HBASE-11960 Provide a sample to show how to use Thrift client authentication
parent
e05f78ec01
commit
0ff05f46e7
|
@ -25,8 +25,10 @@ Example code.
|
||||||
for f in `find . -name "libthrift-*.jar" -or -name "slf4j-*.jar" -or -name "log4j-*.jar"`; do
|
for f in `find . -name "libthrift-*.jar" -or -name "slf4j-*.jar" -or -name "log4j-*.jar"`; do
|
||||||
HBASE_EXAMPLE_CLASSPATH=${HBASE_EXAMPLE_CLASSPATH}:$f;
|
HBASE_EXAMPLE_CLASSPATH=${HBASE_EXAMPLE_CLASSPATH}:$f;
|
||||||
done
|
done
|
||||||
2. Execute:
|
2. If HBase server is not secure, or authentication is not enabled for the Thrift server, execute:
|
||||||
{java -cp hbase-examples-[VERSION].jar:${HBASE_EXAMPLE_CLASSPATH} org.apache.hadoop.hbase.thrift.DemoClient <host> <port>}
|
{java -cp hbase-examples-[VERSION].jar:${HBASE_EXAMPLE_CLASSPATH} org.apache.hadoop.hbase.thrift.DemoClient <host> <port>}
|
||||||
|
3. If HBase server is secure, and authentication is enabled for the Thrift server, run kinit at first, then execute:
|
||||||
|
{java -cp hbase-examples-[VERSION].jar:${HBASE_EXAMPLE_CLASSPATH} org.apache.hadoop.hbase.thrift.DemoClient <host> <port> true}
|
||||||
|
|
||||||
* Ruby: hbase-examples/src/main/ruby/DemoClient.rb
|
* Ruby: hbase-examples/src/main/ruby/DemoClient.rb
|
||||||
1. Modify the import path in the file to point to {$THRIFT_HOME}/lib/rb/lib.
|
1. Modify the import path in the file to point to {$THRIFT_HOME}/lib/rb/lib.
|
||||||
|
|
|
@ -23,29 +23,34 @@ import java.nio.ByteBuffer;
|
||||||
import java.nio.charset.CharacterCodingException;
|
import java.nio.charset.CharacterCodingException;
|
||||||
import java.nio.charset.Charset;
|
import java.nio.charset.Charset;
|
||||||
import java.nio.charset.CharsetDecoder;
|
import java.nio.charset.CharsetDecoder;
|
||||||
|
import java.security.PrivilegedExceptionAction;
|
||||||
import java.text.NumberFormat;
|
import java.text.NumberFormat;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
|
import java.util.HashMap;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.TreeMap;
|
|
||||||
import java.util.SortedMap;
|
import java.util.SortedMap;
|
||||||
|
import java.util.TreeMap;
|
||||||
|
|
||||||
|
import javax.security.auth.Subject;
|
||||||
|
import javax.security.auth.login.AppConfigurationEntry;
|
||||||
|
import javax.security.auth.login.Configuration;
|
||||||
|
import javax.security.auth.login.LoginContext;
|
||||||
|
import javax.security.sasl.Sasl;
|
||||||
|
|
||||||
import org.apache.hadoop.hbase.thrift.generated.AlreadyExists;
|
import org.apache.hadoop.hbase.thrift.generated.AlreadyExists;
|
||||||
import org.apache.hadoop.hbase.thrift.generated.ColumnDescriptor;
|
import org.apache.hadoop.hbase.thrift.generated.ColumnDescriptor;
|
||||||
import org.apache.hadoop.hbase.thrift.generated.Hbase;
|
import org.apache.hadoop.hbase.thrift.generated.Hbase;
|
||||||
import org.apache.hadoop.hbase.thrift.generated.IOError;
|
|
||||||
import org.apache.hadoop.hbase.thrift.generated.IllegalArgument;
|
|
||||||
import org.apache.hadoop.hbase.thrift.generated.Mutation;
|
import org.apache.hadoop.hbase.thrift.generated.Mutation;
|
||||||
import org.apache.hadoop.hbase.thrift.generated.TCell;
|
import org.apache.hadoop.hbase.thrift.generated.TCell;
|
||||||
import org.apache.hadoop.hbase.thrift.generated.TRowResult;
|
import org.apache.hadoop.hbase.thrift.generated.TRowResult;
|
||||||
|
|
||||||
import org.apache.thrift.TException;
|
|
||||||
import org.apache.thrift.protocol.TBinaryProtocol;
|
import org.apache.thrift.protocol.TBinaryProtocol;
|
||||||
import org.apache.thrift.protocol.TProtocol;
|
import org.apache.thrift.protocol.TProtocol;
|
||||||
|
import org.apache.thrift.transport.TSaslClientTransport;
|
||||||
import org.apache.thrift.transport.TSocket;
|
import org.apache.thrift.transport.TSocket;
|
||||||
import org.apache.thrift.transport.TTransport;
|
import org.apache.thrift.transport.TTransport;
|
||||||
|
|
||||||
/*
|
/**
|
||||||
* See the instructions under hbase-examples/README.txt
|
* See the instructions under hbase-examples/README.txt
|
||||||
*/
|
*/
|
||||||
public class DemoClient {
|
public class DemoClient {
|
||||||
|
@ -54,23 +59,33 @@ public class DemoClient {
|
||||||
static protected String host;
|
static protected String host;
|
||||||
CharsetDecoder decoder = null;
|
CharsetDecoder decoder = null;
|
||||||
|
|
||||||
public static void main(String[] args)
|
private static boolean secure = false;
|
||||||
throws IOError, TException, UnsupportedEncodingException, IllegalArgument, AlreadyExists {
|
|
||||||
|
|
||||||
if (args.length != 2) {
|
public static void main(String[] args) throws Exception {
|
||||||
|
|
||||||
|
if (args.length < 2 || args.length > 3) {
|
||||||
|
|
||||||
System.out.println("Invalid arguments!");
|
System.out.println("Invalid arguments!");
|
||||||
System.out.println("Usage: DemoClient host port");
|
System.out.println("Usage: DemoClient host port [secure=false]");
|
||||||
|
|
||||||
System.exit(-1);
|
System.exit(-1);
|
||||||
}
|
}
|
||||||
|
|
||||||
port = Integer.parseInt(args[1]);
|
port = Integer.parseInt(args[1]);
|
||||||
host = args[0];
|
host = args[0];
|
||||||
|
if (args.length > 2) {
|
||||||
|
secure = Boolean.parseBoolean(args[2]);
|
||||||
|
}
|
||||||
|
|
||||||
|
final DemoClient client = new DemoClient();
|
||||||
DemoClient client = new DemoClient();
|
Subject.doAs(getSubject(),
|
||||||
client.run();
|
new PrivilegedExceptionAction<Void>() {
|
||||||
|
@Override
|
||||||
|
public Void run() throws Exception {
|
||||||
|
client.run();
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
DemoClient() {
|
DemoClient() {
|
||||||
|
@ -96,15 +111,28 @@ public class DemoClient {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private void run() throws IOError, TException, IllegalArgument,
|
private void run() throws Exception {
|
||||||
AlreadyExists {
|
|
||||||
|
|
||||||
TTransport transport = new TSocket(host, port);
|
TTransport transport = new TSocket(host, port);
|
||||||
TProtocol protocol = new TBinaryProtocol(transport, true, true);
|
if (secure) {
|
||||||
Hbase.Client client = new Hbase.Client(protocol);
|
Map<String, String> saslProperties = new HashMap<String, String>();
|
||||||
|
saslProperties.put(Sasl.QOP, "auth-conf,auth-int,auth");
|
||||||
|
/**
|
||||||
|
* The Thrift server the DemoClient is trying to connect to
|
||||||
|
* must have a matching principal, and support authentication.
|
||||||
|
*
|
||||||
|
* The HBase cluster must be secure, allow proxy user.
|
||||||
|
*/
|
||||||
|
transport = new TSaslClientTransport("GSSAPI", null,
|
||||||
|
"hbase", // Thrift server user name, should be an authorized proxy user.
|
||||||
|
host, // Thrift server domain
|
||||||
|
saslProperties, null, transport);
|
||||||
|
}
|
||||||
|
|
||||||
transport.open();
|
transport.open();
|
||||||
|
|
||||||
|
TProtocol protocol = new TBinaryProtocol(transport, true, true);
|
||||||
|
Hbase.Client client = new Hbase.Client(protocol);
|
||||||
|
|
||||||
byte[] t = bytes("demo_table");
|
byte[] t = bytes("demo_table");
|
||||||
|
|
||||||
//
|
//
|
||||||
|
@ -130,10 +158,12 @@ public class DemoClient {
|
||||||
ColumnDescriptor col;
|
ColumnDescriptor col;
|
||||||
col = new ColumnDescriptor();
|
col = new ColumnDescriptor();
|
||||||
col.name = ByteBuffer.wrap(bytes("entry:"));
|
col.name = ByteBuffer.wrap(bytes("entry:"));
|
||||||
|
col.timeToLive = Integer.MAX_VALUE;
|
||||||
col.maxVersions = 10;
|
col.maxVersions = 10;
|
||||||
columns.add(col);
|
columns.add(col);
|
||||||
col = new ColumnDescriptor();
|
col = new ColumnDescriptor();
|
||||||
col.name = ByteBuffer.wrap(bytes("unused:"));
|
col.name = ByteBuffer.wrap(bytes("unused:"));
|
||||||
|
col.timeToLive = Integer.MAX_VALUE;
|
||||||
columns.add(col);
|
columns.add(col);
|
||||||
|
|
||||||
System.out.println("creating table: " + utf8(t));
|
System.out.println("creating table: " + utf8(t));
|
||||||
|
@ -337,4 +367,39 @@ public class DemoClient {
|
||||||
printRow(rowResult);
|
printRow(rowResult);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static Subject getSubject() throws Exception {
|
||||||
|
if (!secure) return new Subject();
|
||||||
|
|
||||||
|
/*
|
||||||
|
* To authenticate the DemoClient, kinit should be invoked ahead.
|
||||||
|
* Here we try to get the Kerberos credential from the ticket cache.
|
||||||
|
*/
|
||||||
|
LoginContext context = new LoginContext("", new Subject(), null,
|
||||||
|
new Configuration() {
|
||||||
|
@Override
|
||||||
|
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
|
||||||
|
Map<String, String> options = new HashMap<String, String>();
|
||||||
|
options.put("useKeyTab", "false");
|
||||||
|
options.put("storeKey", "false");
|
||||||
|
options.put("doNotPrompt", "true");
|
||||||
|
options.put("useTicketCache", "true");
|
||||||
|
options.put("renewTGT", "true");
|
||||||
|
options.put("refreshKrb5Config", "true");
|
||||||
|
options.put("isInitiator", "true");
|
||||||
|
String ticketCache = System.getenv("KRB5CCNAME");
|
||||||
|
if (ticketCache != null) {
|
||||||
|
options.put("ticketCache", ticketCache);
|
||||||
|
}
|
||||||
|
options.put("debug", "true");
|
||||||
|
|
||||||
|
return new AppConfigurationEntry[]{
|
||||||
|
new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
|
||||||
|
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
|
||||||
|
options)};
|
||||||
|
}
|
||||||
|
});
|
||||||
|
context.login();
|
||||||
|
return context.getSubject();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
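Review bot: The SASL QOP list `auth-conf,auth-int,auth` set in run() lets the negotiation settle on plain `auth`, so after the GSSAPI handshake the Thrift traffic may carry no integrity or confidentiality protection, depending on what the server offers. Since this is sample code that gets copied, I would add a comment next to that line, e.g. `// ordered by preference; drop "auth" (and "auth-int") if the connection must stay protected after login`. In getSubject(), `options.put("debug", "true");` turns on Krb5LoginModule debug messages for every secure run; a sample should leave that off or mark it as troubleshooting-only. Both lines are repeated in the thrift2 DemoClient further down. run() ends outside the visible hunks, so whether the transport is closed on failure cannot be checked from here.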
@ -19,30 +19,40 @@
|
||||||
package org.apache.hadoop.hbase.thrift2;
|
package org.apache.hadoop.hbase.thrift2;
|
||||||
|
|
||||||
import java.nio.ByteBuffer;
|
import java.nio.ByteBuffer;
|
||||||
|
import java.security.PrivilegedExceptionAction;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
|
import java.util.HashMap;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import javax.security.auth.Subject;
|
||||||
|
import javax.security.auth.login.AppConfigurationEntry;
|
||||||
|
import javax.security.auth.login.Configuration;
|
||||||
|
import javax.security.auth.login.LoginContext;
|
||||||
|
import javax.security.sasl.Sasl;
|
||||||
|
|
||||||
import org.apache.hadoop.hbase.thrift2.generated.TColumnValue;
|
import org.apache.hadoop.hbase.thrift2.generated.TColumnValue;
|
||||||
import org.apache.hadoop.hbase.thrift2.generated.TGet;
|
import org.apache.hadoop.hbase.thrift2.generated.TGet;
|
||||||
import org.apache.hadoop.hbase.thrift2.generated.THBaseService;
|
import org.apache.hadoop.hbase.thrift2.generated.THBaseService;
|
||||||
import org.apache.hadoop.hbase.thrift2.generated.TIOError;
|
|
||||||
import org.apache.hadoop.hbase.thrift2.generated.TPut;
|
import org.apache.hadoop.hbase.thrift2.generated.TPut;
|
||||||
import org.apache.hadoop.hbase.thrift2.generated.TResult;
|
import org.apache.hadoop.hbase.thrift2.generated.TResult;
|
||||||
import org.apache.thrift.TException;
|
|
||||||
import org.apache.thrift.protocol.TBinaryProtocol;
|
import org.apache.thrift.protocol.TBinaryProtocol;
|
||||||
import org.apache.thrift.protocol.TProtocol;
|
import org.apache.thrift.protocol.TProtocol;
|
||||||
import org.apache.thrift.transport.TFramedTransport;
|
import org.apache.thrift.transport.TFramedTransport;
|
||||||
|
import org.apache.thrift.transport.TSaslClientTransport;
|
||||||
import org.apache.thrift.transport.TSocket;
|
import org.apache.thrift.transport.TSocket;
|
||||||
import org.apache.thrift.transport.TTransport;
|
import org.apache.thrift.transport.TTransport;
|
||||||
|
|
||||||
public class DemoClient {
|
public class DemoClient {
|
||||||
public static void main(String[] args) throws TIOError, TException {
|
|
||||||
System.out.println("Thrift2 Demo");
|
|
||||||
System.out.println("Usage: DemoClient [host=localhost] [port=9090]");
|
|
||||||
System.out.println("This demo assumes you have a table called \"example\" with a column family called \"family1\"");
|
|
||||||
|
|
||||||
String host = "localhost";
|
private static String host = "localhost";
|
||||||
int port = 9090;
|
private static int port = 9090;
|
||||||
|
private static boolean secure = false;
|
||||||
|
|
||||||
|
public static void main(String[] args) throws Exception {
|
||||||
|
System.out.println("Thrift2 Demo");
|
||||||
|
System.out.println("Usage: DemoClient [host=localhost] [port=9090] [secure=false]");
|
||||||
|
System.out.println("This demo assumes you have a table called \"example\" with a column family called \"family1\"");
|
||||||
|
|
||||||
// use passed in arguments instead of defaults
|
// use passed in arguments instead of defaults
|
||||||
if (args.length >= 1) {
|
if (args.length >= 1) {
|
||||||
|
@ -51,14 +61,43 @@ public class DemoClient {
|
||||||
if (args.length >= 2) {
|
if (args.length >= 2) {
|
||||||
port = Integer.parseInt(args[1]);
|
port = Integer.parseInt(args[1]);
|
||||||
}
|
}
|
||||||
|
if (args.length >= 3) {
|
||||||
|
secure = Boolean.parseBoolean(args[2]);
|
||||||
|
}
|
||||||
|
|
||||||
|
final DemoClient client = new DemoClient();
|
||||||
|
Subject.doAs(getSubject(),
|
||||||
|
new PrivilegedExceptionAction<Void>() {
|
||||||
|
@Override
|
||||||
|
public Void run() throws Exception {
|
||||||
|
client.run();
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
public void run() throws Exception {
|
||||||
int timeout = 10000;
|
int timeout = 10000;
|
||||||
boolean framed = false;
|
boolean framed = false;
|
||||||
|
|
||||||
TTransport transport = new TSocket(host, port, timeout);
|
TTransport transport = new TSocket(host, port, timeout);
|
||||||
if (framed) {
|
if (framed) {
|
||||||
transport = new TFramedTransport(transport);
|
transport = new TFramedTransport(transport);
|
||||||
|
} else if (secure) {
|
||||||
|
/**
|
||||||
|
* The Thrift server the DemoClient is trying to connect to
|
||||||
|
* must have a matching principal, and support authentication.
|
||||||
|
*
|
||||||
|
* The HBase cluster must be secure, allow proxy user.
|
||||||
|
*/
|
||||||
|
Map<String, String> saslProperties = new HashMap<String, String>();
|
||||||
|
saslProperties.put(Sasl.QOP, "auth-conf,auth-int,auth");
|
||||||
|
transport = new TSaslClientTransport("GSSAPI", null,
|
||||||
|
"hbase", // Thrift server user name, should be an authorized proxy user.
|
||||||
|
host, // Thrift server domain
|
||||||
|
saslProperties, null, transport);
|
||||||
}
|
}
|
||||||
|
|
||||||
TProtocol protocol = new TBinaryProtocol(transport);
|
TProtocol protocol = new TBinaryProtocol(transport);
|
||||||
// This is our thrift client.
|
// This is our thrift client.
|
||||||
THBaseService.Iface client = new THBaseService.Client(protocol);
|
THBaseService.Iface client = new THBaseService.Client(protocol);
|
||||||
|
@ -96,4 +135,39 @@ public class DemoClient {
|
||||||
|
|
||||||
transport.close();
|
transport.close();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static Subject getSubject() throws Exception {
|
||||||
|
if (!secure) return new Subject();
|
||||||
|
|
||||||
|
/*
|
||||||
|
* To authenticate the DemoClient, kinit should be invoked ahead.
|
||||||
|
* Here we try to get the Kerberos credential from the ticket cache.
|
||||||
|
*/
|
||||||
|
LoginContext context = new LoginContext("", new Subject(), null,
|
||||||
|
new Configuration() {
|
||||||
|
@Override
|
||||||
|
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
|
||||||
|
Map<String, String> options = new HashMap<String, String>();
|
||||||
|
options.put("useKeyTab", "false");
|
||||||
|
options.put("storeKey", "false");
|
||||||
|
options.put("doNotPrompt", "true");
|
||||||
|
options.put("useTicketCache", "true");
|
||||||
|
options.put("renewTGT", "true");
|
||||||
|
options.put("refreshKrb5Config", "true");
|
||||||
|
options.put("isInitiator", "true");
|
||||||
|
String ticketCache = System.getenv("KRB5CCNAME");
|
||||||
|
if (ticketCache != null) {
|
||||||
|
options.put("ticketCache", ticketCache);
|
||||||
|
}
|
||||||
|
options.put("debug", "true");
|
||||||
|
|
||||||
|
return new AppConfigurationEntry[]{
|
||||||
|
new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
|
||||||
|
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
|
||||||
|
options)};
|
||||||
|
}
|
||||||
|
});
|
||||||
|
context.login();
|
||||||
|
return context.getSubject();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
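Review bot: In run(), SASL is attached in `else if (secure)` after `if (framed)`, so with `framed` set to true the client opens a transport with no SASL layer even when `secure` was passed as true, and nothing reports it. `framed` is hard-coded to false in the visible lines, so the branch is not reached today, but it is the first thing a reader changes when the server runs framed. I would fail fast on the combination, e.g. `if (framed && secure) throw new IllegalArgumentException("framed and secure cannot be combined in this demo");`, or at least add a comment at the `else if` saying the two are mutually exclusive here. Separately, `Boolean.parseBoolean(args[2])` maps anything but "true" to false, and the usage text `[secure=false]` invites passing `secure=true`, which would silently skip the Kerberos login; the same parsing is in the thrift DemoClient main. The middle of run() lies between hunks and is not visible.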