HBASE-13770 Programmatic JAAS configuration option for secure zookeeper may be broken
Signed-off-by: Andrew Purtell <apurtell@apache.org> Conflicts: hbase-client/src/main/java/org/apache/hadoop/hbase/zookeeper/HQuorumPeer.java
parent
d7c7cc8c8c
commit
373c75dde6
|
@ -18,10 +18,15 @@
|
||||||
*/
|
*/
|
||||||
package org.apache.hadoop.hbase.zookeeper;
|
package org.apache.hadoop.hbase.zookeeper;
|
||||||
|
|
||||||
import org.apache.hadoop.hbase.classification.InterfaceAudience;
|
import static org.apache.hadoop.hbase.HConstants.DEFAULT_ZK_SESSION_TIMEOUT;
|
||||||
import org.apache.hadoop.hbase.classification.InterfaceStability;
|
import static org.apache.hadoop.hbase.HConstants.ZK_SESSION_TIMEOUT;
|
||||||
|
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
import org.apache.hadoop.hbase.HBaseConfiguration;
|
import org.apache.hadoop.hbase.HBaseConfiguration;
|
||||||
|
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
|
||||||
|
import org.apache.hadoop.hbase.HConstants;
|
||||||
|
import org.apache.hadoop.hbase.classification.InterfaceAudience;
|
||||||
|
import org.apache.hadoop.hbase.classification.InterfaceStability;
|
||||||
import org.apache.hadoop.hbase.util.Strings;
|
import org.apache.hadoop.hbase.util.Strings;
|
||||||
import org.apache.hadoop.net.DNS;
|
import org.apache.hadoop.net.DNS;
|
||||||
import org.apache.hadoop.util.StringUtils;
|
import org.apache.hadoop.util.StringUtils;
|
||||||
|
@ -42,11 +47,6 @@ import java.util.List;
|
||||||
import java.util.Map.Entry;
|
import java.util.Map.Entry;
|
||||||
import java.util.Properties;
|
import java.util.Properties;
|
||||||
|
|
||||||
import static org.apache.hadoop.hbase.HConstants.DEFAULT_ZK_SESSION_TIMEOUT;
|
|
||||||
import static org.apache.hadoop.hbase.HConstants.ZK_SESSION_TIMEOUT;
|
|
||||||
import org.apache.hadoop.hbase.classification.InterfaceAudience;
|
|
||||||
import org.apache.hadoop.hbase.classification.InterfaceStability;
|
|
||||||
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* HBase's version of ZooKeeper's QuorumPeer. When HBase is set to manage
|
* HBase's version of ZooKeeper's QuorumPeer. When HBase is set to manage
|
||||||
|
@ -72,8 +72,8 @@ public class HQuorumPeer {
|
||||||
zkConfig.parseProperties(zkProperties);
|
zkConfig.parseProperties(zkProperties);
|
||||||
|
|
||||||
// login the zookeeper server principal (if using security)
|
// login the zookeeper server principal (if using security)
|
||||||
ZKUtil.loginServer(conf, "hbase.zookeeper.server.keytab.file",
|
ZKUtil.loginServer(conf, HConstants.ZK_SERVER_KEYTAB_FILE,
|
||||||
"hbase.zookeeper.server.kerberos.principal",
|
HConstants.ZK_SERVER_KERBEROS_PRINCIPAL,
|
||||||
zkConfig.getClientPortAddress().getHostName());
|
zkConfig.getClientPortAddress().getHostName());
|
||||||
|
|
||||||
runZKServer(zkConfig);
|
runZKServer(zkConfig);
|
||||||
|
|
|
@ -1005,7 +1005,10 @@ public class ZKUtil {
|
||||||
&& testConfig.getAppConfigurationEntry(
|
&& testConfig.getAppConfigurationEntry(
|
||||||
JaasConfiguration.CLIENT_KEYTAB_KERBEROS_CONFIG_NAME) == null
|
JaasConfiguration.CLIENT_KEYTAB_KERBEROS_CONFIG_NAME) == null
|
||||||
&& testConfig.getAppConfigurationEntry(
|
&& testConfig.getAppConfigurationEntry(
|
||||||
JaasConfiguration.SERVER_KEYTAB_KERBEROS_CONFIG_NAME) == null) {
|
JaasConfiguration.SERVER_KEYTAB_KERBEROS_CONFIG_NAME) == null
|
||||||
|
&& conf.get(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL) == null
|
||||||
|
&& conf.get(HConstants.ZK_SERVER_KERBEROS_PRINCIPAL) == null) {
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
} catch(Exception e) {
|
} catch(Exception e) {
|
||||||
|
|
|
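Review bot: The two added conditions treat the mere presence of `HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL` or `HConstants.ZK_SERVER_KERBEROS_PRINCIPAL` as proof of a programmatic JAAS setup: `conf.get(...) == null` is false for an empty string, and the matching keytab keys are never consulted. If the login helpers skip the login when the keytab is absent (not visible on this page), this method could report a secure ZooKeeper for a process that never authenticated, and callers that base ZooKeeper ACL decisions on the result would act on a wrong answer. Consider treating an empty value like a missing one and requiring the principal and its keytab together, for example `String p = conf.get(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL);` followed by `p == null || p.trim().isEmpty()` and the same test on `HConstants.ZK_CLIENT_KEYTAB_FILE`. A short comment above the condition naming which keys count as programmatic configuration would also help. The enclosing method starts and ends outside the hunk.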
@ -1231,6 +1231,16 @@ public final class HConstants {
|
||||||
|
|
||||||
public static final String HBASE_CANARY_WRITE_TABLE_CHECK_PERIOD_KEY =
|
public static final String HBASE_CANARY_WRITE_TABLE_CHECK_PERIOD_KEY =
|
||||||
"hbase.canary.write.table.check.period";
|
"hbase.canary.write.table.check.period";
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Configuration keys for programmatic JAAS configuration for secured ZK interaction
|
||||||
|
*/
|
||||||
|
public static final String ZK_CLIENT_KEYTAB_FILE = "hbase.zookeeper.client.keytab.file";
|
||||||
|
public static final String ZK_CLIENT_KERBEROS_PRINCIPAL =
|
||||||
|
"hbase.zookeeper.client.kerberos.principal";
|
||||||
|
public static final String ZK_SERVER_KEYTAB_FILE = "hbase.zookeeper.server.keytab.file";
|
||||||
|
public static final String ZK_SERVER_KERBEROS_PRINCIPAL =
|
||||||
|
"hbase.zookeeper.server.kerberos.principal";
|
||||||
|
|
||||||
private HConstants() {
|
private HConstants() {
|
||||||
// Can't be instantiated with this ctor.
|
// Can't be instantiated with this ctor.
|
||||||
|
|
|
@ -198,8 +198,8 @@ public class HMasterCommandLine extends ServerCommandLine {
|
||||||
}
|
}
|
||||||
|
|
||||||
// login the zookeeper server principal (if using security)
|
// login the zookeeper server principal (if using security)
|
||||||
ZKUtil.loginServer(conf, "hbase.zookeeper.server.keytab.file",
|
ZKUtil.loginServer(conf, HConstants.ZK_SERVER_KEYTAB_FILE,
|
||||||
"hbase.zookeeper.server.kerberos.principal", null);
|
HConstants.ZK_SERVER_KERBEROS_PRINCIPAL, null);
|
||||||
int localZKClusterSessionTimeout =
|
int localZKClusterSessionTimeout =
|
||||||
conf.getInt(HConstants.ZK_SESSION_TIMEOUT + ".localHBaseCluster", 10*1000);
|
conf.getInt(HConstants.ZK_SESSION_TIMEOUT + ".localHBaseCluster", 10*1000);
|
||||||
conf.setInt(HConstants.ZK_SESSION_TIMEOUT, localZKClusterSessionTimeout);
|
conf.setInt(HConstants.ZK_SESSION_TIMEOUT, localZKClusterSessionTimeout);
|
||||||
|
|
|
@ -544,8 +544,8 @@ public class HRegionServer extends HasThread implements
|
||||||
rpcRetryingCallerFactory = RpcRetryingCallerFactory.instantiate(this.conf);
|
rpcRetryingCallerFactory = RpcRetryingCallerFactory.instantiate(this.conf);
|
||||||
|
|
||||||
// login the zookeeper client principal (if using security)
|
// login the zookeeper client principal (if using security)
|
||||||
ZKUtil.loginClient(this.conf, "hbase.zookeeper.client.keytab.file",
|
ZKUtil.loginClient(this.conf, HConstants.ZK_CLIENT_KEYTAB_FILE,
|
||||||
"hbase.zookeeper.client.kerberos.principal", hostName);
|
HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL, hostName);
|
||||||
// login the server principal (if using secure Hadoop)
|
// login the server principal (if using secure Hadoop)
|
||||||
login(userProvider, hostName);
|
login(userProvider, hostName);
|
||||||
|
|
||||||
|
|
|
@ -25,6 +25,8 @@ import java.io.FileWriter;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
|
import javax.security.auth.login.AppConfigurationEntry;
|
||||||
|
|
||||||
import org.apache.commons.logging.Log;
|
import org.apache.commons.logging.Log;
|
||||||
import org.apache.commons.logging.LogFactory;
|
import org.apache.commons.logging.LogFactory;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
@ -33,7 +35,6 @@ import org.apache.hadoop.hbase.testclassification.MediumTests;
|
||||||
import org.apache.zookeeper.ZooDefs;
|
import org.apache.zookeeper.ZooDefs;
|
||||||
import org.apache.zookeeper.data.ACL;
|
import org.apache.zookeeper.data.ACL;
|
||||||
import org.apache.zookeeper.data.Stat;
|
import org.apache.zookeeper.data.Stat;
|
||||||
|
|
||||||
import org.junit.AfterClass;
|
import org.junit.AfterClass;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
import org.junit.BeforeClass;
|
import org.junit.BeforeClass;
|
||||||
|
@ -283,5 +284,40 @@ public class TestZooKeeperACL {
|
||||||
assertEquals(testJaasConfig, false);
|
assertEquals(testJaasConfig, false);
|
||||||
saslConfFile.delete();
|
saslConfFile.delete();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if Programmatic way of setting zookeeper security settings is valid.
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testIsZooKeeperSecureWithProgrammaticConfig() throws Exception {
|
||||||
|
|
||||||
|
javax.security.auth.login.Configuration.setConfiguration(new DummySecurityConfiguration());
|
||||||
|
|
||||||
|
Configuration config = new Configuration(HBaseConfiguration.create());
|
||||||
|
boolean testJaasConfig = ZKUtil.isSecureZooKeeper(config);
|
||||||
|
assertEquals(testJaasConfig, false);
|
||||||
|
|
||||||
|
// Now set authentication scheme to Kerberos still it should return false
|
||||||
|
// because no configuration set
|
||||||
|
config.set("hbase.security.authentication", "kerberos");
|
||||||
|
testJaasConfig = ZKUtil.isSecureZooKeeper(config);
|
||||||
|
assertEquals(testJaasConfig, false);
|
||||||
|
|
||||||
|
// Now set programmatic options related to security
|
||||||
|
config.set(HConstants.ZK_CLIENT_KEYTAB_FILE, "/dummy/file");
|
||||||
|
config.set(HConstants.ZK_CLIENT_KERBEROS_PRINCIPAL, "dummy");
|
||||||
|
config.set(HConstants.ZK_SERVER_KEYTAB_FILE, "/dummy/file");
|
||||||
|
config.set(HConstants.ZK_SERVER_KERBEROS_PRINCIPAL, "dummy");
|
||||||
|
testJaasConfig = ZKUtil.isSecureZooKeeper(config);
|
||||||
|
assertEquals(true, testJaasConfig);
|
||||||
|
}
|
||||||
|
|
||||||
|
private static class DummySecurityConfiguration extends javax.security.auth.login.Configuration {
|
||||||
|
@Override
|
||||||
|
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
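Review bot: `javax.security.auth.login.Configuration.setConfiguration(new DummySecurityConfiguration())` in `testIsZooKeeperSecureWithProgrammaticConfig` replaces the JVM-wide JAAS configuration and the test never restores the previous one, so any test that runs later in the same JVM sees a configuration whose `getAppConfigurationEntry` always returns null. Save the current configuration before the call and put it back in a `finally` block or an `@After` method. The last assertion also sets all four keys at once, so it does not pin down which key drives `isSecureZooKeeper`; a case with only a principal set and no keytab would document the intended behaviour. As a point of style, the earlier `assertEquals(testJaasConfig, false)` calls pass the actual value first, whereas the final `assertEquals(true, testJaasConfig)` uses the expected-first order that JUnit reports correctly on failure.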