From 7fd1e1e25fb906fc61ec06059a8048de75bdef1a Mon Sep 17 00:00:00 2001 From: Reid Chan Date: Mon, 30 Oct 2017 15:49:17 +0800 Subject: [PATCH] HBASE-19118 Use SaslUtil to set Sasl.QOP in 'Thrift' --- .../hadoop/hbase/thrift/ThriftServerRunner.java | 25 ++++++++++++++-------- .../apache/hadoop/hbase/thrift2/ThriftServer.java | 3 +-- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java index a6c59c0a62..599713f793 100644 --- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java +++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java @@ -23,7 +23,6 @@ import static org.apache.hadoop.hbase.util.Bytes.getBytes; import javax.security.auth.callback.Callback; import javax.security.auth.callback.UnsupportedCallbackException; import javax.security.sasl.AuthorizeCallback; -import javax.security.sasl.Sasl; import javax.security.sasl.SaslServer; import java.io.IOException; import java.net.InetAddress; @@ -80,6 +79,8 @@ import org.apache.hadoop.hbase.filter.Filter; import org.apache.hadoop.hbase.filter.ParseFilter; import org.apache.hadoop.hbase.filter.PrefixFilter; import org.apache.hadoop.hbase.filter.WhileMatchFilter; +import org.apache.hadoop.hbase.security.SaslUtil; +import org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection; import org.apache.hadoop.hbase.security.SecurityUtil; import org.apache.hadoop.hbase.security.UserProvider; import org.apache.hadoop.hbase.thrift.generated.AlreadyExists; @@ -207,7 +208,7 @@ public class ThriftServerRunner implements Runnable { private final HBaseHandler hbaseHandler; private final UserGroupInformation realUser; - private final String qop; + private SaslUtil.QualityOfProtection qop; private String host; private final boolean securityEnabled; @@ -334,7 +335,10 @@ public class ThriftServerRunner implements Runnable { this.handler = HbaseHandlerMetricsProxy.newInstance( hbaseHandler, metrics, conf); this.realUser = userProvider.getCurrent().getUGI(); - qop = conf.get(THRIFT_QOP_KEY); + String strQop = conf.get(THRIFT_QOP_KEY); + if (strQop != null) { + this.qop = SaslUtil.getQop(strQop); + } doAsEnabled = conf.getBoolean(THRIFT_SUPPORT_PROXYUSER, false); if (doAsEnabled) { if (!conf.getBoolean(USE_HTTP_CONF_KEY, false)) { @@ -342,10 +346,14 @@ public class ThriftServerRunner implements Runnable { } } if (qop != null) { - if (!qop.equals("auth") && !qop.equals("auth-int") - && !qop.equals("auth-conf")) { - throw new IOException("Invalid " + THRIFT_QOP_KEY + ": " + qop - + ", it must be 'auth', 'auth-int', or 'auth-conf'"); + if (qop != QualityOfProtection.AUTHENTICATION && + qop != QualityOfProtection.INTEGRITY && + qop != QualityOfProtection.PRIVACY) { + throw new IOException(String.format("Invalide %s: It must be one of %s, %s, or %s.", + THRIFT_QOP_KEY, + QualityOfProtection.AUTHENTICATION.name(), + QualityOfProtection.INTEGRITY.name(), + QualityOfProtection.PRIVACY.name())); } if (!securityEnabled) { throw new IOException("Thrift server must" @@ -524,8 +532,7 @@ public class ThriftServerRunner implements Runnable { // Extract the name from the principal String name = SecurityUtil.getUserFromPrincipal( conf.get("hbase.thrift.kerberos.principal")); - Map saslProperties = new HashMap<>(); - saslProperties.put(Sasl.QOP, qop); + Map saslProperties = SaslUtil.initSaslProperties(qop.name()); TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory(); saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties, new SaslGssCallbackHandler() { diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java index 68a71ffb64..24e1d6931c 100644 --- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java +++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java @@ -197,8 +197,7 @@ public class ThriftServer extends Configured implements Tool { } else if (qop == null) { return new TTransportFactory(); } else { - Map saslProperties = new HashMap<>(); - saslProperties.put(Sasl.QOP, qop.getSaslQop()); + Map saslProperties = SaslUtil.initSaslProperties(qop.name()); TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory(); saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties, new SaslGssCallbackHandler() { -- 2.13.5 (Apple Git-94)