContext context = new LoginContext("", new Subject(), null, new 
Configuration() {
+      @Override
+      public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+        Map<String, String> options = new HashMap<>();
+        options.put("useKeyTab", "false");
+        options.put("storeKey", "false");
+        options.put("doNotPrompt", "true");
+        options.put("useTicketCache", "true");
+        options.put("renewTGT", "true");
+        options.put("refreshKrb5Config", "true");
+        options.put("isInitiator", "true");
+        String ticketCache = System.getenv("KRB5CCNAME");
+        if (ticketCache != null) {
+          options.put("ticketCache", ticketCache);
+        }
+        options.put("debug", "true");
+
+        return new AppConfigurationEntry[] {
+          new 
AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
+                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, 
options) };
+      }
+    });
+    context.login();
+    return context.getSubject();
+  }
+}

http://git-wip-us.apache.org/repos/asf/hbase/blob/7da0015a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java
----------------------------------------------------------------------
diff --git 
a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java 
b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java
index d8cf5f4..9e6661b 100644
--- a/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java
+++ b/hbase-rest/src/main/java/org/apache/hadoop/hbase/rest/client/Client.java
@@ -25,15 +25,17 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.net.URL;
 import java.util.Collections;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
-import org.apache.yetus.audience.InterfaceAudience;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
+import 
org.apache.hadoop.security.authentication.client.AuthenticationException;
+import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
 import org.apache.http.Header;
 import org.apache.http.HttpResponse;
+import org.apache.http.HttpStatus;
 import org.apache.http.client.HttpClient;
 import org.apache.http.client.methods.HttpDelete;
 import org.apache.http.client.methods.HttpGet;
@@ -46,6 +48,9 @@ import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.message.BasicHeader;
 import org.apache.http.params.CoreConnectionPNames;
 import org.apache.http.util.EntityUtils;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * A wrapper around HttpClient which provides some useful function and
@@ -65,6 +70,10 @@ public class Client {
 
   private Map<String, String> extraHeaders;
 
+  private static final String AUTH_COOKIE = "hadoop.auth";
+  private static final String AUTH_COOKIE_EQ = AUTH_COOKIE + "=";
+  private static final String COOKIE = "Cookie";
+
   /**
    * Default Constructor
    */
@@ -224,6 +233,12 @@ public class Client {
     long startTime = System.currentTimeMillis();
     if (resp != null) EntityUtils.consumeQuietly(resp.getEntity());
     resp = httpClient.execute(method);
+    if (resp.getStatusLine().getStatusCode() == HttpStatus.SC_UNAUTHORIZED) {
+      // Authentication error
+      LOG.debug("Performing negotiation with the server.");
+      negotiate(method, uri);
+      resp = httpClient.execute(method);
+    }
 
     long endTime = System.currentTimeMillis();
     if (LOG.isTraceEnabled()) {
@@ -253,6 +268,40 @@ public class Client {
   }
 
   /**
+   * Initiate client side Kerberos negotiation with the server.
+   * @param method method to inject the authentication token into.
+   * @param uri the String to parse as a URL.
+   * @throws IOException if unknown protocol is found.
+   */
+  private void negotiate(HttpUriRequest method, String uri) throws IOException 
{
+    try {
+      AuthenticatedURL.Token token = new AuthenticatedURL.Token();
+      KerberosAuthenticator authenticator = new KerberosAuthenticator();
+      authenticator.authenticate(new URL(uri), token);
+      // Inject the obtained negotiated token in the method cookie
+      injectToken(method, token);
+    } catch (AuthenticationException e) {
+      LOG.error("Failed to negotiate with the server.", e);
+      throw new IOException(e);
+    }
+  }
+
+  /**
+   * Helper method that injects an authentication token to send with the 
method.
+   * @param method method to inject the authentication token into.
+   * @param token authentication token to inject.
+   */
+  private void injectToken(HttpUriRequest method, AuthenticatedURL.Token 
token) {
+    String t = token.toString();
+    if (t != null) {
+      if (!t.startsWith("\"")) {
+        t = "\"" + t + "\"";
+      }
+      method.addHeader(COOKIE, AUTH_COOKIE_EQ + t);
+    }
+  }
+
+  /**
    * @return the cluster definition
    */
   public Cluster getCluster() {

Reply via email to