001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.security.provider; 019 020import java.io.IOException; 021import java.net.InetAddress; 022import java.util.Map; 023import javax.security.sasl.SaslClient; 024import org.apache.hadoop.conf.Configuration; 025import org.apache.hadoop.hbase.HBaseInterfaceAudience; 026import org.apache.hadoop.hbase.security.SecurityInfo; 027import org.apache.hadoop.hbase.security.User; 028import org.apache.hadoop.security.UserGroupInformation; 029import org.apache.hadoop.security.token.Token; 030import org.apache.hadoop.security.token.TokenIdentifier; 031import org.apache.yetus.audience.InterfaceAudience; 032import org.apache.yetus.audience.InterfaceStability; 033 034import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.UserInformation; 035 036/** 037 * Encapsulation of client-side logic to authenticate to HBase via some means over SASL. 038 * Implementations should not directly implement this interface, but instead extend 039 * {@link AbstractSaslClientAuthenticationProvider}. Implementations of this interface must make an 040 * implementation of {@code hashCode()} which returns the same value across multiple instances of 041 * the provider implementation. 042 */ 043@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION) 044@InterfaceStability.Evolving 045public interface SaslClientAuthenticationProvider extends SaslAuthenticationProvider { 046 047 /** 048 * Creates the SASL client instance for this auth'n method. 049 */ 050 SaslClient createClient(Configuration conf, InetAddress serverAddr, SecurityInfo securityInfo, 051 Token<? extends TokenIdentifier> token, boolean fallbackAllowed, Map<String, String> saslProps) 052 throws IOException; 053 054 /** 055 * Constructs a {@link UserInformation} from the given {@link UserGroupInformation} 056 */ 057 UserInformation getUserInfo(User user); 058 059 /** 060 * Returns the "real" user, the user who has the credentials being authenticated by the remote 061 * service, in the form of an {@link UserGroupInformation} object. It is common in the Hadoop 062 * "world" to have distinct notions of a "real" user and a "proxy" user. A "real" user is the user 063 * which actually has the credentials (often, a Kerberos ticket), but some code may be running as 064 * some other user who has no credentials. This method gives the authentication provider a chance 065 * to acknowledge this is happening and ensure that any RPCs are executed with the real user's 066 * credentials, because executing them as the proxy user would result in failure because no 067 * credentials exist to authenticate the RPC. Not all implementations will need to implement this 068 * method. By default, the provided User's UGI is returned directly. 069 */ 070 default UserGroupInformation getRealUser(User ugi) { 071 return ugi.getUGI(); 072 } 073 074 /** 075 * Returns true if the implementation is capable of performing some action which may allow a 076 * failed authentication to become a successful authentication. Otherwise, returns false 077 */ 078 default boolean canRetry() { 079 return false; 080 } 081 082 /** 083 * Executes any necessary logic to re-login the client. Not all implementations will have any 084 * logic that needs to be executed. 085 */ 086 default void relogin() throws IOException { 087 } 088}