HBASE-11960 Provide a sample to show how to use Thrift client authentication
This commit is contained in:
parent
e05f78ec01
commit
0ff05f46e7
|
@ -25,8 +25,10 @@ Example code.
|
|||
for f in `find . -name "libthrift-*.jar" -or -name "slf4j-*.jar" -or -name "log4j-*.jar"`; do
|
||||
HBASE_EXAMPLE_CLASSPATH=${HBASE_EXAMPLE_CLASSPATH}:$f;
|
||||
done
|
||||
2. Execute:
|
||||
2. If HBase server is not secure, or authentication is not enabled for the Thrift server, execute:
|
||||
{java -cp hbase-examples-[VERSION].jar:${HBASE_EXAMPLE_CLASSPATH} org.apache.hadoop.hbase.thrift.DemoClient <host> <port>}
|
||||
3. If HBase server is secure, and authentication is enabled for the Thrift server, run kinit at first, then execute:
|
||||
{java -cp hbase-examples-[VERSION].jar:${HBASE_EXAMPLE_CLASSPATH} org.apache.hadoop.hbase.thrift.DemoClient <host> <port> true}
|
||||
|
||||
* Ruby: hbase-examples/src/main/ruby/DemoClient.rb
|
||||
1. Modify the import path in the file to point to {$THRIFT_HOME}/lib/rb/lib.
|
||||
|
|
|
@ -23,29 +23,34 @@ import java.nio.ByteBuffer;
|
|||
import java.nio.charset.CharacterCodingException;
|
||||
import java.nio.charset.Charset;
|
||||
import java.nio.charset.CharsetDecoder;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.text.NumberFormat;
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.TreeMap;
|
||||
import java.util.SortedMap;
|
||||
import java.util.TreeMap;
|
||||
|
||||
import javax.security.auth.Subject;
|
||||
import javax.security.auth.login.AppConfigurationEntry;
|
||||
import javax.security.auth.login.Configuration;
|
||||
import javax.security.auth.login.LoginContext;
|
||||
import javax.security.sasl.Sasl;
|
||||
|
||||
import org.apache.hadoop.hbase.thrift.generated.AlreadyExists;
|
||||
import org.apache.hadoop.hbase.thrift.generated.ColumnDescriptor;
|
||||
import org.apache.hadoop.hbase.thrift.generated.Hbase;
|
||||
import org.apache.hadoop.hbase.thrift.generated.IOError;
|
||||
import org.apache.hadoop.hbase.thrift.generated.IllegalArgument;
|
||||
import org.apache.hadoop.hbase.thrift.generated.Mutation;
|
||||
import org.apache.hadoop.hbase.thrift.generated.TCell;
|
||||
import org.apache.hadoop.hbase.thrift.generated.TRowResult;
|
||||
|
||||
import org.apache.thrift.TException;
|
||||
import org.apache.thrift.protocol.TBinaryProtocol;
|
||||
import org.apache.thrift.protocol.TProtocol;
|
||||
import org.apache.thrift.transport.TSaslClientTransport;
|
||||
import org.apache.thrift.transport.TSocket;
|
||||
import org.apache.thrift.transport.TTransport;
|
||||
|
||||
/*
|
||||
/**
|
||||
* See the instructions under hbase-examples/README.txt
|
||||
*/
|
||||
public class DemoClient {
|
||||
|
@ -54,23 +59,33 @@ public class DemoClient {
|
|||
static protected String host;
|
||||
CharsetDecoder decoder = null;
|
||||
|
||||
public static void main(String[] args)
|
||||
throws IOError, TException, UnsupportedEncodingException, IllegalArgument, AlreadyExists {
|
||||
private static boolean secure = false;
|
||||
|
||||
if (args.length != 2) {
|
||||
public static void main(String[] args) throws Exception {
|
||||
|
||||
if (args.length < 2 || args.length > 3) {
|
||||
|
||||
System.out.println("Invalid arguments!");
|
||||
System.out.println("Usage: DemoClient host port");
|
||||
System.out.println("Usage: DemoClient host port [secure=false]");
|
||||
|
||||
System.exit(-1);
|
||||
}
|
||||
|
||||
port = Integer.parseInt(args[1]);
|
||||
host = args[0];
|
||||
if (args.length > 2) {
|
||||
secure = Boolean.parseBoolean(args[2]);
|
||||
}
|
||||
|
||||
|
||||
DemoClient client = new DemoClient();
|
||||
client.run();
|
||||
final DemoClient client = new DemoClient();
|
||||
Subject.doAs(getSubject(),
|
||||
new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
client.run();
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
DemoClient() {
|
||||
|
@ -96,15 +111,28 @@ public class DemoClient {
|
|||
}
|
||||
}
|
||||
|
||||
private void run() throws IOError, TException, IllegalArgument,
|
||||
AlreadyExists {
|
||||
|
||||
private void run() throws Exception {
|
||||
TTransport transport = new TSocket(host, port);
|
||||
TProtocol protocol = new TBinaryProtocol(transport, true, true);
|
||||
Hbase.Client client = new Hbase.Client(protocol);
|
||||
if (secure) {
|
||||
Map<String, String> saslProperties = new HashMap<String, String>();
|
||||
saslProperties.put(Sasl.QOP, "auth-conf,auth-int,auth");
|
||||
/**
|
||||
* The Thrift server the DemoClient is trying to connect to
|
||||
* must have a matching principal, and support authentication.
|
||||
*
|
||||
* The HBase cluster must be secure, allow proxy user.
|
||||
*/
|
||||
transport = new TSaslClientTransport("GSSAPI", null,
|
||||
"hbase", // Thrift server user name, should be an authorized proxy user.
|
||||
host, // Thrift server domain
|
||||
saslProperties, null, transport);
|
||||
}
|
||||
|
||||
transport.open();
|
||||
|
||||
TProtocol protocol = new TBinaryProtocol(transport, true, true);
|
||||
Hbase.Client client = new Hbase.Client(protocol);
|
||||
|
||||
byte[] t = bytes("demo_table");
|
||||
|
||||
//
|
||||
|
@ -130,10 +158,12 @@ public class DemoClient {
|
|||
ColumnDescriptor col;
|
||||
col = new ColumnDescriptor();
|
||||
col.name = ByteBuffer.wrap(bytes("entry:"));
|
||||
col.timeToLive = Integer.MAX_VALUE;
|
||||
col.maxVersions = 10;
|
||||
columns.add(col);
|
||||
col = new ColumnDescriptor();
|
||||
col.name = ByteBuffer.wrap(bytes("unused:"));
|
||||
col.timeToLive = Integer.MAX_VALUE;
|
||||
columns.add(col);
|
||||
|
||||
System.out.println("creating table: " + utf8(t));
|
||||
|
@ -337,4 +367,39 @@ public class DemoClient {
|
|||
printRow(rowResult);
|
||||
}
|
||||
}
|
||||
|
||||
static Subject getSubject() throws Exception {
|
||||
if (!secure) return new Subject();
|
||||
|
||||
/*
|
||||
* To authenticate the DemoClient, kinit should be invoked ahead.
|
||||
* Here we try to get the Kerberos credential from the ticket cache.
|
||||
*/
|
||||
LoginContext context = new LoginContext("", new Subject(), null,
|
||||
new Configuration() {
|
||||
@Override
|
||||
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
|
||||
Map<String, String> options = new HashMap<String, String>();
|
||||
options.put("useKeyTab", "false");
|
||||
options.put("storeKey", "false");
|
||||
options.put("doNotPrompt", "true");
|
||||
options.put("useTicketCache", "true");
|
||||
options.put("renewTGT", "true");
|
||||
options.put("refreshKrb5Config", "true");
|
||||
options.put("isInitiator", "true");
|
||||
String ticketCache = System.getenv("KRB5CCNAME");
|
||||
if (ticketCache != null) {
|
||||
options.put("ticketCache", ticketCache);
|
||||
}
|
||||
options.put("debug", "true");
|
||||
|
||||
return new AppConfigurationEntry[]{
|
||||
new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
|
||||
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
|
||||
options)};
|
||||
}
|
||||
});
|
||||
context.login();
|
||||
return context.getSubject();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -19,30 +19,40 @@
|
|||
package org.apache.hadoop.hbase.thrift2;
|
||||
|
||||
import java.nio.ByteBuffer;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.security.auth.Subject;
|
||||
import javax.security.auth.login.AppConfigurationEntry;
|
||||
import javax.security.auth.login.Configuration;
|
||||
import javax.security.auth.login.LoginContext;
|
||||
import javax.security.sasl.Sasl;
|
||||
|
||||
import org.apache.hadoop.hbase.thrift2.generated.TColumnValue;
|
||||
import org.apache.hadoop.hbase.thrift2.generated.TGet;
|
||||
import org.apache.hadoop.hbase.thrift2.generated.THBaseService;
|
||||
import org.apache.hadoop.hbase.thrift2.generated.TIOError;
|
||||
import org.apache.hadoop.hbase.thrift2.generated.TPut;
|
||||
import org.apache.hadoop.hbase.thrift2.generated.TResult;
|
||||
import org.apache.thrift.TException;
|
||||
import org.apache.thrift.protocol.TBinaryProtocol;
|
||||
import org.apache.thrift.protocol.TProtocol;
|
||||
import org.apache.thrift.transport.TFramedTransport;
|
||||
import org.apache.thrift.transport.TSaslClientTransport;
|
||||
import org.apache.thrift.transport.TSocket;
|
||||
import org.apache.thrift.transport.TTransport;
|
||||
|
||||
public class DemoClient {
|
||||
public static void main(String[] args) throws TIOError, TException {
|
||||
System.out.println("Thrift2 Demo");
|
||||
System.out.println("Usage: DemoClient [host=localhost] [port=9090]");
|
||||
System.out.println("This demo assumes you have a table called \"example\" with a column family called \"family1\"");
|
||||
|
||||
String host = "localhost";
|
||||
int port = 9090;
|
||||
private static String host = "localhost";
|
||||
private static int port = 9090;
|
||||
private static boolean secure = false;
|
||||
|
||||
public static void main(String[] args) throws Exception {
|
||||
System.out.println("Thrift2 Demo");
|
||||
System.out.println("Usage: DemoClient [host=localhost] [port=9090] [secure=false]");
|
||||
System.out.println("This demo assumes you have a table called \"example\" with a column family called \"family1\"");
|
||||
|
||||
// use passed in arguments instead of defaults
|
||||
if (args.length >= 1) {
|
||||
|
@ -51,14 +61,43 @@ public class DemoClient {
|
|||
if (args.length >= 2) {
|
||||
port = Integer.parseInt(args[1]);
|
||||
}
|
||||
if (args.length >= 3) {
|
||||
secure = Boolean.parseBoolean(args[2]);
|
||||
}
|
||||
|
||||
final DemoClient client = new DemoClient();
|
||||
Subject.doAs(getSubject(),
|
||||
new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
client.run();
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
public void run() throws Exception {
|
||||
int timeout = 10000;
|
||||
boolean framed = false;
|
||||
|
||||
TTransport transport = new TSocket(host, port, timeout);
|
||||
if (framed) {
|
||||
transport = new TFramedTransport(transport);
|
||||
} else if (secure) {
|
||||
/**
|
||||
* The Thrift server the DemoClient is trying to connect to
|
||||
* must have a matching principal, and support authentication.
|
||||
*
|
||||
* The HBase cluster must be secure, allow proxy user.
|
||||
*/
|
||||
Map<String, String> saslProperties = new HashMap<String, String>();
|
||||
saslProperties.put(Sasl.QOP, "auth-conf,auth-int,auth");
|
||||
transport = new TSaslClientTransport("GSSAPI", null,
|
||||
"hbase", // Thrift server user name, should be an authorized proxy user.
|
||||
host, // Thrift server domain
|
||||
saslProperties, null, transport);
|
||||
}
|
||||
|
||||
TProtocol protocol = new TBinaryProtocol(transport);
|
||||
// This is our thrift client.
|
||||
THBaseService.Iface client = new THBaseService.Client(protocol);
|
||||
|
@ -96,4 +135,39 @@ public class DemoClient {
|
|||
|
||||
transport.close();
|
||||
}
|
||||
|
||||
static Subject getSubject() throws Exception {
|
||||
if (!secure) return new Subject();
|
||||
|
||||
/*
|
||||
* To authenticate the DemoClient, kinit should be invoked ahead.
|
||||
* Here we try to get the Kerberos credential from the ticket cache.
|
||||
*/
|
||||
LoginContext context = new LoginContext("", new Subject(), null,
|
||||
new Configuration() {
|
||||
@Override
|
||||
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
|
||||
Map<String, String> options = new HashMap<String, String>();
|
||||
options.put("useKeyTab", "false");
|
||||
options.put("storeKey", "false");
|
||||
options.put("doNotPrompt", "true");
|
||||
options.put("useTicketCache", "true");
|
||||
options.put("renewTGT", "true");
|
||||
options.put("refreshKrb5Config", "true");
|
||||
options.put("isInitiator", "true");
|
||||
String ticketCache = System.getenv("KRB5CCNAME");
|
||||
if (ticketCache != null) {
|
||||
options.put("ticketCache", ticketCache);
|
||||
}
|
||||
options.put("debug", "true");
|
||||
|
||||
return new AppConfigurationEntry[]{
|
||||
new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
|
||||
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
|
||||
options)};
|
||||
}
|
||||
});
|
||||
context.login();
|
||||
return context.getSubject();
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue