001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.http; 019 020import java.io.IOException; 021import java.net.URI; 022import javax.servlet.ServletContext; 023import javax.servlet.http.HttpServlet; 024import javax.servlet.http.HttpServletRequest; 025import org.apache.hadoop.conf.Configuration; 026import org.apache.hadoop.fs.CommonConfigurationKeys; 027import org.apache.hadoop.hbase.HBaseConfiguration; 028import org.apache.hadoop.security.authorize.AccessControlList; 029import org.apache.yetus.audience.InterfaceAudience; 030 031import org.apache.hbase.thirdparty.com.google.common.net.HostAndPort; 032import org.apache.hbase.thirdparty.org.eclipse.jetty.ee8.servlet.ServletHolder; 033 034/** 035 * Create a Jetty embedded server to answer http requests. The primary goal is to serve up status 036 * information for the server. There are three contexts: "/stacks/" -> points to stack trace 037 * "/static/" -> points to common static files (src/hbase-webapps/static) "/" -> the jsp 038 * server code from (src/hbase-webapps/<name>) 039 */ 040@InterfaceAudience.Private 041public class InfoServer { 042 private static final String HBASE_APP_DIR = "hbase-webapps"; 043 private final org.apache.hadoop.hbase.http.HttpServer httpServer; 044 045 private static final String HADOOP_WEB_TLS_CONFIG_PREFIX = "ssl.server."; 046 private static final String HBASE_WEB_TLS_CONFIG_PREFIX = "hbase.ui.ssl."; 047 048 /** 049 * Create a status server on the given port. The jsp scripts are taken from 050 * src/hbase-webapps/<code>name</code>. 051 * @param name The name of the server 052 * @param bindAddress address to bind to 053 * @param port The port to use on the server 054 * @param findPort whether the server should start at the given port and increment by 1 until 055 * it finds a free port. 056 * @param c the {@link Configuration} to build the server 057 * @throws IOException if getting one of the password fails or the server cannot be created 058 */ 059 public InfoServer(String name, String bindAddress, int port, boolean findPort, 060 final Configuration c) throws IOException { 061 HttpConfig httpConfig = new HttpConfig(c); 062 HttpServer.Builder builder = new org.apache.hadoop.hbase.http.HttpServer.Builder(); 063 064 builder.setName(name) 065 .addEndpoint(URI 066 .create(httpConfig.getSchemePrefix() + HostAndPort.fromParts(bindAddress, port).toString())) 067 .setAppDir(HBASE_APP_DIR).setFindPort(findPort).setConf(c); 068 String logDir = System.getProperty("hbase.log.dir"); 069 if (logDir != null) { 070 builder.setLogDir(logDir); 071 } 072 if (httpConfig.isSecure()) { 073 // We are using the Hadoop HTTP server config properties. 074 // This makes it easy to keep in sync with Hadoop's UI servers, but hard to set this 075 // separately for HBase. 076 builder.keyPassword(getTLSPassword(c, "keystore.keypassword")) 077 .keyStore(getTLSProperty(c, "keystore.location"), getTLSPassword(c, "keystore.password"), 078 getTLSProperty(c, "keystore.type", "jks")) 079 .trustStore(getTLSProperty(c, "truststore.location"), 080 getTLSPassword(c, "truststore.password"), getTLSProperty(c, "truststore.type", "jks")) 081 // The ssl.server.*.protocols properties do not exist in Hadoop at the time of writing. 082 .setIncludeProtocols(getTLSProperty(c, "include.protocols")) 083 .setExcludeProtocols(getTLSProperty(c, "exclude.protocols")) 084 .setIncludeCiphers(getTLSProperty(c, "include.cipher.list")) 085 .setExcludeCiphers(getTLSProperty(c, "exclude.cipher.list")); 086 } 087 088 final String httpAuthType = c.get(HttpServer.HTTP_UI_AUTHENTICATION, "").toLowerCase(); 089 // Enable SPNEGO authentication 090 if ("kerberos".equals(httpAuthType)) { 091 builder.setUsernameConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY) 092 .setKeytabConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY) 093 .setKerberosNameRulesKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KRB_NAME_KEY) 094 .setSignatureSecretFileKey(HttpServer.HTTP_AUTHENTICATION_SIGNATURE_SECRET_FILE_KEY) 095 .setSecurityEnabled(true); 096 } 097 098 // Set an admin ACL on sensitive webUI endpoints (works only if SPNEGO or LDAP is enabled) 099 if ("ldap".equals(httpAuthType) || "kerberos".equals(httpAuthType)) { 100 AccessControlList acl = buildAdminAcl(c); 101 builder.setACL(acl); 102 } 103 104 this.httpServer = builder.build(); 105 } 106 107 private String getTLSPassword(Configuration c, String postfix) throws IOException { 108 return HBaseConfiguration.getPassword(c, HBASE_WEB_TLS_CONFIG_PREFIX + postfix, 109 HBaseConfiguration.getPassword(c, HADOOP_WEB_TLS_CONFIG_PREFIX + postfix, null)); 110 } 111 112 private String getTLSProperty(Configuration c, String postfix) { 113 return getTLSProperty(c, postfix, null); 114 } 115 116 private String getTLSProperty(Configuration c, String postfix, String defaultValue) { 117 return c.get(HBASE_WEB_TLS_CONFIG_PREFIX + postfix, 118 c.get(HADOOP_WEB_TLS_CONFIG_PREFIX + postfix, defaultValue)); 119 } 120 121 /** 122 * Builds an ACL that will restrict the users who can issue commands to endpoints on the UI which 123 * are meant only for administrators. 124 */ 125 static AccessControlList buildAdminAcl(Configuration conf) { 126 // Initialize admin users based on whether http ui auth is set to ldap or kerberos 127 String httpAuthType = conf.get(HttpServer.HTTP_UI_AUTHENTICATION, "").toLowerCase(); 128 final String adminUsers = getAdminUsers(conf, httpAuthType); 129 final String adminGroups = 130 conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_GROUPS_KEY, null); 131 if (adminUsers == null && adminGroups == null) { 132 // Backwards compatibility - if the user doesn't have anything set, allow all users in. 133 return new AccessControlList("*", null); 134 } 135 return new AccessControlList(adminUsers, adminGroups); 136 } 137 138 private static String getAdminUsers(Configuration conf, String httpAuthType) { 139 if ("kerberos".equals(httpAuthType)) { 140 return conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, null); 141 } else if ("ldap".equals(httpAuthType)) { 142 return conf.get(HttpServer.HTTP_LDAP_AUTHENTICATION_ADMIN_USERS_KEY, null); 143 } 144 // If the auth type is not kerberos or ldap, return null 145 return null; 146 } 147 148 /** 149 * Explicitly invoke {@link #addPrivilegedServlet(String, String, Class)} or 150 * {@link #addUnprivilegedServlet(String, String, Class)} instead of this method. This method will 151 * add a servlet which any authenticated user can access. 152 * @deprecated Use {@link #addUnprivilegedServlet(String, String, Class)} or 153 * {@link #addPrivilegedServlet(String, String, Class)} instead of this method which 154 * does not state outwardly what kind of authz rules will be applied to this servlet. 155 */ 156 @Deprecated 157 public void addServlet(String name, String pathSpec, Class<? extends HttpServlet> clazz) { 158 addUnprivilegedServlet(name, pathSpec, clazz); 159 } 160 161 /** 162 * Adds a servlet in the server that any user can access. 163 * @see HttpServer#addUnprivilegedServlet(String, String, Class) 164 */ 165 public void addUnprivilegedServlet(String name, String pathSpec, 166 Class<? extends HttpServlet> clazz) { 167 this.httpServer.addUnprivilegedServlet(name, pathSpec, clazz); 168 } 169 170 /** 171 * Adds a servlet in the server that any user can access. 172 * @see HttpServer#addUnprivilegedServlet(String, ServletHolder) 173 */ 174 public void addUnprivilegedServlet(String name, String pathSpec, ServletHolder holder) { 175 if (name != null) { 176 holder.setName(name); 177 } 178 this.httpServer.addUnprivilegedServlet(pathSpec, holder); 179 } 180 181 /** 182 * Adds a servlet in the server that any user can access. 183 * @see HttpServer#addPrivilegedServlet(String, String, Class) 184 */ 185 public void addPrivilegedServlet(String name, String pathSpec, 186 Class<? extends HttpServlet> clazz) { 187 this.httpServer.addPrivilegedServlet(name, pathSpec, clazz); 188 } 189 190 public void setAttribute(String name, Object value) { 191 this.httpServer.setAttribute(name, value); 192 } 193 194 public void start() throws IOException { 195 this.httpServer.start(); 196 } 197 198 /** 199 * @return the port of the info server 200 * @deprecated Since 0.99.0 201 */ 202 @Deprecated 203 public int getPort() { 204 return this.httpServer.getPort(); 205 } 206 207 public void stop() throws Exception { 208 this.httpServer.stop(); 209 } 210 211 /** 212 * Returns true if and only if UI authentication (spnego) is enabled, UI authorization is enabled, 213 * and the requesting user is defined as an administrator. If the UI is set to readonly, this 214 * method always returns false. 215 */ 216 public static boolean canUserModifyUI(HttpServletRequest req, ServletContext ctx, 217 Configuration conf) { 218 if (conf.getBoolean("hbase.master.ui.readonly", false)) { 219 return false; 220 } 221 String remoteUser = req.getRemoteUser(); 222 if ( 223 "kerberos".equalsIgnoreCase(conf.get(HttpServer.HTTP_UI_AUTHENTICATION)) 224 && conf.getBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false) 225 && remoteUser != null 226 ) { 227 return HttpServer.userHasAdministratorAccess(ctx, remoteUser); 228 } 229 return false; 230 } 231}