001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.http; 019 020import java.io.File; 021import java.net.HttpURLConnection; 022import java.net.URL; 023import java.security.Principal; 024import java.security.PrivilegedExceptionAction; 025import java.util.Set; 026import javax.security.auth.Subject; 027import javax.security.auth.kerberos.KerberosTicket; 028import org.apache.hadoop.conf.Configuration; 029import org.apache.hadoop.hbase.HBaseClassTestRule; 030import org.apache.hadoop.hbase.HBaseCommonTestingUtil; 031import org.apache.hadoop.hbase.http.TestHttpServer.EchoServlet; 032import org.apache.hadoop.hbase.http.resource.JerseyResource; 033import org.apache.hadoop.hbase.testclassification.MiscTests; 034import org.apache.hadoop.hbase.testclassification.SmallTests; 035import org.apache.hadoop.hbase.util.SimpleKdcServerUtil; 036import org.apache.hadoop.security.authentication.util.KerberosName; 037import org.apache.hadoop.security.authorize.AccessControlList; 038import org.apache.http.HttpHost; 039import org.apache.http.HttpResponse; 040import org.apache.http.auth.AuthSchemeProvider; 041import org.apache.http.auth.AuthScope; 042import org.apache.http.auth.KerberosCredentials; 043import org.apache.http.client.HttpClient; 044import org.apache.http.client.config.AuthSchemes; 045import org.apache.http.client.methods.HttpGet; 046import org.apache.http.client.protocol.HttpClientContext; 047import org.apache.http.config.Lookup; 048import org.apache.http.config.RegistryBuilder; 049import org.apache.http.impl.auth.SPNegoSchemeFactory; 050import org.apache.http.impl.client.BasicCredentialsProvider; 051import org.apache.http.impl.client.HttpClients; 052import org.apache.http.util.EntityUtils; 053import org.apache.kerby.kerberos.kerb.KrbException; 054import org.apache.kerby.kerberos.kerb.client.JaasKrbUtil; 055import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer; 056import org.ietf.jgss.GSSCredential; 057import org.ietf.jgss.GSSManager; 058import org.ietf.jgss.GSSName; 059import org.ietf.jgss.Oid; 060import org.junit.AfterClass; 061import org.junit.BeforeClass; 062import org.junit.ClassRule; 063import org.junit.Test; 064import org.junit.experimental.categories.Category; 065import org.slf4j.Logger; 066import org.slf4j.LoggerFactory; 067 068/** 069 * Test class for SPNEGO Proxyuser authentication on the HttpServer. Uses Kerby's MiniKDC and Apache 070 * HttpComponents to verify that the doas= mechanicsm works, and that the proxyuser settings are 071 * observed. 072 */ 073@Category({ MiscTests.class, SmallTests.class }) 074public class TestProxyUserSpnegoHttpServer extends HttpServerFunctionalTest { 075 @ClassRule 076 public static final HBaseClassTestRule CLASS_RULE = 077 HBaseClassTestRule.forClass(TestProxyUserSpnegoHttpServer.class); 078 079 private static final Logger LOG = LoggerFactory.getLogger(TestProxyUserSpnegoHttpServer.class); 080 private static final String KDC_SERVER_HOST = "localhost"; 081 private static final String WHEEL_PRINCIPAL = "wheel"; 082 private static final String UNPRIVILEGED_PRINCIPAL = "unprivileged"; 083 private static final String PRIVILEGED_PRINCIPAL = "privileged"; 084 private static final String PRIVILEGED2_PRINCIPAL = "privileged2"; 085 086 private static HttpServer server; 087 private static URL baseUrl; 088 private static SimpleKdcServer kdc; 089 private static File infoServerKeytab; 090 private static File wheelKeytab; 091 private static File unprivilegedKeytab; 092 private static File privilegedKeytab; 093 private static File privileged2Keytab; 094 095 @BeforeClass 096 public static void setupServer() throws Exception { 097 Configuration conf = new Configuration(); 098 HBaseCommonTestingUtil htu = new HBaseCommonTestingUtil(conf); 099 100 final String serverPrincipal = "HTTP/" + KDC_SERVER_HOST; 101 102 kdc = SimpleKdcServerUtil.getRunningSimpleKdcServer(new File(htu.getDataTestDir().toString()), 103 HBaseCommonTestingUtil::randomFreePort); 104 File keytabDir = new File(htu.getDataTestDir("keytabs").toString()); 105 if (keytabDir.exists()) { 106 deleteRecursively(keytabDir); 107 } 108 keytabDir.mkdirs(); 109 110 infoServerKeytab = new File(keytabDir, serverPrincipal.replace('/', '_') + ".keytab"); 111 wheelKeytab = new File(keytabDir, WHEEL_PRINCIPAL + ".keytab"); 112 unprivilegedKeytab = new File(keytabDir, UNPRIVILEGED_PRINCIPAL + ".keytab"); 113 privilegedKeytab = new File(keytabDir, PRIVILEGED_PRINCIPAL + ".keytab"); 114 privileged2Keytab = new File(keytabDir, PRIVILEGED2_PRINCIPAL + ".keytab"); 115 116 setupUser(kdc, wheelKeytab, WHEEL_PRINCIPAL); 117 setupUser(kdc, unprivilegedKeytab, UNPRIVILEGED_PRINCIPAL); 118 setupUser(kdc, privilegedKeytab, PRIVILEGED_PRINCIPAL); 119 setupUser(kdc, privileged2Keytab, PRIVILEGED2_PRINCIPAL); 120 121 setupUser(kdc, infoServerKeytab, serverPrincipal); 122 123 buildSpnegoConfiguration(conf, serverPrincipal, infoServerKeytab); 124 AccessControlList acl = buildAdminAcl(conf); 125 126 server = createTestServerWithSecurityAndAcl(conf, acl); 127 server.addPrivilegedServlet("echo", "/echo", EchoServlet.class); 128 server.addJerseyResourcePackage(JerseyResource.class.getPackage().getName(), "/jersey/*"); 129 server.start(); 130 baseUrl = getServerURL(server); 131 132 LOG.info("HTTP server started: " + baseUrl); 133 } 134 135 @AfterClass 136 public static void stopServer() throws Exception { 137 try { 138 if (null != server) { 139 server.stop(); 140 } 141 } catch (Exception e) { 142 LOG.info("Failed to stop info server", e); 143 } 144 try { 145 if (null != kdc) { 146 kdc.stop(); 147 } 148 } catch (Exception e) { 149 LOG.info("Failed to stop mini KDC", e); 150 } 151 } 152 153 private static void setupUser(SimpleKdcServer kdc, File keytab, String principal) 154 throws KrbException { 155 kdc.createPrincipal(principal); 156 kdc.exportPrincipal(principal, keytab); 157 } 158 159 protected static Configuration buildSpnegoConfiguration(Configuration conf, 160 String serverPrincipal, File serverKeytab) { 161 KerberosName.setRules("DEFAULT"); 162 163 conf.setInt(HttpServer.HTTP_MAX_THREADS, TestHttpServer.MAX_THREADS); 164 165 // Enable Kerberos (pre-req) 166 conf.set("hbase.security.authentication", "kerberos"); 167 conf.set(HttpServer.HTTP_UI_AUTHENTICATION, "kerberos"); 168 conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY, serverPrincipal); 169 conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY, serverKeytab.getAbsolutePath()); 170 171 conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, PRIVILEGED_PRINCIPAL); 172 conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PROXYUSER_ENABLE_KEY, "true"); 173 conf.set("hadoop.security.authorization", "true"); 174 175 conf.set("hadoop.proxyuser.wheel.hosts", "*"); 176 conf.set("hadoop.proxyuser.wheel.users", PRIVILEGED_PRINCIPAL + "," + UNPRIVILEGED_PRINCIPAL); 177 return conf; 178 } 179 180 /** 181 * Builds an ACL that will restrict the users who can issue commands to endpoints on the UI which 182 * are meant only for administrators. 183 */ 184 public static AccessControlList buildAdminAcl(Configuration conf) { 185 final String userGroups = conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, null); 186 final String adminGroups = 187 conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_GROUPS_KEY, null); 188 if (userGroups == null && adminGroups == null) { 189 // Backwards compatibility - if the user doesn't have anything set, allow all users in. 190 return new AccessControlList("*", null); 191 } 192 return new AccessControlList(userGroups, adminGroups); 193 } 194 195 @Test 196 public void testProxyAllowed() throws Exception { 197 testProxy(WHEEL_PRINCIPAL, PRIVILEGED_PRINCIPAL, HttpURLConnection.HTTP_OK, null); 198 } 199 200 @Test 201 public void testProxyDisallowedForUnprivileged() throws Exception { 202 testProxy(WHEEL_PRINCIPAL, UNPRIVILEGED_PRINCIPAL, HttpURLConnection.HTTP_FORBIDDEN, 203 "403 User unprivileged is unauthorized to access this page."); 204 } 205 206 @Test 207 public void testProxyDisallowedForNotSudoAble() throws Exception { 208 testProxy(WHEEL_PRINCIPAL, PRIVILEGED2_PRINCIPAL, HttpURLConnection.HTTP_FORBIDDEN, 209 "403 Forbidden"); 210 } 211 212 public void testProxy(String clientPrincipal, String doAs, int responseCode, String statusLine) 213 throws Exception { 214 // Create the subject for the client 215 final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(WHEEL_PRINCIPAL, wheelKeytab); 216 final Set<Principal> clientPrincipals = clientSubject.getPrincipals(); 217 // Make sure the subject has a principal 218 assertFalse(clientPrincipals.isEmpty()); 219 220 // Get a TGT for the subject (might have many, different encryption types). The first should 221 // be the default encryption type. 222 Set<KerberosTicket> privateCredentials = 223 clientSubject.getPrivateCredentials(KerberosTicket.class); 224 assertFalse(privateCredentials.isEmpty()); 225 KerberosTicket tgt = privateCredentials.iterator().next(); 226 assertNotNull(tgt); 227 228 // The name of the principal 229 final String principalName = clientPrincipals.iterator().next().getName(); 230 231 // Run this code, logged in as the subject (the client) 232 HttpResponse resp = Subject.doAs(clientSubject, new PrivilegedExceptionAction<HttpResponse>() { 233 @Override 234 public HttpResponse run() throws Exception { 235 // Logs in with Kerberos via GSS 236 GSSManager gssManager = GSSManager.getInstance(); 237 // jGSS Kerberos login constant 238 Oid oid = new Oid("1.2.840.113554.1.2.2"); 239 GSSName gssClient = gssManager.createName(principalName, GSSName.NT_USER_NAME); 240 GSSCredential credential = gssManager.createCredential(gssClient, 241 GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY); 242 243 HttpClientContext context = HttpClientContext.create(); 244 Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider> create() 245 .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true)).build(); 246 247 HttpClient client = HttpClients.custom().setDefaultAuthSchemeRegistry(authRegistry).build(); 248 BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider(); 249 credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential)); 250 251 URL url = new URL(getServerURL(server), "/echo?doAs=" + doAs + "&a=b"); 252 context.setTargetHost(new HttpHost(url.getHost(), url.getPort())); 253 context.setCredentialsProvider(credentialsProvider); 254 context.setAuthSchemeRegistry(authRegistry); 255 256 HttpGet get = new HttpGet(url.toURI()); 257 return client.execute(get, context); 258 } 259 }); 260 261 assertNotNull(resp); 262 assertEquals(responseCode, resp.getStatusLine().getStatusCode()); 263 if (responseCode == HttpURLConnection.HTTP_OK) { 264 assertTrue(EntityUtils.toString(resp.getEntity()).trim().contains("a:b")); 265 } else { 266 assertTrue(resp.getStatusLine().toString().contains(statusLine) 267 || EntityUtils.toString(resp.getEntity()).contains(statusLine)); 268 } 269 } 270 271}