Interface SaslClientAuthenticationProvider

All Superinterfaces:
SaslAuthenticationProvider
All Known Implementing Classes:
AbstractSaslClientAuthenticationProvider, DigestSaslClientAuthenticationProvider, GssSaslClientAuthenticationProvider, ShadeSaslClientAuthenticationProvider, SimpleSaslClientAuthenticationProvider

@LimitedPrivate("Authentication") @Evolving public interface SaslClientAuthenticationProvider extends SaslAuthenticationProvider
Encapsulation of client-side logic to authenticate to HBase via some means over SASL. Implementations should not directly implement this interface, but instead extend AbstractSaslClientAuthenticationProvider. Implementations of this interface must implement hashCode() so that it returns the same value across multiple instances of the provider implementation.
  • Method Summary

    Modifier and Type
    Method
    Description
    default boolean
    canRetry()
    Returns true if the implementation is capable of performing some action which may allow a failed authentication to become a successful authentication.
    default SaslClient
    createClient(org.apache.hadoop.conf.Configuration conf, InetAddress serverAddr, String serverPrincipal, org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier> token, boolean fallbackAllowed, Map<String,String> saslProps)
    Create the SASL client instance for this authentication method.
    default SaslClient
    createClient(org.apache.hadoop.conf.Configuration conf, InetAddress serverAddr, SecurityInfo securityInfo, org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier> token, boolean fallbackAllowed, Map<String,String> saslProps)
    Deprecated.
    Since 2.6.0.
    default org.apache.hadoop.security.UserGroupInformation
    getRealUser(User ugi)
    Returns the "real" user, the user who has the credentials being authenticated by the remote service, in the form of a UserGroupInformation object.
    org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.UserInformation
    getUserInfo(User user)
    Constructs a RPCProtos.UserInformation from the given UserGroupInformation
    default void
    relogin()
    Executes any necessary logic to re-login the client.

    Methods inherited from interface org.apache.hadoop.hbase.security.provider.SaslAuthenticationProvider

    getSaslAuthMethod, getTokenKind
  • Method Details

    • createClient

      @Deprecated default SaslClient createClient(org.apache.hadoop.conf.Configuration conf, InetAddress serverAddr, SecurityInfo securityInfo, org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier> token, boolean fallbackAllowed, Map<String,String> saslProps) throws IOException
      Deprecated.
      Since 2.6.0. Our own code no longer calls this method; customized authentication methods should implement createClient(Configuration, InetAddress, String, Token, boolean, Map) instead. Will be removed in 4.0.0.
      Creates the SASL client instance for this authentication method.
      Throws:
      IOException
    • createClient

      default SaslClient createClient(org.apache.hadoop.conf.Configuration conf, InetAddress serverAddr, String serverPrincipal, org.apache.hadoop.security.token.Token<? extends org.apache.hadoop.security.token.TokenIdentifier> token, boolean fallbackAllowed, Map<String,String> saslProps) throws IOException
      Create the SASL client instance for this authentication method.

      The default implementation creates a fake SecurityInfo and calls the above method, to stay compatible with old customized authentication methods.

      Throws:
      IOException
    • getUserInfo

      org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.UserInformation getUserInfo(User user)
      Constructs a RPCProtos.UserInformation from the given UserGroupInformation
    • getRealUser

      default org.apache.hadoop.security.UserGroupInformation getRealUser(User ugi)
      Returns the "real" user, the user who has the credentials being authenticated by the remote service, in the form of a UserGroupInformation object. It is common in the Hadoop "world" to have distinct notions of a "real" user and a "proxy" user. A "real" user is the user which actually has the credentials (often, a Kerberos ticket), but some code may be running as some other user who has no credentials. This method gives the authentication provider a chance to acknowledge this is happening and ensure that any RPCs are executed with the real user's credentials; executing them as the proxy user would fail because no credentials exist to authenticate the RPC. Not all implementations will need to implement this method. By default, the provided User's UGI is returned directly.
    • canRetry

      default boolean canRetry()
      Returns true if the implementation is capable of performing some action which may allow a failed authentication to become a successful authentication. Otherwise, returns false.
    • relogin

      default void relogin() throws IOException
      Executes any necessary logic to re-login the client. Not all implementations will have any logic that needs to be executed.
      Throws:
      IOException
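
A sketch of a custom Kerberos-style provider that extends AbstractSaslClientAuthenticationProvider and overrides the non-deprecated createClient together with getRealUser, canRetry and relogin as described above. This is an added example, not HBase's own code: the class name, the auth-method name "EXAMPLE_KRB" and the code byte 99 are hypothetical, and it assumes hbase-client and hadoop-common are on the classpath.

```java
// Added example; class name, "EXAMPLE_KRB" and the code byte are hypothetical.
import java.io.IOException;
import java.net.InetAddress;
import java.util.Map;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.provider.AbstractSaslClientAuthenticationProvider;
import org.apache.hadoop.hbase.security.provider.SaslAuthMethod;
import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.UserInformation;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

public class ExampleKerberosClientProvider extends AbstractSaslClientAuthenticationProvider {
  private static final SaslAuthMethod METHOD = new SaslAuthMethod("EXAMPLE_KRB", (byte) 99,
      "GSSAPI", UserGroupInformation.AuthenticationMethod.KERBEROS);

  @Override public SaslAuthMethod getSaslAuthMethod() { return METHOD; }

  @Override
  public SaslClient createClient(Configuration conf, InetAddress serverAddr, String serverPrincipal,
      Token<? extends TokenIdentifier> token, boolean fallbackAllowed,
      Map<String, String> saslProps) throws IOException {
    // Expect service/host@REALM; refuse anything else instead of guessing the peer identity.
    String[] parts = serverPrincipal == null ? new String[0] : serverPrincipal.split("[/@]");
    if (parts.length != 3) throw new IOException("Unexpected server principal: " + serverPrincipal);
    return Sasl.createSaslClient(new String[] { "GSSAPI" }, null, parts[0], parts[1], saslProps, null);
  }

  @Override public UserInformation getUserInfo(User user) {
    UserGroupInformation ugi = user.getUGI();
    UserInformation.Builder b = UserInformation.newBuilder().setEffectiveUser(ugi.getUserName());
    if (ugi.getRealUser() != null) b.setRealUser(ugi.getRealUser().getUserName());
    return b.build();
  }

  @Override public UserGroupInformation getRealUser(User user) {
    UserGroupInformation real = user.getUGI().getRealUser();
    return real != null ? real : user.getUGI(); // proxy user: authenticate as the credential holder
  }
  @Override public boolean canRetry() { return true; } // a renewed ticket may fix a failed handshake
  @Override public void relogin() throws IOException {
    UserGroupInformation login = UserGroupInformation.getLoginUser();
    if (UserGroupInformation.isLoginKeytabBased()) login.reloginFromKeytab();
    else login.reloginFromTicketCache();
  }
}
```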