HBASE-19118 Use SaslUtil to set Sasl.QOP in 'Thrift'
Signed-off-by: Josh Elser <elserj@apache.org>
This commit is contained in:
parent
663f3c7b50
commit
e61606231f
|
@ -23,7 +23,6 @@ import static org.apache.hadoop.hbase.util.Bytes.getBytes;
|
|||
import javax.security.auth.callback.Callback;
|
||||
import javax.security.auth.callback.UnsupportedCallbackException;
|
||||
import javax.security.sasl.AuthorizeCallback;
|
||||
import javax.security.sasl.Sasl;
|
||||
import javax.security.sasl.SaslServer;
|
||||
import java.io.IOException;
|
||||
import java.net.InetAddress;
|
||||
|
@ -80,6 +79,8 @@ import org.apache.hadoop.hbase.filter.Filter;
|
|||
import org.apache.hadoop.hbase.filter.ParseFilter;
|
||||
import org.apache.hadoop.hbase.filter.PrefixFilter;
|
||||
import org.apache.hadoop.hbase.filter.WhileMatchFilter;
|
||||
import org.apache.hadoop.hbase.security.SaslUtil;
|
||||
import org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection;
|
||||
import org.apache.hadoop.hbase.security.SecurityUtil;
|
||||
import org.apache.hadoop.hbase.security.UserProvider;
|
||||
import org.apache.hadoop.hbase.thrift.generated.AlreadyExists;
|
||||
|
@ -207,7 +208,7 @@ public class ThriftServerRunner implements Runnable {
|
|||
private final HBaseHandler hbaseHandler;
|
||||
private final UserGroupInformation realUser;
|
||||
|
||||
private final String qop;
|
||||
private SaslUtil.QualityOfProtection qop;
|
||||
private String host;
|
||||
|
||||
private final boolean securityEnabled;
|
||||
|
@ -334,7 +335,10 @@ public class ThriftServerRunner implements Runnable {
|
|||
this.handler = HbaseHandlerMetricsProxy.newInstance(
|
||||
hbaseHandler, metrics, conf);
|
||||
this.realUser = userProvider.getCurrent().getUGI();
|
||||
qop = conf.get(THRIFT_QOP_KEY);
|
||||
String strQop = conf.get(THRIFT_QOP_KEY);
|
||||
if (strQop != null) {
|
||||
this.qop = SaslUtil.getQop(strQop);
|
||||
}
|
||||
doAsEnabled = conf.getBoolean(THRIFT_SUPPORT_PROXYUSER, false);
|
||||
if (doAsEnabled) {
|
||||
if (!conf.getBoolean(USE_HTTP_CONF_KEY, false)) {
|
||||
|
@ -342,10 +346,14 @@ public class ThriftServerRunner implements Runnable {
|
|||
}
|
||||
}
|
||||
if (qop != null) {
|
||||
if (!qop.equals("auth") && !qop.equals("auth-int")
|
||||
&& !qop.equals("auth-conf")) {
|
||||
throw new IOException("Invalid " + THRIFT_QOP_KEY + ": " + qop
|
||||
+ ", it must be 'auth', 'auth-int', or 'auth-conf'");
|
||||
if (qop != QualityOfProtection.AUTHENTICATION &&
|
||||
qop != QualityOfProtection.INTEGRITY &&
|
||||
qop != QualityOfProtection.PRIVACY) {
|
||||
throw new IOException(String.format("Invalide %s: It must be one of %s, %s, or %s.",
|
||||
THRIFT_QOP_KEY,
|
||||
QualityOfProtection.AUTHENTICATION.name(),
|
||||
QualityOfProtection.INTEGRITY.name(),
|
||||
QualityOfProtection.PRIVACY.name()));
|
||||
}
|
||||
if (!securityEnabled) {
|
||||
throw new IOException("Thrift server must"
|
||||
|
@ -524,8 +532,7 @@ public class ThriftServerRunner implements Runnable {
|
|||
// Extract the name from the principal
|
||||
String name = SecurityUtil.getUserFromPrincipal(
|
||||
conf.get("hbase.thrift.kerberos.principal"));
|
||||
Map<String, String> saslProperties = new HashMap<>();
|
||||
saslProperties.put(Sasl.QOP, qop);
|
||||
Map<String, String> saslProperties = SaslUtil.initSaslProperties(qop.name());
|
||||
TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
|
||||
saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties,
|
||||
new SaslGssCallbackHandler() {
|
||||
|
|
|
@ -23,7 +23,6 @@ import java.net.InetAddress;
|
|||
import java.net.InetSocketAddress;
|
||||
import java.net.UnknownHostException;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.ExecutorService;
|
||||
|
@ -35,7 +34,6 @@ import java.util.concurrent.TimeUnit;
|
|||
import javax.security.auth.callback.Callback;
|
||||
import javax.security.auth.callback.UnsupportedCallbackException;
|
||||
import javax.security.sasl.AuthorizeCallback;
|
||||
import javax.security.sasl.Sasl;
|
||||
import javax.security.sasl.SaslServer;
|
||||
|
||||
import org.apache.commons.cli.CommandLine;
|
||||
|
@ -197,8 +195,7 @@ public class ThriftServer extends Configured implements Tool {
|
|||
} else if (qop == null) {
|
||||
return new TTransportFactory();
|
||||
} else {
|
||||
Map<String, String> saslProperties = new HashMap<>();
|
||||
saslProperties.put(Sasl.QOP, qop.getSaslQop());
|
||||
Map<String, String> saslProperties = SaslUtil.initSaslProperties(qop.name());
|
||||
TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
|
||||
saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties,
|
||||
new SaslGssCallbackHandler() {
|
||||
|
|
Loading…
Reference in New Issue