001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.security.provider; 019 020import java.io.IOException; 021import java.net.InetAddress; 022import java.util.Map; 023import javax.security.sasl.SaslClient; 024import org.apache.hadoop.conf.Configuration; 025import org.apache.hadoop.hbase.HBaseInterfaceAudience; 026import org.apache.hadoop.hbase.security.SecurityInfo; 027import org.apache.hadoop.hbase.security.User; 028import org.apache.hadoop.security.UserGroupInformation; 029import org.apache.hadoop.security.token.Token; 030import org.apache.hadoop.security.token.TokenIdentifier; 031import org.apache.yetus.audience.InterfaceAudience; 032import org.apache.yetus.audience.InterfaceStability; 033 034import org.apache.hadoop.hbase.shaded.protobuf.generated.AuthenticationProtos.TokenIdentifier.Kind; 035import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.UserInformation; 036 037/** 038 * Encapsulation of client-side logic to authenticate to HBase via some means over SASL. 039 * Implementations should not directly implement this interface, but instead extend 040 * {@link AbstractSaslClientAuthenticationProvider}. Implementations of this interface must make an 041 * implementation of {@code hashCode()} which returns the same value across multiple instances of 042 * the provider implementation. 043 */ 044@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION) 045@InterfaceStability.Evolving 046public interface SaslClientAuthenticationProvider extends SaslAuthenticationProvider { 047 048 /** 049 * Creates the SASL client instance for this authentication method. 050 * @deprecated Since 2.6.0. In our own code will not call this method any more, customized 051 * authentication method should implement 052 * {@link #createClient(Configuration, InetAddress, String, Token, boolean, Map)} 053 * instead. Will be removed in 4.0.0. 054 */ 055 @Deprecated 056 default SaslClient createClient(Configuration conf, InetAddress serverAddr, 057 SecurityInfo securityInfo, Token<? extends TokenIdentifier> token, boolean fallbackAllowed, 058 Map<String, String> saslProps) throws IOException { 059 throw new UnsupportedOperationException("should not be used any more"); 060 } 061 062 /** 063 * Create the SASL client instance for this authentication method. 064 * <p> 065 * The default implementation is create a fake {@link SecurityInfo} and call the above method, for 066 * keeping compatible with old customized authentication method 067 */ 068 default SaslClient createClient(Configuration conf, InetAddress serverAddr, 069 String serverPrincipal, Token<? extends TokenIdentifier> token, boolean fallbackAllowed, 070 Map<String, String> saslProps) throws IOException { 071 String principalKey = "hbase.fake.kerberos.principal"; 072 conf.set(principalKey, serverPrincipal); 073 return createClient(conf, serverAddr, new SecurityInfo(principalKey, Kind.HBASE_AUTH_TOKEN), 074 token, fallbackAllowed, saslProps); 075 } 076 077 /** 078 * Constructs a {@link UserInformation} from the given {@link UserGroupInformation} 079 */ 080 UserInformation getUserInfo(User user); 081 082 /** 083 * Returns the "real" user, the user who has the credentials being authenticated by the remote 084 * service, in the form of an {@link UserGroupInformation} object. It is common in the Hadoop 085 * "world" to have distinct notions of a "real" user and a "proxy" user. A "real" user is the user 086 * which actually has the credentials (often, a Kerberos ticket), but some code may be running as 087 * some other user who has no credentials. This method gives the authentication provider a chance 088 * to acknowledge this is happening and ensure that any RPCs are executed with the real user's 089 * credentials, because executing them as the proxy user would result in failure because no 090 * credentials exist to authenticate the RPC. Not all implementations will need to implement this 091 * method. By default, the provided User's UGI is returned directly. 092 */ 093 default UserGroupInformation getRealUser(User ugi) { 094 return ugi.getUGI(); 095 } 096 097 /** 098 * Returns true if the implementation is capable of performing some action which may allow a 099 * failed authentication to become a successful authentication. Otherwise, returns false 100 */ 101 default boolean canRetry() { 102 return false; 103 } 104 105 /** 106 * Executes any necessary logic to re-login the client. Not all implementations will have any 107 * logic that needs to be executed. 108 */ 109 default void relogin() throws IOException { 110 } 111}