001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.thrift; 019 020import static org.apache.hadoop.hbase.thrift.Constants.THRIFT_SUPPORT_PROXYUSER_KEY; 021import static org.junit.jupiter.api.Assertions.assertFalse; 022import static org.junit.jupiter.api.Assertions.assertNotNull; 023import static org.junit.jupiter.api.Assertions.assertTrue; 024 025import java.io.File; 026import java.nio.file.Paths; 027import java.security.Principal; 028import java.security.PrivilegedExceptionAction; 029import java.util.Set; 030import java.util.function.Supplier; 031import javax.security.auth.Subject; 032import javax.security.auth.kerberos.KerberosTicket; 033import org.apache.hadoop.conf.Configuration; 034import org.apache.hadoop.hbase.HBaseTestingUtil; 035import org.apache.hadoop.hbase.HConstants; 036import org.apache.hadoop.hbase.security.HBaseKerberosUtils; 037import org.apache.hadoop.hbase.testclassification.ClientTests; 038import org.apache.hadoop.hbase.testclassification.LargeTests; 039import org.apache.hadoop.hbase.thrift.generated.Hbase; 040import org.apache.hadoop.hbase.util.SimpleKdcServerUtil; 041import org.apache.hadoop.security.authentication.util.KerberosName; 042import org.apache.http.HttpHeaders; 043import org.apache.http.auth.AuthSchemeProvider; 044import org.apache.http.auth.AuthScope; 045import org.apache.http.auth.KerberosCredentials; 046import org.apache.http.client.config.AuthSchemes; 047import org.apache.http.config.Lookup; 048import org.apache.http.config.RegistryBuilder; 049import org.apache.http.impl.auth.SPNegoSchemeFactory; 050import org.apache.http.impl.client.BasicCredentialsProvider; 051import org.apache.http.impl.client.CloseableHttpClient; 052import org.apache.http.impl.client.HttpClients; 053import org.apache.kerby.kerberos.kerb.client.JaasKrbUtil; 054import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer; 055import org.ietf.jgss.GSSCredential; 056import org.ietf.jgss.GSSManager; 057import org.ietf.jgss.GSSName; 058import org.ietf.jgss.Oid; 059import org.junit.jupiter.api.AfterAll; 060import org.junit.jupiter.api.BeforeAll; 061import org.junit.jupiter.api.Disabled; 062import org.junit.jupiter.api.Tag; 063import org.junit.jupiter.api.Test; 064import org.slf4j.Logger; 065import org.slf4j.LoggerFactory; 066 067import org.apache.hbase.thirdparty.org.apache.thrift.protocol.TBinaryProtocol; 068import org.apache.hbase.thirdparty.org.apache.thrift.protocol.TProtocol; 069import org.apache.hbase.thirdparty.org.apache.thrift.transport.THttpClient; 070 071/** 072 * Start the HBase Thrift HTTP server on a random port through the command-line interface and talk 073 * to it from client side with SPNEGO security enabled. Supplemental test to 074 * TestThriftSpnegoHttpServer which falls back to the original Kerberos principal and keytab 075 * configuration properties, not the separate SPNEGO-specific properties. 076 */ 077@Tag(ClientTests.TAG) 078@Tag(LargeTests.TAG) 079public class TestThriftSpnegoHttpFallbackServer extends TestThriftHttpServerBase { 080 081 private static final Logger LOG = 082 LoggerFactory.getLogger(TestThriftSpnegoHttpFallbackServer.class); 083 084 private static SimpleKdcServer kdc; 085 private static File serverKeytab; 086 private static File clientKeytab; 087 088 private static String clientPrincipal; 089 private static String serverPrincipal; 090 private static String spnegoServerPrincipal; 091 092 private static void addSecurityConfigurations(Configuration conf) { 093 KerberosName.setRules("DEFAULT"); 094 095 HBaseKerberosUtils.setKeytabFileForTesting(serverKeytab.getAbsolutePath()); 096 097 conf.setBoolean(THRIFT_SUPPORT_PROXYUSER_KEY, true); 098 conf.setBoolean(Constants.USE_HTTP_CONF_KEY, true); 099 100 conf.set(Constants.THRIFT_KERBEROS_PRINCIPAL_KEY, serverPrincipal); 101 conf.set(Constants.THRIFT_KEYTAB_FILE_KEY, serverKeytab.getAbsolutePath()); 102 103 HBaseKerberosUtils.setSecuredConfiguration(conf, spnegoServerPrincipal, spnegoServerPrincipal); 104 conf.set("hadoop.proxyuser.HTTP.hosts", "*"); 105 conf.set("hadoop.proxyuser.HTTP.groups", "*"); 106 conf.set(Constants.THRIFT_KERBEROS_PRINCIPAL_KEY, spnegoServerPrincipal); 107 } 108 109 @BeforeAll 110 public static void beforeAll() throws Exception { 111 kdc = SimpleKdcServerUtil.getRunningSimpleKdcServer( 112 new File(TEST_UTIL.getDataTestDir().toString()), HBaseTestingUtil::randomFreePort); 113 114 File keytabDir = Paths.get(TEST_UTIL.getRandomDir().toString()).toAbsolutePath().toFile(); 115 assertTrue(keytabDir.mkdirs()); 116 117 clientPrincipal = "client@" + kdc.getKdcConfig().getKdcRealm(); 118 clientKeytab = new File(keytabDir, clientPrincipal + ".keytab"); 119 kdc.createAndExportPrincipals(clientKeytab, clientPrincipal); 120 121 serverPrincipal = "hbase/" + HConstants.LOCALHOST + "@" + kdc.getKdcConfig().getKdcRealm(); 122 serverKeytab = new File(keytabDir, serverPrincipal.replace('/', '_') + ".keytab"); 123 124 spnegoServerPrincipal = "HTTP/" + HConstants.LOCALHOST + "@" + kdc.getKdcConfig().getKdcRealm(); 125 // Add SPNEGO principal to server keytab 126 kdc.createAndExportPrincipals(serverKeytab, serverPrincipal, spnegoServerPrincipal); 127 128 TEST_UTIL.getConfiguration().setBoolean(Constants.USE_HTTP_CONF_KEY, true); 129 addSecurityConfigurations(TEST_UTIL.getConfiguration()); 130 131 TestThriftHttpServerBase.setUpBeforeClass(); 132 } 133 134 @AfterAll 135 public static void afterAll() throws Exception { 136 TestThriftHttpServerBase.tearDownAfterClass(); 137 138 try { 139 if (null != kdc) { 140 kdc.stop(); 141 kdc = null; 142 } 143 } catch (Exception e) { 144 LOG.info("Failed to stop mini KDC", e); 145 } 146 } 147 148 @Override 149 protected void talkToThriftServer(String url, int customHeaderSize) throws Exception { 150 // Close httpClient and THttpClient automatically on any failures 151 try (CloseableHttpClient httpClient = createHttpClient(); 152 THttpClient tHttpClient = new THttpClient(url, httpClient)) { 153 tHttpClient.open(); 154 if (customHeaderSize > 0) { 155 StringBuilder sb = new StringBuilder(); 156 for (int i = 0; i < customHeaderSize; i++) { 157 sb.append("a"); 158 } 159 tHttpClient.setCustomHeader(HttpHeaders.USER_AGENT, sb.toString()); 160 } 161 162 TProtocol prot = new TBinaryProtocol(tHttpClient); 163 Hbase.Client client = new Hbase.Client(prot); 164 TestThriftServer.createTestTables(client); 165 TestThriftServer.checkTableList(client); 166 TestThriftServer.dropTestTables(client); 167 } 168 } 169 170 private CloseableHttpClient createHttpClient() throws Exception { 171 final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(clientPrincipal, clientKeytab); 172 final Set<Principal> clientPrincipals = clientSubject.getPrincipals(); 173 // Make sure the subject has a principal 174 assertFalse(clientPrincipals.isEmpty(), "Found no client principals in the clientSubject."); 175 176 // Get a TGT for the subject (might have many, different encryption types). The first should 177 // be the default encryption type. 178 Set<KerberosTicket> privateCredentials = 179 clientSubject.getPrivateCredentials(KerberosTicket.class); 180 assertFalse(privateCredentials.isEmpty(), "Found no private credentials in the clientSubject."); 181 KerberosTicket tgt = privateCredentials.iterator().next(); 182 assertNotNull(tgt, "No kerberos ticket found."); 183 184 // The name of the principal 185 final String clientPrincipalName = clientPrincipals.iterator().next().getName(); 186 187 return Subject.doAs(clientSubject, (PrivilegedExceptionAction<CloseableHttpClient>) () -> { 188 // Logs in with Kerberos via GSS 189 GSSManager gssManager = GSSManager.getInstance(); 190 // jGSS Kerberos login constant 191 Oid oid = new Oid("1.2.840.113554.1.2.2"); 192 GSSName gssClient = gssManager.createName(clientPrincipalName, GSSName.NT_USER_NAME); 193 GSSCredential credential = gssManager.createCredential(gssClient, 194 GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY); 195 196 Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider> create() 197 .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true)).build(); 198 199 BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider(); 200 credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential)); 201 202 return HttpClients.custom().setDefaultAuthSchemeRegistry(authRegistry) 203 .setDefaultCredentialsProvider(credentialsProvider).build(); 204 }); 205 } 206 207 @Override 208 protected Supplier<ThriftServer> getThriftServerSupplier() { 209 return () -> new ThriftServer(TEST_UTIL.getConfiguration()); 210 } 211 212 /** 213 * Block call through to this method. It is a messy test that fails because of bad config and then 214 * succeeds only the first attempt adds a table which the second attempt doesn't want to be in 215 * place to succeed. Let the super impl of this test be responsible for verifying we fail if bad 216 * header size. 217 */ 218 @Disabled 219 @Test 220 @Override 221 public void testRunThriftServerWithHeaderBufferLength() throws Exception { 222 super.testRunThriftServerWithHeaderBufferLength(); 223 } 224}