diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/AuthenticationProviderSelector.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/AuthenticationProviderSelector.java
index 5bb011b77ae2..69afec787914 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/AuthenticationProviderSelector.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/AuthenticationProviderSelector.java
@@ -1,4 +1,4 @@
-/**
+/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInSaslAuthenticationProvider.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInSaslAuthenticationProvider.java
new file mode 100644
index 000000000000..7ee435abcae3
--- /dev/null
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInSaslAuthenticationProvider.java
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.provider;
+
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.io.Text;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.apache.yetus.audience.InterfaceStability;
+
+/**
+ * Base class for all Apache HBase, built-in {@link SaslAuthenticationProvider}'s to extend.
+ */
+@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
+@InterfaceStability.Evolving
+public abstract class BuiltInSaslAuthenticationProvider implements SaslAuthenticationProvider {
+
+ public static final Text AUTH_TOKEN_TYPE = new Text("HBASE_AUTH_TOKEN");
+
+ @Override
+ public Text getTokenKind() {
+ return AUTH_TOKEN_TYPE;
+ }
+}
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/DigestSaslAuthenticationProvider.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/DigestSaslAuthenticationProvider.java
new file mode 100644
index 000000000000..980a0c89d720
--- /dev/null
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/DigestSaslAuthenticationProvider.java
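Review bot: `BuiltInSaslAuthenticationProvider` defines only `getTokenKind()`, while the Javadoc on `SaslAuthenticationProvider` added in this same commit requires a `hashCode()` that returns the same value across instances of a provider. The built-in client providers used to extend `AbstractSaslClientAuthenticationProvider` (see the removed `extends` lines), which is not shown here; if that class supplied `hashCode()`/`equals()`, the built-ins now fall back to identity semantics, which matters wherever providers are de-duplicated or used as map keys. Consider adding `@Override public int hashCode() { return getSaslAuthMethod().hashCode(); }` with a matching `equals()` to this base class, or confirm that nothing keys on provider instances.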
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.provider;
+
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.apache.yetus.audience.InterfaceStability;
+
+/**
+ * Base client for client/server implementations for the HBase delegation token auth'n method.
+ */
+@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
+@InterfaceStability.Evolving
+public class DigestSaslAuthenticationProvider extends BuiltInSaslAuthenticationProvider {
+
+ static final String MECHANISM = "DIGEST-MD5";
+ static final SaslAuthMethod SASL_AUTH_METHOD = new SaslAuthMethod(
+ "DIGEST", (byte)82, MECHANISM, AuthenticationMethod.TOKEN);
+
+ @Override
+ public SaslAuthMethod getSaslAuthMethod() {
+ return SASL_AUTH_METHOD;
+ }
+}
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/DigestSaslClientAuthenticationProvider.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/DigestSaslClientAuthenticationProvider.java
index 67e01d54c430..79076f750168 100644
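Review bot: `DigestSaslAuthenticationProvider` is a concrete `public class` although it implements neither the client nor the server interface, so it can be instantiated as a provider that cannot create a SASL client or server. Declaring it `public abstract class DigestSaslAuthenticationProvider extends BuiltInSaslAuthenticationProvider` would match `BuiltInSaslAuthenticationProvider` and rule that out; the same applies to `GssSaslAuthenticationProvider` and `SimpleSaslAuthenticationProvider`. The Javadoc on all three reads "Base client for client/server implementations", which should be "Base class".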
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/DigestSaslClientAuthenticationProvider.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/DigestSaslClientAuthenticationProvider.java @@ -36,7 +36,6 @@ import org.apache.hadoop.hbase.security.SaslUtil; import org.apache.hadoop.hbase.security.SecurityInfo; import org.apache.hadoop.security.UserGroupInformation; -import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.yetus.audience.InterfaceAudience; @@ -48,16 +47,10 @@ @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION) @InterfaceStability.Evolving -public class DigestSaslClientAuthenticationProvider extends - AbstractSaslClientAuthenticationProvider { +public class DigestSaslClientAuthenticationProvider extends DigestSaslAuthenticationProvider + implements SaslClientAuthenticationProvider { private static final String MECHANISM = "DIGEST-MD5"; - private static final SaslAuthMethod SASL_AUTH_METHOD = new SaslAuthMethod( - "DIGEST", (byte)82, MECHANISM, AuthenticationMethod.TOKEN); - - public static String getMechanism() { - return MECHANISM; - } @Override public SaslClient createClient(Configuration conf, InetAddress serverAddr, @@ -67,11 +60,6 @@ public SaslClient createClient(Configuration conf, InetAddress serverAddr, SaslUtil.SASL_DEFAULT_REALM, saslProps, new DigestSaslClientCallbackHandler(token)); } - @Override - public SaslAuthMethod getSaslAuthMethod() { - return SASL_AUTH_METHOD; - } - public static class DigestSaslClientCallbackHandler implements CallbackHandler { private static final Logger LOG = LoggerFactory.getLogger(DigestSaslClientCallbackHandler.class); 
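Review bot: The class keeps its own `private static final String MECHANISM = "DIGEST-MD5";` (unchanged context in the second hunk) although the new parent `DigestSaslAuthenticationProvider` declares the same constant, so the mechanism string is now defined twice and the two copies can drift apart. Drop the private copy and use the inherited `MECHANISM`, or `getSaslAuthMethod().getSaslMechanism()` as the GSS client does in this commit. The `createClient` call that presumably consumes it starts outside the hunk, so confirm which symbol it resolves to. Removing the public static `getMechanism()` also breaks any caller outside this diff; check for remaining references before merging.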
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/GssSaslAuthenticationProvider.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/GssSaslAuthenticationProvider.java
new file mode 100644
index 000000000000..509163821a5d
--- /dev/null
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/GssSaslAuthenticationProvider.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.provider;
+
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.apache.yetus.audience.InterfaceStability;
+
+/**
+ * Base client for client/server implementations for the "KERBEROS" HBase auth'n method.
+ */
+@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
+@InterfaceStability.Evolving
+public class GssSaslAuthenticationProvider extends BuiltInSaslAuthenticationProvider {
+
+ static final SaslAuthMethod SASL_AUTH_METHOD = new SaslAuthMethod(
+ "KERBEROS", (byte)81, "GSSAPI", AuthenticationMethod.KERBEROS);
+
+ @Override
+ public SaslAuthMethod getSaslAuthMethod() {
+ return SASL_AUTH_METHOD;
+ }
+}
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/GssSaslClientAuthenticationProvider.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/GssSaslClientAuthenticationProvider.java
index 07242788a3a1..e50c04d9ab7e 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/GssSaslClientAuthenticationProvider.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/GssSaslClientAuthenticationProvider.java @@ -30,7 +30,6 @@ import org.apache.hadoop.hbase.security.SecurityInfo; import org.apache.hadoop.security.SecurityUtil; import org.apache.hadoop.security.UserGroupInformation; -import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.yetus.audience.InterfaceAudience; @@ -42,12 +41,10 @@ @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION) @InterfaceStability.Evolving -public class GssSaslClientAuthenticationProvider extends AbstractSaslClientAuthenticationProvider { +public class GssSaslClientAuthenticationProvider extends GssSaslAuthenticationProvider + implements SaslClientAuthenticationProvider { private static final Logger LOG = LoggerFactory.getLogger( GssSaslClientAuthenticationProvider.class); - private static final String MECHANISM = "GSSAPI"; - private static final SaslAuthMethod SASL_AUTH_METHOD = new SaslAuthMethod( - "KERBEROS", (byte)81, MECHANISM, AuthenticationMethod.KERBEROS); String getServerPrincipal(Configuration conf, SecurityInfo securityInfo, InetAddress server) throws IOException { @@ -70,13 +67,8 @@ public SaslClient createClient(Configuration conf, InetAddress serverAddr, throw new IOException("Kerberos principal '" + serverPrincipal + "' does not have the expected format"); } - return Sasl.createSaslClient(new String[] { MECHANISM }, null, names[0], names[1], saslProps, - null); - } - - @Override - public SaslAuthMethod getSaslAuthMethod() { - return SASL_AUTH_METHOD; + return Sasl.createSaslClient(new String[] { getSaslAuthMethod().getSaslMechanism() }, null, + names[0], names[1], saslProps, null); } @Override 
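Review bot: In `createClient`, the mechanism passed to `Sasl.createSaslClient` now comes from the overridable `getSaslAuthMethod()` instead of a private constant, so a subclass that overrides that method silently changes which SASL mechanism the Kerberos provider negotiates. Pinning it keeps the provider's behaviour fixed: either `new String[] { SASL_AUTH_METHOD.getSaslMechanism() }` using the inherited package-private constant, or mark `getSaslAuthMethod()` as `final` in `GssSaslAuthenticationProvider`. The body of `createClient` begins outside the hunk.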
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslAuthenticationProvider.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslAuthenticationProvider.java
new file mode 100644
index 000000000000..72a01b318d75
--- /dev/null
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslAuthenticationProvider.java
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.provider;
+
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.io.Text;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.apache.yetus.audience.InterfaceStability;
+
+/**
+ * Encapsulation of client-side logic to authenticate to HBase via some means over SASL.
+ * Implementations should not directly implement this interface, but instead extend
+ * {@link AbstractSaslClientAuthenticationProvider}.
+ *
+ * Implementations of this interface must make an implementation of {@code hashCode()}
+ * which returns the same value across multiple instances of the provider implementation.
+ */
+@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
+@InterfaceStability.Evolving
+public interface SaslAuthenticationProvider {
+
+ /**
+ * Returns the attributes which identify how this provider authenticates.
+ */
+ SaslAuthMethod getSaslAuthMethod();
+
+ /**
+ * Returns the name of the type used by the TokenIdentifier.
+ */
+ Text getTokenKind();
+}
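Review bot: The Javadoc on the new `SaslAuthenticationProvider` was copied from the client interface and no longer fits. It describes "client-side logic" although `SaslServerAuthenticationProvider` extends this type in the same commit, and it tells implementers to extend `AbstractSaslClientAuthenticationProvider`, which the built-in providers stop doing here. A first sentence such as `Encapsulation of the attributes shared by client and server SASL authentication providers for HBase.` would be accurate, with the `{@link}` advice left on the client interface. The `hashCode()` requirement should also say whether `equals()` has to agree with it.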
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslClientAuthenticationProvider.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslClientAuthenticationProvider.java index 20f6ad26fce1..6709f0a4fd76 100644 --- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslClientAuthenticationProvider.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslClientAuthenticationProvider.java @@ -26,14 +26,14 @@ import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.hbase.HBaseInterfaceAudience; import org.apache.hadoop.hbase.security.SecurityInfo; -import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.UserInformation; -import org.apache.hadoop.io.Text; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.yetus.audience.InterfaceAudience; import org.apache.yetus.audience.InterfaceStability; +import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.UserInformation; + /** * Encapsulation of client-side logic to authenticate to HBase via some means over SASL. * Implementations should not directly implement this interface, but instead extend @@ -44,7 +44,7 @@ */ @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION) @InterfaceStability.Evolving -public interface SaslClientAuthenticationProvider { +public interface SaslClientAuthenticationProvider extends SaslAuthenticationProvider { /** * Creates the SASL client instance for this auth'n method. 
@@ -53,16 +53,6 @@ SaslClient createClient(Configuration conf, InetAddress serverAddr, SecurityInfo Token token, boolean fallbackAllowed, Map saslProps) throws IOException; - /** - * Returns the attributes which identify how this provider authenticates. - */ - SaslAuthMethod getSaslAuthMethod(); - - /** - * Returns the name of the type used by the TokenIdentifier. - */ - Text getTokenKind(); - /** * Constructs a {@link UserInformation} from the given {@link UserGroupInformation} */ diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SimpleSaslAuthenticationProvider.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SimpleSaslAuthenticationProvider.java new file mode 100644 index 000000000000..85c8caec6199 --- /dev/null +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SimpleSaslAuthenticationProvider.java 
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.provider;
+
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.apache.yetus.audience.InterfaceStability;
+
+/**
+ * Base client for client/server implementations for the "SIMPLE" HBase auth'n method.
+ */
+@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
+@InterfaceStability.Evolving
+public class SimpleSaslAuthenticationProvider extends BuiltInSaslAuthenticationProvider {
+ private static final SaslAuthMethod SASL_AUTH_METHOD = new SaslAuthMethod(
+ "SIMPLE", (byte)80, "", AuthenticationMethod.SIMPLE);
+
+ @Override
+ public SaslAuthMethod getSaslAuthMethod() {
+ return SASL_AUTH_METHOD;
+ }
+}
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SimpleSaslClientAuthenticationProvider.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SimpleSaslClientAuthenticationProvider.java
index c53c26ed0e21..e885a0cc2484 100644
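Review bot: `SASL_AUTH_METHOD` is `private` here but package-private in `DigestSaslAuthenticationProvider` and `GssSaslAuthenticationProvider`, so the three parallel base classes expose the same constant differently for no visible reason. Pick one visibility for all three; `private` plus `getSaslAuthMethod()` is the narrower choice if no subclass reads the field directly. A Javadoc line stating that the mechanism name passed to `SaslAuthMethod` is the empty string for this method would also help readers who expect a SASL exchange here.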
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SimpleSaslClientAuthenticationProvider.java +++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SimpleSaslClientAuthenticationProvider.java @@ -27,7 +27,6 @@ import org.apache.hadoop.hbase.HBaseInterfaceAudience; import org.apache.hadoop.hbase.security.SecurityInfo; import org.apache.hadoop.security.UserGroupInformation; -import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod; import org.apache.hadoop.security.token.Token; import org.apache.hadoop.security.token.TokenIdentifier; import org.apache.yetus.audience.InterfaceAudience; @@ -38,9 +37,7 @@ @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION) @InterfaceStability.Evolving public class SimpleSaslClientAuthenticationProvider extends - AbstractSaslClientAuthenticationProvider { - private static final SaslAuthMethod SASL_AUTH_METHOD = new SaslAuthMethod( - "SIMPLE", (byte)80, "", AuthenticationMethod.SIMPLE); + SimpleSaslAuthenticationProvider implements SaslClientAuthenticationProvider { @Override public SaslClient createClient(Configuration conf, InetAddress serverAddress, @@ -59,9 +56,4 @@ public UserInformation getUserInfo(UserGroupInformation user) { } return userInfoPB.build(); } - - @Override - public SaslAuthMethod getSaslAuthMethod() { - return SASL_AUTH_METHOD; - } } diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/DigestSaslServerAuthenticationProvider.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/DigestSaslServerAuthenticationProvider.java index cdcc0b190eac..16bec7237c8c 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/DigestSaslServerAuthenticationProvider.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/DigestSaslServerAuthenticationProvider.java 
@@ -45,7 +45,7 @@ @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION) @InterfaceStability.Evolving -public class DigestSaslServerAuthenticationProvider extends DigestSaslClientAuthenticationProvider +public class DigestSaslServerAuthenticationProvider extends DigestSaslAuthenticationProvider implements SaslServerAuthenticationProvider { private static final Logger LOG = LoggerFactory.getLogger( DigestSaslServerAuthenticationProvider.class); diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/GssSaslServerAuthenticationProvider.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/GssSaslServerAuthenticationProvider.java index 48cc379745dc..86100a36719d 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/GssSaslServerAuthenticationProvider.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/GssSaslServerAuthenticationProvider.java @@ -42,7 +42,7 @@ @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION) @InterfaceStability.Evolving -public class GssSaslServerAuthenticationProvider extends GssSaslClientAuthenticationProvider +public class GssSaslServerAuthenticationProvider extends GssSaslAuthenticationProvider implements SaslServerAuthenticationProvider { private static final Logger LOG = LoggerFactory.getLogger( GssSaslServerAuthenticationProvider.class); diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/SaslServerAuthenticationProvider.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/SaslServerAuthenticationProvider.java index 13561f635868..babc9d2172cf 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/SaslServerAuthenticationProvider.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/SaslServerAuthenticationProvider.java 
@@ -35,7 +35,7 @@ */ @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION) @InterfaceStability.Evolving -public interface SaslServerAuthenticationProvider extends SaslClientAuthenticationProvider { +public interface SaslServerAuthenticationProvider extends SaslAuthenticationProvider { /** * Creates the SaslServer to accept incoming SASL authentication requests. diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/SimpleSaslServerAuthenticationProvider.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/SimpleSaslServerAuthenticationProvider.java index 5f41eccd8223..a1fde3db4068 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/SimpleSaslServerAuthenticationProvider.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/provider/SimpleSaslServerAuthenticationProvider.java @@ -31,7 +31,7 @@ @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION) @InterfaceStability.Evolving -public class SimpleSaslServerAuthenticationProvider extends SimpleSaslClientAuthenticationProvider +public class SimpleSaslServerAuthenticationProvider extends SimpleSaslAuthenticationProvider implements SaslServerAuthenticationProvider { @Override
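Review bot: `SaslServerAuthenticationProvider` no longer inherits the client methods, so a custom provider written against the old interface that implements only this type and marks `createClient` or `getUserInfo` with `@Override` stops compiling. Because the type is `LimitedPrivate(AUTHENTICATION)`, the interface Javadoc (it starts above this hunk) should state the new contract, for example `Server providers extend {@link SaslAuthenticationProvider} only; client-side methods are not part of this contract.` The three built-in server classes changed in the neighbouring hunks follow the same split.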