001/** 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.http; 019 020import java.io.IOException; 021import java.net.URI; 022 023import javax.servlet.ServletContext; 024import javax.servlet.http.HttpServlet; 025import javax.servlet.http.HttpServletRequest; 026 027import org.apache.hadoop.conf.Configuration; 028import org.apache.hadoop.fs.CommonConfigurationKeys; 029import org.apache.hadoop.hbase.HBaseConfiguration; 030import org.apache.hadoop.security.authorize.AccessControlList; 031import org.apache.yetus.audience.InterfaceAudience; 032 033/** 034 * Create a Jetty embedded server to answer http requests. The primary goal 035 * is to serve up status information for the server. 036 * There are three contexts: 037 * "/stacks/" -> points to stack trace 038 * "/static/" -> points to common static files (src/hbase-webapps/static) 039 * "/" -> the jsp server code from (src/hbase-webapps/<name>) 040 */ 041@InterfaceAudience.Private 042public class InfoServer { 043 private static final String HBASE_APP_DIR = "hbase-webapps"; 044 private final org.apache.hadoop.hbase.http.HttpServer httpServer; 045 046 /** 047 * Create a status server on the given port. 048 * The jsp scripts are taken from src/hbase-webapps/<code>name</code>. 049 * @param name The name of the server 050 * @param bindAddress address to bind to 051 * @param port The port to use on the server 052 * @param findPort whether the server should start at the given port and increment by 1 until it 053 * finds a free port. 054 * @param c the {@link Configuration} to build the server 055 * @throws IOException if getting one of the password fails or the server cannot be created 056 */ 057 public InfoServer(String name, String bindAddress, int port, boolean findPort, 058 final Configuration c) throws IOException { 059 HttpConfig httpConfig = new HttpConfig(c); 060 HttpServer.Builder builder = 061 new org.apache.hadoop.hbase.http.HttpServer.Builder(); 062 063 builder.setName(name).addEndpoint(URI.create(httpConfig.getSchemePrefix() + 064 bindAddress + ":" + 065 port)).setAppDir(HBASE_APP_DIR).setFindPort(findPort).setConf(c); 066 String logDir = System.getProperty("hbase.log.dir"); 067 if (logDir != null) { 068 builder.setLogDir(logDir); 069 } 070 if (httpConfig.isSecure()) { 071 builder.keyPassword(HBaseConfiguration 072 .getPassword(c, "ssl.server.keystore.keypassword", null)) 073 .keyStore(c.get("ssl.server.keystore.location"), 074 HBaseConfiguration.getPassword(c,"ssl.server.keystore.password", null), 075 c.get("ssl.server.keystore.type", "jks")) 076 .trustStore(c.get("ssl.server.truststore.location"), 077 HBaseConfiguration.getPassword(c, "ssl.server.truststore.password", null), 078 c.get("ssl.server.truststore.type", "jks")); 079 } 080 // Enable SPNEGO authentication 081 if ("kerberos".equalsIgnoreCase(c.get(HttpServer.HTTP_UI_AUTHENTICATION, null))) { 082 builder.setUsernameConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY) 083 .setKeytabConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY) 084 .setKerberosNameRulesKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KRB_NAME_KEY) 085 .setSignatureSecretFileKey( 086 HttpServer.HTTP_AUTHENTICATION_SIGNATURE_SECRET_FILE_KEY) 087 .setSecurityEnabled(true); 088 089 // Set an admin ACL on sensitive webUI endpoints 090 AccessControlList acl = buildAdminAcl(c); 091 builder.setACL(acl); 092 } 093 this.httpServer = builder.build(); 094 } 095 096 /** 097 * Builds an ACL that will restrict the users who can issue commands to endpoints on the UI 098 * which are meant only for administrators. 099 */ 100 AccessControlList buildAdminAcl(Configuration conf) { 101 final String userGroups = conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, null); 102 final String adminGroups = conf.get( 103 HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_GROUPS_KEY, null); 104 if (userGroups == null && adminGroups == null) { 105 // Backwards compatibility - if the user doesn't have anything set, allow all users in. 106 return new AccessControlList("*", null); 107 } 108 return new AccessControlList(userGroups, adminGroups); 109 } 110 111 /** 112 * Explicitly invoke {@link #addPrivilegedServlet(String, String, Class)} or 113 * {@link #addUnprivilegedServlet(String, String, Class)} instead of this method. 114 * This method will add a servlet which any authenticated user can access. 115 * 116 * @deprecated Use {@link #addUnprivilegedServlet(String, String, Class)} or 117 * {@link #addPrivilegedServlet(String, String, Class)} instead of this 118 * method which does not state outwardly what kind of authz rules will 119 * be applied to this servlet. 120 */ 121 @Deprecated 122 public void addServlet(String name, String pathSpec, 123 Class<? extends HttpServlet> clazz) { 124 addUnprivilegedServlet(name, pathSpec, clazz); 125 } 126 127 /** 128 * @see HttpServer#addUnprivilegedServlet(String, String, Class) 129 */ 130 public void addUnprivilegedServlet(String name, String pathSpec, 131 Class<? extends HttpServlet> clazz) { 132 this.httpServer.addUnprivilegedServlet(name, pathSpec, clazz); 133 } 134 135 /** 136 * @see HttpServer#addPrivilegedServlet(String, String, Class) 137 */ 138 public void addPrivilegedServlet(String name, String pathSpec, 139 Class<? extends HttpServlet> clazz) { 140 this.httpServer.addPrivilegedServlet(name, pathSpec, clazz); 141 } 142 143 public void setAttribute(String name, Object value) { 144 this.httpServer.setAttribute(name, value); 145 } 146 147 public void start() throws IOException { 148 this.httpServer.start(); 149 } 150 151 /** 152 * @return the port of the info server 153 * @deprecated Since 0.99.0 154 */ 155 @Deprecated 156 public int getPort() { 157 return this.httpServer.getPort(); 158 } 159 160 public void stop() throws Exception { 161 this.httpServer.stop(); 162 } 163 164 165 /** 166 * Returns true if and only if UI authentication (spnego) is enabled, UI authorization is enabled, 167 * and the requesting user is defined as an administrator. If the UI is set to readonly, this 168 * method always returns false. 169 */ 170 public static boolean canUserModifyUI( 171 HttpServletRequest req, ServletContext ctx, Configuration conf) { 172 if (conf.getBoolean("hbase.master.ui.readonly", false)) { 173 return false; 174 } 175 String remoteUser = req.getRemoteUser(); 176 if ("kerberos".equalsIgnoreCase(conf.get(HttpServer.HTTP_UI_AUTHENTICATION)) && 177 conf.getBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false) && 178 remoteUser != null) { 179 return HttpServer.userHasAdministratorAccess(ctx, remoteUser); 180 } 181 return false; 182 } 183}