View Javadoc

1   /**
2    *
3    * Licensed to the Apache Software Foundation (ASF) under one
4    * or more contributor license agreements.  See the NOTICE file
5    * distributed with this work for additional information
6    * regarding copyright ownership.  The ASF licenses this file
7    * to you under the Apache License, Version 2.0 (the
8    * "License"); you may not use this file except in compliance
9    * with the License.  You may obtain a copy of the License at
10   *
11   *     http://www.apache.org/licenses/LICENSE-2.0
12   *
13   * Unless required by applicable law or agreed to in writing, software
14   * distributed under the License is distributed on an "AS IS" BASIS,
15   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16   * See the License for the specific language governing permissions and
17   * limitations under the License.
18   */
19  package org.apache.hadoop.hbase.security;
20  
21  import org.apache.commons.codec.binary.Base64;
22  import org.apache.hadoop.hbase.classification.InterfaceAudience;
23  
24  import java.util.Map;
25  import java.util.TreeMap;
26  
27  import javax.security.sasl.Sasl;
28  
29  import org.apache.commons.codec.binary.Base64;
30  import org.apache.commons.logging.Log;
31  import org.apache.commons.logging.LogFactory;
32  import org.apache.hadoop.hbase.classification.InterfaceAudience;
33  
34  @InterfaceAudience.Private
35  public class SaslUtil {
36    private static final Log log = LogFactory.getLog(SaslUtil.class);
37    public static final String SASL_DEFAULT_REALM = "default";
38    @edu.umd.cs.findbugs.annotations.SuppressWarnings(value="MS_MUTABLE_COLLECTION_PKGPROTECT",
39        justification="it is used in different package")
40    public static final Map<String, String> SASL_PROPS =
41        new TreeMap<String, String>();
42    public static final int SWITCH_TO_SIMPLE_AUTH = -88;
43  
44    public static enum QualityOfProtection {
45      AUTHENTICATION("auth"),
46      INTEGRITY("auth-int"),
47      PRIVACY("auth-conf");
48  
49      public final String saslQop;
50  
51      private QualityOfProtection(String saslQop) {
52        this.saslQop = saslQop;
53      }
54  
55      public String getSaslQop() {
56        return saslQop;
57      }
58    }
59  
60    /** Splitting fully qualified Kerberos name into parts */
61    public static String[] splitKerberosName(String fullName) {
62      return fullName.split("[/@]");
63    }
64  
65    static String encodeIdentifier(byte[] identifier) {
66      return new String(Base64.encodeBase64(identifier));
67    }
68  
69    static byte[] decodeIdentifier(String identifier) {
70      return Base64.decodeBase64(identifier.getBytes());
71    }
72  
73    static char[] encodePassword(byte[] password) {
74      return new String(Base64.encodeBase64(password)).toCharArray();
75    }
76  
77    /**
78     * Returns {@link org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection}
79     * corresponding to the given {@code stringQop} value. Returns null if value is
80     * invalid.
81     */
82    public static QualityOfProtection getQop(String stringQop) {
83      QualityOfProtection qop = null;
84      if (QualityOfProtection.AUTHENTICATION.name().toLowerCase().equals(stringQop)
85          || QualityOfProtection.AUTHENTICATION.saslQop.equals(stringQop)) {
86        qop = QualityOfProtection.AUTHENTICATION;
87      } else if (QualityOfProtection.INTEGRITY.name().toLowerCase().equals(stringQop)
88          || QualityOfProtection.INTEGRITY.saslQop.equals(stringQop)) {
89        qop = QualityOfProtection.INTEGRITY;
90      } else if (QualityOfProtection.PRIVACY.name().toLowerCase().equals(stringQop)
91          || QualityOfProtection.PRIVACY.saslQop.equals(stringQop)) {
92        qop = QualityOfProtection.PRIVACY;
93      }
94      if (qop == null) {
95        throw new IllegalArgumentException("Invalid qop: " +  stringQop
96            + ". It must be one of 'authentication', 'integrity', 'privacy'.");
97      }
98      if (QualityOfProtection.AUTHENTICATION.saslQop.equals(stringQop)
99          || QualityOfProtection.INTEGRITY.saslQop.equals(stringQop)
100         || QualityOfProtection.PRIVACY.saslQop.equals(stringQop)) {
101       log.warn("Use authentication/integrity/privacy as value for rpc protection "
102           + "configurations instead of auth/auth-int/auth-conf.");
103     }
104     return qop;
105   }
106 
107   static void initSaslProperties(String rpcProtection) {
108     QualityOfProtection saslQOP = getQop(rpcProtection);
109     if (saslQOP == null) {
110       saslQOP = QualityOfProtection.AUTHENTICATION;
111     }
112     SaslUtil.SASL_PROPS.put(Sasl.QOP, saslQOP.getSaslQop());
113     SaslUtil.SASL_PROPS.put(Sasl.SERVER_AUTH, "true");
114   }
115 }