diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
index f0d6ba23a06..738c9c28610 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
@@ -18,10 +18,15 @@
 */
 package org.apache.hadoop.hbase.zookeeper;
-import org.apache.hadoop.hbase.classification.InterfaceAudience;
-import org.apache.hadoop.hbase.classification.InterfaceStability;
+import static org.apache.hadoop.hbase.HConstants.DEFAULT_ZK_SESSION_TIMEOUT;
+import static org.apache.hadoop.hbase.HConstants.ZK_SESSION_TIMEOUT;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseConfiguration;
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.hbase.HConstants;
+import org.apache.hadoop.hbase.classification.InterfaceAudience;
+import org.apache.hadoop.hbase.classification.InterfaceStability;
 import org.apache.hadoop.hbase.util.Strings;
 import org.apache.hadoop.net.DNS;
 import org.apache.hadoop.util.StringUtils;
@@ -42,11 +47,6 @@ import java.util.List;
 import java.util.Map.Entry;
 import java.util.Properties;
-import static org.apache.hadoop.hbase.HConstants.DEFAULT_ZK_SESSION_TIMEOUT;
-import static org.apache.hadoop.hbase.HConstants.ZK_SESSION_TIMEOUT;
-import org.apache.hadoop.hbase.classification.InterfaceAudience;
-import org.apache.hadoop.hbase.classification.InterfaceStability;
-import org.apache.hadoop.hbase.HBaseInterfaceAudience;
 /**
 * HBase's version of ZooKeeper's QuorumPeer. When HBase is set to manage
@@ -72,8 +72,8 @@ public class HQuorumPeer {
 zkConfig.parseProperties(zkProperties);
 // login the zookeeper server principal (if using security)
- ZKUtil.loginServer(conf, "hbase.zookeeper.server.keytab.file",
- "hbase.zookeeper.server.kerberos.principal",
+ ZKUtil.loginServer(conf, HConstants.ZK_SERVER_KEYTAB_FILE,
+ HConstants.ZK_SERVER_KERBEROS_PRINCIPAL,
 zkConfig.getClientPortAddress().getHostName());
 runZKServer(zkConfig);
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
index 97b86a61700..c4c98196598 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/ZKUtil.java
@@ -1005,7 +1005,10 @@ public class ZKUtil {
 && testConfig.getAppConfigurationEntry(
 JaasConfiguration.CLIENT_KEYTAB_KERBEROS_CONFIG_NAME) == null
 && testConfig.getAppConfigurationEntry(
- JaasConfiguration.SERVER_KEYTAB_KERBEROS_CONFIG_NAME) == null) {
+ JaasConfiguration.SERVER_KEYTAB_KERBEROS_CONFIG_NAME) == null
+ && conf.get(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL) == null
+ && conf.get(HConstants.ZK_SERVER_KERBEROS_PRINCIPAL) == null) {
+
 return false;
 }
 } catch(Exception e) {
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
index 64bd8c5a612..a5c1d5c693f 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/HConstants.java
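Review bot: In the ZKUtil.java hunk (`@@ -1005`), the two added `conf.get(...) == null` tests key off the principal settings alone and accept any non-null value, while the login call sites in this same commit pass both a keytab key and a principal key. A principal set without its keytab, or set to an empty string, is therefore enough to skip this `return false`; what the method reports after that lies outside the hunk, so the effect on callers is inferred. Either check the same keys the login path needs or state the intent next to the condition, for example `// programmatic JAAS: a configured ZK principal counts as secured even without a jaas.conf entry`. The enclosing method starts above and ends below this hunk.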
@@ -1231,6 +1231,16 @@ public final class HConstants {
 public static final String HBASE_CANARY_WRITE_TABLE_CHECK_PERIOD_KEY = "hbase.canary.write.table.check.period";
+
+ /**
+ * Configuration keys for programmatic JAAS configuration for secured ZK interaction
+ */
+ public static final String ZK_CLIENT_KEYTAB_FILE = "hbase.zookeeper.client.keytab.file";
+ public static final String ZK_CLIENT_KERBEROS_PRINCIPAL =
+ "hbase.zookeeper.client.kerberos.principal";
+ public static final String ZK_SERVER_KEYTAB_FILE = "hbase.zookeeper.server.keytab.file";
+ public static final String ZK_SERVER_KERBEROS_PRINCIPAL =
+ "hbase.zookeeper.server.kerberos.principal";
 private HConstants() {
 // Can't be instantiated with this ctor.
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
index d6b436c4fbf..7e9a5cdfe1e 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/master/HMasterCommandLine.java
@@ -198,8 +198,8 @@ public class HMasterCommandLine extends ServerCommandLine {
 }
 // login the zookeeper server principal (if using security)
- ZKUtil.loginServer(conf, "hbase.zookeeper.server.keytab.file",
- "hbase.zookeeper.server.kerberos.principal", null);
+ ZKUtil.loginServer(conf, HConstants.ZK_SERVER_KEYTAB_FILE,
+ HConstants.ZK_SERVER_KERBEROS_PRINCIPAL, null);
 int localZKClusterSessionTimeout = conf.getInt(HConstants.ZK_SESSION_TIMEOUT + ".localHBaseCluster", 10*1000);
 conf.setInt(HConstants.ZK_SESSION_TIMEOUT, localZKClusterSessionTimeout);
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
index b0eb3bc5e2c..7bd13dd3128 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
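Review bot: In the HConstants.java hunk (`@@ -1231`), the single Javadoc block in front of the four new constants attaches only to `ZK_CLIENT_KEYTAB_FILE`, so the other three keys come out undocumented. Give each constant its own one-line comment, for example `/** Keytab file used for the ZooKeeper client login (programmatic JAAS). */` and the matching text for the principal and server keys. It would also help to say on the two principal keys that `ZKUtil` consults them when deciding whether ZooKeeper is secured, as the ZKUtil.java hunk in this commit shows.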
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/regionserver/HRegionServer.java
@@ -544,8 +544,8 @@ public class HRegionServer extends HasThread implements
 rpcRetryingCallerFactory = RpcRetryingCallerFactory.instantiate(this.conf);
 // login the zookeeper client principal (if using security)
- ZKUtil.loginClient(this.conf, "hbase.zookeeper.client.keytab.file",
- "hbase.zookeeper.client.kerberos.principal", hostName);
+ ZKUtil.loginClient(this.conf, HConstants.ZK_CLIENT_KEYTAB_FILE,
+ HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL, hostName);
 // login the server principal (if using secure Hadoop)
 login(userProvider, hostName);
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
index 26bba1409b2..954c5d2bd6a 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/zookeeper/TestZooKeeperACL.java
@@ -25,6 +25,8 @@ import java.io.FileWriter;
 import java.io.IOException;
 import java.util.List;
+import javax.security.auth.login.AppConfigurationEntry;
+
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.hadoop.conf.Configuration;
@@ -33,7 +35,6 @@ import org.apache.hadoop.hbase.testclassification.MediumTests;
 import org.apache.zookeeper.ZooDefs;
 import org.apache.zookeeper.data.ACL;
 import org.apache.zookeeper.data.Stat;
-
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
@@ -283,5 +284,40 @@ public class TestZooKeeperACL {
 assertEquals(testJaasConfig, false);
 saslConfFile.delete();
 }
+
+ /**
+ * Check if Programmatic way of setting zookeeper security settings is valid.
+ */
+ @Test
+ public void testIsZooKeeperSecureWithProgrammaticConfig() throws Exception {
+
+ javax.security.auth.login.Configuration.setConfiguration(new DummySecurityConfiguration());
+
+ Configuration config = new Configuration(HBaseConfiguration.create());
+ boolean testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+ assertEquals(testJaasConfig, false);
+
+ // Now set authentication scheme to Kerberos still it should return false
+ // because no configuration set
+ config.set("hbase.security.authentication", "kerberos");
+ testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+ assertEquals(testJaasConfig, false);
+
+ // Now set programmatic options related to security
+ config.set(HConstants.ZK_CLIENT_KEYTAB_FILE, "/dummy/file");
+ config.set(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL, "dummy");
+ config.set(HConstants.ZK_SERVER_KEYTAB_FILE, "/dummy/file");
+ config.set(HConstants.ZK_SERVER_KERBEROS_PRINCIPAL, "dummy");
+ testJaasConfig = ZKUtil.isSecureZooKeeper(config);
+ assertEquals(true, testJaasConfig);
+ }
+
+ private static class DummySecurityConfiguration extends javax.security.auth.login.Configuration {
+ @Override
+ public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+ return null;
+ }
+ }
+
 }
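Review bot: `javax.security.auth.login.Configuration.setConfiguration(new DummySecurityConfiguration())` replaces the JVM-wide JAAS configuration and the new test never puts the previous one back, so tests that run later in the same JVM see a configuration that returns no login entries. Capture the configuration that was in place before the call and restore it in a `finally` block or an `@After` method. The first two assertions pass expected and actual in the reverse order of the last one; `assertFalse(testJaasConfig)` and `assertTrue(testJaasConfig)` would read more clearly. Because all four keys are set together, the test does not show which key changes the result; a case with only a principal set would pin the condition added in ZKUtil.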