/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hbase.security;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos.TokenIdentifier.Kind;
import org.apache.yetus.audience.InterfaceAudience;

import org.apache.hbase.thirdparty.com.google.common.base.Preconditions;

import org.apache.hadoop.hbase.shaded.protobuf.generated.AdminProtos;
import org.apache.hadoop.hbase.shaded.protobuf.generated.BootstrapNodeProtos;
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos;
import org.apache.hadoop.hbase.shaded.protobuf.generated.LockServiceProtos;
import org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos;
import org.apache.hadoop.hbase.shaded.protobuf.generated.MasterProtos.MasterService;
import org.apache.hadoop.hbase.shaded.protobuf.generated.RegionServerStatusProtos;
import org.apache.hadoop.hbase.shaded.protobuf.generated.RegistryProtos;

/**
 * Maps RPC protocol interfaces to required configuration
 */
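@InterfaceAudience.Private
public class SecurityInfo {
  /**
   * Maps RPC service names (the protobuf service descriptor name) to the authentication
   * information a client needs for that service. Seeded with the built-in services in the static
   * initializer below; {@link #addInfo(String, SecurityInfo)} can add entries for new services.
   */
  private static final ConcurrentMap<String, SecurityInfo> infos = new ConcurrentHashMap<>();

  // populate info for known services
  static {
    infos.put(AdminProtos.AdminService.getDescriptor().getName(),
      new SecurityInfo(SecurityConstants.REGIONSERVER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
    infos.put(ClientProtos.ClientService.getDescriptor().getName(),
      new SecurityInfo(SecurityConstants.REGIONSERVER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
    infos.put(MasterService.getDescriptor().getName(),
      new SecurityInfo(SecurityConstants.MASTER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
    infos.put(RegionServerStatusProtos.RegionServerStatusService.getDescriptor().getName(),
      new SecurityInfo(SecurityConstants.MASTER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
    infos.put(MasterProtos.HbckService.getDescriptor().getName(),
      new SecurityInfo(SecurityConstants.MASTER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
    // ClientMetaService is registered with both principal entries; presumably a client may reach
    // this service on either a master or a region server, so either server identity is accepted.
    infos.put(RegistryProtos.ClientMetaService.getDescriptor().getName(),
      new SecurityInfo(Kind.HBASE_AUTH_TOKEN, SecurityConstants.MASTER_KRB_PRINCIPAL,
        SecurityConstants.REGIONSERVER_KRB_PRINCIPAL));
    infos.put(BootstrapNodeProtos.BootstrapNodeService.getDescriptor().getName(),
      new SecurityInfo(SecurityConstants.REGIONSERVER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
    infos.put(LockServiceProtos.LockService.getDescriptor().getName(),
      new SecurityInfo(SecurityConstants.MASTER_KRB_PRINCIPAL, Kind.HBASE_AUTH_TOKEN));
    // NOTE: IF ADDING A NEW SERVICE, BE SURE TO UPDATE HBasePolicyProvider ALSO ELSE
    // new Service will not be found when all is Kerberized!!!!
  }

  /**
   * Adds a security configuration for a new service name. Note that this will have no effect if the
   * service name was already registered: the first registration wins, so a later caller cannot
   * replace the principal/token expectations already recorded for a built-in service.
   * @param serviceName  the protobuf service descriptor name
   * @param securityInfo the security configuration to associate with that service
   */
  public static void addInfo(String serviceName, SecurityInfo securityInfo) {
    infos.putIfAbsent(serviceName, securityInfo);
  }

  /**
   * Returns the security configuration associated with the given service name, or {@code null} if
   * nothing was registered for it. Callers must handle the {@code null} case rather than assume
   * every service has an entry.
   * @param serviceName the protobuf service descriptor name
   */
  public static SecurityInfo getInfo(String serviceName) {
    return infos.get(serviceName);
  }

  /** Unmodifiable copy of the principal entries; never exposes a writable view. */
  private final List<String> serverPrincipals;
  private final Kind tokenKind;

  /**
   * Single-principal convenience form of {@link #SecurityInfo(Kind, String...)}.
   * @param serverPrincipal the single principal entry for the service
   * @param tokenKind       the kind of token accepted for the service
   */
  public SecurityInfo(String serverPrincipal, Kind tokenKind) {
    this(tokenKind, serverPrincipal);
  }

  /**
   * @param tokenKind       the kind of token accepted for the service
   * @param serverPrincipal one or more {@code SecurityConstants.*_KRB_PRINCIPAL} entries
   *                        (presumably the configuration keys that name the expected server
   *                        Kerberos principal; verify against SecurityConstants). At least one
   *                        is required and none may be null or empty.
   * @throws IllegalArgumentException if no principal entry is given, or one is null or empty
   */
  public SecurityInfo(Kind tokenKind, String... serverPrincipal) {
    Preconditions.checkArgument(serverPrincipal != null && serverPrincipal.length > 0,
      "at least one server principal is required");
    // Reject bad entries here rather than letting a null/empty principal key surface later as an
    // NPE or a silent lookup miss when the client checks the server's identity.
    for (String principal : serverPrincipal) {
      Preconditions.checkArgument(principal != null && !principal.isEmpty(),
        "server principal entries must not be null or empty");
    }
    this.tokenKind = tokenKind;
    // Defensive copy plus unmodifiable wrapper. Arrays.asList alone would be a writable, fixed-size
    // view over the caller's varargs array, so the principals a client uses to authenticate its
    // peer could be altered after construction, via the original array or via List.set on the
    // value returned by getServerPrincipals().
    this.serverPrincipals = Collections.unmodifiableList(Arrays.asList(serverPrincipal.clone()));
  }

  /**
   * Although this class is IA.Private, we leak this class in
   * {@code SaslClientAuthenticationProvider}, so need to align with the deprecation cycle for that
   * class.
   * @deprecated Since 2.6.0, will be removed in 4.0.0. Use {@link #getServerPrincipals()} instead.
   */
  @Deprecated
  public String getServerPrincipal() {
    return serverPrincipals.get(0);
  }

  /**
   * Returns the principal entries for the service, in registration order. The list is unmodifiable;
   * attempts to change it throw {@link UnsupportedOperationException}.
   */
  public List<String> getServerPrincipals() {
    return serverPrincipals;
  }

  /** Returns the kind of token accepted for the service. */
  public Kind getTokenKind() {
    return tokenKind;
  }
}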