001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.thrift;
019
020import static org.junit.Assert.assertFalse;
021import static org.junit.Assert.assertNotNull;
022
023import java.io.File;
024import java.nio.file.Paths;
025import java.security.Principal;
026import java.security.PrivilegedExceptionAction;
027import java.util.Set;
028
029import javax.security.auth.Subject;
030import javax.security.auth.kerberos.KerberosTicket;
031
032import org.apache.hadoop.conf.Configuration;
033import org.apache.hadoop.hbase.HBaseClassTestRule;
034import org.apache.hadoop.hbase.HBaseTestingUtility;
035import org.apache.hadoop.hbase.HConstants;
036import org.apache.hadoop.hbase.security.HBaseKerberosUtils;
037import org.apache.hadoop.hbase.testclassification.ClientTests;
038import org.apache.hadoop.hbase.testclassification.LargeTests;
039import org.apache.hadoop.hbase.thrift.generated.Hbase;
040import org.apache.hadoop.hdfs.DFSConfigKeys;
041import org.apache.hadoop.security.authentication.util.KerberosName;
042import org.apache.http.HttpHeaders;
043import org.apache.http.auth.AuthSchemeProvider;
044import org.apache.http.auth.AuthScope;
045import org.apache.http.auth.KerberosCredentials;
046import org.apache.http.client.config.AuthSchemes;
047import org.apache.http.config.Lookup;
048import org.apache.http.config.RegistryBuilder;
049import org.apache.http.impl.auth.SPNegoSchemeFactory;
050import org.apache.http.impl.client.BasicCredentialsProvider;
051import org.apache.http.impl.client.CloseableHttpClient;
052import org.apache.http.impl.client.HttpClients;
053import org.apache.kerby.kerberos.kerb.client.JaasKrbUtil;
054import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;
055import org.apache.thrift.protocol.TBinaryProtocol;
056import org.apache.thrift.protocol.TProtocol;
057import org.apache.thrift.transport.THttpClient;
058import org.ietf.jgss.GSSCredential;
059import org.ietf.jgss.GSSManager;
060import org.ietf.jgss.GSSName;
061import org.ietf.jgss.Oid;
062import org.junit.AfterClass;
063import org.junit.BeforeClass;
064import org.junit.ClassRule;
065import org.junit.experimental.categories.Category;
066import org.slf4j.Logger;
067import org.slf4j.LoggerFactory;
068
/**
 * Starts the HBase Thrift HTTP server on a random port through the command-line
 * interface and talks to it from the client side with SPNEGO security enabled.
 *
 * Supplemental test to TestThriftSpnegoHttpServer: this variant relies on the Thrift
 * server falling back to the original Kerberos principal and keytab configuration
 * properties instead of the separate SPNEGO-specific properties.
 */
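@Category({ClientTests.class, LargeTests.class})
public class TestThriftSpnegoHttpFallbackServer extends TestThriftHttpServer {
  @ClassRule
  public static final HBaseClassTestRule CLASS_RULE =
    HBaseClassTestRule.forClass(TestThriftSpnegoHttpFallbackServer.class);

  private static final Logger LOG =
    LoggerFactory.getLogger(TestThriftSpnegoHttpFallbackServer.class);

  /** Kerberos V5 GSS-API mechanism OID (RFC 1964), used to acquire the client's GSS credential. */
  private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

  // In-process KDC that issues tickets for both the client and the server principals;
  // null before setUpBeforeClass() and again after it has been stopped.
  private static SimpleKdcServer kdc;
  // Keytab holding the HBase service principal and the HTTP (SPNEGO) principal.
  private static File serverKeytab;
  // Keytab holding the client principal that createHttpClient() logs in with.
  private static File clientKeytab;

  private static String clientPrincipal;
  private static String serverPrincipal;
  private static String spnegoServerPrincipal;

  /**
   * Creates and initialises (but does not start) a TCP-only mini KDC bound to
   * {@link HConstants#LOCALHOST} on a random free port, with its working directory
   * placed under the test utility's random directory.
   *
   * @return the initialised KDC, ready for {@link SimpleKdcServer#start()}
   * @throws IllegalStateException if the KDC working directory cannot be created
   * @throws Exception if the KDC fails to initialise
   */
  private static SimpleKdcServer buildMiniKdc() throws Exception {
    File kdcDir = Paths.get(TEST_UTIL.getRandomDir().toString()).toAbsolutePath().toFile();
    // mkdirs() returns false both on failure and when the directory already exists,
    // so check the resulting state rather than relying on the return value alone.
    if (!kdcDir.mkdirs() && !kdcDir.isDirectory()) {
      throw new IllegalStateException("Could not create KDC work directory " + kdcDir);
    }

    SimpleKdcServer server = new SimpleKdcServer();
    server.setWorkDir(kdcDir);
    server.setKdcHost(HConstants.LOCALHOST);
    int kdcPort = HBaseTestingUtility.randomFreePort();
    // Kerberos over TCP only; UDP is disabled.
    server.setAllowTcp(true);
    server.setAllowUdp(false);
    server.setKdcTcpPort(kdcPort);

    LOG.info("Starting KDC server at {}:{}", HConstants.LOCALHOST, kdcPort);
    server.init();
    return server;
  }

  /**
   * Puts {@code conf} into secure (Kerberos) mode for the mini cluster and the Thrift server.
   * <p>
   * Unlike the SPNEGO-specific test, the Thrift server is configured only through the
   * original {@link ThriftServerRunner#THRIFT_KERBEROS_PRINCIPAL_KEY} and
   * {@link ThriftServerRunner#THRIFT_KEYTAB_FILE_KEY} properties, so the HTTP/SPNEGO
   * endpoint must fall back to them.
   *
   * @param conf the configuration to mutate; the keytabs and principals set up by
   *             {@link #setUpBeforeClass()} must already exist
   */
  private static void addSecurityConfigurations(Configuration conf) {
    // Hadoop's default auth_to_local rules for mapping Kerberos principals to local names.
    KerberosName.setRules("DEFAULT");

    final String serverKeytabPath = serverKeytab.getAbsolutePath();

    HBaseKerberosUtils.setKeytabFileForTesting(serverKeytabPath);
    HBaseKerberosUtils.setPrincipalForTesting(spnegoServerPrincipal);
    HBaseKerberosUtils.setSecuredConfiguration(conf);

    // if we drop support for hadoop-2.4.0 and hadoop-2.4.1,
    // the following key should be changed.
    // 1) DFS_NAMENODE_USER_NAME_KEY -> DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY
    // 2) DFS_DATANODE_USER_NAME_KEY -> DFS_DATANODE_KERBEROS_PRINCIPAL_KEY
    conf.set(DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY, spnegoServerPrincipal);
    conf.set(DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY, serverKeytabPath);
    conf.set(DFSConfigKeys.DFS_DATANODE_USER_NAME_KEY, spnegoServerPrincipal);
    conf.set(DFSConfigKeys.DFS_DATANODE_KEYTAB_FILE_KEY, serverKeytabPath);

    conf.setBoolean(DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true);

    conf.set(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, spnegoServerPrincipal);
    conf.set(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_KEYTAB_KEY, serverKeytabPath);

    // Test-only switch; by its name it lets the secure mini-cluster daemons use
    // non-privileged ports.
    conf.setBoolean("ignore.secure.ports.for.testing", true);

    // Thrift over HTTP with doAs impersonation enabled. The wildcard proxyuser rules are
    // test-only: they let the HTTP principal impersonate any user from any host so the
    // impersonation path is exercised. A real deployment scopes these to specific
    // hosts and groups.
    conf.setBoolean(ThriftServerRunner.THRIFT_SUPPORT_PROXYUSER_KEY, true);
    conf.setBoolean(ThriftServerRunner.USE_HTTP_CONF_KEY, true);
    conf.set("hadoop.proxyuser.HTTP.hosts", "*");
    conf.set("hadoop.proxyuser.HTTP.groups", "*");

    // The fallback under test: only the generic Thrift Kerberos keys are set, never the
    // SPNEGO-specific ones.
    conf.set(ThriftServerRunner.THRIFT_KERBEROS_PRINCIPAL_KEY, spnegoServerPrincipal);
    conf.set(ThriftServerRunner.THRIFT_KEYTAB_FILE_KEY, serverKeytabPath);
  }

  /**
   * Starts the mini KDC, creates the client and server principals with their keytabs,
   * wires the secure configuration into {@code TEST_UTIL} and then delegates to the
   * parent class to start the Thrift HTTP server.
   * <p>
   * A static method with this name shadows the parent's {@code @BeforeClass} method,
   * which is why the parent setup is invoked explicitly at the end.
   *
   * @throws IllegalStateException if the keytab directory cannot be created
   * @throws Exception if the KDC, principals or server cannot be set up
   */
  @BeforeClass
  public static void setUpBeforeClass() throws Exception {
    kdc = buildMiniKdc();
    kdc.start();

    File keytabDir = Paths.get(TEST_UTIL.getRandomDir().toString()).toAbsolutePath().toFile();
    if (!keytabDir.mkdirs() && !keytabDir.isDirectory()) {
      throw new IllegalStateException("Could not create keytab directory " + keytabDir);
    }

    final String realm = kdc.getKdcConfig().getKdcRealm();

    clientPrincipal = "client@" + realm;
    clientKeytab = new File(keytabDir, clientPrincipal + ".keytab");
    kdc.createAndExportPrincipals(clientKeytab, clientPrincipal);

    serverPrincipal = "hbase/" + HConstants.LOCALHOST + "@" + realm;
    // '/' is the path separator, so it cannot appear in the keytab file name.
    serverKeytab = new File(keytabDir, serverPrincipal.replace('/', '_') + ".keytab");

    spnegoServerPrincipal = "HTTP/" + HConstants.LOCALHOST + "@" + realm;
    // Both the service principal and the SPNEGO principal are exported into the same
    // server keytab.
    kdc.createAndExportPrincipals(serverKeytab, serverPrincipal, spnegoServerPrincipal);

    TEST_UTIL.getConfiguration().setBoolean(ThriftServerRunner.USE_HTTP_CONF_KEY, true);
    addSecurityConfigurations(TEST_UTIL.getConfiguration());

    TestThriftHttpServer.setUpBeforeClass();
  }

  /**
   * Tears down the Thrift server via the parent class and then stops the mini KDC.
   * <p>
   * The KDC shutdown runs in a {@code finally} block so that a failure in the parent
   * teardown does not leave the KDC process and its port behind for later tests.
   *
   * @throws Exception if the parent teardown fails (the KDC is still stopped)
   */
  @AfterClass
  public static void tearDownAfterClass() throws Exception {
    try {
      TestThriftHttpServer.tearDownAfterClass();
    } finally {
      stopKdc();
    }
  }

  /** Best-effort stop of the mini KDC; failures are logged, never propagated. */
  private static void stopKdc() {
    if (kdc == null) {
      return;
    }
    try {
      kdc.stop();
      kdc = null;
    } catch (Exception e) {
      LOG.info("Failed to stop mini KDC", e);
    }
  }

  /**
   * Exercises the Thrift API over an HTTP connection authenticated with SPNEGO.
   *
   * @param url the Thrift HTTP endpoint
   * @param customHeaderSize if positive, the length of an artificial {@code User-Agent}
   *                         header sent with each request (presumably to probe the
   *                         server's header-size handling)
   * @throws Exception if the connection or any Thrift call fails
   */
  @Override
  protected void talkToThriftServer(String url, int customHeaderSize) throws Exception {
    // Both the HTTP client and the Thrift transport are closed on every exit path.
    try (CloseableHttpClient httpClient = createHttpClient();
        THttpClient tHttpClient = new THttpClient(url, httpClient)) {
      tHttpClient.open();
      if (customHeaderSize > 0) {
        tHttpClient.setCustomHeader(HttpHeaders.USER_AGENT, padding(customHeaderSize));
      }

      Hbase.Client client = new Hbase.Client(new TBinaryProtocol(tHttpClient));
      TestThriftServer.createTestTables(client);
      TestThriftServer.checkTableList(client);
      TestThriftServer.dropTestTables(client);
    }
  }

  /**
   * Builds a filler string of the given length.
   *
   * @param length number of characters; non-positive yields the empty string
   * @return {@code length} repetitions of {@code 'a'}
   */
  private static String padding(int length) {
    StringBuilder sb = new StringBuilder(Math.max(length, 0));
    for (int i = 0; i < length; i++) {
      sb.append('a');
    }
    return sb.toString();
  }

  /**
   * Logs the client principal in from its keytab and builds an HTTP client that
   * authenticates to the server with SPNEGO (Kerberos) using that identity.
   *
   * @return a client whose requests carry SPNEGO credentials for {@code clientPrincipal}
   * @throws Exception on Kerberos login or GSS failure
   */
  private CloseableHttpClient createHttpClient() throws Exception {
    final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(clientPrincipal, clientKeytab);
    final Set<Principal> clientPrincipals = clientSubject.getPrincipals();
    assertFalse("Found no client principals in the clientSubject.", clientPrincipals.isEmpty());

    // The login must have produced at least one TGT. There may be several (one per
    // encryption type); only their existence is checked here.
    Set<KerberosTicket> privateCredentials =
        clientSubject.getPrivateCredentials(KerberosTicket.class);
    assertFalse("Found no private credentials in the clientSubject.",
        privateCredentials.isEmpty());
    KerberosTicket tgt = privateCredentials.iterator().next();
    assertNotNull("No kerberos ticket found.", tgt);

    final String clientPrincipalName = clientPrincipals.iterator().next().getName();

    // The GSS credential is acquired while running as the logged-in subject so that the
    // Kerberos mechanism can pick up the TGT from the subject's private credentials.
    return Subject.doAs(clientSubject, new PrivilegedExceptionAction<CloseableHttpClient>() {
      @Override
      public CloseableHttpClient run() throws Exception {
        GSSManager gssManager = GSSManager.getInstance();
        GSSName gssClient = gssManager.createName(clientPrincipalName, GSSName.NT_USER_NAME);
        // INITIATE_ONLY: the client only ever starts the SPNEGO exchange, never accepts one.
        GSSCredential credential = gssManager.createCredential(gssClient,
            GSSCredential.DEFAULT_LIFETIME, new Oid(KRB5_MECH_OID), GSSCredential.INITIATE_ONLY);

        Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider>create()
            .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true))
            .build();

        BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential));

        return HttpClients.custom()
            .setDefaultAuthSchemeRegistry(authRegistry)
            .setDefaultCredentialsProvider(credentialsProvider)
            .build();
      }
    });
  }
}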