From 8b17d3ad98b0e35413da7485a7a5a7b979301458 Mon Sep 17 00:00:00 2001
From: Reid Chan
Date: Thu, 2 Nov 2017 14:27:15 +0800
Subject: [PATCH] HBASE-19118 Use SaslUtil to set Sasl.QOP in 'Thrift'

---
 .../hadoop/hbase/thrift/ThriftServerRunner.java | 25 +++++++++++++++-------
 .../apache/hadoop/hbase/thrift2/ThriftServer.java |  1 +
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
index 2d98b5a9c5..a564f37891 100644
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
@@ -36,7 +36,6 @@ import java.util.TreeMap;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.LinkedBlockingQueue;
-import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
 
 import javax.security.auth.callback.Callback;
@@ -81,6 +80,8 @@ import org.apache.hadoop.hbase.filter.ParseFilter;
 import org.apache.hadoop.hbase.filter.PrefixFilter;
 import org.apache.hadoop.hbase.filter.WhileMatchFilter;
 import org.apache.hadoop.hbase.jetty.SslSelectChannelConnectorSecure;
+import org.apache.hadoop.hbase.security.SaslUtil;
+import org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection;
 import org.apache.hadoop.hbase.security.SecurityUtil;
 import org.apache.hadoop.hbase.security.UserProvider;
 import org.apache.hadoop.hbase.thrift.CallQueue.Call;
@@ -196,7 +197,7 @@ public class ThriftServerRunner implements Runnable {
   private final HBaseHandler hbaseHandler;
   private final UserGroupInformation realUser;
 
-  private final String qop;
+  private SaslUtil.QualityOfProtection qop;
   private String host;
 
   private final boolean securityEnabled;
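Review bot: Dropping `final` from `qop` at the end of this hunk is unnecessary; the only reason for it is that the new assignment in the constructor hunk (`@@ -320,7 +321,10 @@`) sits inside `if (strQop != null)`. Keeping `private final SaslUtil.QualityOfProtection qop;` and writing the assignment as `this.qop = strQop == null ? null : SaslUtil.getQop(strQop);` preserves the definite-assignment guarantee the old declaration gave, which matters because the field is read later from another method of the class. As a style point, the import hunk above brings `QualityOfProtection` in directly, so the field could simply be `private final QualityOfProtection qop;` rather than the nested-qualified form used here and in the constructor. The enclosing class body starts and continues outside the hunk.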
@@ -320,7 +321,10 @@ public class ThriftServerRunner implements Runnable {
     this.handler = HbaseHandlerMetricsProxy.newInstance(
         hbaseHandler, metrics, conf);
     this.realUser = userProvider.getCurrent().getUGI();
-    qop = conf.get(THRIFT_QOP_KEY);
+    String strQop = conf.get(THRIFT_QOP_KEY);
+    if (strQop != null) {
+      this.qop = SaslUtil.getQop(strQop);
+    }
     doAsEnabled = conf.getBoolean(THRIFT_SUPPORT_PROXYUSER, false);
     if (doAsEnabled) {
       if (!conf.getBoolean(USE_HTTP_CONF_KEY, false)) {
@@ -328,10 +332,14 @@ public class ThriftServerRunner implements Runnable {
       }
     }
     if (qop != null) {
-      if (!qop.equals("auth") && !qop.equals("auth-int") && !qop.equals("auth-conf")) {
-        throw new IOException("Invalid " + THRIFT_QOP_KEY + ": " + qop + ", it must be 'auth', 'auth-int', or 'auth-conf'");
+      if (qop != SaslUtil.QualityOfProtection.AUTHENTICATION &&
+          qop != SaslUtil.QualityOfProtection.INTEGRITY &&
+          qop != SaslUtil.QualityOfProtection.PRIVACY) {
+        throw new IOException(String.format("Invalide %s: It must be one of %s, %s, or %s.",
+            THRIFT_QOP_KEY,
+            QualityOfProtection.AUTHENTICATION.name(),
+            QualityOfProtection.INTEGRITY.name(),
+            QualityOfProtection.PRIVACY.name()));
       }
       if (!securityEnabled) {
         throw new IOException("Thrift server must"
@@ -475,7 +483,8 @@ public class ThriftServerRunner implements Runnable {
       String name = SecurityUtil.getUserFromPrincipal(
           conf.get("hbase.thrift.kerberos.principal"));
       Map saslProperties = new HashMap();
-      saslProperties.put(Sasl.QOP, qop);
+      saslProperties.put(Sasl.QOP, qop.getSaslQop());
+      saslProperties.put(Sasl.SERVER_AUTH, "true");
       TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
       saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties,
         new SaslGssCallbackHandler() {
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
index 37d3e7223d..37bf06d727 100644
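Review bot: Delegating the parse to `SaslUtil.getQop(strQop)` changes how a bad value surfaces: if getQop rejects unrecognized strings with an unchecked exception (I believe it throws IllegalArgumentException), an invalid THRIFT_QOP_KEY now escapes the constructor as that exception instead of the IOException the deleted validation produced, so any caller that catches IOException for configuration errors no longer sees it. Either translate it, `try { this.qop = SaslUtil.getQop(strQop); } catch (IllegalArgumentException e) { throw new IOException("Invalid " + THRIFT_QOP_KEY + ": " + strQop, e); }`, or document the new failure mode on the constructor. The constructor starts and ends outside the hunk.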
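Review bot: The rewritten guard in the second hunk can never fire: inside `if (qop != null)` the value is a non-null enum, and QualityOfProtection has exactly the three constants being compared, so the `throw new IOException(String.format("Invalide %s: ..."))` (note the misspelling) is dead code. Because unrecognized configuration strings are now rejected when `SaslUtil.getQop` parses them in the first hunk, the three-way comparison and its message can be removed, leaving only the `!securityEnabled` check. If a message listing the accepted values is still wanted somewhere, it should name the strings the configuration actually accepts, as the old message did with 'auth', 'auth-int' and 'auth-conf', rather than the enum constant names. The enclosing constructor continues outside the hunk.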
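Review bot: In the third hunk `saslProperties.put(Sasl.SERVER_AUTH, "true")` is added with no explanation, and the identical line is added in thrift2/ThriftServer.java (`@@ -193,6 +193,7 @@`); javax.security.sasl documents SERVER_AUTH as the property saying whether the server must authenticate to the client, so a reader of a server-side transport factory will ask what it is meant to achieve here. A comment such as `// Request mutual authentication; keep in step with the SASL properties the HBase RPC server uses` (assuming that is the motivation) would settle it. Hand-building the same two-entry map in both Thrift servers also invites the two to drift apart; if SaslUtil, which the subject says this change adopts, can build the property map centrally, both call sites should use it. The enclosing method starts and ends outside the hunk.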
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift2/ThriftServer.java
@@ -193,6 +193,7 @@ public class ThriftServer {
     } else {
       Map saslProperties = new HashMap();
       saslProperties.put(Sasl.QOP, qop.getSaslQop());
+      saslProperties.put(Sasl.SERVER_AUTH, "true");
       TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
       saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties,
         new SaslGssCallbackHandler() {
-- 
2.13.5 (Apple Git-94)