1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.hadoop.hbase.security;
20
21 import org.apache.commons.codec.binary.Base64;
22 import org.apache.hadoop.hbase.classification.InterfaceAudience;
23
24 import java.util.Map;
25 import java.util.TreeMap;
26
27 import javax.security.sasl.Sasl;
28
29 import org.apache.commons.codec.binary.Base64;
30 import org.apache.commons.logging.Log;
31 import org.apache.commons.logging.LogFactory;
32 import org.apache.hadoop.hbase.classification.InterfaceAudience;
33
34 @InterfaceAudience.Private
35 public class SaslUtil {
36 private static final Log log = LogFactory.getLog(SaslUtil.class);
37 public static final String SASL_DEFAULT_REALM = "default";
38 @edu.umd.cs.findbugs.annotations.SuppressWarnings(value="MS_MUTABLE_COLLECTION_PKGPROTECT",
39 justification="it is used in different package")
40 public static final Map<String, String> SASL_PROPS =
41 new TreeMap<String, String>();
42 public static final int SWITCH_TO_SIMPLE_AUTH = -88;
43
44 public static enum QualityOfProtection {
45 AUTHENTICATION("auth"),
46 INTEGRITY("auth-int"),
47 PRIVACY("auth-conf");
48
49 public final String saslQop;
50
51 private QualityOfProtection(String saslQop) {
52 this.saslQop = saslQop;
53 }
54
55 public String getSaslQop() {
56 return saslQop;
57 }
58 }
59
60
61 public static String[] splitKerberosName(String fullName) {
62 return fullName.split("[/@]");
63 }
64
65 static String encodeIdentifier(byte[] identifier) {
66 return new String(Base64.encodeBase64(identifier));
67 }
68
69 static byte[] decodeIdentifier(String identifier) {
70 return Base64.decodeBase64(identifier.getBytes());
71 }
72
73 static char[] encodePassword(byte[] password) {
74 return new String(Base64.encodeBase64(password)).toCharArray();
75 }
76
77
78
79
80
81
82 public static QualityOfProtection getQop(String stringQop) {
83 QualityOfProtection qop = null;
84 if (QualityOfProtection.AUTHENTICATION.name().toLowerCase().equals(stringQop)
85 || QualityOfProtection.AUTHENTICATION.saslQop.equals(stringQop)) {
86 qop = QualityOfProtection.AUTHENTICATION;
87 } else if (QualityOfProtection.INTEGRITY.name().toLowerCase().equals(stringQop)
88 || QualityOfProtection.INTEGRITY.saslQop.equals(stringQop)) {
89 qop = QualityOfProtection.INTEGRITY;
90 } else if (QualityOfProtection.PRIVACY.name().toLowerCase().equals(stringQop)
91 || QualityOfProtection.PRIVACY.saslQop.equals(stringQop)) {
92 qop = QualityOfProtection.PRIVACY;
93 }
94 if (qop == null) {
95 throw new IllegalArgumentException("Invalid qop: " + stringQop
96 + ". It must be one of 'authentication', 'integrity', 'privacy'.");
97 }
98 if (QualityOfProtection.AUTHENTICATION.saslQop.equals(stringQop)
99 || QualityOfProtection.INTEGRITY.saslQop.equals(stringQop)
100 || QualityOfProtection.PRIVACY.saslQop.equals(stringQop)) {
101 log.warn("Use authentication/integrity/privacy as value for rpc protection "
102 + "configurations instead of auth/auth-int/auth-conf.");
103 }
104 return qop;
105 }
106
107 static void initSaslProperties(String rpcProtection) {
108 QualityOfProtection saslQOP = getQop(rpcProtection);
109 if (saslQOP == null) {
110 saslQOP = QualityOfProtection.AUTHENTICATION;
111 }
112 SaslUtil.SASL_PROPS.put(Sasl.QOP, saslQOP.getSaslQop());
113 SaslUtil.SASL_PROPS.put(Sasl.SERVER_AUTH, "true");
114 }
115 }