HBASE-13770 Programmatic JAAS configuration option for secure zookeeper may be broken

Signed-off-by: Andrew Purtell <apurtell@apache.org> Conflicts: hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
2015-09-22 11:19:14 +05:30 · 2015-09-22 11:19:14 +05:30 · 373c75dde6
parent d7c7cc8c8c
commit 373c75dde6
6 changed files with 64 additions and 15 deletions
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
@ -18,10 +18,15 @@
 */
 package org.apache.hadoop.hbase.zookeeper;

-import org.apache.hadoop.hbase.classification.InterfaceAudience;
-import org.apache.hadoop.hbase.classification.InterfaceStability;
+import static org.apache.hadoop.hbase.HConstants.DEFAULT_ZK_SESSION_TIMEOUT;
+import static org.apache.hadoop.hbase.HConstants.ZK_SESSION_TIMEOUT;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseConfiguration;
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.hbase.HConstants;
+import org.apache.hadoop.hbase.classification.InterfaceAudience;
+import org.apache.hadoop.hbase.classification.InterfaceStability;
 import org.apache.hadoop.hbase.util.Strings;
 import org.apache.hadoop.net.DNS;
 import org.apache.hadoop.util.StringUtils;
@ -42,11 +47,6 @@ import java.util.List;
 import java.util.Map.Entry;
 import java.util.Properties;

-import static org.apache.hadoop.hbase.HConstants.DEFAULT_ZK_SESSION_TIMEOUT;
-import static org.apache.hadoop.hbase.HConstants.ZK_SESSION_TIMEOUT;
-import org.apache.hadoop.hbase.classification.InterfaceAudience;
-import org.apache.hadoop.hbase.classification.InterfaceStability;
-import org.apache.hadoop.hbase.HBaseInterfaceAudience;

 /**
 * HBase's version of ZooKeeper's QuorumPeer. When HBase is set to manage
@ -72,8 +72,8 @@ public class HQuorumPeer {
      zkConfig.parseProperties(zkProperties);

      // login the zookeeper server principal (if using security)
-      ZKUtil.loginServer(conf, "hbase.zookeeper.server.keytab.file",
-        "hbase.zookeeper.server.kerberos.principal",
+      ZKUtil.loginServer(conf, HConstants.ZK_SERVER_KEYTAB_FILE,
+        HConstants.ZK_SERVER_KERBEROS_PRINCIPAL,
        zkConfig.getClientPortAddress().getHostName());

      runZKServer(zkConfig);
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@ -1005,7 +1005,10 @@ public class ZKUtil {
          && testConfig.getAppConfigurationEntry(
            JaasConfiguration.CLIENT_KEYTAB_KERBEROS_CONFIG_NAME) == null
          && testConfig.getAppConfigurationEntry(
-              JaasConfiguration.SERVER_KEYTAB_KERBEROS_CONFIG_NAME) == null) {
+              JaasConfiguration.SERVER_KEYTAB_KERBEROS_CONFIG_NAME) == null
+          && conf.get(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL) == null
+          && conf.get(HConstants.ZK_SERVER_KERBEROS_PRINCIPAL) == null) {
+              
        return false;
      }
    } catch(Exception e) {
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
@ -1231,6 +1231,16 @@ public final class HConstants {

  public static final String HBASE_CANARY_WRITE_TABLE_CHECK_PERIOD_KEY =
      "hbase.canary.write.table.check.period";
+  
+  /**
+   * Configuration keys for programmatic JAAS configuration for secured ZK interaction
+   */
+  public static final String ZK_CLIENT_KEYTAB_FILE = "hbase.zookeeper.client.keytab.file";
+  public static final String ZK_CLIENT_KERBEROS_PRINCIPAL =
+      "hbase.zookeeper.client.kerberos.principal";
+  public static final String ZK_SERVER_KEYTAB_FILE = "hbase.zookeeper.server.keytab.file";
+  public static final String ZK_SERVER_KERBEROS_PRINCIPAL =
+      "hbase.zookeeper.server.kerberos.principal";  

  private HConstants() {
    // Can't be instantiated with this ctor.
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
@ -198,8 +198,8 @@ public class HMasterCommandLine extends ServerCommandLine {
        }

        // login the zookeeper server principal (if using security)
-        ZKUtil.loginServer(conf, "hbase.zookeeper.server.keytab.file",
-          "hbase.zookeeper.server.kerberos.principal", null);
+        ZKUtil.loginServer(conf, HConstants.ZK_SERVER_KEYTAB_FILE,
+          HConstants.ZK_SERVER_KERBEROS_PRINCIPAL, null);
        int localZKClusterSessionTimeout =
          conf.getInt(HConstants.ZK_SESSION_TIMEOUT + ".localHBaseCluster", 10*1000);
        conf.setInt(HConstants.ZK_SESSION_TIMEOUT, localZKClusterSessionTimeout);
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
@ -544,8 +544,8 @@ public class HRegionServer extends HasThread implements
    rpcRetryingCallerFactory = RpcRetryingCallerFactory.instantiate(this.conf);

    // login the zookeeper client principal (if using security)
-    ZKUtil.loginClient(this.conf, "hbase.zookeeper.client.keytab.file",
-      "hbase.zookeeper.client.kerberos.principal", hostName);
+    ZKUtil.loginClient(this.conf, HConstants.ZK_CLIENT_KEYTAB_FILE,
+      HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL, hostName);
    // login the server principal (if using secure Hadoop)
    login(userProvider, hostName);

--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
@ -25,6 +25,8 @@ import java.io.FileWriter;
 import java.io.IOException;
 import java.util.List;

+import javax.security.auth.login.AppConfigurationEntry;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
@ -33,7 +35,6 @@ import org.apache.hadoop.hbase.testclassification.MediumTests;
 import org.apache.zookeeper.ZooDefs;
 import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.data.Stat;
-
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
@ -283,5 +284,40 @@ public class TestZooKeeperACL {
    assertEquals(testJaasConfig, false);
    saslConfFile.delete();
  }
+  
+  /**
+   * Check if Programmatic way of setting zookeeper security settings is valid.
+   */
+  @Test
+  public void testIsZooKeeperSecureWithProgrammaticConfig() throws Exception {
+
+    javax.security.auth.login.Configuration.setConfiguration(new DummySecurityConfiguration());
+
+    Configuration config = new Configuration(HBaseConfiguration.create());
+    boolean testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+    assertEquals(testJaasConfig, false);
+
+    // Now set authentication scheme to Kerberos still it should return false
+    // because no configuration set
+    config.set("hbase.security.authentication", "kerberos");
+    testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+    assertEquals(testJaasConfig, false);
+
+    // Now set programmatic options related to security
+    config.set(HConstants.ZK_CLIENT_KEYTAB_FILE, "/dummy/file");
+    config.set(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL, "dummy");
+    config.set(HConstants.ZK_SERVER_KEYTAB_FILE, "/dummy/file");
+    config.set(HConstants.ZK_SERVER_KERBEROS_PRINCIPAL, "dummy");
+    testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+    assertEquals(true, testJaasConfig);
+  }
+
+  private static class DummySecurityConfiguration extends javax.security.auth.login.Configuration {
+    @Override
+    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+      return null;
+    }
+  }
+
 }