
1   /**
2    *
3    * Licensed to the Apache Software Foundation (ASF) under one
4    * or more contributor license agreements.  See the NOTICE file
5    * distributed with this work for additional information
6    * regarding copyright ownership.  The ASF licenses this file
7    * to you under the Apache License, Version 2.0 (the
8    * "License"); you may not use this file except in compliance
9    * with the License.  You may obtain a copy of the License at
10   *
11   *     http://www.apache.org/licenses/LICENSE-2.0
12   *
13   * Unless required by applicable law or agreed to in writing, software
14   * distributed under the License is distributed on an "AS IS" BASIS,
15   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16   * See the License for the specific language governing permissions and
17   * limitations under the License.
18   */
19  package org.apache.hadoop.hbase.security;
20  
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;
import java.util.TreeMap;

import javax.security.sasl.Sasl;

import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.hbase.classification.InterfaceAudience;
30  
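@InterfaceAudience.Private
/**
 * Static helpers for the SASL side of HBase RPC: mapping the
 * {@code hbase.rpc.protection} setting onto SASL quality-of-protection values,
 * splitting Kerberos principal names, and Base64 handling of identifiers and
 * passwords exchanged during the SASL handshake.
 */
public class SaslUtil {
  private static final Log log = LogFactory.getLog(SaslUtil.class);
  /** Realm name used as the SASL default. */
  public static final String SASL_DEFAULT_REALM = "default";
  /**
   * Sentinel status code (-88). Presumably signals a fallback from SASL to
   * simple authentication; its wire semantics are owned by the RPC layer, not
   * by this class.
   */
  public static final int SWITCH_TO_SIMPLE_AUTH = -88;

  /**
   * SASL quality-of-protection levels. Each constant carries the value the
   * SASL API uses for {@link Sasl#QOP}; the constant's own name (case
   * insensitive) is the spelling expected in HBase configuration.
   */
  public enum QualityOfProtection {
    AUTHENTICATION("auth"),
    INTEGRITY("auth-int"),
    PRIVACY("auth-conf");

    private final String saslQop;

    QualityOfProtection(String saslQop) {
      this.saslQop = saslQop;
    }

    /** @return the value the SASL API uses for this level ("auth", "auth-int" or "auth-conf"). */
    public String getSaslQop() {
      return saslQop;
    }

    /**
     * Tests whether {@code stringQop} names this level, either as the
     * configuration spelling ({@code name()}, case insensitive) or as the raw
     * SASL value. The raw SASL spelling is accepted for compatibility but logs
     * a warning asking for the configuration spelling.
     *
     * @param stringQop candidate value; {@code null} never matches
     * @return {@code true} if the value denotes this level
     */
    public boolean matches(String stringQop) {
      if (saslQop.equals(stringQop)) {
        log.warn("Use authentication/integrity/privacy as value for rpc protection "
            + "configurations instead of auth/auth-int/auth-conf.");
        return true;
      }
      return name().equalsIgnoreCase(stringQop);
    }
  }

  /**
   * Splits a fully qualified Kerberos name into its parts.
   * For {@code primary/instance@REALM} the result is
   * {@code [primary, instance, REALM]}; a name without an instance yields
   * two elements.
   *
   * @param fullName the Kerberos principal name; must not be {@code null}
   * @return the components separated at every {@code /} and {@code @}
   */
  public static String[] splitKerberosName(String fullName) {
    return fullName.split("[/@]");
  }

  /**
   * Base64-encodes an opaque identifier for transport as a string.
   *
   * @param identifier raw identifier bytes
   * @return the Base64 text (ASCII, decoded here with an explicit charset
   *         rather than the platform default)
   */
  static String encodeIdentifier(byte[] identifier) {
    return new String(Base64.encodeBase64(identifier), StandardCharsets.UTF_8);
  }

  /**
   * Reverses {@link #encodeIdentifier(byte[])}.
   *
   * @param identifier Base64 text
   * @return the decoded identifier bytes
   */
  static byte[] decodeIdentifier(String identifier) {
    return Base64.decodeBase64(identifier.getBytes(StandardCharsets.UTF_8));
  }

  /**
   * Base64-encodes a password into the {@code char[]} form the SASL callbacks
   * expect.
   *
   * @param password raw password bytes
   * @return the Base64 encoding as a char array the caller can zero after use
   */
  static char[] encodePassword(byte[] password) {
    byte[] encoded = Base64.encodeBase64(password);
    // Base64 output is ASCII, so a byte-to-char widening is lossless. Converting
    // element-wise instead of going through new String(...) avoids leaving an
    // immutable copy of the encoded secret in the heap that nobody can wipe.
    char[] result = new char[encoded.length];
    for (int i = 0; i < encoded.length; i++) {
      result[i] = (char) encoded[i];
    }
    Arrays.fill(encoded, (byte) 0);
    return result;
  }

  /**
   * Returns {@link org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection}
   * corresponding to the given {@code stringQop} value, accepting either the
   * configuration spelling or the raw SASL value (see
   * {@link QualityOfProtection#matches(String)}).
   *
   * @param stringQop the value to resolve
   * @return the matching level
   * @throws IllegalArgumentException If stringQop doesn't match any QOP.
   */
  public static QualityOfProtection getQop(String stringQop) {
    for (QualityOfProtection qop : QualityOfProtection.values()) {
      if (qop.matches(stringQop)) {
        return qop;
      }
    }
    throw new IllegalArgumentException("Invalid qop: " +  stringQop
        + ". It must be one of 'authentication', 'integrity', 'privacy'.");
  }

  /**
   * Builds the SASL property map for a given protection setting.
   *
   * @param rpcProtection Value of 'hbase.rpc.protection' configuration: a
   *        comma-separated list of levels in preference order. {@code null},
   *        empty or blank means authentication only.
   * @return Map with values for SASL properties: {@link Sasl#QOP} holding the
   *         comma-separated SASL values in the configured order, and
   *         {@link Sasl#SERVER_AUTH} set to {@code "true"} so the peer must
   *         authenticate itself as well.
   * @throws IllegalArgumentException if any entry is not a known level
   */
  static Map<String, String> initSaslProperties(String rpcProtection) {
    String saslQop;
    if (rpcProtection == null || rpcProtection.trim().isEmpty()) {
      // Nothing configured: fall back to authentication only.
      saslQop = QualityOfProtection.AUTHENTICATION.getSaslQop();
    } else {
      StringBuilder saslQopBuilder = new StringBuilder();
      for (String entry : rpcProtection.split(",")) {
        // Tolerate whitespace around entries, e.g. "authentication, privacy";
        // an unknown or empty entry still fails fast in getQop.
        QualityOfProtection qop = getQop(entry.trim());
        if (saslQopBuilder.length() > 0) {
          saslQopBuilder.append(',');
        }
        saslQopBuilder.append(qop.getSaslQop());
      }
      saslQop = saslQopBuilder.toString();
    }
    Map<String, String> saslProps = new TreeMap<>();
    saslProps.put(Sasl.QOP, saslQop);
    saslProps.put(Sasl.SERVER_AUTH, "true");
    return saslProps;
  }
}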