001/**
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.rest;
019
020import static org.apache.hadoop.hbase.rest.RESTServlet.HBASE_REST_SUPPORT_PROXYUSER;
021import static org.junit.Assert.assertEquals;
022import static org.junit.Assert.assertTrue;
023
024import com.fasterxml.jackson.databind.ObjectMapper;
025import java.io.File;
026import java.io.IOException;
027import java.net.HttpURLConnection;
028import java.net.URL;
029import java.security.Principal;
030import java.security.PrivilegedExceptionAction;
031import org.apache.commons.io.FileUtils;
032import org.apache.hadoop.conf.Configuration;
033import org.apache.hadoop.hbase.HBaseClassTestRule;
034import org.apache.hadoop.hbase.HBaseTestingUtil;
035import org.apache.hadoop.hbase.SingleProcessHBaseCluster;
036import org.apache.hadoop.hbase.StartTestingClusterOption;
037import org.apache.hadoop.hbase.TableName;
038import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder;
039import org.apache.hadoop.hbase.client.Connection;
040import org.apache.hadoop.hbase.client.ConnectionFactory;
041import org.apache.hadoop.hbase.client.Put;
042import org.apache.hadoop.hbase.client.Table;
043import org.apache.hadoop.hbase.client.TableDescriptor;
044import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
045import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
046import org.apache.hadoop.hbase.http.ssl.KeyStoreTestUtil;
047import org.apache.hadoop.hbase.rest.model.CellModel;
048import org.apache.hadoop.hbase.rest.model.CellSetModel;
049import org.apache.hadoop.hbase.rest.model.RowModel;
050import org.apache.hadoop.hbase.security.HBaseKerberosUtils;
051import org.apache.hadoop.hbase.security.access.AccessControlClient;
052import org.apache.hadoop.hbase.security.access.AccessControlConstants;
053import org.apache.hadoop.hbase.security.access.AccessController;
054import org.apache.hadoop.hbase.security.access.Permission.Action;
055import org.apache.hadoop.hbase.security.token.TokenProvider;
056import org.apache.hadoop.hbase.testclassification.MediumTests;
057import org.apache.hadoop.hbase.testclassification.MiscTests;
058import org.apache.hadoop.hbase.util.Bytes;
059import org.apache.hadoop.hbase.util.Pair;
060import org.apache.hadoop.hdfs.DFSConfigKeys;
061import org.apache.hadoop.http.HttpConfig;
062import org.apache.hadoop.minikdc.MiniKdc;
063import org.apache.hadoop.security.UserGroupInformation;
064import org.apache.hadoop.security.authentication.util.KerberosName;
065import org.apache.http.HttpEntity;
066import org.apache.http.HttpHost;
067import org.apache.http.auth.AuthSchemeProvider;
068import org.apache.http.auth.AuthScope;
069import org.apache.http.auth.Credentials;
070import org.apache.http.client.AuthCache;
071import org.apache.http.client.CredentialsProvider;
072import org.apache.http.client.config.AuthSchemes;
073import org.apache.http.client.methods.CloseableHttpResponse;
074import org.apache.http.client.methods.HttpGet;
075import org.apache.http.client.methods.HttpPut;
076import org.apache.http.client.protocol.HttpClientContext;
077import org.apache.http.config.Registry;
078import org.apache.http.config.RegistryBuilder;
079import org.apache.http.conn.HttpClientConnectionManager;
080import org.apache.http.entity.ContentType;
081import org.apache.http.entity.StringEntity;
082import org.apache.http.impl.auth.SPNegoSchemeFactory;
083import org.apache.http.impl.client.BasicAuthCache;
084import org.apache.http.impl.client.BasicCredentialsProvider;
085import org.apache.http.impl.client.CloseableHttpClient;
086import org.apache.http.impl.client.HttpClients;
087import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
088import org.apache.http.util.EntityUtils;
089import org.junit.AfterClass;
090import org.junit.BeforeClass;
091import org.junit.ClassRule;
092import org.junit.Test;
093import org.junit.experimental.categories.Category;
094import org.slf4j.Logger;
095import org.slf4j.LoggerFactory;
096
097import org.apache.hbase.thirdparty.com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider;
098import org.apache.hbase.thirdparty.javax.ws.rs.core.MediaType;
099
100/**
101 * Test class for SPNEGO authentication on the HttpServer. Uses Kerby's MiniKDC and Apache
102 * HttpComponents to verify that a simple Servlet is reachable via SPNEGO and unreachable w/o.
103 */
104@Category({MiscTests.class, MediumTests.class})
105public class TestSecureRESTServer {
106
107  @ClassRule
108  public static final HBaseClassTestRule CLASS_RULE =
109      HBaseClassTestRule.forClass(TestSecureRESTServer.class);
110
111  private static final Logger LOG = LoggerFactory.getLogger(TestSecureRESTServer.class);
112  private static final HBaseTestingUtil TEST_UTIL = new HBaseTestingUtil();
113  private static final HBaseRESTTestingUtility REST_TEST = new HBaseRESTTestingUtility();
114  private static SingleProcessHBaseCluster CLUSTER;
115
116  private static final String HOSTNAME = "localhost";
117  private static final String CLIENT_PRINCIPAL = "client";
118  private static final String WHEEL_PRINCIPAL = "wheel";
119  // The principal for accepting SPNEGO authn'ed requests (*must* be HTTP/fqdn)
120  private static final String SPNEGO_SERVICE_PRINCIPAL = "HTTP/" + HOSTNAME;
121  // The principal we use to connect to HBase
122  private static final String REST_SERVER_PRINCIPAL = "rest";
123  private static final String SERVICE_PRINCIPAL = "hbase/" + HOSTNAME;
124
125  private static URL baseUrl;
126  private static MiniKdc KDC;
127  private static RESTServer server;
128  private static File restServerKeytab;
129  private static File clientKeytab;
130  private static File wheelKeytab;
131  private static File serviceKeytab;
132
133  @BeforeClass
134  public static void setupServer() throws Exception {
135    final File target = new File(System.getProperty("user.dir"), "target");
136    assertTrue(target.exists());
137
138    /*
139     * Keytabs
140     */
141    File keytabDir = new File(target, TestSecureRESTServer.class.getSimpleName()
142        + "_keytabs");
143    if (keytabDir.exists()) {
144      FileUtils.deleteDirectory(keytabDir);
145    }
146    keytabDir.mkdirs();
147    // Keytab for HBase services (RS, Master)
148    serviceKeytab = new File(keytabDir, "hbase.service.keytab");
149    // The keytab for the REST server
150    restServerKeytab = new File(keytabDir, "spnego.keytab");
151    // Keytab for the client
152    clientKeytab = new File(keytabDir, CLIENT_PRINCIPAL + ".keytab");
153    // Keytab for wheel
154    wheelKeytab = new File(keytabDir, WHEEL_PRINCIPAL + ".keytab");
155
156    /*
157     * Update UGI
158     */
159    Configuration conf = TEST_UTIL.getConfiguration();
160
161    /*
162     * Start KDC
163     */
164    KDC = TEST_UTIL.setupMiniKdc(serviceKeytab);
165    KDC.createPrincipal(clientKeytab, CLIENT_PRINCIPAL);
166    KDC.createPrincipal(wheelKeytab, WHEEL_PRINCIPAL);
167    KDC.createPrincipal(serviceKeytab, SERVICE_PRINCIPAL);
168    // REST server's keytab contains keys for both principals REST uses
169    KDC.createPrincipal(restServerKeytab, SPNEGO_SERVICE_PRINCIPAL, REST_SERVER_PRINCIPAL);
170
171    // Set configuration for HBase
172    HBaseKerberosUtils.setPrincipalForTesting(SERVICE_PRINCIPAL + "@" + KDC.getRealm());
173    HBaseKerberosUtils.setKeytabFileForTesting(serviceKeytab.getAbsolutePath());
174    // Why doesn't `setKeytabFileForTesting` do this?
175    conf.set("hbase.master.keytab.file", serviceKeytab.getAbsolutePath());
176    conf.set("hbase.unsafe.regionserver.hostname", "localhost");
177    conf.set("hbase.master.hostname", "localhost");
178    HBaseKerberosUtils.setSecuredConfiguration(conf,
179        SERVICE_PRINCIPAL+ "@" + KDC.getRealm(), SPNEGO_SERVICE_PRINCIPAL+ "@" + KDC.getRealm());
180    setHdfsSecuredConfiguration(conf);
181    conf.setStrings(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY,
182        TokenProvider.class.getName(), AccessController.class.getName());
183    conf.setStrings(CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY,
184        AccessController.class.getName());
185    conf.setStrings(CoprocessorHost.REGIONSERVER_COPROCESSOR_CONF_KEY,
186        AccessController.class.getName());
187    // Enable EXEC permission checking
188    conf.setBoolean(AccessControlConstants.EXEC_PERMISSION_CHECKS_KEY, true);
189    conf.set("hbase.superuser", "hbase");
190    conf.set("hadoop.proxyuser.rest.hosts", "*");
191    conf.set("hadoop.proxyuser.rest.users", "*");
192    conf.set("hadoop.proxyuser.wheel.hosts", "*");
193    conf.set("hadoop.proxyuser.wheel.users", "*");
194    UserGroupInformation.setConfiguration(conf);
195
196    updateKerberosConfiguration(conf, REST_SERVER_PRINCIPAL, SPNEGO_SERVICE_PRINCIPAL,
197        restServerKeytab);
198
199    // Start HDFS
200    TEST_UTIL.startMiniCluster(StartTestingClusterOption.builder()
201        .numMasters(1)
202        .numRegionServers(1)
203        .numZkServers(1)
204        .build());
205
206    // Start REST
207    UserGroupInformation restUser = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
208        REST_SERVER_PRINCIPAL, restServerKeytab.getAbsolutePath());
209    restUser.doAs(new PrivilegedExceptionAction<Void>() {
210      @Override
211      public Void run() throws Exception {
212        REST_TEST.startServletContainer(conf);
213        return null;
214      }
215    });
216    baseUrl = new URL("http://localhost:" + REST_TEST.getServletPort());
217
218    LOG.info("HTTP server started: "+ baseUrl);
219    TEST_UTIL.waitTableAvailable(TableName.valueOf("hbase:acl"));
220
221    // Let the REST server create, read, and write globally
222    UserGroupInformation superuser = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
223        SERVICE_PRINCIPAL, serviceKeytab.getAbsolutePath());
224    superuser.doAs(new PrivilegedExceptionAction<Void>() {
225      @Override
226      public Void run() throws Exception {
227        try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
228          AccessControlClient.grant(
229              conn, REST_SERVER_PRINCIPAL, Action.CREATE, Action.READ, Action.WRITE);
230        } catch (Throwable t) {
231          if (t instanceof Exception) {
232            throw (Exception) t;
233          } else {
234            throw new Exception(t);
235          }
236        }
237        return null;
238      }
239    });
240    instertData();
241  }
242
243  @AfterClass
244  public static void stopServer() throws Exception {
245    try {
246      if (null != server) {
247        server.stop();
248      }
249    } catch (Exception e) {
250      LOG.info("Failed to stop info server", e);
251    }
252    try {
253      if (CLUSTER != null) {
254        CLUSTER.shutdown();
255      }
256    } catch (Exception e) {
257      LOG.info("Failed to stop HBase cluster", e);
258    }
259    try {
260      if (null != KDC) {
261        KDC.stop();
262      }
263    } catch (Exception e) {
264      LOG.info("Failed to stop mini KDC", e);
265    }
266  }
267
268  private static void setHdfsSecuredConfiguration(Configuration conf) throws Exception {
269    // Set principal+keytab configuration for HDFS
270    conf.set(DFSConfigKeys.DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY,
271        SERVICE_PRINCIPAL + "@" + KDC.getRealm());
272    conf.set(DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY, serviceKeytab.getAbsolutePath());
273    conf.set(DFSConfigKeys.DFS_DATANODE_KERBEROS_PRINCIPAL_KEY,
274        SERVICE_PRINCIPAL + "@" + KDC.getRealm());
275    conf.set(DFSConfigKeys.DFS_DATANODE_KEYTAB_FILE_KEY, serviceKeytab.getAbsolutePath());
276    conf.set(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY,
277        SPNEGO_SERVICE_PRINCIPAL + "@" + KDC.getRealm());
278    // Enable token access for HDFS blocks
279    conf.setBoolean(DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true);
280    // Only use HTTPS (required because we aren't using "secure" ports)
281    conf.set(DFSConfigKeys.DFS_HTTP_POLICY_KEY, HttpConfig.Policy.HTTPS_ONLY.name());
282    // Bind on localhost for spnego to have a chance at working
283    conf.set(DFSConfigKeys.DFS_NAMENODE_HTTPS_ADDRESS_KEY, "localhost:0");
284    conf.set(DFSConfigKeys.DFS_DATANODE_HTTPS_ADDRESS_KEY, "localhost:0");
285
286    // Generate SSL certs
287    File keystoresDir = new File(TEST_UTIL.getDataTestDir("keystore").toUri().getPath());
288    keystoresDir.mkdirs();
289    String sslConfDir = KeyStoreTestUtil.getClasspathDir(TestSecureRESTServer.class);
290    KeyStoreTestUtil.setupSSLConfig(keystoresDir.getAbsolutePath(), sslConfDir, conf, false);
291
292    // Magic flag to tell hdfs to not fail on using ports above 1024
293    conf.setBoolean("ignore.secure.ports.for.testing", true);
294  }
295
296  private static void updateKerberosConfiguration(Configuration conf,
297      String serverPrincipal, String spnegoPrincipal, File serverKeytab) {
298    KerberosName.setRules("DEFAULT");
299
300    // Enable Kerberos (pre-req)
301    conf.set("hbase.security.authentication", "kerberos");
302    conf.set(RESTServer.REST_AUTHENTICATION_TYPE, "kerberos");
303    // User to talk to HBase as
304    conf.set(RESTServer.REST_KERBEROS_PRINCIPAL, serverPrincipal);
305    // User to accept SPNEGO-auth'd http calls as
306    conf.set("hbase.rest.authentication.kerberos.principal", spnegoPrincipal);
307    // Keytab for both principals above
308    conf.set(RESTServer.REST_KEYTAB_FILE, serverKeytab.getAbsolutePath());
309    conf.set("hbase.rest.authentication.kerberos.keytab", serverKeytab.getAbsolutePath());
310    conf.set(HBASE_REST_SUPPORT_PROXYUSER, "true");
311  }
312
313  private static void instertData() throws IOException, InterruptedException {
314    // Create a table, write a row to it, grant read perms to the client
315    UserGroupInformation superuser = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
316      SERVICE_PRINCIPAL, serviceKeytab.getAbsolutePath());
317    final TableName table = TableName.valueOf("publicTable");
318    superuser.doAs(new PrivilegedExceptionAction<Void>() {
319      @Override
320      public Void run() throws Exception {
321        try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
322          TableDescriptor desc = TableDescriptorBuilder.newBuilder(table)
323            .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1"))
324            .build();
325          conn.getAdmin().createTable(desc);
326          try (Table t = conn.getTable(table)) {
327            Put p = new Put(Bytes.toBytes("a"));
328            p.addColumn(Bytes.toBytes("f1"), new byte[0], Bytes.toBytes("1"));
329            t.put(p);
330          }
331          AccessControlClient.grant(conn, CLIENT_PRINCIPAL, Action.READ);
332        } catch (Throwable e) {
333          if (e instanceof Exception) {
334            throw (Exception) e;
335          } else {
336            throw new Exception(e);
337          }
338        }
339        return null;
340      }
341    });
342  }
343
344  public void testProxy(String extraArgs, String PRINCIPAL, File keytab, int responseCode) throws Exception{
345    UserGroupInformation superuser = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
346      SERVICE_PRINCIPAL, serviceKeytab.getAbsolutePath());
347    final TableName table = TableName.valueOf("publicTable");
348
349    // Read that row as the client
350    Pair<CloseableHttpClient,HttpClientContext> pair = getClient();
351    CloseableHttpClient client = pair.getFirst();
352    HttpClientContext context = pair.getSecond();
353
354    HttpGet get = new HttpGet(new URL("http://localhost:"+ REST_TEST.getServletPort()).toURI()
355      + "/" + table + "/a" + extraArgs);
356    get.addHeader("Accept", "application/json");
357    UserGroupInformation user = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
358      PRINCIPAL, keytab.getAbsolutePath());
359    String jsonResponse = user.doAs(new PrivilegedExceptionAction<String>() {
360      @Override
361      public String run() throws Exception {
362        try (CloseableHttpResponse response = client.execute(get, context)) {
363          final int statusCode = response.getStatusLine().getStatusCode();
364          assertEquals(response.getStatusLine().toString(), responseCode, statusCode);
365          HttpEntity entity = response.getEntity();
366          return EntityUtils.toString(entity);
367        }
368      }
369    });
370    if(responseCode == HttpURLConnection.HTTP_OK) {
371      ObjectMapper mapper = new JacksonJaxbJsonProvider().locateMapper(CellSetModel.class, MediaType.APPLICATION_JSON_TYPE);
372      CellSetModel model = mapper.readValue(jsonResponse, CellSetModel.class);
373      assertEquals(1, model.getRows().size());
374      RowModel row = model.getRows().get(0);
375      assertEquals("a", Bytes.toString(row.getKey()));
376      assertEquals(1, row.getCells().size());
377      CellModel cell = row.getCells().get(0);
378      assertEquals("1", Bytes.toString(cell.getValue()));
379    }
380  }
381
382  @Test
383  public void testPositiveAuthorization() throws Exception {
384    testProxy("", CLIENT_PRINCIPAL, clientKeytab, HttpURLConnection.HTTP_OK);
385  }
386
387  @Test
388  public void testDoAs() throws Exception {
389    testProxy("?doAs="+CLIENT_PRINCIPAL, WHEEL_PRINCIPAL, wheelKeytab, HttpURLConnection.HTTP_OK);
390  }
391
392  @Test
393  public void testDoas() throws Exception {
394    testProxy("?doas="+CLIENT_PRINCIPAL, WHEEL_PRINCIPAL, wheelKeytab, HttpURLConnection.HTTP_OK);
395  }
396
397  @Test
398  public void testWithoutDoAs() throws Exception {
399    testProxy("", WHEEL_PRINCIPAL, wheelKeytab, HttpURLConnection.HTTP_FORBIDDEN);
400  }
401
402
403  @Test
404  public void testNegativeAuthorization() throws Exception {
405    Pair<CloseableHttpClient,HttpClientContext> pair = getClient();
406    CloseableHttpClient client = pair.getFirst();
407    HttpClientContext context = pair.getSecond();
408
409    StringEntity entity = new StringEntity(
410        "{\"name\":\"test\", \"ColumnSchema\":[{\"name\":\"f\"}]}", ContentType.APPLICATION_JSON);
411    HttpPut put = new HttpPut("http://localhost:"+ REST_TEST.getServletPort() + "/test/schema");
412    put.setEntity(entity);
413
414
415    UserGroupInformation unprivileged = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
416        CLIENT_PRINCIPAL, clientKeytab.getAbsolutePath());
417    unprivileged.doAs(new PrivilegedExceptionAction<Void>() {
418      @Override
419      public Void run() throws Exception {
420        try (CloseableHttpResponse response = client.execute(put, context)) {
421          final int statusCode = response.getStatusLine().getStatusCode();
422          HttpEntity entity = response.getEntity();
423          assertEquals("Got response: "+ EntityUtils.toString(entity),
424              HttpURLConnection.HTTP_FORBIDDEN, statusCode);
425        }
426        return null;
427      }
428    });
429  }
430
431  private Pair<CloseableHttpClient,HttpClientContext> getClient() {
432    HttpClientConnectionManager pool = new PoolingHttpClientConnectionManager();
433    HttpHost host = new HttpHost("localhost", REST_TEST.getServletPort());
434    Registry<AuthSchemeProvider> authRegistry =
435        RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO,
436            new SPNegoSchemeFactory(true, true)).build();
437    CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
438    credentialsProvider.setCredentials(AuthScope.ANY, EmptyCredentials.INSTANCE);
439    AuthCache authCache = new BasicAuthCache();
440
441    CloseableHttpClient client = HttpClients.custom()
442        .setDefaultAuthSchemeRegistry(authRegistry)
443        .setConnectionManager(pool).build();
444
445    HttpClientContext context = HttpClientContext.create();
446    context.setTargetHost(host);
447    context.setCredentialsProvider(credentialsProvider);
448    context.setAuthSchemeRegistry(authRegistry);
449    context.setAuthCache(authCache);
450
451    return new Pair<>(client, context);
452  }
453
454  private static class EmptyCredentials implements Credentials {
455    public static final EmptyCredentials INSTANCE = new EmptyCredentials();
456
457    @Override public String getPassword() {
458      return null;
459    }
460    @Override public Principal getUserPrincipal() {
461      return null;
462    }
463  }
464}