Source code

001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.thrift;
019
020import static org.apache.hadoop.hbase.thrift.Constants.THRIFT_SUPPORT_PROXYUSER_KEY;
021import static org.junit.Assert.assertFalse;
022import static org.junit.Assert.assertNotNull;
023
024import java.io.File;
025import java.nio.file.Paths;
026import java.security.Principal;
027import java.security.PrivilegedExceptionAction;
028import java.util.Set;
029
030import javax.security.auth.Subject;
031import javax.security.auth.kerberos.KerberosTicket;
032
033import org.apache.hadoop.conf.Configuration;
034import org.apache.hadoop.hbase.HBaseClassTestRule;
035import org.apache.hadoop.hbase.HBaseTestingUtility;
036import org.apache.hadoop.hbase.HConstants;
037import org.apache.hadoop.hbase.security.HBaseKerberosUtils;
038import org.apache.hadoop.hbase.testclassification.ClientTests;
039import org.apache.hadoop.hbase.testclassification.LargeTests;
040import org.apache.hadoop.hbase.thrift.generated.Hbase;
041import org.apache.hadoop.security.authentication.util.KerberosName;
042import org.apache.http.HttpHeaders;
043import org.apache.http.auth.AuthSchemeProvider;
044import org.apache.http.auth.AuthScope;
045import org.apache.http.auth.KerberosCredentials;
046import org.apache.http.client.config.AuthSchemes;
047import org.apache.http.config.Lookup;
048import org.apache.http.config.RegistryBuilder;
049import org.apache.http.impl.auth.SPNegoSchemeFactory;
050import org.apache.http.impl.client.BasicCredentialsProvider;
051import org.apache.http.impl.client.CloseableHttpClient;
052import org.apache.http.impl.client.HttpClients;
053import org.apache.kerby.kerberos.kerb.client.JaasKrbUtil;
054import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;
055import org.apache.thrift.protocol.TBinaryProtocol;
056import org.apache.thrift.protocol.TProtocol;
057import org.apache.thrift.transport.THttpClient;
058import org.ietf.jgss.GSSCredential;
059import org.ietf.jgss.GSSManager;
060import org.ietf.jgss.GSSName;
061import org.ietf.jgss.Oid;
062import org.junit.AfterClass;
063import org.junit.BeforeClass;
064import org.junit.ClassRule;
065import org.junit.experimental.categories.Category;
066import org.slf4j.Logger;
067import org.slf4j.LoggerFactory;
068
069/**
070 * Start the HBase Thrift HTTP server on a random port through the command-line
071 * interface and talk to it from client side with SPNEGO security enabled.
072 */
073@Category({ClientTests.class, LargeTests.class})
074public class TestThriftSpnegoHttpServer extends TestThriftHttpServer {
075  @ClassRule
076  public static final HBaseClassTestRule CLASS_RULE =
077    HBaseClassTestRule.forClass(TestThriftSpnegoHttpServer.class);
078
079  private static final Logger LOG =
080    LoggerFactory.getLogger(TestThriftSpnegoHttpServer.class);
081
082  private static SimpleKdcServer kdc;
083  private static File serverKeytab;
084  private static File spnegoServerKeytab;
085  private static File clientKeytab;
086
087  private static String clientPrincipal;
088  private static String serverPrincipal;
089  private static String spnegoServerPrincipal;
090
091  private static SimpleKdcServer buildMiniKdc() throws Exception {
092    SimpleKdcServer kdc = new SimpleKdcServer();
093
094    File kdcDir = Paths.get(TEST_UTIL.getRandomDir().toString()).toAbsolutePath().toFile();
095    kdcDir.mkdirs();
096    kdc.setWorkDir(kdcDir);
097
098    kdc.setKdcHost(HConstants.LOCALHOST);
099    int kdcPort = HBaseTestingUtility.randomFreePort();
100    kdc.setAllowTcp(true);
101    kdc.setAllowUdp(false);
102    kdc.setKdcTcpPort(kdcPort);
103
104    LOG.info("Starting KDC server at " + HConstants.LOCALHOST + ":" + kdcPort);
105
106    kdc.init();
107
108    return kdc;
109  }
110
111  private static void addSecurityConfigurations(Configuration conf) {
112    KerberosName.setRules("DEFAULT");
113
114    HBaseKerberosUtils.setKeytabFileForTesting(serverKeytab.getAbsolutePath());
115
116    conf.setBoolean(THRIFT_SUPPORT_PROXYUSER_KEY, true);
117    conf.setBoolean(Constants.USE_HTTP_CONF_KEY, true);
118
119    conf.set(Constants.THRIFT_KERBEROS_PRINCIPAL_KEY, serverPrincipal);
120    conf.set(Constants.THRIFT_KEYTAB_FILE_KEY, serverKeytab.getAbsolutePath());
121
122    HBaseKerberosUtils.setSecuredConfiguration(conf, serverPrincipal, spnegoServerPrincipal);
123    conf.set("hadoop.proxyuser.hbase.hosts", "*");
124    conf.set("hadoop.proxyuser.hbase.groups", "*");
125    conf.set(Constants.THRIFT_SPNEGO_PRINCIPAL_KEY, spnegoServerPrincipal);
126    conf.set(Constants.THRIFT_SPNEGO_KEYTAB_FILE_KEY, spnegoServerKeytab.getAbsolutePath());
127  }
128
129  @BeforeClass
130  public static void setUpBeforeClass() throws Exception {
131    kdc = buildMiniKdc();
132    kdc.start();
133
134    File keytabDir = Paths.get(TEST_UTIL.getRandomDir().toString()).toAbsolutePath().toFile();
135    keytabDir.mkdirs();
136
137    clientPrincipal = "client@" + kdc.getKdcConfig().getKdcRealm();
138    clientKeytab = new File(keytabDir, clientPrincipal + ".keytab");
139    kdc.createAndExportPrincipals(clientKeytab, clientPrincipal);
140
141    serverPrincipal = "hbase/" + HConstants.LOCALHOST + "@" + kdc.getKdcConfig().getKdcRealm();
142    serverKeytab = new File(keytabDir, serverPrincipal.replace('/', '_') + ".keytab");
143
144    // Setup separate SPNEGO keytab
145    spnegoServerPrincipal = "HTTP/" + HConstants.LOCALHOST + "@" + kdc.getKdcConfig().getKdcRealm();
146    spnegoServerKeytab = new File(keytabDir, spnegoServerPrincipal.replace('/', '_') + ".keytab");
147    kdc.createAndExportPrincipals(spnegoServerKeytab, spnegoServerPrincipal);
148    kdc.createAndExportPrincipals(serverKeytab, serverPrincipal);
149
150    TEST_UTIL.getConfiguration().setBoolean(Constants.USE_HTTP_CONF_KEY, true);
151    addSecurityConfigurations(TEST_UTIL.getConfiguration());
152
153    TestThriftHttpServer.setUpBeforeClass();
154  }
155
156  @AfterClass
157  public static void tearDownAfterClass() throws Exception {
158    TestThriftHttpServer.tearDownAfterClass();
159
160    try {
161      if (null != kdc) {
162        kdc.stop();
163        kdc = null;
164      }
165    } catch (Exception e) {
166      LOG.info("Failed to stop mini KDC", e);
167    }
168  }
169
170  @Override
171  protected void talkToThriftServer(String url, int customHeaderSize) throws Exception {
172    // Close httpClient and THttpClient automatically on any failures
173    try (
174        CloseableHttpClient httpClient = createHttpClient();
175        THttpClient tHttpClient = new THttpClient(url, httpClient)
176    ) {
177      tHttpClient.open();
178      if (customHeaderSize > 0) {
179        StringBuilder sb = new StringBuilder();
180        for (int i = 0; i < customHeaderSize; i++) {
181          sb.append("a");
182        }
183        tHttpClient.setCustomHeader(HttpHeaders.USER_AGENT, sb.toString());
184      }
185
186      TProtocol prot = new TBinaryProtocol(tHttpClient);
187      Hbase.Client client = new Hbase.Client(prot);
188      TestThriftServer.createTestTables(client);
189      TestThriftServer.checkTableList(client);
190      TestThriftServer.dropTestTables(client);
191    }
192  }
193
194  private CloseableHttpClient createHttpClient() throws Exception {
195    final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(clientPrincipal, clientKeytab);
196    final Set<Principal> clientPrincipals = clientSubject.getPrincipals();
197    // Make sure the subject has a principal
198    assertFalse("Found no client principals in the clientSubject.",
199      clientPrincipals.isEmpty());
200
201    // Get a TGT for the subject (might have many, different encryption types). The first should
202    // be the default encryption type.
203    Set<KerberosTicket> privateCredentials =
204        clientSubject.getPrivateCredentials(KerberosTicket.class);
205    assertFalse("Found no private credentials in the clientSubject.",
206      privateCredentials.isEmpty());
207    KerberosTicket tgt = privateCredentials.iterator().next();
208    assertNotNull("No kerberos ticket found.", tgt);
209
210    // The name of the principal
211    final String clientPrincipalName = clientPrincipals.iterator().next().getName();
212
213    return Subject.doAs(clientSubject, (PrivilegedExceptionAction<CloseableHttpClient>) () -> {
214      // Logs in with Kerberos via GSS
215      GSSManager gssManager = GSSManager.getInstance();
216      // jGSS Kerberos login constant
217      Oid oid = new Oid("1.2.840.113554.1.2.2");
218      GSSName gssClient = gssManager.createName(clientPrincipalName, GSSName.NT_USER_NAME);
219      GSSCredential credential = gssManager.createCredential(gssClient,
220          GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY);
221
222      Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider>create()
223          .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true))
224          .build();
225
226      BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
227      credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential));
228
229      return HttpClients.custom()
230          .setDefaultAuthSchemeRegistry(authRegistry)
231          .setDefaultCredentialsProvider(credentialsProvider)
232          .build();
233    });
234  }
235}