HBASE-11960 Provide a sample to show how to use Thrift client authentication

This commit is contained in:
Jimmy Xiang 2014-09-15 10:27:41 -07:00
parent e05f78ec01
commit 0ff05f46e7
3 changed files with 171 additions and 30 deletions

View File

@ -25,8 +25,10 @@ Example code.
for f in `find . -name "libthrift-*.jar" -or -name "slf4j-*.jar" -or -name "log4j-*.jar"`; do for f in `find . -name "libthrift-*.jar" -or -name "slf4j-*.jar" -or -name "log4j-*.jar"`; do
HBASE_EXAMPLE_CLASSPATH=${HBASE_EXAMPLE_CLASSPATH}:$f; HBASE_EXAMPLE_CLASSPATH=${HBASE_EXAMPLE_CLASSPATH}:$f;
done done
2. Execute: 2. If HBase server is not secure, or authentication is not enabled for the Thrift server, execute:
{java -cp hbase-examples-[VERSION].jar:${HBASE_EXAMPLE_CLASSPATH} org.apache.hadoop.hbase.thrift.DemoClient <host> <port>} {java -cp hbase-examples-[VERSION].jar:${HBASE_EXAMPLE_CLASSPATH} org.apache.hadoop.hbase.thrift.DemoClient <host> <port>}
3. If HBase server is secure, and authentication is enabled for the Thrift server, run kinit at first, then execute:
{java -cp hbase-examples-[VERSION].jar:${HBASE_EXAMPLE_CLASSPATH} org.apache.hadoop.hbase.thrift.DemoClient <host> <port> true}
* Ruby: hbase-examples/src/main/ruby/DemoClient.rb * Ruby: hbase-examples/src/main/ruby/DemoClient.rb
1. Modify the import path in the file to point to {$THRIFT_HOME}/lib/rb/lib. 1. Modify the import path in the file to point to {$THRIFT_HOME}/lib/rb/lib.

View File

@ -23,29 +23,34 @@ import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException; import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset; import java.nio.charset.Charset;
import java.nio.charset.CharsetDecoder; import java.nio.charset.CharsetDecoder;
import java.security.PrivilegedExceptionAction;
import java.text.NumberFormat; import java.text.NumberFormat;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.TreeMap;
import java.util.SortedMap; import java.util.SortedMap;
import java.util.TreeMap;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.sasl.Sasl;
import org.apache.hadoop.hbase.thrift.generated.AlreadyExists; import org.apache.hadoop.hbase.thrift.generated.AlreadyExists;
import org.apache.hadoop.hbase.thrift.generated.ColumnDescriptor; import org.apache.hadoop.hbase.thrift.generated.ColumnDescriptor;
import org.apache.hadoop.hbase.thrift.generated.Hbase; import org.apache.hadoop.hbase.thrift.generated.Hbase;
import org.apache.hadoop.hbase.thrift.generated.IOError;
import org.apache.hadoop.hbase.thrift.generated.IllegalArgument;
import org.apache.hadoop.hbase.thrift.generated.Mutation; import org.apache.hadoop.hbase.thrift.generated.Mutation;
import org.apache.hadoop.hbase.thrift.generated.TCell; import org.apache.hadoop.hbase.thrift.generated.TCell;
import org.apache.hadoop.hbase.thrift.generated.TRowResult; import org.apache.hadoop.hbase.thrift.generated.TRowResult;
import org.apache.thrift.TException;
import org.apache.thrift.protocol.TBinaryProtocol; import org.apache.thrift.protocol.TBinaryProtocol;
import org.apache.thrift.protocol.TProtocol; import org.apache.thrift.protocol.TProtocol;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TSocket; import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport; import org.apache.thrift.transport.TTransport;
/* /**
* See the instructions under hbase-examples/README.txt * See the instructions under hbase-examples/README.txt
*/ */
public class DemoClient { public class DemoClient {
@ -54,23 +59,33 @@ public class DemoClient {
static protected String host; static protected String host;
CharsetDecoder decoder = null; CharsetDecoder decoder = null;
public static void main(String[] args) private static boolean secure = false;
throws IOError, TException, UnsupportedEncodingException, IllegalArgument, AlreadyExists {
if (args.length != 2) { public static void main(String[] args) throws Exception {
if (args.length < 2 || args.length > 3) {
System.out.println("Invalid arguments!"); System.out.println("Invalid arguments!");
System.out.println("Usage: DemoClient host port"); System.out.println("Usage: DemoClient host port [secure=false]");
System.exit(-1); System.exit(-1);
} }
port = Integer.parseInt(args[1]); port = Integer.parseInt(args[1]);
host = args[0]; host = args[0];
if (args.length > 2) {
secure = Boolean.parseBoolean(args[2]);
}
final DemoClient client = new DemoClient();
DemoClient client = new DemoClient(); Subject.doAs(getSubject(),
client.run(); new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
client.run();
return null;
}
});
} }
DemoClient() { DemoClient() {
@ -96,15 +111,28 @@ public class DemoClient {
} }
} }
private void run() throws IOError, TException, IllegalArgument, private void run() throws Exception {
AlreadyExists {
TTransport transport = new TSocket(host, port); TTransport transport = new TSocket(host, port);
TProtocol protocol = new TBinaryProtocol(transport, true, true); if (secure) {
Hbase.Client client = new Hbase.Client(protocol); Map<String, String> saslProperties = new HashMap<String, String>();
saslProperties.put(Sasl.QOP, "auth-conf,auth-int,auth");
/**
* The Thrift server the DemoClient is trying to connect to
* must have a matching principal, and support authentication.
*
* The HBase cluster must be secure, allow proxy user.
*/
transport = new TSaslClientTransport("GSSAPI", null,
"hbase", // Thrift server user name, should be an authorized proxy user.
host, // Thrift server domain
saslProperties, null, transport);
}
transport.open(); transport.open();
TProtocol protocol = new TBinaryProtocol(transport, true, true);
Hbase.Client client = new Hbase.Client(protocol);
byte[] t = bytes("demo_table"); byte[] t = bytes("demo_table");
// //
@ -130,10 +158,12 @@ public class DemoClient {
ColumnDescriptor col; ColumnDescriptor col;
col = new ColumnDescriptor(); col = new ColumnDescriptor();
col.name = ByteBuffer.wrap(bytes("entry:")); col.name = ByteBuffer.wrap(bytes("entry:"));
col.timeToLive = Integer.MAX_VALUE;
col.maxVersions = 10; col.maxVersions = 10;
columns.add(col); columns.add(col);
col = new ColumnDescriptor(); col = new ColumnDescriptor();
col.name = ByteBuffer.wrap(bytes("unused:")); col.name = ByteBuffer.wrap(bytes("unused:"));
col.timeToLive = Integer.MAX_VALUE;
columns.add(col); columns.add(col);
System.out.println("creating table: " + utf8(t)); System.out.println("creating table: " + utf8(t));
@ -337,4 +367,39 @@ public class DemoClient {
printRow(rowResult); printRow(rowResult);
} }
} }
static Subject getSubject() throws Exception {
if (!secure) return new Subject();
/*
* To authenticate the DemoClient, kinit should be invoked ahead.
* Here we try to get the Kerberos credential from the ticket cache.
*/
LoginContext context = new LoginContext("", new Subject(), null,
new Configuration() {
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
Map<String, String> options = new HashMap<String, String>();
options.put("useKeyTab", "false");
options.put("storeKey", "false");
options.put("doNotPrompt", "true");
options.put("useTicketCache", "true");
options.put("renewTGT", "true");
options.put("refreshKrb5Config", "true");
options.put("isInitiator", "true");
String ticketCache = System.getenv("KRB5CCNAME");
if (ticketCache != null) {
options.put("ticketCache", ticketCache);
}
options.put("debug", "true");
return new AppConfigurationEntry[]{
new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
options)};
}
});
context.login();
return context.getSubject();
}
} }

View File

@ -19,30 +19,40 @@
package org.apache.hadoop.hbase.thrift2; package org.apache.hadoop.hbase.thrift2;
import java.nio.ByteBuffer; import java.nio.ByteBuffer;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.sasl.Sasl;
import org.apache.hadoop.hbase.thrift2.generated.TColumnValue; import org.apache.hadoop.hbase.thrift2.generated.TColumnValue;
import org.apache.hadoop.hbase.thrift2.generated.TGet; import org.apache.hadoop.hbase.thrift2.generated.TGet;
import org.apache.hadoop.hbase.thrift2.generated.THBaseService; import org.apache.hadoop.hbase.thrift2.generated.THBaseService;
import org.apache.hadoop.hbase.thrift2.generated.TIOError;
import org.apache.hadoop.hbase.thrift2.generated.TPut; import org.apache.hadoop.hbase.thrift2.generated.TPut;
import org.apache.hadoop.hbase.thrift2.generated.TResult; import org.apache.hadoop.hbase.thrift2.generated.TResult;
import org.apache.thrift.TException;
import org.apache.thrift.protocol.TBinaryProtocol; import org.apache.thrift.protocol.TBinaryProtocol;
import org.apache.thrift.protocol.TProtocol; import org.apache.thrift.protocol.TProtocol;
import org.apache.thrift.transport.TFramedTransport; import org.apache.thrift.transport.TFramedTransport;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TSocket; import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport; import org.apache.thrift.transport.TTransport;
public class DemoClient { public class DemoClient {
public static void main(String[] args) throws TIOError, TException {
System.out.println("Thrift2 Demo");
System.out.println("Usage: DemoClient [host=localhost] [port=9090]");
System.out.println("This demo assumes you have a table called \"example\" with a column family called \"family1\"");
String host = "localhost"; private static String host = "localhost";
int port = 9090; private static int port = 9090;
private static boolean secure = false;
public static void main(String[] args) throws Exception {
System.out.println("Thrift2 Demo");
System.out.println("Usage: DemoClient [host=localhost] [port=9090] [secure=false]");
System.out.println("This demo assumes you have a table called \"example\" with a column family called \"family1\"");
// use passed in arguments instead of defaults // use passed in arguments instead of defaults
if (args.length >= 1) { if (args.length >= 1) {
@ -51,14 +61,43 @@ public class DemoClient {
if (args.length >= 2) { if (args.length >= 2) {
port = Integer.parseInt(args[1]); port = Integer.parseInt(args[1]);
} }
if (args.length >= 3) {
secure = Boolean.parseBoolean(args[2]);
}
final DemoClient client = new DemoClient();
Subject.doAs(getSubject(),
new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
client.run();
return null;
}
});
}
public void run() throws Exception {
int timeout = 10000; int timeout = 10000;
boolean framed = false; boolean framed = false;
TTransport transport = new TSocket(host, port, timeout); TTransport transport = new TSocket(host, port, timeout);
if (framed) { if (framed) {
transport = new TFramedTransport(transport); transport = new TFramedTransport(transport);
} else if (secure) {
/**
* The Thrift server the DemoClient is trying to connect to
* must have a matching principal, and support authentication.
*
* The HBase cluster must be secure, allow proxy user.
*/
Map<String, String> saslProperties = new HashMap<String, String>();
saslProperties.put(Sasl.QOP, "auth-conf,auth-int,auth");
transport = new TSaslClientTransport("GSSAPI", null,
"hbase", // Thrift server user name, should be an authorized proxy user.
host, // Thrift server domain
saslProperties, null, transport);
} }
TProtocol protocol = new TBinaryProtocol(transport); TProtocol protocol = new TBinaryProtocol(transport);
// This is our thrift client. // This is our thrift client.
THBaseService.Iface client = new THBaseService.Client(protocol); THBaseService.Iface client = new THBaseService.Client(protocol);
@ -96,4 +135,39 @@ public class DemoClient {
transport.close(); transport.close();
} }
static Subject getSubject() throws Exception {
if (!secure) return new Subject();
/*
* To authenticate the DemoClient, kinit should be invoked ahead.
* Here we try to get the Kerberos credential from the ticket cache.
*/
LoginContext context = new LoginContext("", new Subject(), null,
new Configuration() {
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
Map<String, String> options = new HashMap<String, String>();
options.put("useKeyTab", "false");
options.put("storeKey", "false");
options.put("doNotPrompt", "true");
options.put("useTicketCache", "true");
options.put("renewTGT", "true");
options.put("refreshKrb5Config", "true");
options.put("isInitiator", "true");
String ticketCache = System.getenv("KRB5CCNAME");
if (ticketCache != null) {
options.put("ticketCache", ticketCache);
}
options.put("debug", "true");
return new AppConfigurationEntry[]{
new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
options)};
}
});
context.login();
return context.getSubject();
}
} }