001/*
002 * Copyright The Apache Software Foundation
003 *
004 * Licensed to the Apache Software Foundation (ASF) under one or more
005 * contributor license agreements. See the NOTICE file distributed with this
006 * work for additional information regarding copyright ownership. The ASF
007 * licenses this file to you under the Apache License, Version 2.0 (the
008 * "License"); you may not use this file except in compliance with the License.
009 * You may obtain a copy of the License at
010 *
011 * http://www.apache.org/licenses/LICENSE-2.0
012 *
013 * Unless required by applicable law or agreed to in writing, software
014 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
015 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
016 * License for the specific language governing permissions and limitations
017 * under the License.
018 */
019package org.apache.hadoop.hbase.thrift;
020
021import static org.apache.hadoop.hbase.thrift.Constants.THRIFT_SUPPORT_PROXYUSER_KEY;
022import static org.junit.Assert.assertFalse;
023import static org.junit.Assert.assertNotNull;
024import static org.junit.Assert.assertTrue;
025
026import java.io.File;
027import java.security.Principal;
028import java.security.PrivilegedExceptionAction;
029import java.util.Set;
030
031import javax.security.auth.Subject;
032import javax.security.auth.kerberos.KerberosTicket;
033
034import org.apache.commons.io.FileUtils;
035import org.apache.hadoop.conf.Configuration;
036import org.apache.hadoop.hbase.HBaseClassTestRule;
037import org.apache.hadoop.hbase.HBaseTestingUtility;
038import org.apache.hadoop.hbase.HConstants;
039import org.apache.hadoop.hbase.security.HBaseKerberosUtils;
040import org.apache.hadoop.hbase.testclassification.ClientTests;
041import org.apache.hadoop.hbase.testclassification.LargeTests;
042import org.apache.hadoop.hbase.thrift.generated.Hbase;
043import org.apache.hadoop.security.authentication.util.KerberosName;
044import org.apache.http.HttpHeaders;
045import org.apache.http.auth.AuthSchemeProvider;
046import org.apache.http.auth.AuthScope;
047import org.apache.http.auth.KerberosCredentials;
048import org.apache.http.client.config.AuthSchemes;
049import org.apache.http.config.Lookup;
050import org.apache.http.config.RegistryBuilder;
051import org.apache.http.impl.auth.SPNegoSchemeFactory;
052import org.apache.http.impl.client.BasicCredentialsProvider;
053import org.apache.http.impl.client.CloseableHttpClient;
054import org.apache.http.impl.client.HttpClients;
055import org.apache.kerby.kerberos.kerb.KrbException;
056import org.apache.kerby.kerberos.kerb.client.JaasKrbUtil;
057import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;
058import org.apache.thrift.protocol.TBinaryProtocol;
059import org.apache.thrift.protocol.TProtocol;
060import org.apache.thrift.transport.THttpClient;
061import org.ietf.jgss.GSSCredential;
062import org.ietf.jgss.GSSManager;
063import org.ietf.jgss.GSSName;
064import org.ietf.jgss.Oid;
065import org.junit.AfterClass;
066import org.junit.BeforeClass;
067import org.junit.ClassRule;
068import org.junit.experimental.categories.Category;
069import org.slf4j.Logger;
070import org.slf4j.LoggerFactory;
071
072/**
073 * Start the HBase Thrift HTTP server on a random port through the command-line
074 * interface and talk to it from client side with SPNEGO security enabled.
075 */
076@Category({ClientTests.class, LargeTests.class})
077public class TestThriftSpnegoHttpServer extends TestThriftHttpServer {
078  @ClassRule
079  public static final HBaseClassTestRule CLASS_RULE =
080    HBaseClassTestRule.forClass(TestThriftSpnegoHttpServer.class);
081
082  private static final Logger LOG =
083    LoggerFactory.getLogger(TestThriftSpnegoHttpServer.class);
084
085  private static SimpleKdcServer kdc;
086  private static File serverKeytab;
087  private static File spnegoServerKeytab;
088  private static File clientKeytab;
089
090  private static String clientPrincipal;
091  private static String serverPrincipal;
092  private static String spnegoServerPrincipal;
093
094  private static void setupUser(SimpleKdcServer kdc, File keytab, String principal)
095      throws KrbException {
096    kdc.createPrincipal(principal);
097    kdc.exportPrincipal(principal, keytab);
098  }
099
100  private static SimpleKdcServer buildMiniKdc() throws Exception {
101    SimpleKdcServer kdc = new SimpleKdcServer();
102
103    final File target = new File(System.getProperty("user.dir"), "target");
104    File kdcDir = new File(target, TestThriftSpnegoHttpServer.class.getSimpleName());
105    if (kdcDir.exists()) {
106      FileUtils.deleteDirectory(kdcDir);
107    }
108    kdcDir.mkdirs();
109    kdc.setWorkDir(kdcDir);
110
111    kdc.setKdcHost(HConstants.LOCALHOST);
112    int kdcPort = HBaseTestingUtility.randomFreePort();
113    kdc.setAllowTcp(true);
114    kdc.setAllowUdp(false);
115    kdc.setKdcTcpPort(kdcPort);
116
117    LOG.info("Starting KDC server at " + HConstants.LOCALHOST + ":" + kdcPort);
118
119    kdc.init();
120
121    return kdc;
122  }
123
124  private static void addSecurityConfigurations(Configuration conf) {
125    KerberosName.setRules("DEFAULT");
126
127    HBaseKerberosUtils.setKeytabFileForTesting(serverKeytab.getAbsolutePath());
128    HBaseKerberosUtils.setSecuredConfiguration(conf, serverPrincipal, spnegoServerPrincipal);
129
130    conf.setBoolean(THRIFT_SUPPORT_PROXYUSER_KEY, true);
131    conf.setBoolean(Constants.USE_HTTP_CONF_KEY, true);
132    conf.set("hadoop.proxyuser.hbase.hosts", "*");
133    conf.set("hadoop.proxyuser.hbase.groups", "*");
134
135    conf.set(Constants.THRIFT_KERBEROS_PRINCIPAL_KEY, serverPrincipal);
136    conf.set(Constants.THRIFT_KEYTAB_FILE_KEY, serverKeytab.getAbsolutePath());
137    conf.set(Constants.THRIFT_SPNEGO_PRINCIPAL_KEY, spnegoServerPrincipal);
138    conf.set(Constants.THRIFT_SPNEGO_KEYTAB_FILE_KEY, spnegoServerKeytab.getAbsolutePath());
139  }
140
141  @BeforeClass
142  public static void setUpBeforeClass() throws Exception {
143    final File target = new File(System.getProperty("user.dir"), "target");
144    assertTrue(target.exists());
145
146    File keytabDir = new File(target, TestThriftSpnegoHttpServer.class.getSimpleName() +
147      "_keytabs");
148    if (keytabDir.exists()) {
149      FileUtils.deleteDirectory(keytabDir);
150    }
151    keytabDir.mkdirs();
152
153    kdc = buildMiniKdc();
154    kdc.start();
155
156    clientPrincipal = "client@" + kdc.getKdcConfig().getKdcRealm();
157    clientKeytab = new File(keytabDir, clientPrincipal + ".keytab");
158    setupUser(kdc, clientKeytab, clientPrincipal);
159
160    serverPrincipal = "hbase/" + HConstants.LOCALHOST + "@" + kdc.getKdcConfig().getKdcRealm();
161    serverKeytab = new File(keytabDir, serverPrincipal.replace('/', '_') + ".keytab");
162    setupUser(kdc, serverKeytab, serverPrincipal);
163
164    spnegoServerPrincipal = "HTTP/" + HConstants.LOCALHOST + "@" + kdc.getKdcConfig().getKdcRealm();
165    spnegoServerKeytab = new File(keytabDir, spnegoServerPrincipal.replace('/', '_') + ".keytab");
166    setupUser(kdc, spnegoServerKeytab, spnegoServerPrincipal);
167
168    TEST_UTIL.getConfiguration().setBoolean(Constants.USE_HTTP_CONF_KEY, true);
169    TEST_UTIL.getConfiguration().setBoolean("hbase.table.sanity.checks", false);
170    addSecurityConfigurations(TEST_UTIL.getConfiguration());
171
172    TestThriftHttpServer.setUpBeforeClass();
173  }
174
175  @AfterClass
176  public static void tearDownAfterClass() throws Exception {
177    TestThriftHttpServer.tearDownAfterClass();
178
179    try {
180      if (null != kdc) {
181        kdc.stop();
182      }
183    } catch (Exception e) {
184      LOG.info("Failed to stop mini KDC", e);
185    }
186  }
187
188  @Override
189  protected void talkToThriftServer(String url, int customHeaderSize) throws Exception {
190    // Close httpClient and THttpClient automatically on any failures
191    try (
192        CloseableHttpClient httpClient = createHttpClient();
193        THttpClient tHttpClient = new THttpClient(url, httpClient)
194    ) {
195      tHttpClient.open();
196      if (customHeaderSize > 0) {
197        StringBuilder sb = new StringBuilder();
198        for (int i = 0; i < customHeaderSize; i++) {
199          sb.append("a");
200        }
201        tHttpClient.setCustomHeader(HttpHeaders.USER_AGENT, sb.toString());
202      }
203
204      TProtocol prot = new TBinaryProtocol(tHttpClient);
205      Hbase.Client client = new Hbase.Client(prot);
206      if (!tableCreated) {
207        TestThriftServer.createTestTables(client);
208        tableCreated = true;
209      }
210      TestThriftServer.checkTableList(client);
211    }
212  }
213
214  private CloseableHttpClient createHttpClient() throws Exception {
215    final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(clientPrincipal, clientKeytab);
216    final Set<Principal> clientPrincipals = clientSubject.getPrincipals();
217    // Make sure the subject has a principal
218    assertFalse(clientPrincipals.isEmpty());
219
220    // Get a TGT for the subject (might have many, different encryption types). The first should
221    // be the default encryption type.
222    Set<KerberosTicket> privateCredentials =
223        clientSubject.getPrivateCredentials(KerberosTicket.class);
224    assertFalse(privateCredentials.isEmpty());
225    KerberosTicket tgt = privateCredentials.iterator().next();
226    assertNotNull(tgt);
227
228    // The name of the principal
229    final String clientPrincipalName = clientPrincipals.iterator().next().getName();
230
231    return Subject.doAs(clientSubject, new PrivilegedExceptionAction<CloseableHttpClient>() {
232      @Override
233      public CloseableHttpClient run() throws Exception {
234        // Logs in with Kerberos via GSS
235        GSSManager gssManager = GSSManager.getInstance();
236        // jGSS Kerberos login constant
237        Oid oid = new Oid("1.2.840.113554.1.2.2");
238        GSSName gssClient = gssManager.createName(clientPrincipalName, GSSName.NT_USER_NAME);
239        GSSCredential credential = gssManager.createCredential(gssClient,
240            GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY);
241
242        Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider>create()
243            .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true))
244            .build();
245
246        BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
247        credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential));
248
249        return HttpClients.custom()
250            .setDefaultAuthSchemeRegistry(authRegistry)
251            .setDefaultCredentialsProvider(credentialsProvider)
252            .build();
253      }
254    });
255  }
256}