HBASE-20590 REST Java client is not able to negotiate with the server in the secure mode
Signed-off-by: Ashish Singhi <ashishsinghi@apache.org>
This commit is contained in:
parent
81937df3bb
commit
805e2db3e2
|
@ -182,6 +182,10 @@
|
|||
<groupId>com.github.stephenc.findbugs</groupId>
|
||||
<artifactId>findbugs-annotations</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.apache.hbase</groupId>
|
||||
<artifactId>hbase-rest</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>junit</groupId>
|
||||
<artifactId>junit</artifactId>
|
||||
|
|
|
@ -0,0 +1,144 @@
|
|||
/**
|
||||
* Licensed to the Apache Software Foundation (ASF) under one
|
||||
* or more contributor license agreements. See the NOTICE file
|
||||
* distributed with this work for additional information
|
||||
* regarding copyright ownership. The ASF licenses this file
|
||||
* to you under the Apache License, Version 2.0 (the
|
||||
* "License"); you may not use this file except in compliance
|
||||
* with the License. You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.apache.hadoop.hbase.rest;
|
||||
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.security.auth.Subject;
|
||||
import javax.security.auth.login.AppConfigurationEntry;
|
||||
import javax.security.auth.login.Configuration;
|
||||
import javax.security.auth.login.LoginContext;
|
||||
|
||||
import org.apache.hadoop.hbase.Cell;
|
||||
import org.apache.hadoop.hbase.CellUtil;
|
||||
import org.apache.hadoop.hbase.HBaseConfiguration;
|
||||
import org.apache.hadoop.hbase.client.Get;
|
||||
import org.apache.hadoop.hbase.client.Put;
|
||||
import org.apache.hadoop.hbase.client.Result;
|
||||
import org.apache.hadoop.hbase.rest.client.Client;
|
||||
import org.apache.hadoop.hbase.rest.client.Cluster;
|
||||
import org.apache.hadoop.hbase.rest.client.RemoteHTable;
|
||||
import org.apache.hadoop.hbase.util.Bytes;
|
||||
import org.apache.yetus.audience.InterfaceAudience;
|
||||
import org.apache.hbase.thirdparty.com.google.common.base.Preconditions;
|
||||
|
||||
@InterfaceAudience.Private
|
||||
public class RESTDemoClient {
|
||||
|
||||
private static String host = "localhost";
|
||||
private static int port = 9090;
|
||||
private static boolean secure = false;
|
||||
private static org.apache.hadoop.conf.Configuration conf = null;
|
||||
|
||||
public static void main(String[] args) throws Exception {
|
||||
System.out.println("REST Demo");
|
||||
System.out.println("Usage: RESTDemoClient [host=localhost] [port=9090] [secure=false]");
|
||||
System.out.println("This demo assumes you have a table called \"example\""
|
||||
+ " with a column family called \"family1\"");
|
||||
|
||||
// use passed in arguments instead of defaults
|
||||
if (args.length >= 1) {
|
||||
host = args[0];
|
||||
}
|
||||
if (args.length >= 2) {
|
||||
port = Integer.parseInt(args[1]);
|
||||
}
|
||||
conf = HBaseConfiguration.create();
|
||||
String principal = conf.get(Constants.REST_KERBEROS_PRINCIPAL);
|
||||
if (principal != null) {
|
||||
secure = true;
|
||||
}
|
||||
if (args.length >= 3) {
|
||||
secure = Boolean.parseBoolean(args[2]);
|
||||
}
|
||||
|
||||
final RESTDemoClient client = new RESTDemoClient();
|
||||
Subject.doAs(getSubject(), new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws Exception {
|
||||
client.run();
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
public void run() throws Exception {
|
||||
Cluster cluster = new Cluster();
|
||||
cluster.add(host, port);
|
||||
Client restClient = new Client(cluster, conf.getBoolean(Constants.REST_SSL_ENABLED, false));
|
||||
try (RemoteHTable remoteTable = new RemoteHTable(restClient, conf, "example")) {
|
||||
// Write data to the table
|
||||
String rowKey = "row1";
|
||||
Put p = new Put(rowKey.getBytes());
|
||||
p.addColumn("family1".getBytes(), "qualifier1".getBytes(), "value1".getBytes());
|
||||
remoteTable.put(p);
|
||||
|
||||
// Get the data from the table
|
||||
Get g = new Get(rowKey.getBytes());
|
||||
Result result = remoteTable.get(g);
|
||||
|
||||
Preconditions.checkArgument(result != null,
|
||||
Bytes.toString(remoteTable.getTableName()) + " should have a row with key as " + rowKey);
|
||||
System.out.println("row = " + new String(result.getRow()));
|
||||
for (Cell cell : result.rawCells()) {
|
||||
System.out.print("family = " + Bytes.toString(CellUtil.cloneFamily(cell)) + "\t");
|
||||
System.out.print("qualifier = " + Bytes.toString(CellUtil.cloneQualifier(cell)) + "\t");
|
||||
System.out.print("value = " + Bytes.toString(CellUtil.cloneValue(cell)) + "\t");
|
||||
System.out.println("timestamp = " + Long.toString(cell.getTimestamp()));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static Subject getSubject() throws Exception {
|
||||
if (!secure) {
|
||||
return new Subject();
|
||||
}
|
||||
|
||||
/*
|
||||
* To authenticate the demo client, kinit should be invoked ahead. Here we try to get the
|
||||
* Kerberos credential from the ticket cache.
|
||||
*/
|
||||
LoginContext context = new LoginContext("", new Subject(), null, new Configuration() {
|
||||
@Override
|
||||
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
|
||||
Map<String, String> options = new HashMap<>();
|
||||
options.put("useKeyTab", "false");
|
||||
options.put("storeKey", "false");
|
||||
options.put("doNotPrompt", "true");
|
||||
options.put("useTicketCache", "true");
|
||||
options.put("renewTGT", "true");
|
||||
options.put("refreshKrb5Config", "true");
|
||||
options.put("isInitiator", "true");
|
||||
String ticketCache = System.getenv("KRB5CCNAME");
|
||||
if (ticketCache != null) {
|
||||
options.put("ticketCache", ticketCache);
|
||||
}
|
||||
options.put("debug", "true");
|
||||
|
||||
return new AppConfigurationEntry[] {
|
||||
new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
|
||||
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
|
||||
}
|
||||
});
|
||||
context.login();
|
||||
return context.getSubject();
|
||||
}
|
||||
}
|
|
@ -25,15 +25,17 @@ import java.io.IOException;
|
|||
import java.io.InputStream;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.net.URL;
|
||||
import java.util.Collections;
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.ConcurrentHashMap;
|
||||
|
||||
import org.apache.yetus.audience.InterfaceAudience;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
|
||||
import org.apache.hadoop.security.authentication.client.AuthenticationException;
|
||||
import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
|
||||
import org.apache.http.Header;
|
||||
import org.apache.http.HttpResponse;
|
||||
import org.apache.http.HttpStatus;
|
||||
import org.apache.http.client.HttpClient;
|
||||
import org.apache.http.client.methods.HttpDelete;
|
||||
import org.apache.http.client.methods.HttpGet;
|
||||
|
@ -46,6 +48,9 @@ import org.apache.http.impl.client.DefaultHttpClient;
|
|||
import org.apache.http.message.BasicHeader;
|
||||
import org.apache.http.params.CoreConnectionPNames;
|
||||
import org.apache.http.util.EntityUtils;
|
||||
import org.apache.yetus.audience.InterfaceAudience;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
/**
|
||||
* A wrapper around HttpClient which provides some useful function and
|
||||
|
@ -65,6 +70,10 @@ public class Client {
|
|||
|
||||
private Map<String, String> extraHeaders;
|
||||
|
||||
private static final String AUTH_COOKIE = "hadoop.auth";
|
||||
private static final String AUTH_COOKIE_EQ = AUTH_COOKIE + "=";
|
||||
private static final String COOKIE = "Cookie";
|
||||
|
||||
/**
|
||||
* Default Constructor
|
||||
*/
|
||||
|
@ -224,6 +233,12 @@ public class Client {
|
|||
long startTime = System.currentTimeMillis();
|
||||
if (resp != null) EntityUtils.consumeQuietly(resp.getEntity());
|
||||
resp = httpClient.execute(method);
|
||||
if (resp.getStatusLine().getStatusCode() == HttpStatus.SC_UNAUTHORIZED) {
|
||||
// Authentication error
|
||||
LOG.debug("Performing negotiation with the server.");
|
||||
negotiate(method, uri);
|
||||
resp = httpClient.execute(method);
|
||||
}
|
||||
|
||||
long endTime = System.currentTimeMillis();
|
||||
if (LOG.isTraceEnabled()) {
|
||||
|
@ -252,6 +267,40 @@ public class Client {
|
|||
return executeURI(method, headers, path);
|
||||
}
|
||||
|
||||
/**
|
||||
* Initiate client side Kerberos negotiation with the server.
|
||||
* @param method method to inject the authentication token into.
|
||||
* @param uri the String to parse as a URL.
|
||||
* @throws IOException if unknown protocol is found.
|
||||
*/
|
||||
private void negotiate(HttpUriRequest method, String uri) throws IOException {
|
||||
try {
|
||||
AuthenticatedURL.Token token = new AuthenticatedURL.Token();
|
||||
KerberosAuthenticator authenticator = new KerberosAuthenticator();
|
||||
authenticator.authenticate(new URL(uri), token);
|
||||
// Inject the obtained negotiated token in the method cookie
|
||||
injectToken(method, token);
|
||||
} catch (AuthenticationException e) {
|
||||
LOG.error("Failed to negotiate with the server.", e);
|
||||
throw new IOException(e);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper method that injects an authentication token to send with the method.
|
||||
* @param method method to inject the authentication token into.
|
||||
* @param token authentication token to inject.
|
||||
*/
|
||||
private void injectToken(HttpUriRequest method, AuthenticatedURL.Token token) {
|
||||
String t = token.toString();
|
||||
if (t != null) {
|
||||
if (!t.startsWith("\"")) {
|
||||
t = "\"" + t + "\"";
|
||||
}
|
||||
method.addHeader(COOKIE, AUTH_COOKIE_EQ + t);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the cluster definition
|
||||
*/
|
||||
|
|
Loading…
Reference in New Issue