001/** 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.http; 019 020import java.io.File; 021import java.net.HttpURLConnection; 022import java.net.URL; 023import java.security.Principal; 024import java.security.PrivilegedExceptionAction; 025import java.util.Set; 026 027import javax.security.auth.Subject; 028import javax.security.auth.kerberos.KerberosTicket; 029 030import org.apache.hadoop.conf.Configuration; 031import org.apache.hadoop.hbase.HBaseClassTestRule; 032import org.apache.hadoop.hbase.HBaseCommonTestingUtility; 033import org.apache.hadoop.hbase.http.TestHttpServer.EchoServlet; 034import org.apache.hadoop.hbase.http.resource.JerseyResource; 035import org.apache.hadoop.hbase.testclassification.MiscTests; 036import org.apache.hadoop.hbase.testclassification.SmallTests; 037import org.apache.hadoop.hbase.util.SimpleKdcServerUtil; 038import org.apache.hadoop.security.authentication.util.KerberosName; 039import org.apache.hadoop.security.authorize.AccessControlList; 040import org.apache.http.HttpHost; 041import org.apache.http.HttpResponse; 042import org.apache.http.auth.AuthSchemeProvider; 043import org.apache.http.auth.AuthScope; 044import org.apache.http.auth.KerberosCredentials; 045import org.apache.http.client.HttpClient; 046import org.apache.http.client.config.AuthSchemes; 047import org.apache.http.client.methods.HttpGet; 048import org.apache.http.client.protocol.HttpClientContext; 049import org.apache.http.config.Lookup; 050import org.apache.http.config.RegistryBuilder; 051import org.apache.http.impl.auth.SPNegoSchemeFactory; 052import org.apache.http.impl.client.BasicCredentialsProvider; 053import org.apache.http.impl.client.HttpClients; 054import org.apache.http.util.EntityUtils; 055import org.apache.kerby.kerberos.kerb.KrbException; 056import org.apache.kerby.kerberos.kerb.client.JaasKrbUtil; 057import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer; 058import org.ietf.jgss.GSSCredential; 059import org.ietf.jgss.GSSManager; 060import org.ietf.jgss.GSSName; 061import org.ietf.jgss.Oid; 062import org.junit.AfterClass; 063import org.junit.BeforeClass; 064import org.junit.ClassRule; 065import org.junit.Test; 066import org.junit.experimental.categories.Category; 067import org.slf4j.Logger; 068import org.slf4j.LoggerFactory; 069 070/** 071 * Test class for SPNEGO Proxyuser authentication on the HttpServer. Uses Kerby's MiniKDC and Apache 072 * HttpComponents to verify that the doas= mechanicsm works, and that the proxyuser settings are 073 * observed. 074 */ 075@Category({MiscTests.class, SmallTests.class}) 076public class TestProxyUserSpnegoHttpServer extends HttpServerFunctionalTest { 077 @ClassRule 078 public static final HBaseClassTestRule CLASS_RULE = 079 HBaseClassTestRule.forClass(TestProxyUserSpnegoHttpServer.class); 080 081 private static final Logger LOG = LoggerFactory.getLogger(TestProxyUserSpnegoHttpServer.class); 082 private static final String KDC_SERVER_HOST = "localhost"; 083 private static final String WHEEL_PRINCIPAL = "wheel"; 084 private static final String UNPRIVILEGED_PRINCIPAL = "unprivileged"; 085 private static final String PRIVILEGED_PRINCIPAL = "privileged"; 086 private static final String PRIVILEGED2_PRINCIPAL = "privileged2"; 087 088 private static HttpServer server; 089 private static URL baseUrl; 090 private static SimpleKdcServer kdc; 091 private static File infoServerKeytab; 092 private static File wheelKeytab; 093 private static File unprivilegedKeytab; 094 private static File privilegedKeytab; 095 private static File privileged2Keytab; 096 097 098 @BeforeClass 099 public static void setupServer() throws Exception { 100 Configuration conf = new Configuration(); 101 HBaseCommonTestingUtility htu = new HBaseCommonTestingUtility(conf); 102 103 final String serverPrincipal = "HTTP/" + KDC_SERVER_HOST; 104 105 kdc = SimpleKdcServerUtil.getRunningSimpleKdcServer(new File(htu.getDataTestDir().toString()), 106 HBaseCommonTestingUtility::randomFreePort); 107 File keytabDir = new File(htu.getDataTestDir("keytabs").toString()); 108 if (keytabDir.exists()) { 109 deleteRecursively(keytabDir); 110 } 111 keytabDir.mkdirs(); 112 113 infoServerKeytab = new File(keytabDir, serverPrincipal.replace('/', '_') + ".keytab"); 114 wheelKeytab = new File(keytabDir, WHEEL_PRINCIPAL + ".keytab"); 115 unprivilegedKeytab = new File(keytabDir, UNPRIVILEGED_PRINCIPAL + ".keytab"); 116 privilegedKeytab = new File(keytabDir, PRIVILEGED_PRINCIPAL + ".keytab"); 117 privileged2Keytab = new File(keytabDir, PRIVILEGED2_PRINCIPAL + ".keytab"); 118 119 setupUser(kdc, wheelKeytab, WHEEL_PRINCIPAL); 120 setupUser(kdc, unprivilegedKeytab, UNPRIVILEGED_PRINCIPAL); 121 setupUser(kdc, privilegedKeytab, PRIVILEGED_PRINCIPAL); 122 setupUser(kdc, privileged2Keytab, PRIVILEGED2_PRINCIPAL); 123 124 setupUser(kdc, infoServerKeytab, serverPrincipal); 125 126 buildSpnegoConfiguration(conf, serverPrincipal, infoServerKeytab); 127 AccessControlList acl = buildAdminAcl(conf); 128 129 server = createTestServerWithSecurityAndAcl(conf, acl); 130 server.addPrivilegedServlet("echo", "/echo", EchoServlet.class); 131 server.addJerseyResourcePackage(JerseyResource.class.getPackage().getName(), "/jersey/*"); 132 server.start(); 133 baseUrl = getServerURL(server); 134 135 LOG.info("HTTP server started: "+ baseUrl); 136 } 137 138 @AfterClass 139 public static void stopServer() throws Exception { 140 try { 141 if (null != server) { 142 server.stop(); 143 } 144 } catch (Exception e) { 145 LOG.info("Failed to stop info server", e); 146 } 147 try { 148 if (null != kdc) { 149 kdc.stop(); 150 } 151 } catch (Exception e) { 152 LOG.info("Failed to stop mini KDC", e); 153 } 154 } 155 156 private static void setupUser(SimpleKdcServer kdc, File keytab, String principal) 157 throws KrbException { 158 kdc.createPrincipal(principal); 159 kdc.exportPrincipal(principal, keytab); 160 } 161 162 163 protected static Configuration buildSpnegoConfiguration(Configuration conf, 164 String serverPrincipal, File serverKeytab) { 165 KerberosName.setRules("DEFAULT"); 166 167 conf.setInt(HttpServer.HTTP_MAX_THREADS, TestHttpServer.MAX_THREADS); 168 169 // Enable Kerberos (pre-req) 170 conf.set("hbase.security.authentication", "kerberos"); 171 conf.set(HttpServer.HTTP_UI_AUTHENTICATION, "kerberos"); 172 conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY, serverPrincipal); 173 conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY, serverKeytab.getAbsolutePath()); 174 175 conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, PRIVILEGED_PRINCIPAL); 176 conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PROXYUSER_ENABLE_KEY, "true"); 177 conf.set("hadoop.security.authorization", "true"); 178 179 conf.set("hadoop.proxyuser.wheel.hosts", "*"); 180 conf.set("hadoop.proxyuser.wheel.users", PRIVILEGED_PRINCIPAL + "," + UNPRIVILEGED_PRINCIPAL); 181 return conf; 182 } 183 184 /** 185 * Builds an ACL that will restrict the users who can issue commands to endpoints on the UI 186 * which are meant only for administrators. 187 */ 188 public static AccessControlList buildAdminAcl(Configuration conf) { 189 final String userGroups = conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, null); 190 final String adminGroups = conf.get( 191 HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_GROUPS_KEY, null); 192 if (userGroups == null && adminGroups == null) { 193 // Backwards compatibility - if the user doesn't have anything set, allow all users in. 194 return new AccessControlList("*", null); 195 } 196 return new AccessControlList(userGroups, adminGroups); 197 } 198 199 @Test 200 public void testProxyAllowed() throws Exception { 201 testProxy(WHEEL_PRINCIPAL, PRIVILEGED_PRINCIPAL, HttpURLConnection.HTTP_OK, null); 202 } 203 204 @Test 205 public void testProxyDisallowedForUnprivileged() throws Exception { 206 testProxy(WHEEL_PRINCIPAL, UNPRIVILEGED_PRINCIPAL, HttpURLConnection.HTTP_FORBIDDEN, "403 User unprivileged is unauthorized to access this page."); 207 } 208 209 @Test 210 public void testProxyDisallowedForNotSudoAble() throws Exception { 211 testProxy(WHEEL_PRINCIPAL, PRIVILEGED2_PRINCIPAL, HttpURLConnection.HTTP_FORBIDDEN, "403 Forbidden"); 212 } 213 214 public void testProxy(String clientPrincipal, String doAs, int responseCode, String statusLine) throws Exception { 215 // Create the subject for the client 216 final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(WHEEL_PRINCIPAL, wheelKeytab); 217 final Set<Principal> clientPrincipals = clientSubject.getPrincipals(); 218 // Make sure the subject has a principal 219 assertFalse(clientPrincipals.isEmpty()); 220 221 // Get a TGT for the subject (might have many, different encryption types). The first should 222 // be the default encryption type. 223 Set<KerberosTicket> privateCredentials = 224 clientSubject.getPrivateCredentials(KerberosTicket.class); 225 assertFalse(privateCredentials.isEmpty()); 226 KerberosTicket tgt = privateCredentials.iterator().next(); 227 assertNotNull(tgt); 228 229 // The name of the principal 230 final String principalName = clientPrincipals.iterator().next().getName(); 231 232 // Run this code, logged in as the subject (the client) 233 HttpResponse resp = Subject.doAs(clientSubject, new PrivilegedExceptionAction<HttpResponse>() { 234 @Override 235 public HttpResponse run() throws Exception { 236 // Logs in with Kerberos via GSS 237 GSSManager gssManager = GSSManager.getInstance(); 238 // jGSS Kerberos login constant 239 Oid oid = new Oid("1.2.840.113554.1.2.2"); 240 GSSName gssClient = gssManager.createName(principalName, GSSName.NT_USER_NAME); 241 GSSCredential credential = gssManager.createCredential(gssClient, 242 GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY); 243 244 HttpClientContext context = HttpClientContext.create(); 245 Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider>create() 246 .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true)) 247 .build(); 248 249 HttpClient client = HttpClients.custom().setDefaultAuthSchemeRegistry(authRegistry) 250 .build(); 251 BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider(); 252 credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential)); 253 254 URL url = new URL(getServerURL(server), "/echo?doAs=" + doAs + "&a=b"); 255 context.setTargetHost(new HttpHost(url.getHost(), url.getPort())); 256 context.setCredentialsProvider(credentialsProvider); 257 context.setAuthSchemeRegistry(authRegistry); 258 259 HttpGet get = new HttpGet(url.toURI()); 260 return client.execute(get, context); 261 } 262 }); 263 264 assertNotNull(resp); 265 assertEquals(responseCode, resp.getStatusLine().getStatusCode()); 266 if (responseCode == HttpURLConnection.HTTP_OK) { 267 assertTrue(EntityUtils.toString(resp.getEntity()).trim().contains("a:b")); 268 } else { 269 assertTrue(resp.getStatusLine().toString().contains(statusLine) || 270 EntityUtils.toString(resp.getEntity()).contains(statusLine)); 271 } 272 } 273 274}