001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *   http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018
019package org.apache.hadoop.hbase.rest;
020
021import java.lang.management.ManagementFactory;
022import java.util.ArrayList;
023import java.util.List;
024import java.util.Map;
025import java.util.EnumSet;
026import java.util.concurrent.ArrayBlockingQueue;
027
028import com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider;
029import org.apache.commons.lang3.ArrayUtils;
030import org.apache.yetus.audience.InterfaceAudience;
031import org.apache.hadoop.conf.Configuration;
032import org.apache.hadoop.hbase.HBaseConfiguration;
033import org.apache.hadoop.hbase.HBaseInterfaceAudience;
034import org.apache.hadoop.hbase.http.InfoServer;
035import org.apache.hadoop.hbase.log.HBaseMarkers;
036import org.apache.hadoop.hbase.rest.filter.AuthFilter;
037import org.apache.hadoop.hbase.rest.filter.GzipFilter;
038import org.apache.hadoop.hbase.rest.filter.RestCsrfPreventionFilter;
039import org.apache.hadoop.hbase.security.UserProvider;
040import org.apache.hadoop.hbase.util.DNS;
041import org.apache.hadoop.hbase.http.HttpServerUtil;
042import org.apache.hadoop.hbase.util.Pair;
043import org.apache.hadoop.hbase.util.ReflectionUtils;
044import org.apache.hadoop.hbase.util.Strings;
045import org.apache.hadoop.hbase.util.VersionInfo;
046
047import org.apache.hbase.thirdparty.com.google.common.base.Preconditions;
048import org.apache.hbase.thirdparty.org.apache.commons.cli.CommandLine;
049import org.apache.hbase.thirdparty.org.apache.commons.cli.HelpFormatter;
050import org.apache.hbase.thirdparty.org.apache.commons.cli.Options;
051import org.apache.hbase.thirdparty.org.apache.commons.cli.ParseException;
052import org.apache.hbase.thirdparty.org.apache.commons.cli.PosixParser;
053
054import org.eclipse.jetty.http.HttpVersion;
055import org.eclipse.jetty.server.Server;
056import org.eclipse.jetty.server.HttpConnectionFactory;
057import org.eclipse.jetty.server.SslConnectionFactory;
058import org.eclipse.jetty.server.HttpConfiguration;
059import org.eclipse.jetty.server.ServerConnector;
060import org.eclipse.jetty.server.SecureRequestCustomizer;
061import org.eclipse.jetty.util.ssl.SslContextFactory;
062import org.eclipse.jetty.servlet.ServletContextHandler;
063import org.eclipse.jetty.servlet.ServletHolder;
064import org.eclipse.jetty.util.thread.QueuedThreadPool;
065import org.eclipse.jetty.jmx.MBeanContainer;
066import org.eclipse.jetty.servlet.FilterHolder;
067
068import org.glassfish.jersey.server.ResourceConfig;
069import org.glassfish.jersey.servlet.ServletContainer;
070import org.slf4j.Logger;
071import org.slf4j.LoggerFactory;
072
073import javax.servlet.DispatcherType;
074
075/**
076 * Main class for launching REST gateway as a servlet hosted by Jetty.
077 * <p>
078 * The following options are supported:
079 * <ul>
080 * <li>-p --port : service port</li>
081 * <li>-ro --readonly : server mode</li>
082 * </ul>
083 */
084@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.TOOLS)
085public class RESTServer implements Constants {
086  static Logger LOG = LoggerFactory.getLogger("RESTServer");
087
088  static final String REST_CSRF_ENABLED_KEY = "hbase.rest.csrf.enabled";
089  static final boolean REST_CSRF_ENABLED_DEFAULT = false;
090  boolean restCSRFEnabled = false;
091  static final String REST_CSRF_CUSTOM_HEADER_KEY ="hbase.rest.csrf.custom.header";
092  static final String REST_CSRF_CUSTOM_HEADER_DEFAULT = "X-XSRF-HEADER";
093  static final String REST_CSRF_METHODS_TO_IGNORE_KEY = "hbase.rest.csrf.methods.to.ignore";
094  static final String REST_CSRF_METHODS_TO_IGNORE_DEFAULT = "GET,OPTIONS,HEAD,TRACE";
095  public static final String SKIP_LOGIN_KEY = "hbase.rest.skip.login";
096
097  private static final String PATH_SPEC_ANY = "/*";
098
099  // HTTP OPTIONS method is commonly used in REST APIs for negotiation. It is disabled by default to
100  // maintain backward incompatibility
101  static final String REST_HTTP_ALLOW_OPTIONS_METHOD = "hbase.rest.http.allow.options.method";
102  private static boolean REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT = false;
103  static final String REST_CSRF_BROWSER_USERAGENTS_REGEX_KEY =
104    "hbase.rest-csrf.browser-useragents-regex";
105
106  // HACK, making this static for AuthFilter to get at our configuration. Necessary for unit tests.
107  @edu.umd.cs.findbugs.annotations.SuppressWarnings(
108    value={"ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD", "MS_CANNOT_BE_FINAL"},
109    justification="For testing")
110  public static Configuration conf = null;
111  private final UserProvider userProvider;
112  private Server server;
113  private InfoServer infoServer;
114
115  public RESTServer(Configuration conf) {
116    RESTServer.conf = conf;
117    this.userProvider = UserProvider.instantiate(conf);
118  }
119
120  private static void printUsageAndExit(Options options, int exitCode) {
121    HelpFormatter formatter = new HelpFormatter();
122    formatter.printHelp("hbase rest start", "", options,
123      "\nTo run the REST server as a daemon, execute " +
124      "hbase-daemon.sh start|stop rest [--infoport <port>] [-p <port>] [-ro]\n", true);
125    System.exit(exitCode);
126  }
127
128  void addCSRFFilter(ServletContextHandler ctxHandler, Configuration conf) {
129    restCSRFEnabled = conf.getBoolean(REST_CSRF_ENABLED_KEY, REST_CSRF_ENABLED_DEFAULT);
130    if (restCSRFEnabled) {
131      Map<String, String> restCsrfParams = RestCsrfPreventionFilter
132          .getFilterParams(conf, "hbase.rest-csrf.");
133      FilterHolder holder = new FilterHolder();
134      holder.setName("csrf");
135      holder.setClassName(RestCsrfPreventionFilter.class.getName());
136      holder.setInitParameters(restCsrfParams);
137      ctxHandler.addFilter(holder, PATH_SPEC_ANY, EnumSet.allOf(DispatcherType.class));
138    }
139  }
140
141  // login the server principal (if using secure Hadoop)
142  private static Pair<FilterHolder, Class<? extends ServletContainer>> loginServerPrincipal(
143    UserProvider userProvider, Configuration conf) throws Exception {
144    Class<? extends ServletContainer> containerClass = ServletContainer.class;
145    if (userProvider.isHadoopSecurityEnabled() && userProvider.isHBaseSecurityEnabled()) {
146      String machineName = Strings.domainNamePointerToHostName(
147        DNS.getDefaultHost(conf.get(REST_DNS_INTERFACE, "default"),
148          conf.get(REST_DNS_NAMESERVER, "default")));
149      String keytabFilename = conf.get(REST_KEYTAB_FILE);
150      Preconditions.checkArgument(keytabFilename != null && !keytabFilename.isEmpty(),
151        REST_KEYTAB_FILE + " should be set if security is enabled");
152      String principalConfig = conf.get(REST_KERBEROS_PRINCIPAL);
153      Preconditions.checkArgument(principalConfig != null && !principalConfig.isEmpty(),
154        REST_KERBEROS_PRINCIPAL + " should be set if security is enabled");
155      // Hook for unit tests, this will log out any other user and mess up tests.
156      if (!conf.getBoolean(SKIP_LOGIN_KEY, false)) {
157        userProvider.login(REST_KEYTAB_FILE, REST_KERBEROS_PRINCIPAL, machineName);
158      }
159      if (conf.get(REST_AUTHENTICATION_TYPE) != null) {
160        containerClass = RESTServletContainer.class;
161        FilterHolder authFilter = new FilterHolder();
162        authFilter.setClassName(AuthFilter.class.getName());
163        authFilter.setName("AuthenticationFilter");
164        return new Pair<>(authFilter,containerClass);
165      }
166    }
167    return new Pair<>(null, containerClass);
168  }
169
170  private static void parseCommandLine(String[] args, Configuration conf) {
171    Options options = new Options();
172    options.addOption("p", "port", true, "Port to bind to [default: " + DEFAULT_LISTEN_PORT + "]");
173    options.addOption("ro", "readonly", false, "Respond only to GET HTTP " +
174      "method requests [default: false]");
175    options.addOption(null, "infoport", true, "Port for web UI");
176
177    CommandLine commandLine = null;
178    try {
179      commandLine = new PosixParser().parse(options, args);
180    } catch (ParseException e) {
181      LOG.error("Could not parse: ", e);
182      printUsageAndExit(options, -1);
183    }
184
185    // check for user-defined port setting, if so override the conf
186    if (commandLine != null && commandLine.hasOption("port")) {
187      String val = commandLine.getOptionValue("port");
188      conf.setInt("hbase.rest.port", Integer.parseInt(val));
189      if (LOG.isDebugEnabled()) {
190        LOG.debug("port set to " + val);
191      }
192    }
193
194    // check if server should only process GET requests, if so override the conf
195    if (commandLine != null && commandLine.hasOption("readonly")) {
196      conf.setBoolean("hbase.rest.readonly", true);
197      if (LOG.isDebugEnabled()) {
198        LOG.debug("readonly set to true");
199      }
200    }
201
202    // check for user-defined info server port setting, if so override the conf
203    if (commandLine != null && commandLine.hasOption("infoport")) {
204      String val = commandLine.getOptionValue("infoport");
205      conf.setInt("hbase.rest.info.port", Integer.parseInt(val));
206      if (LOG.isDebugEnabled()) {
207        LOG.debug("Web UI port set to " + val);
208      }
209    }
210
211    if (commandLine != null && commandLine.hasOption("skipLogin")) {
212      conf.setBoolean(SKIP_LOGIN_KEY, true);
213      if (LOG.isDebugEnabled()) {
214        LOG.debug("Skipping Kerberos login for REST server");
215      }
216    }
217
218    List<String> remainingArgs = commandLine != null ? commandLine.getArgList() : new ArrayList<>();
219    if (remainingArgs.size() != 1) {
220      printUsageAndExit(options, 1);
221    }
222
223    String command = remainingArgs.get(0);
224    if ("start".equals(command)) {
225      // continue and start container
226    } else if ("stop".equals(command)) {
227      System.exit(1);
228    } else {
229      printUsageAndExit(options, 1);
230    }
231  }
232
233
234  /**
235   * Runs the REST server.
236   */
237  public synchronized void run() throws Exception {
238    Pair<FilterHolder, Class<? extends ServletContainer>> pair = loginServerPrincipal(
239      userProvider, conf);
240    FilterHolder authFilter = pair.getFirst();
241    Class<? extends ServletContainer> containerClass = pair.getSecond();
242    RESTServlet servlet = RESTServlet.getInstance(conf, userProvider);
243
244
245    // Set up the Jersey servlet container for Jetty
246    // The Jackson1Feature is a signal to Jersey that it should use jackson doing json.
247    // See here: https://stackoverflow.com/questions/39458230/how-register-jacksonfeature-on-clientconfig
248    ResourceConfig application = new ResourceConfig().
249        packages("org.apache.hadoop.hbase.rest").register(JacksonJaxbJsonProvider.class);
250    // Using our custom ServletContainer is tremendously important. This is what makes sure the
251    // UGI.doAs() is done for the remoteUser, and calls are not made as the REST server itself.
252    ServletContainer servletContainer = ReflectionUtils.newInstance(containerClass, application);
253    ServletHolder sh = new ServletHolder(servletContainer);
254
255    // Set the default max thread number to 100 to limit
256    // the number of concurrent requests so that REST server doesn't OOM easily.
257    // Jetty set the default max thread number to 250, if we don't set it.
258    //
259    // Our default min thread number 2 is the same as that used by Jetty.
260    int maxThreads = servlet.getConfiguration().getInt(REST_THREAD_POOL_THREADS_MAX, 100);
261    int minThreads = servlet.getConfiguration().getInt(REST_THREAD_POOL_THREADS_MIN, 2);
262    // Use the default queue (unbounded with Jetty 9.3) if the queue size is negative, otherwise use
263    // bounded {@link ArrayBlockingQueue} with the given size
264    int queueSize = servlet.getConfiguration().getInt(REST_THREAD_POOL_TASK_QUEUE_SIZE, -1);
265    int idleTimeout = servlet.getConfiguration().getInt(REST_THREAD_POOL_THREAD_IDLE_TIMEOUT, 60000);
266    QueuedThreadPool threadPool = queueSize > 0 ?
267        new QueuedThreadPool(maxThreads, minThreads, idleTimeout, new ArrayBlockingQueue<>(queueSize)) :
268        new QueuedThreadPool(maxThreads, minThreads, idleTimeout);
269
270    this.server = new Server(threadPool);
271
272    // Setup JMX
273    MBeanContainer mbContainer=new MBeanContainer(ManagementFactory.getPlatformMBeanServer());
274    server.addEventListener(mbContainer);
275    server.addBean(mbContainer);
276
277
278    String host = servlet.getConfiguration().get("hbase.rest.host", "0.0.0.0");
279    int servicePort = servlet.getConfiguration().getInt("hbase.rest.port", 8080);
280    HttpConfiguration httpConfig = new HttpConfiguration();
281    httpConfig.setSecureScheme("https");
282    httpConfig.setSecurePort(servicePort);
283    httpConfig.setSendServerVersion(false);
284    httpConfig.setSendDateHeader(false);
285
286    ServerConnector serverConnector;
287    if (conf.getBoolean(REST_SSL_ENABLED, false)) {
288      HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
289      httpsConfig.addCustomizer(new SecureRequestCustomizer());
290
291      SslContextFactory sslCtxFactory = new SslContextFactory();
292      String keystore = conf.get(REST_SSL_KEYSTORE_STORE);
293      String password = HBaseConfiguration.getPassword(conf,
294          REST_SSL_KEYSTORE_PASSWORD, null);
295      String keyPassword = HBaseConfiguration.getPassword(conf,
296          REST_SSL_KEYSTORE_KEYPASSWORD, password);
297      sslCtxFactory.setKeyStorePath(keystore);
298      sslCtxFactory.setKeyStorePassword(password);
299      sslCtxFactory.setKeyManagerPassword(keyPassword);
300
301      String[] excludeCiphers = servlet.getConfiguration().getStrings(
302          REST_SSL_EXCLUDE_CIPHER_SUITES, ArrayUtils.EMPTY_STRING_ARRAY);
303      if (excludeCiphers.length != 0) {
304        sslCtxFactory.setExcludeCipherSuites(excludeCiphers);
305      }
306      String[] includeCiphers = servlet.getConfiguration().getStrings(
307          REST_SSL_INCLUDE_CIPHER_SUITES, ArrayUtils.EMPTY_STRING_ARRAY);
308      if (includeCiphers.length != 0) {
309        sslCtxFactory.setIncludeCipherSuites(includeCiphers);
310      }
311
312      String[] excludeProtocols = servlet.getConfiguration().getStrings(
313          REST_SSL_EXCLUDE_PROTOCOLS, ArrayUtils.EMPTY_STRING_ARRAY);
314      if (excludeProtocols.length != 0) {
315        sslCtxFactory.setExcludeProtocols(excludeProtocols);
316      }
317      String[] includeProtocols = servlet.getConfiguration().getStrings(
318          REST_SSL_INCLUDE_PROTOCOLS, ArrayUtils.EMPTY_STRING_ARRAY);
319      if (includeProtocols.length != 0) {
320        sslCtxFactory.setIncludeProtocols(includeProtocols);
321      }
322
323      serverConnector = new ServerConnector(server,
324          new SslConnectionFactory(sslCtxFactory, HttpVersion.HTTP_1_1.toString()),
325          new HttpConnectionFactory(httpsConfig));
326    } else {
327      serverConnector = new ServerConnector(server, new HttpConnectionFactory(httpConfig));
328    }
329
330    int acceptQueueSize = servlet.getConfiguration().getInt(REST_CONNECTOR_ACCEPT_QUEUE_SIZE, -1);
331    if (acceptQueueSize >= 0) {
332      serverConnector.setAcceptQueueSize(acceptQueueSize);
333    }
334
335    serverConnector.setPort(servicePort);
336    serverConnector.setHost(host);
337
338    server.addConnector(serverConnector);
339    server.setStopAtShutdown(true);
340
341    // set up context
342    ServletContextHandler ctxHandler = new ServletContextHandler(server, "/", ServletContextHandler.SESSIONS);
343    ctxHandler.addServlet(sh, PATH_SPEC_ANY);
344    if (authFilter != null) {
345      ctxHandler.addFilter(authFilter, PATH_SPEC_ANY, EnumSet.of(DispatcherType.REQUEST));
346    }
347
348    // Load filters from configuration.
349    String[] filterClasses = servlet.getConfiguration().getStrings(FILTER_CLASSES,
350        GzipFilter.class.getName());
351    for (String filter : filterClasses) {
352      filter = filter.trim();
353      ctxHandler.addFilter(filter, PATH_SPEC_ANY, EnumSet.of(DispatcherType.REQUEST));
354    }
355    addCSRFFilter(ctxHandler, conf);
356    HttpServerUtil.constrainHttpMethods(ctxHandler, servlet.getConfiguration()
357        .getBoolean(REST_HTTP_ALLOW_OPTIONS_METHOD, REST_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT));
358
359    // Put up info server.
360    int port = conf.getInt("hbase.rest.info.port", 8085);
361    if (port >= 0) {
362      conf.setLong("startcode", System.currentTimeMillis());
363      String a = conf.get("hbase.rest.info.bindAddress", "0.0.0.0");
364      this.infoServer = new InfoServer("rest", a, port, false, conf);
365      this.infoServer.setAttribute("hbase.conf", conf);
366      this.infoServer.start();
367    }
368    try {
369      // start server
370      server.start();
371    } catch (Exception e) {
372      LOG.error(HBaseMarkers.FATAL, "Failed to start server", e);
373      throw e;
374    }
375  }
376
377  public synchronized void join() throws Exception {
378    if (server == null) {
379      throw new IllegalStateException("Server is not running");
380    }
381    server.join();
382  }
383
384  public synchronized void stop() throws Exception {
385    if (server == null) {
386      throw new IllegalStateException("Server is not running");
387    }
388    server.stop();
389    server = null;
390    RESTServlet.stop();
391  }
392
393  public synchronized int getPort() {
394    if (server == null) {
395      throw new IllegalStateException("Server is not running");
396    }
397    return ((ServerConnector) server.getConnectors()[0]).getLocalPort();
398  }
399
400  @SuppressWarnings("deprecation")
401  public synchronized int getInfoPort() {
402    if (infoServer == null) {
403      throw new IllegalStateException("InfoServer is not running");
404    }
405    return infoServer.getPort();
406  }
407
408  public Configuration getConf() {
409    return conf;
410  }
411
412  /**
413   * The main method for the HBase rest server.
414   * @param args command-line arguments
415   * @throws Exception exception
416   */
417  public static void main(String[] args) throws Exception {
418    LOG.info("***** STARTING service '" + RESTServer.class.getSimpleName() + "' *****");
419    VersionInfo.logVersion();
420    final Configuration conf = HBaseConfiguration.create();
421    parseCommandLine(args, conf);
422    RESTServer server = new RESTServer(conf);
423
424    try {
425      server.run();
426      server.join();
427    } catch (Exception e) {
428      System.exit(1);
429    }
430
431    LOG.info("***** STOPPING service '" + RESTServer.class.getSimpleName() + "' *****");
432  }
433}