001/** 002 * 003 * Licensed to the Apache Software Foundation (ASF) under one 004 * or more contributor license agreements. See the NOTICE file 005 * distributed with this work for additional information 006 * regarding copyright ownership. The ASF licenses this file 007 * to you under the Apache License, Version 2.0 (the 008 * "License"); you may not use this file except in compliance 009 * with the License. You may obtain a copy of the License at 010 * 011 * http://www.apache.org/licenses/LICENSE-2.0 012 * 013 * Unless required by applicable law or agreed to in writing, software 014 * distributed under the License is distributed on an "AS IS" BASIS, 015 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 016 * See the License for the specific language governing permissions and 017 * limitations under the License. 018 */ 019 020package org.apache.hadoop.hbase.http; 021 022import java.io.IOException; 023import java.net.URI; 024 025import javax.servlet.ServletContext; 026import javax.servlet.http.HttpServlet; 027import javax.servlet.http.HttpServletRequest; 028 029import org.apache.hadoop.conf.Configuration; 030import org.apache.hadoop.fs.CommonConfigurationKeys; 031import org.apache.hadoop.hbase.HBaseConfiguration; 032import org.apache.hadoop.security.authorize.AccessControlList; 033import org.apache.yetus.audience.InterfaceAudience; 034 035/** 036 * Create a Jetty embedded server to answer http requests. The primary goal 037 * is to serve up status information for the server. 038 * There are three contexts: 039 * "/stacks/" -> points to stack trace 040 * "/static/" -> points to common static files (src/hbase-webapps/static) 041 * "/" -> the jsp server code from (src/hbase-webapps/<name>) 042 */ 043@InterfaceAudience.Private 044public class InfoServer { 045 046 private static final String HBASE_APP_DIR = "hbase-webapps"; 047 private final org.apache.hadoop.hbase.http.HttpServer httpServer; 048 049 /** 050 * Create a status server on the given port. 051 * The jsp scripts are taken from src/hbase-webapps/<code>name</code>. 052 * @param name The name of the server 053 * @param bindAddress address to bind to 054 * @param port The port to use on the server 055 * @param findPort whether the server should start at the given port and 056 * increment by 1 until it finds a free port. 057 * @throws IOException e 058 */ 059 public InfoServer(String name, String bindAddress, int port, boolean findPort, 060 final Configuration c) 061 throws IOException { 062 HttpConfig httpConfig = new HttpConfig(c); 063 HttpServer.Builder builder = 064 new org.apache.hadoop.hbase.http.HttpServer.Builder(); 065 066 builder.setName(name).addEndpoint(URI.create(httpConfig.getSchemePrefix() + 067 bindAddress + ":" + 068 port)).setAppDir(HBASE_APP_DIR).setFindPort(findPort).setConf(c); 069 String logDir = System.getProperty("hbase.log.dir"); 070 if (logDir != null) { 071 builder.setLogDir(logDir); 072 } 073 if (httpConfig.isSecure()) { 074 builder.keyPassword(HBaseConfiguration.getPassword(c, "ssl.server.keystore.keypassword", null)) 075 .keyStore(c.get("ssl.server.keystore.location"), 076 HBaseConfiguration.getPassword(c,"ssl.server.keystore.password", null), 077 c.get("ssl.server.keystore.type", "jks")) 078 .trustStore(c.get("ssl.server.truststore.location"), 079 HBaseConfiguration.getPassword(c, "ssl.server.truststore.password", null), 080 c.get("ssl.server.truststore.type", "jks")); 081 } 082 // Enable SPNEGO authentication 083 if ("kerberos".equalsIgnoreCase(c.get(HttpServer.HTTP_UI_AUTHENTICATION, null))) { 084 builder.setUsernameConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY) 085 .setKeytabConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY) 086 .setKerberosNameRulesKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KRB_NAME_KEY) 087 .setSignatureSecretFileKey( 088 HttpServer.HTTP_AUTHENTICATION_SIGNATURE_SECRET_FILE_KEY) 089 .setSecurityEnabled(true); 090 091 // Set an admin ACL on sensitive webUI endpoints 092 AccessControlList acl = buildAdminAcl(c); 093 builder.setACL(acl); 094 } 095 this.httpServer = builder.build(); 096 } 097 098 /** 099 * Builds an ACL that will restrict the users who can issue commands to endpoints on the UI 100 * which are meant only for administrators. 101 */ 102 AccessControlList buildAdminAcl(Configuration conf) { 103 final String userGroups = conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, null); 104 final String adminGroups = conf.get( 105 HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_GROUPS_KEY, null); 106 if (userGroups == null && adminGroups == null) { 107 // Backwards compatibility - if the user doesn't have anything set, allow all users in. 108 return new AccessControlList("*", null); 109 } 110 return new AccessControlList(userGroups, adminGroups); 111 } 112 113 /** 114 * Explicitly invoke {@link #addPrivilegedServlet(String, String, Class)} or 115 * {@link #addUnprivilegedServlet(String, String, Class)} instead of this method. 116 * This method will add a servlet which any authenticated user can access. 117 * 118 * @deprecated Use {@link #addUnprivilegedServlet(String, String, Class)} or 119 * {@link #addPrivilegedServlet(String, String, Class)} instead of this 120 * method which does not state outwardly what kind of authz rules will 121 * be applied to this servlet. 122 */ 123 @Deprecated 124 public void addServlet(String name, String pathSpec, 125 Class<? extends HttpServlet> clazz) { 126 addUnprivilegedServlet(name, pathSpec, clazz); 127 } 128 129 /** 130 * @see HttpServer#addUnprivilegedServlet(String, String, Class) 131 */ 132 public void addUnprivilegedServlet(String name, String pathSpec, 133 Class<? extends HttpServlet> clazz) { 134 this.httpServer.addUnprivilegedServlet(name, pathSpec, clazz); 135 } 136 137 /** 138 * @see HttpServer#addPrivilegedServlet(String, String, Class) 139 */ 140 public void addPrivilegedServlet(String name, String pathSpec, 141 Class<? extends HttpServlet> clazz) { 142 this.httpServer.addPrivilegedServlet(name, pathSpec, clazz); 143 } 144 145 public void setAttribute(String name, Object value) { 146 this.httpServer.setAttribute(name, value); 147 } 148 149 public void start() throws IOException { 150 this.httpServer.start(); 151 } 152 153 @Deprecated 154 public int getPort() { 155 return this.httpServer.getPort(); 156 } 157 158 public void stop() throws Exception { 159 this.httpServer.stop(); 160 } 161 162 163 /** 164 * Returns true if and only if UI authentication (spnego) is enabled, UI authorization is enabled, 165 * and the requesting user is defined as an administrator. If the UI is set to readonly, this 166 * method always returns false. 167 */ 168 public static boolean canUserModifyUI( 169 HttpServletRequest req, ServletContext ctx, Configuration conf) { 170 if (conf.getBoolean("hbase.master.ui.readonly", false)) { 171 return false; 172 } 173 String remoteUser = req.getRemoteUser(); 174 if ("kerberos".equals(conf.get(HttpServer.HTTP_UI_AUTHENTICATION)) && 175 conf.getBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false) && 176 remoteUser != null) { 177 return HttpServer.userHasAdministratorAccess(ctx, remoteUser); 178 } 179 return false; 180 } 181}