001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.ipc;
019
020import org.apache.hbase.thirdparty.io.netty.util.HashedWheelTimer;
021import org.apache.hbase.thirdparty.io.netty.util.Timeout;
022import org.apache.hbase.thirdparty.io.netty.util.TimerTask;
023
024import java.io.IOException;
025import java.net.UnknownHostException;
026import java.util.concurrent.TimeUnit;
027
028import org.apache.hadoop.conf.Configuration;
029import org.apache.hadoop.hbase.HConstants;
030import org.apache.yetus.audience.InterfaceAudience;
031import org.slf4j.Logger;
032import org.slf4j.LoggerFactory;
033import org.apache.hadoop.hbase.codec.Codec;
034import org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos;
035import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
036import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.ConnectionHeader;
037import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.UserInformation;
038import org.apache.hadoop.hbase.security.AuthMethod;
039import org.apache.hadoop.hbase.security.SecurityInfo;
040import org.apache.hadoop.hbase.util.EnvironmentEdgeManager;
041import org.apache.hadoop.io.Text;
042import org.apache.hadoop.io.compress.CompressionCodec;
043import org.apache.hadoop.security.SecurityUtil;
044import org.apache.hadoop.security.UserGroupInformation;
045import org.apache.hadoop.security.token.Token;
046import org.apache.hadoop.security.token.TokenIdentifier;
047import org.apache.hadoop.security.token.TokenSelector;
048
049/**
050 * Base class for ipc connection.
051 */
052@InterfaceAudience.Private
053abstract class RpcConnection {
054
055  private static final Logger LOG = LoggerFactory.getLogger(RpcConnection.class);
056
057  protected final ConnectionId remoteId;
058
059  protected final AuthMethod authMethod;
060
061  protected final boolean useSasl;
062
063  protected final Token<? extends TokenIdentifier> token;
064
065  protected final String serverPrincipal; // server's krb5 principal name
066
067  protected final int reloginMaxBackoff; // max pause before relogin on sasl failure
068
069  protected final Codec codec;
070
071  protected final CompressionCodec compressor;
072
073  protected final HashedWheelTimer timeoutTimer;
074
075  protected final Configuration conf;
076
077  protected static String CRYPTO_AES_ENABLED_KEY = "hbase.rpc.crypto.encryption.aes.enabled";
078
079  protected static boolean CRYPTO_AES_ENABLED_DEFAULT = false;
080
081  // the last time we were picked up from connection pool.
082  protected long lastTouched;
083
084  protected RpcConnection(Configuration conf, HashedWheelTimer timeoutTimer, ConnectionId remoteId,
085      String clusterId, boolean isSecurityEnabled, Codec codec, CompressionCodec compressor)
086      throws IOException {
087    if (remoteId.getAddress().isUnresolved()) {
088      throw new UnknownHostException("unknown host: " + remoteId.getAddress().getHostName());
089    }
090    this.timeoutTimer = timeoutTimer;
091    this.codec = codec;
092    this.compressor = compressor;
093    this.conf = conf;
094
095    UserGroupInformation ticket = remoteId.getTicket().getUGI();
096    SecurityInfo securityInfo = SecurityInfo.getInfo(remoteId.getServiceName());
097    this.useSasl = isSecurityEnabled;
098    Token<? extends TokenIdentifier> token = null;
099    String serverPrincipal = null;
100    if (useSasl && securityInfo != null) {
101      AuthenticationProtos.TokenIdentifier.Kind tokenKind = securityInfo.getTokenKind();
102      if (tokenKind != null) {
103        TokenSelector<? extends TokenIdentifier> tokenSelector = AbstractRpcClient.TOKEN_HANDLERS
104            .get(tokenKind);
105        if (tokenSelector != null) {
106          token = tokenSelector.selectToken(new Text(clusterId), ticket.getTokens());
107        } else if (LOG.isDebugEnabled()) {
108          LOG.debug("No token selector found for type " + tokenKind);
109        }
110      }
111      String serverKey = securityInfo.getServerPrincipal();
112      if (serverKey == null) {
113        throw new IOException("Can't obtain server Kerberos config key from SecurityInfo");
114      }
115      serverPrincipal = SecurityUtil.getServerPrincipal(conf.get(serverKey),
116        remoteId.address.getAddress().getCanonicalHostName().toLowerCase());
117      if (LOG.isDebugEnabled()) {
118        LOG.debug("RPC Server Kerberos principal name for service=" + remoteId.getServiceName()
119            + " is " + serverPrincipal);
120      }
121    }
122    this.token = token;
123    this.serverPrincipal = serverPrincipal;
124    if (!useSasl) {
125      authMethod = AuthMethod.SIMPLE;
126    } else if (token != null) {
127      authMethod = AuthMethod.DIGEST;
128    } else {
129      authMethod = AuthMethod.KERBEROS;
130    }
131
132    // Log if debug AND non-default auth, else if trace enabled.
133    // No point logging obvious.
134    if ((LOG.isDebugEnabled() && !authMethod.equals(AuthMethod.SIMPLE)) ||
135        LOG.isTraceEnabled()) {
136      // Only log if not default auth.
137      LOG.debug("Use " + authMethod + " authentication for service " + remoteId.serviceName
138          + ", sasl=" + useSasl);
139    }
140    reloginMaxBackoff = conf.getInt("hbase.security.relogin.maxbackoff", 5000);
141    this.remoteId = remoteId;
142  }
143
144  private UserInformation getUserInfo(UserGroupInformation ugi) {
145    if (ugi == null || authMethod == AuthMethod.DIGEST) {
146      // Don't send user for token auth
147      return null;
148    }
149    UserInformation.Builder userInfoPB = UserInformation.newBuilder();
150    if (authMethod == AuthMethod.KERBEROS) {
151      // Send effective user for Kerberos auth
152      userInfoPB.setEffectiveUser(ugi.getUserName());
153    } else if (authMethod == AuthMethod.SIMPLE) {
154      // Send both effective user and real user for simple auth
155      userInfoPB.setEffectiveUser(ugi.getUserName());
156      if (ugi.getRealUser() != null) {
157        userInfoPB.setRealUser(ugi.getRealUser().getUserName());
158      }
159    }
160    return userInfoPB.build();
161  }
162
163  protected UserGroupInformation getUGI() {
164    UserGroupInformation ticket = remoteId.getTicket().getUGI();
165    if (authMethod == AuthMethod.KERBEROS) {
166      if (ticket != null && ticket.getRealUser() != null) {
167        ticket = ticket.getRealUser();
168      }
169    }
170    return ticket;
171  }
172
173  protected boolean shouldAuthenticateOverKrb() throws IOException {
174    UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
175    UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
176    UserGroupInformation realUser = currentUser.getRealUser();
177    return authMethod == AuthMethod.KERBEROS && loginUser != null &&
178    // Make sure user logged in using Kerberos either keytab or TGT
179        loginUser.hasKerberosCredentials() &&
180        // relogin only in case it is the login user (e.g. JT)
181        // or superuser (like oozie).
182        (loginUser.equals(currentUser) || loginUser.equals(realUser));
183  }
184
185  protected void relogin() throws IOException {
186    if (UserGroupInformation.isLoginKeytabBased()) {
187      UserGroupInformation.getLoginUser().reloginFromKeytab();
188    } else {
189      UserGroupInformation.getLoginUser().reloginFromTicketCache();
190    }
191  }
192
193  protected void scheduleTimeoutTask(final Call call) {
194    if (call.timeout > 0) {
195      call.timeoutTask = timeoutTimer.newTimeout(new TimerTask() {
196
197        @Override
198        public void run(Timeout timeout) throws Exception {
199          call.setTimeout(new CallTimeoutException(call.toShortString() + ", waitTime="
200              + (EnvironmentEdgeManager.currentTime() - call.getStartTime()) + ", rpcTimeout="
201              + call.timeout));
202          callTimeout(call);
203        }
204      }, call.timeout, TimeUnit.MILLISECONDS);
205    }
206  }
207
208  protected byte[] getConnectionHeaderPreamble() {
209    // Assemble the preamble up in a buffer first and then send it. Writing individual elements,
210    // they are getting sent across piecemeal according to wireshark and then server is messing
211    // up the reading on occasion (the passed in stream is not buffered yet).
212
213    // Preamble is six bytes -- 'HBas' + VERSION + AUTH_CODE
214    int rpcHeaderLen = HConstants.RPC_HEADER.length;
215    byte[] preamble = new byte[rpcHeaderLen + 2];
216    System.arraycopy(HConstants.RPC_HEADER, 0, preamble, 0, rpcHeaderLen);
217    preamble[rpcHeaderLen] = HConstants.RPC_CURRENT_VERSION;
218    synchronized (this) {
219      preamble[rpcHeaderLen + 1] = authMethod.code;
220    }
221    return preamble;
222  }
223
224  protected ConnectionHeader getConnectionHeader() {
225    ConnectionHeader.Builder builder = ConnectionHeader.newBuilder();
226    builder.setServiceName(remoteId.getServiceName());
227    UserInformation userInfoPB;
228    if ((userInfoPB = getUserInfo(remoteId.ticket.getUGI())) != null) {
229      builder.setUserInfo(userInfoPB);
230    }
231    if (this.codec != null) {
232      builder.setCellBlockCodecClass(this.codec.getClass().getCanonicalName());
233    }
234    if (this.compressor != null) {
235      builder.setCellBlockCompressorClass(this.compressor.getClass().getCanonicalName());
236    }
237    builder.setVersionInfo(ProtobufUtil.getVersionInfo());
238    boolean isCryptoAESEnable = conf.getBoolean(CRYPTO_AES_ENABLED_KEY, CRYPTO_AES_ENABLED_DEFAULT);
239    // if Crypto AES enable, setup Cipher transformation
240    if (isCryptoAESEnable) {
241      builder.setRpcCryptoCipherTransformation(
242          conf.get("hbase.rpc.crypto.encryption.aes.cipher.transform", "AES/CTR/NoPadding"));
243    }
244    return builder.build();
245  }
246
247  protected abstract void callTimeout(Call call);
248
249  public ConnectionId remoteId() {
250    return remoteId;
251  }
252
253  public long getLastTouched() {
254    return lastTouched;
255  }
256
257  public void setLastTouched(long lastTouched) {
258    this.lastTouched = lastTouched;
259  }
260
261  /**
262   * Tell the idle connection sweeper whether we could be swept.
263   */
264  public abstract boolean isActive();
265
266  /**
267   * Just close connection. Do not need to remove from connection pool.
268   */
269  public abstract void shutdown();
270
271  public abstract void sendRequest(Call call, HBaseRpcController hrc) throws IOException;
272
273  /**
274   * Does the clean up work after the connection is removed from the connection pool
275   */
276  public abstract void cleanupConnection();
277}