001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security;
019
020import java.util.Arrays;
021import java.util.List;
022import java.util.concurrent.ConcurrentHashMap;
023import java.util.concurrent.ConcurrentMap;
024import org.apache.yetus.audience.InterfaceAudience;
025
026import org.apache.hbase.thirdparty.com.google.common.base.Preconditions;
027
028import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos;
029import org.apache.hadoop.hbase.shaded.protobuf.generated.AuthenticationProtos.TokenIdentifier.Kind;
030import org.apache.hadoop.hbase.shaded.protobuf.generated.BootstrapNodeProtos;
031import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos;
032import org.apache.hadoop.hbase.shaded.protobuf.generated.LockServiceProtos;
033import org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos;
034import org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos.MasterService;
035import org.apache.hadoop.hbase.shaded.protobuf.generated.RegionServerStatusProtos;
036import org.apache.hadoop.hbase.shaded.protobuf.generated.RegistryProtos;
037
038/**
039 * Maps RPC protocol interfaces to required configuration
040 */
041@InterfaceAudience.Private
042public class SecurityInfo {
043  /** Maps RPC service names to authentication information */
044  private static ConcurrentMap<String, SecurityInfo> infos = new ConcurrentHashMap<>();
045  // populate info for known services
046  static {
047    infos.put(AdminProtos.AdminService.getDescriptor().getName(),
048      new SecurityInfo(SecurityConstants.REGIONSERVER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
049    infos.put(ClientProtos.ClientService.getDescriptor().getName(),
050      new SecurityInfo(SecurityConstants.REGIONSERVER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
051    infos.put(MasterService.getDescriptor().getName(),
052      new SecurityInfo(SecurityConstants.MASTER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
053    infos.put(RegionServerStatusProtos.RegionServerStatusService.getDescriptor().getName(),
054      new SecurityInfo(SecurityConstants.MASTER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
055    infos.put(MasterProtos.HbckService.getDescriptor().getName(),
056      new SecurityInfo(SecurityConstants.MASTER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
057    infos.put(RegistryProtos.ClientMetaService.getDescriptor().getName(),
058      new SecurityInfo(Kind.HBASE_AUTH_TOKEN, SecurityConstants.MASTER_KRB_PRINCIPAL,
059        SecurityConstants.REGIONSERVER_KRB_PRINCIPAL));
060    infos.put(BootstrapNodeProtos.BootstrapNodeService.getDescriptor().getName(),
061      new SecurityInfo(SecurityConstants.REGIONSERVER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
062    infos.put(LockServiceProtos.LockService.getDescriptor().getName(),
063      new SecurityInfo(SecurityConstants.MASTER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
064    // NOTE: IF ADDING A NEW SERVICE, BE SURE TO UPDATE HBasePolicyProvider ALSO ELSE
065    // new Service will not be found when all is Kerberized!!!!
066  }
067
068  /**
069   * Adds a security configuration for a new service name. Note that this will have no effect if the
070   * service name was already registered.
071   */
072  public static void addInfo(String serviceName, SecurityInfo securityInfo) {
073    infos.putIfAbsent(serviceName, securityInfo);
074  }
075
076  /**
077   * Returns the security configuration associated with the given service name.
078   */
079  public static SecurityInfo getInfo(String serviceName) {
080    return infos.get(serviceName);
081  }
082
083  private final List<String> serverPrincipals;
084  private final Kind tokenKind;
085
086  public SecurityInfo(String serverPrincipal, Kind tokenKind) {
087    this(tokenKind, serverPrincipal);
088  }
089
090  public SecurityInfo(Kind tokenKind, String... serverPrincipal) {
091    Preconditions.checkArgument(serverPrincipal.length > 0);
092    this.tokenKind = tokenKind;
093    this.serverPrincipals = Arrays.asList(serverPrincipal);
094  }
095
096  /**
097   * Although this class is IA.Private, we leak this class in
098   * {@code SaslClientAuthenticationProvider}, so need to align with the deprecation cycle for that
099   * class.
100   * @deprecated Since 2.6.0, will be removed in 4.0.0. Use {@link #getServerPrincipals()} instead.
101   */
102  @Deprecated
103  public String getServerPrincipal() {
104    return serverPrincipals.get(0);
105  }
106
107  public List<String> getServerPrincipals() {
108    return serverPrincipals;
109  }
110
111  public Kind getTokenKind() {
112    return tokenKind;
113  }
114}