001/** 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.rest; 019 020import static org.junit.Assert.assertEquals; 021import static org.junit.Assert.assertTrue; 022 023import com.fasterxml.jackson.databind.ObjectMapper; 024import com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider; 025 026import java.io.File; 027import java.net.HttpURLConnection; 028import java.net.URL; 029import java.security.Principal; 030import java.security.PrivilegedExceptionAction; 031 032import javax.ws.rs.core.MediaType; 033 034import org.apache.commons.io.FileUtils; 035import org.apache.hadoop.conf.Configuration; 036import org.apache.hadoop.hbase.HBaseClassTestRule; 037import org.apache.hadoop.hbase.HBaseTestingUtility; 038import org.apache.hadoop.hbase.MiniHBaseCluster; 039import org.apache.hadoop.hbase.TableName; 040import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder; 041import org.apache.hadoop.hbase.client.Connection; 042import org.apache.hadoop.hbase.client.ConnectionFactory; 043import org.apache.hadoop.hbase.client.Put; 044import org.apache.hadoop.hbase.client.Table; 045import org.apache.hadoop.hbase.client.TableDescriptor; 046import org.apache.hadoop.hbase.client.TableDescriptorBuilder; 047import org.apache.hadoop.hbase.coprocessor.CoprocessorHost; 048import org.apache.hadoop.hbase.http.ssl.KeyStoreTestUtil; 049import org.apache.hadoop.hbase.rest.model.CellModel; 050import org.apache.hadoop.hbase.rest.model.CellSetModel; 051import org.apache.hadoop.hbase.rest.model.RowModel; 052import org.apache.hadoop.hbase.security.HBaseKerberosUtils; 053import org.apache.hadoop.hbase.security.access.AccessControlClient; 054import org.apache.hadoop.hbase.security.access.AccessControlConstants; 055import org.apache.hadoop.hbase.security.access.AccessController; 056import org.apache.hadoop.hbase.security.access.Permission.Action; 057import org.apache.hadoop.hbase.security.token.TokenProvider; 058import org.apache.hadoop.hbase.testclassification.MiscTests; 059import org.apache.hadoop.hbase.testclassification.SmallTests; 060import org.apache.hadoop.hbase.util.Bytes; 061import org.apache.hadoop.hbase.util.Pair; 062import org.apache.hadoop.hdfs.DFSConfigKeys; 063import org.apache.hadoop.http.HttpConfig; 064import org.apache.hadoop.minikdc.MiniKdc; 065import org.apache.hadoop.security.UserGroupInformation; 066import org.apache.hadoop.security.authentication.util.KerberosName; 067import org.apache.http.HttpEntity; 068import org.apache.http.HttpHost; 069import org.apache.http.auth.AuthSchemeProvider; 070import org.apache.http.auth.AuthScope; 071import org.apache.http.auth.Credentials; 072import org.apache.http.client.AuthCache; 073import org.apache.http.client.CredentialsProvider; 074import org.apache.http.client.config.AuthSchemes; 075import org.apache.http.client.methods.CloseableHttpResponse; 076import org.apache.http.client.methods.HttpGet; 077import org.apache.http.client.methods.HttpPut; 078import org.apache.http.client.protocol.HttpClientContext; 079import org.apache.http.config.Registry; 080import org.apache.http.config.RegistryBuilder; 081import org.apache.http.conn.HttpClientConnectionManager; 082import org.apache.http.entity.ContentType; 083import org.apache.http.entity.StringEntity; 084import org.apache.http.impl.auth.SPNegoSchemeFactory; 085import org.apache.http.impl.client.BasicAuthCache; 086import org.apache.http.impl.client.BasicCredentialsProvider; 087import org.apache.http.impl.client.CloseableHttpClient; 088import org.apache.http.impl.client.HttpClients; 089import org.apache.http.impl.conn.PoolingHttpClientConnectionManager; 090import org.apache.http.util.EntityUtils; 091import org.junit.AfterClass; 092import org.junit.BeforeClass; 093import org.junit.ClassRule; 094import org.junit.Test; 095import org.junit.experimental.categories.Category; 096import org.slf4j.Logger; 097import org.slf4j.LoggerFactory; 098 099/** 100 * Test class for SPNEGO authentication on the HttpServer. Uses Kerby's MiniKDC and Apache 101 * HttpComponents to verify that a simple Servlet is reachable via SPNEGO and unreachable w/o. 102 */ 103@Category({MiscTests.class, SmallTests.class}) 104public class TestSecureRESTServer { 105 106 @ClassRule 107 public static final HBaseClassTestRule CLASS_RULE = 108 HBaseClassTestRule.forClass(TestSecureRESTServer.class); 109 110 private static final Logger LOG = LoggerFactory.getLogger(TestSecureRESTServer.class); 111 private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility(); 112 private static final HBaseRESTTestingUtility REST_TEST = new HBaseRESTTestingUtility(); 113 private static MiniHBaseCluster CLUSTER; 114 115 private static final String HOSTNAME = "localhost"; 116 private static final String CLIENT_PRINCIPAL = "client"; 117 // The principal for accepting SPNEGO authn'ed requests (*must* be HTTP/fqdn) 118 private static final String SPNEGO_SERVICE_PRINCIPAL = "HTTP/" + HOSTNAME; 119 // The principal we use to connect to HBase 120 private static final String REST_SERVER_PRINCIPAL = "rest"; 121 private static final String SERVICE_PRINCIPAL = "hbase/" + HOSTNAME; 122 123 private static URL baseUrl; 124 private static MiniKdc KDC; 125 private static RESTServer server; 126 private static File restServerKeytab; 127 private static File clientKeytab; 128 private static File serviceKeytab; 129 130 private static void setSecuredHadoopConfiguration(Configuration conf, 131 String servicePrincipal, String serviceKeytab, String spnegoServerPrincipal) { 132 // if we drop support for hadoop-2.4.0 and hadoop-2.4.1, 133 // the following key should be changed. 134 // 1) DFS_NAMENODE_USER_NAME_KEY -> DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY 135 // 2) DFS_DATANODE_USER_NAME_KEY -> DFS_DATANODE_KERBEROS_PRINCIPAL_KEY 136 // HDFS 137 conf.set(DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY, servicePrincipal); 138 conf.set(DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY, serviceKeytab); 139 conf.set(DFSConfigKeys.DFS_DATANODE_USER_NAME_KEY, servicePrincipal); 140 conf.set(DFSConfigKeys.DFS_DATANODE_KEYTAB_FILE_KEY, serviceKeytab); 141 conf.setBoolean(DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true); 142 143 if (spnegoServerPrincipal != null) { 144 conf.set(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, 145 spnegoServerPrincipal); 146 } 147 148 conf.setBoolean("ignore.secure.ports.for.testing", true); 149 150 UserGroupInformation.setConfiguration(conf); 151 } 152 153 @BeforeClass 154 public static void setupServer() throws Exception { 155 final File target = new File(System.getProperty("user.dir"), "target"); 156 assertTrue(target.exists()); 157 158 /* 159 * Keytabs 160 */ 161 File keytabDir = new File(target, TestSecureRESTServer.class.getSimpleName() 162 + "_keytabs"); 163 if (keytabDir.exists()) { 164 FileUtils.deleteDirectory(keytabDir); 165 } 166 keytabDir.mkdirs(); 167 // Keytab for HBase services (RS, Master) 168 serviceKeytab = new File(keytabDir, "hbase.service.keytab"); 169 // The keytab for the REST server 170 restServerKeytab = new File(keytabDir, "spnego.keytab"); 171 // Keytab for the client 172 clientKeytab = new File(keytabDir, CLIENT_PRINCIPAL + ".keytab"); 173 174 /* 175 * Update UGI 176 */ 177 Configuration conf = TEST_UTIL.getConfiguration(); 178 179 /* 180 * Start KDC 181 */ 182 KDC = TEST_UTIL.setupMiniKdc(serviceKeytab); 183 KDC.createPrincipal(clientKeytab, CLIENT_PRINCIPAL); 184 KDC.createPrincipal(serviceKeytab, SERVICE_PRINCIPAL); 185 // REST server's keytab contains keys for both principals REST uses 186 KDC.createPrincipal(restServerKeytab, SPNEGO_SERVICE_PRINCIPAL, REST_SERVER_PRINCIPAL); 187 188 // Set configuration for HBase 189 HBaseKerberosUtils.setPrincipalForTesting(SERVICE_PRINCIPAL + "@" + KDC.getRealm()); 190 HBaseKerberosUtils.setKeytabFileForTesting(serviceKeytab.getAbsolutePath()); 191 // Why doesn't `setKeytabFileForTesting` do this? 192 conf.set("hbase.master.keytab.file", serviceKeytab.getAbsolutePath()); 193 conf.set("hbase.regionserver.hostname", "localhost"); 194 conf.set("hbase.master.hostname", "localhost"); 195 // Work around HBASE-20950 missing in branch-2.0 and branch-2.1 196 HBaseKerberosUtils.setPrincipalForTesting(SERVICE_PRINCIPAL+ "@" + KDC.getRealm()); 197 HBaseKerberosUtils.setSecuredConfiguration(conf); 198 setSecuredHadoopConfiguration(conf, 199 SERVICE_PRINCIPAL+ "@" + KDC.getRealm(), serviceKeytab.getAbsolutePath(), 200 SPNEGO_SERVICE_PRINCIPAL+ "@" + KDC.getRealm()); 201 setHdfsSecuredConfiguration(conf); 202 conf.setStrings(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY, 203 TokenProvider.class.getName(), AccessController.class.getName()); 204 conf.setStrings(CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY, 205 AccessController.class.getName()); 206 conf.setStrings(CoprocessorHost.REGIONSERVER_COPROCESSOR_CONF_KEY, 207 AccessController.class.getName()); 208 // Enable EXEC permission checking 209 conf.setBoolean(AccessControlConstants.EXEC_PERMISSION_CHECKS_KEY, true); 210 conf.set("hbase.superuser", "hbase"); 211 conf.set("hadoop.proxyuser.rest.hosts", "*"); 212 conf.set("hadoop.proxyuser.rest.users", "*"); 213 UserGroupInformation.setConfiguration(conf); 214 215 updateKerberosConfiguration(conf, REST_SERVER_PRINCIPAL, SPNEGO_SERVICE_PRINCIPAL, 216 restServerKeytab); 217 218 // Start HDFS 219 TEST_UTIL.startMiniCluster(1, 1); 220 221 // Start REST 222 UserGroupInformation restUser = UserGroupInformation.loginUserFromKeytabAndReturnUGI( 223 REST_SERVER_PRINCIPAL, restServerKeytab.getAbsolutePath()); 224 restUser.doAs(new PrivilegedExceptionAction<Void>() { 225 @Override 226 public Void run() throws Exception { 227 REST_TEST.startServletContainer(conf); 228 return null; 229 } 230 }); 231 baseUrl = new URL("http://localhost:" + REST_TEST.getServletPort()); 232 233 LOG.info("HTTP server started: "+ baseUrl); 234 TEST_UTIL.waitTableAvailable(TableName.valueOf("hbase:acl")); 235 236 // Let the REST server create, read, and write globally 237 UserGroupInformation superuser = UserGroupInformation.loginUserFromKeytabAndReturnUGI( 238 SERVICE_PRINCIPAL, serviceKeytab.getAbsolutePath()); 239 superuser.doAs(new PrivilegedExceptionAction<Void>() { 240 @Override 241 public Void run() throws Exception { 242 try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) { 243 AccessControlClient.grant( 244 conn, REST_SERVER_PRINCIPAL, Action.CREATE, Action.READ, Action.WRITE); 245 } catch (Throwable t) { 246 if (t instanceof Exception) { 247 throw (Exception) t; 248 } else { 249 throw new Exception(t); 250 } 251 } 252 return null; 253 } 254 }); 255 } 256 257 @AfterClass 258 public static void stopServer() throws Exception { 259 try { 260 if (null != server) { 261 server.stop(); 262 } 263 } catch (Exception e) { 264 LOG.info("Failed to stop info server", e); 265 } 266 try { 267 if (CLUSTER != null) { 268 CLUSTER.shutdown(); 269 } 270 } catch (Exception e) { 271 LOG.info("Failed to stop HBase cluster", e); 272 } 273 try { 274 if (null != KDC) { 275 KDC.stop(); 276 } 277 } catch (Exception e) { 278 LOG.info("Failed to stop mini KDC", e); 279 } 280 } 281 282 private static void setHdfsSecuredConfiguration(Configuration conf) throws Exception { 283 // Set principal+keytab configuration for HDFS 284 conf.set(DFSConfigKeys.DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY, 285 SERVICE_PRINCIPAL + "@" + KDC.getRealm()); 286 conf.set(DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY, serviceKeytab.getAbsolutePath()); 287 conf.set(DFSConfigKeys.DFS_DATANODE_KERBEROS_PRINCIPAL_KEY, 288 SERVICE_PRINCIPAL + "@" + KDC.getRealm()); 289 conf.set(DFSConfigKeys.DFS_DATANODE_KEYTAB_FILE_KEY, serviceKeytab.getAbsolutePath()); 290 conf.set(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, 291 SPNEGO_SERVICE_PRINCIPAL + "@" + KDC.getRealm()); 292 // Enable token access for HDFS blocks 293 conf.setBoolean(DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true); 294 // Only use HTTPS (required because we aren't using "secure" ports) 295 conf.set(DFSConfigKeys.DFS_HTTP_POLICY_KEY, HttpConfig.Policy.HTTPS_ONLY.name()); 296 // Bind on localhost for spnego to have a chance at working 297 conf.set(DFSConfigKeys.DFS_NAMENODE_HTTPS_ADDRESS_KEY, "localhost:0"); 298 conf.set(DFSConfigKeys.DFS_DATANODE_HTTPS_ADDRESS_KEY, "localhost:0"); 299 300 // Generate SSL certs 301 File keystoresDir = new File(TEST_UTIL.getDataTestDir("keystore").toUri().getPath()); 302 keystoresDir.mkdirs(); 303 String sslConfDir = KeyStoreTestUtil.getClasspathDir(TestSecureRESTServer.class); 304 KeyStoreTestUtil.setupSSLConfig(keystoresDir.getAbsolutePath(), sslConfDir, conf, false); 305 306 // Magic flag to tell hdfs to not fail on using ports above 1024 307 conf.setBoolean("ignore.secure.ports.for.testing", true); 308 } 309 310 private static void updateKerberosConfiguration(Configuration conf, 311 String serverPrincipal, String spnegoPrincipal, File serverKeytab) { 312 KerberosName.setRules("DEFAULT"); 313 314 // Enable Kerberos (pre-req) 315 conf.set("hbase.security.authentication", "kerberos"); 316 conf.set(RESTServer.REST_AUTHENTICATION_TYPE, "kerberos"); 317 // User to talk to HBase as 318 conf.set(RESTServer.REST_KERBEROS_PRINCIPAL, serverPrincipal); 319 // User to accept SPNEGO-auth'd http calls as 320 conf.set("hbase.rest.authentication.kerberos.principal", spnegoPrincipal); 321 // Keytab for both principals above 322 conf.set(RESTServer.REST_KEYTAB_FILE, serverKeytab.getAbsolutePath()); 323 conf.set("hbase.rest.authentication.kerberos.keytab", serverKeytab.getAbsolutePath()); 324 } 325 326 @Test 327 public void testPositiveAuthorization() throws Exception { 328 // Create a table, write a row to it, grant read perms to the client 329 UserGroupInformation superuser = UserGroupInformation.loginUserFromKeytabAndReturnUGI( 330 SERVICE_PRINCIPAL, serviceKeytab.getAbsolutePath()); 331 final TableName table = TableName.valueOf("publicTable"); 332 superuser.doAs(new PrivilegedExceptionAction<Void>() { 333 @Override 334 public Void run() throws Exception { 335 try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) { 336 TableDescriptor desc = TableDescriptorBuilder.newBuilder(table) 337 .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1")) 338 .build(); 339 conn.getAdmin().createTable(desc); 340 try (Table t = conn.getTable(table)) { 341 Put p = new Put(Bytes.toBytes("a")); 342 p.addColumn(Bytes.toBytes("f1"), new byte[0], Bytes.toBytes("1")); 343 t.put(p); 344 } 345 AccessControlClient.grant(conn, CLIENT_PRINCIPAL, Action.READ); 346 } catch (Throwable e) { 347 if (e instanceof Exception) { 348 throw (Exception) e; 349 } else { 350 throw new Exception(e); 351 } 352 } 353 return null; 354 } 355 }); 356 357 // Read that row as the client 358 Pair<CloseableHttpClient,HttpClientContext> pair = getClient(); 359 CloseableHttpClient client = pair.getFirst(); 360 HttpClientContext context = pair.getSecond(); 361 362 HttpGet get = new HttpGet(new URL("http://localhost:"+ REST_TEST.getServletPort()).toURI() 363 + "/" + table + "/a"); 364 get.addHeader("Accept", "application/json"); 365 UserGroupInformation user = UserGroupInformation.loginUserFromKeytabAndReturnUGI( 366 CLIENT_PRINCIPAL, clientKeytab.getAbsolutePath()); 367 String jsonResponse = user.doAs(new PrivilegedExceptionAction<String>() { 368 @Override 369 public String run() throws Exception { 370 try (CloseableHttpResponse response = client.execute(get, context)) { 371 final int statusCode = response.getStatusLine().getStatusCode(); 372 assertEquals(response.getStatusLine().toString(), HttpURLConnection.HTTP_OK, statusCode); 373 HttpEntity entity = response.getEntity(); 374 return EntityUtils.toString(entity); 375 } 376 } 377 }); 378 ObjectMapper mapper = new JacksonJaxbJsonProvider() 379 .locateMapper(CellSetModel.class, MediaType.APPLICATION_JSON_TYPE); 380 CellSetModel model = mapper.readValue(jsonResponse, CellSetModel.class); 381 assertEquals(1, model.getRows().size()); 382 RowModel row = model.getRows().get(0); 383 assertEquals("a", Bytes.toString(row.getKey())); 384 assertEquals(1, row.getCells().size()); 385 CellModel cell = row.getCells().get(0); 386 assertEquals("1", Bytes.toString(cell.getValue())); 387 } 388 389 @Test 390 public void testNegativeAuthorization() throws Exception { 391 Pair<CloseableHttpClient,HttpClientContext> pair = getClient(); 392 CloseableHttpClient client = pair.getFirst(); 393 HttpClientContext context = pair.getSecond(); 394 395 StringEntity entity = new StringEntity( 396 "{\"name\":\"test\", \"ColumnSchema\":[{\"name\":\"f\"}]}", ContentType.APPLICATION_JSON); 397 HttpPut put = new HttpPut("http://localhost:"+ REST_TEST.getServletPort() + "/test/schema"); 398 put.setEntity(entity); 399 400 401 UserGroupInformation unprivileged = UserGroupInformation.loginUserFromKeytabAndReturnUGI( 402 CLIENT_PRINCIPAL, clientKeytab.getAbsolutePath()); 403 unprivileged.doAs(new PrivilegedExceptionAction<Void>() { 404 @Override 405 public Void run() throws Exception { 406 try (CloseableHttpResponse response = client.execute(put, context)) { 407 final int statusCode = response.getStatusLine().getStatusCode(); 408 HttpEntity entity = response.getEntity(); 409 assertEquals("Got response: "+ EntityUtils.toString(entity), 410 HttpURLConnection.HTTP_FORBIDDEN, statusCode); 411 } 412 return null; 413 } 414 }); 415 } 416 417 private Pair<CloseableHttpClient,HttpClientContext> getClient() { 418 HttpClientConnectionManager pool = new PoolingHttpClientConnectionManager(); 419 HttpHost host = new HttpHost("localhost", REST_TEST.getServletPort()); 420 Registry<AuthSchemeProvider> authRegistry = 421 RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, 422 new SPNegoSchemeFactory(true, true)).build(); 423 CredentialsProvider credentialsProvider = new BasicCredentialsProvider(); 424 credentialsProvider.setCredentials(AuthScope.ANY, EmptyCredentials.INSTANCE); 425 AuthCache authCache = new BasicAuthCache(); 426 427 CloseableHttpClient client = HttpClients.custom() 428 .setDefaultAuthSchemeRegistry(authRegistry) 429 .setConnectionManager(pool).build(); 430 431 HttpClientContext context = HttpClientContext.create(); 432 context.setTargetHost(host); 433 context.setCredentialsProvider(credentialsProvider); 434 context.setAuthSchemeRegistry(authRegistry); 435 context.setAuthCache(authCache); 436 437 return new Pair<>(client, context); 438 } 439 440 private static class EmptyCredentials implements Credentials { 441 public static final EmptyCredentials INSTANCE = new EmptyCredentials(); 442 443 @Override public String getPassword() { 444 return null; 445 } 446 @Override public Principal getUserPrincipal() { 447 return null; 448 } 449 } 450}