001/**
002 *
003 * Licensed to the Apache Software Foundation (ASF) under one
004 * or more contributor license agreements.  See the NOTICE file
005 * distributed with this work for additional information
006 * regarding copyright ownership.  The ASF licenses this file
007 * to you under the Apache License, Version 2.0 (the
008 * "License"); you may not use this file except in compliance
009 * with the License.  You may obtain a copy of the License at
010 *
011 *     http://www.apache.org/licenses/LICENSE-2.0
012 *
013 * Unless required by applicable law or agreed to in writing, software
014 * distributed under the License is distributed on an "AS IS" BASIS,
015 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
016 * See the License for the specific language governing permissions and
017 * limitations under the License.
018 */
019
020package org.apache.hadoop.hbase.http;
021
022import java.io.IOException;
023import java.net.URI;
024
025import javax.servlet.ServletContext;
026import javax.servlet.http.HttpServlet;
027import javax.servlet.http.HttpServletRequest;
028
029import org.apache.hadoop.conf.Configuration;
030import org.apache.hadoop.fs.CommonConfigurationKeys;
031import org.apache.hadoop.hbase.HBaseConfiguration;
032import org.apache.hadoop.security.authorize.AccessControlList;
033import org.apache.yetus.audience.InterfaceAudience;
034
035/**
036 * Create a Jetty embedded server to answer http requests. The primary goal
037 * is to serve up status information for the server.
038 * There are three contexts:
039 *   "/stacks/" -> points to stack trace
040 *   "/static/" -> points to common static files (src/hbase-webapps/static)
041 *   "/" -> the jsp server code from (src/hbase-webapps/<name>)
042 */
043@InterfaceAudience.Private
044public class InfoServer {
045
046  private static final String HBASE_APP_DIR = "hbase-webapps";
047  private final org.apache.hadoop.hbase.http.HttpServer httpServer;
048
049  /**
050   * Create a status server on the given port.
051   * The jsp scripts are taken from src/hbase-webapps/<code>name</code>.
052   * @param name The name of the server
053   * @param bindAddress address to bind to
054   * @param port The port to use on the server
055   * @param findPort whether the server should start at the given port and
056   * increment by 1 until it finds a free port.
057   * @throws IOException e
058   */
059  public InfoServer(String name, String bindAddress, int port, boolean findPort,
060      final Configuration c)
061  throws IOException {
062    HttpConfig httpConfig = new HttpConfig(c);
063    HttpServer.Builder builder =
064      new org.apache.hadoop.hbase.http.HttpServer.Builder();
065
066      builder.setName(name).addEndpoint(URI.create(httpConfig.getSchemePrefix() +
067        bindAddress + ":" +
068        port)).setAppDir(HBASE_APP_DIR).setFindPort(findPort).setConf(c);
069      String logDir = System.getProperty("hbase.log.dir");
070      if (logDir != null) {
071        builder.setLogDir(logDir);
072      }
073    if (httpConfig.isSecure()) {
074    builder.keyPassword(HBaseConfiguration.getPassword(c, "ssl.server.keystore.keypassword", null))
075      .keyStore(c.get("ssl.server.keystore.location"),
076        HBaseConfiguration.getPassword(c,"ssl.server.keystore.password", null),
077        c.get("ssl.server.keystore.type", "jks"))
078      .trustStore(c.get("ssl.server.truststore.location"),
079        HBaseConfiguration.getPassword(c, "ssl.server.truststore.password", null),
080        c.get("ssl.server.truststore.type", "jks"));
081    }
082    // Enable SPNEGO authentication
083    if ("kerberos".equalsIgnoreCase(c.get(HttpServer.HTTP_UI_AUTHENTICATION, null))) {
084      builder.setUsernameConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY)
085        .setKeytabConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY)
086        .setKerberosNameRulesKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KRB_NAME_KEY)
087        .setSignatureSecretFileKey(
088            HttpServer.HTTP_AUTHENTICATION_SIGNATURE_SECRET_FILE_KEY)
089        .setSecurityEnabled(true);
090
091      // Set an admin ACL on sensitive webUI endpoints
092      AccessControlList acl = buildAdminAcl(c);
093      builder.setACL(acl);
094    }
095    this.httpServer = builder.build();
096  }
097
098  /**
099   * Builds an ACL that will restrict the users who can issue commands to endpoints on the UI
100   * which are meant only for administrators.
101   */
102  AccessControlList buildAdminAcl(Configuration conf) {
103    final String userGroups = conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, null);
104    final String adminGroups = conf.get(
105        HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_GROUPS_KEY, null);
106    if (userGroups == null && adminGroups == null) {
107      // Backwards compatibility - if the user doesn't have anything set, allow all users in.
108      return new AccessControlList("*", null);
109    }
110    return new AccessControlList(userGroups, adminGroups);
111  }
112
113  /**
114   * Explicitly invoke {@link #addPrivilegedServlet(String, String, Class)} or
115   * {@link #addUnprivilegedServlet(String, String, Class)} instead of this method.
116   * This method will add a servlet which any authenticated user can access.
117   *
118   * @deprecated Use {@link #addUnprivilegedServlet(String, String, Class)} or
119   *    {@link #addPrivilegedServlet(String, String, Class)} instead of this
120   *    method which does not state outwardly what kind of authz rules will
121   *    be applied to this servlet.
122   */
123  @Deprecated
124  public void addServlet(String name, String pathSpec,
125          Class<? extends HttpServlet> clazz) {
126    addUnprivilegedServlet(name, pathSpec, clazz);
127  }
128
129  /**
130   * @see HttpServer#addUnprivilegedServlet(String, String, Class)
131   */
132  public void addUnprivilegedServlet(String name, String pathSpec,
133          Class<? extends HttpServlet> clazz) {
134    this.httpServer.addUnprivilegedServlet(name, pathSpec, clazz);
135  }
136
137  /**
138   * @see HttpServer#addPrivilegedServlet(String, String, Class)
139   */
140  public void addPrivilegedServlet(String name, String pathSpec,
141          Class<? extends HttpServlet> clazz) {
142    this.httpServer.addPrivilegedServlet(name, pathSpec, clazz);
143  }
144
145  public void setAttribute(String name, Object value) {
146    this.httpServer.setAttribute(name, value);
147  }
148
149  public void start() throws IOException {
150    this.httpServer.start();
151  }
152
153  @Deprecated
154  public int getPort() {
155    return this.httpServer.getPort();
156  }
157
158  public void stop() throws Exception {
159    this.httpServer.stop();
160  }
161
162
163  /**
164   * Returns true if and only if UI authentication (spnego) is enabled, UI authorization is enabled,
165   * and the requesting user is defined as an administrator. If the UI is set to readonly, this
166   * method always returns false.
167   */
168  public static boolean canUserModifyUI(
169      HttpServletRequest req, ServletContext ctx, Configuration conf) {
170    if (conf.getBoolean("hbase.master.ui.readonly", false)) {
171      return false;
172    }
173    String remoteUser = req.getRemoteUser();
174    if ("kerberos".equals(conf.get(HttpServer.HTTP_UI_AUTHENTICATION)) &&
175        conf.getBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false) &&
176        remoteUser != null) {
177      return HttpServer.userHasAdministratorAccess(ctx, remoteUser);
178    }
179    return false;
180  }
181}