Source code

001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.ipc;
019
020import org.apache.hadoop.hbase.security.HBaseSaslRpcServer;
021import org.apache.hadoop.hbase.security.SaslStatus;
022import org.apache.hadoop.hbase.security.SaslUnwrapHandler;
023import org.apache.hadoop.hbase.security.SaslWrapHandler;
024import org.apache.hadoop.hbase.util.NettyFutureUtils;
025import org.apache.hadoop.io.BytesWritable;
026import org.slf4j.Logger;
027import org.slf4j.LoggerFactory;
028
029import org.apache.hbase.thirdparty.io.netty.buffer.ByteBuf;
030import org.apache.hbase.thirdparty.io.netty.channel.ChannelHandlerContext;
031import org.apache.hbase.thirdparty.io.netty.channel.ChannelPipeline;
032import org.apache.hbase.thirdparty.io.netty.channel.SimpleChannelInboundHandler;
033import org.apache.hbase.thirdparty.io.netty.handler.codec.LengthFieldBasedFrameDecoder;
034
035/**
036 * Implement SASL negotiation logic for rpc server.
037 */
038class NettyHBaseSaslRpcServerHandler extends SimpleChannelInboundHandler<ByteBuf> {
039
040  private static final Logger LOG = LoggerFactory.getLogger(NettyHBaseSaslRpcServerHandler.class);
041
042  static final String DECODER_NAME = "SaslNegotiationDecoder";
043
044  private final NettyRpcServer rpcServer;
045
046  private final NettyServerRpcConnection conn;
047
048  NettyHBaseSaslRpcServerHandler(NettyRpcServer rpcServer, NettyServerRpcConnection conn) {
049    this.rpcServer = rpcServer;
050    this.conn = conn;
051  }
052
053  @Override
054  protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception {
055    LOG.debug("Read input token of size={} for processing by saslServer.evaluateResponse()",
056      msg.readableBytes());
057    HBaseSaslRpcServer saslServer = conn.getOrCreateSaslServer();
058    byte[] saslToken = new byte[msg.readableBytes()];
059    msg.readBytes(saslToken, 0, saslToken.length);
060    byte[] replyToken = saslServer.evaluateResponse(saslToken);
061    if (replyToken != null) {
062      LOG.debug("Will send token of size {} from saslServer.", replyToken.length);
063      conn.doRawSaslReply(SaslStatus.SUCCESS, new BytesWritable(replyToken), null, null);
064    }
065    if (saslServer.isComplete()) {
066      conn.finishSaslNegotiation();
067      String qop = saslServer.getNegotiatedQop();
068      boolean useWrap = qop != null && !"auth".equalsIgnoreCase(qop);
069      ChannelPipeline p = ctx.pipeline();
070      if (useWrap) {
071        p.addBefore(DECODER_NAME, null, new SaslWrapHandler(saslServer::wrap))
072          .addBefore(NettyRpcServerResponseEncoder.NAME, null,
073            new LengthFieldBasedFrameDecoder(Integer.MAX_VALUE, 0, 4, 0, 4))
074          .addBefore(NettyRpcServerResponseEncoder.NAME, null,
075            new SaslUnwrapHandler(saslServer::unwrap));
076      }
077      conn.setupHandler();
078      p.remove(this);
079      p.remove(DECODER_NAME);
080    }
081  }
082
083  @Override
084  public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
085    LOG.error("Error when doing SASL handshade, provider={}", conn.provider, cause);
086    Throwable sendToClient = HBaseSaslRpcServer.unwrap(cause);
087    conn.doRawSaslReply(SaslStatus.ERROR, null, sendToClient.getClass().getName(),
088      sendToClient.getLocalizedMessage());
089    rpcServer.metrics.authenticationFailure();
090    String clientIP = this.toString();
091    // attempting user could be null
092    RpcServer.AUDITLOG.warn("{}{}: {}", RpcServer.AUTH_FAILED_FOR, clientIP,
093      conn.saslServer != null ? conn.saslServer.getAttemptingUser() : "Unknown");
094    NettyFutureUtils.safeClose(ctx);
095  }
096}