From d76e24e05391b4e236c740c68d5d71f5c10e9c38 Mon Sep 17 00:00:00 2001
From: Wei-Chiu Chuang
Date: Fri, 27 Jul 2018 15:45:33 -0700
Subject: [PATCH] HBASE-20950 Helper method to configure secure DFS cluster for tests Create a helper method HBaseKerberosUtils#setSecuredConfiguration(). TestSecureExport, TestSaslFanOutOneBlockAsyncDFSOutput, SecureTestCluster and TestThriftSpnegoHttpServer uses this new helper method.
Signed-off-by: tedyu
---
 .../hbase/security/HBaseKerberosUtils.java | 89 +++++++++++++++++++
 .../security/token/SecureTestCluster.java | 35 +-------
 2 files changed, 92 insertions(+), 32 deletions(-)
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/HBaseKerberosUtils.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/HBaseKerberosUtils.java
index 237efe9579..209bc72b48 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/HBaseKerberosUtils.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/HBaseKerberosUtils.java
@@ -17,10 +17,22 @@
 */
 package org.apache.hadoop.hbase.security;
+import java.io.File;
+import java.io.IOException;
+import java.net.InetAddress;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.CommonConfigurationKeys;
 import org.apache.hadoop.hbase.HBaseConfiguration;
+import org.apache.hadoop.hbase.HBaseTestingUtility;
 import org.apache.hadoop.hbase.classification.InterfaceAudience;
+import org.apache.hadoop.hbase.http.ssl.KeyStoreTestUtil;
+import org.apache.hadoop.hdfs.DFSConfigKeys;
+import org.apache.hadoop.http.HttpConfig;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.yarn.conf.YarnConfiguration;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import com.google.common.base.Strings;
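Review bot: `Logger` and `LoggerFactory` are imported in this hunk, but no hunk of the patch declares a `LOG` field, while the new `loginAndReturnUGI` calls `LOG.warn(...)`. The unchanged part of the class (old lines 27–72) is not part of the patch, so a field may already exist there; if it does not, the file will not compile and the class needs `private static final Logger LOG = LoggerFactory.getLogger(HBaseKerberosUtils.class);` near its top.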
@@ -73,6 +85,19 @@ public class HBaseKerberosUtils {
 return conf;
 }
+ /**
+ * Set up configuration for a secure HDFS+HBase cluster.
+ * @param conf configuration object.
+ * @param servicePrincipal service principal used by NN, HM and RS.
+ * @param spnegoPrincipal SPNEGO principal used by NN web UI.
+ */
+ public static void setSecuredConfiguration(Configuration conf,
+ String servicePrincipal, String spnegoPrincipal) {
+ setPrincipalForTesting(servicePrincipal);
+ setSecuredConfiguration(conf);
+ setSecuredHadoopConfiguration(conf, spnegoPrincipal);
+ }
+
 public static void setSecuredConfiguration(Configuration conf) {
 conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
 conf.set(User.HBASE_SECURITY_CONF_KEY, "kerberos");
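Review bot: The new three-argument `setSecuredConfiguration` takes both principals as parameters but still depends on the keytab path having been published beforehand, because `setSecuredHadoopConfiguration` (next hunk) reads `System.getProperty(KRB_KEYTAB_FILE)` and passes the result straight to `conf.set(...)`. The removed `setHdfsSecuredConfiguration` in SecureTestCluster passed `KEYTAB_FILE.getAbsolutePath()` directly, and the rewritten call in the SecureTestCluster setup hunk does not show that property being set, so a caller that skips it hands a null keytab path to the configuration rather than getting a clear message. The Javadoc should state the precondition and the process-wide effects, for example `* Requires the keytab system property (KRB_KEYTAB_FILE) to be set first; also replaces the JVM-wide UserGroupInformation configuration.`, or the helper should fail fast with `Objects.requireNonNull(keytabFilePath, KRB_KEYTAB_FILE + " is not set");`. The body of `setPrincipalForTesting` is outside the patch, so whether it also writes a system property is inferred from the `System.getProperty(KRB_PRINCIPAL)` reads.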
@@ -81,4 +106,68 @@ public class HBaseKerberosUtils {
 conf.set(KRB_PRINCIPAL, System.getProperty(KRB_PRINCIPAL));
 conf.set(MASTER_KRB_PRINCIPAL, System.getProperty(KRB_PRINCIPAL));
 }
+
+ private static void setSecuredHadoopConfiguration(Configuration conf,
+ String spnegoServerPrincipal) {
+ // if we drop support for hadoop-2.4.0 and hadoop-2.4.1,
+ // the following key should be changed.
+ // 1) DFS_NAMENODE_USER_NAME_KEY -> DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY
+ // 2) DFS_DATANODE_USER_NAME_KEY -> DFS_DATANODE_KERBEROS_PRINCIPAL_KEY
+ String serverPrincipal = System.getProperty(KRB_PRINCIPAL);
+ String keytabFilePath = System.getProperty(KRB_KEYTAB_FILE);
+ // HDFS
+ conf.set(DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY, serverPrincipal);
+ conf.set(DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY, keytabFilePath);
+ conf.set(DFSConfigKeys.DFS_DATANODE_USER_NAME_KEY, serverPrincipal);
+ conf.set(DFSConfigKeys.DFS_DATANODE_KEYTAB_FILE_KEY, keytabFilePath);
+ conf.setBoolean(DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true);
+ // YARN
+ conf.set(YarnConfiguration.RM_PRINCIPAL, KRB_PRINCIPAL);
+ conf.set(YarnConfiguration.NM_PRINCIPAL, KRB_PRINCIPAL);
+
+ if (spnegoServerPrincipal != null) {
+ conf.set(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY,
+ spnegoServerPrincipal);
+ }
+
+ conf.setBoolean("ignore.secure.ports.for.testing", true);
+
+ UserGroupInformation.setConfiguration(conf);
+ }
+
+ /**
+ * Set up SSL configuration for HDFS NameNode and DataNode.
+ * @param utility a HBaseTestingUtility object.
+ * @param clazz the caller test class.
+ * @throws Exception if unable to set up SSL configuration
+ */
+ public static void setSSLConfiguration(HBaseTestingUtility utility, Class clazz)
+ throws Exception {
+ Configuration conf = utility.getConfiguration();
+ conf.set(DFSConfigKeys.DFS_HTTP_POLICY_KEY, HttpConfig.Policy.HTTPS_ONLY.name());
+ conf.set(DFSConfigKeys.DFS_NAMENODE_HTTPS_ADDRESS_KEY, "localhost:0");
+ conf.set(DFSConfigKeys.DFS_DATANODE_HTTPS_ADDRESS_KEY, "localhost:0");
+
+ File keystoresDir = new File(utility.getDataTestDir("keystore").toUri().getPath());
+ keystoresDir.mkdirs();
+ String sslConfDir = KeyStoreTestUtil.getClasspathDir(clazz);
+ KeyStoreTestUtil.setupSSLConfig(keystoresDir.getAbsolutePath(), sslConfDir, conf, false);
+ }
+
+ public static UserGroupInformation loginAndReturnUGI(Configuration conf, String username)
+ throws IOException {
+ String hostname = InetAddress.getLocalHost().getHostName();
+ String keyTabFileConfKey = "hbase." + username + ".keytab.file";
+ String keyTabFileLocation = conf.get(keyTabFileConfKey);
+ String principalConfKey = "hbase." + username + ".kerberos.principal";
+ String principal = org.apache.hadoop.security.SecurityUtil
+ .getServerPrincipal(conf.get(principalConfKey), hostname);
+ if (keyTabFileLocation == null || principal == null) {
+ LOG.warn("Principal or key tab file null for : " + principalConfKey + ", " + + keyTabFileConfKey);
+ }
+ UserGroupInformation ugi =
+ UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keyTabFileLocation);
+ return ugi;
+ }
 }
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/token/SecureTestCluster.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/token/SecureTestCluster.java
index 2e3743765c..964ef140f2 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/token/SecureTestCluster.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/token/SecureTestCluster.java
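Review bot: In `setSecuredHadoopConfiguration` (HBaseKerberosUtils.java), the two YARN lines store the constant `KRB_PRINCIPAL` itself, which the surrounding code uses as a property name (`System.getProperty(KRB_PRINCIPAL)`), so the ResourceManager and NodeManager principals end up holding the key string rather than the test principal. They should reuse the local already read for HDFS: `conf.set(YarnConfiguration.RM_PRINCIPAL, serverPrincipal);` and `conf.set(YarnConfiguration.NM_PRINCIPAL, serverPrincipal);`. Separately, `loginAndReturnUGI` only logs a warning when the keytab path or principal is missing and then still calls `loginUserFromKeytabAndReturnUGI` with the null value; throwing an `IOException` that names `principalConfKey` and `keyTabFileConfKey` would make a misconfigured test fail at the cause. That method is also the only new public helper here without Javadoc, and it should document that `username` selects the `hbase.<username>.keytab.file` and `hbase.<username>.kerberos.principal` keys.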
@@ -18,16 +18,12 @@
 package org.apache.hadoop.hbase.security.token;
-import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hbase.HBaseTestingUtility;
 import org.apache.hadoop.hbase.LocalHBaseCluster;
 import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
-import org.apache.hadoop.hbase.http.ssl.KeyStoreTestUtil;
 import org.apache.hadoop.hbase.security.HBaseKerberosUtils;
 import org.apache.hadoop.hbase.util.FSUtils;
-import org.apache.hadoop.hdfs.DFSConfigKeys;
-import org.apache.hadoop.http.HttpConfig;
 import org.apache.hadoop.minikdc.MiniKdc;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.junit.AfterClass;
@@ -55,30 +51,6 @@ public class SecureTestCluster {
 private static String HTTP_PRINCIPAL;
- /**
- * Setup the security configuration for hdfs.
- */
- private static void setHdfsSecuredConfiguration(Configuration conf) throws Exception {
- // change XXX_USER_NAME_KEY to XXX_KERBEROS_PRINCIPAL_KEY after we drop support for hadoop-2.4.1
- conf.set(DFSConfigKeys.DFS_NAMENODE_USER_NAME_KEY, PRINCIPAL + "@" + KDC.getRealm());
- conf.set(DFSConfigKeys.DFS_NAMENODE_KEYTAB_FILE_KEY, KEYTAB_FILE.getAbsolutePath());
- conf.set(DFSConfigKeys.DFS_DATANODE_USER_NAME_KEY, PRINCIPAL + "@" + KDC.getRealm());
- conf.set(DFSConfigKeys.DFS_DATANODE_KEYTAB_FILE_KEY, KEYTAB_FILE.getAbsolutePath());
- conf.set(DFSConfigKeys.DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, HTTP_PRINCIPAL + "@"
- + KDC.getRealm());
- conf.setBoolean(DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true);
- conf.set(DFSConfigKeys.DFS_HTTP_POLICY_KEY, HttpConfig.Policy.HTTPS_ONLY.name());
- conf.set(DFSConfigKeys.DFS_NAMENODE_HTTPS_ADDRESS_KEY, "localhost:0");
- conf.set(DFSConfigKeys.DFS_DATANODE_HTTPS_ADDRESS_KEY, "localhost:0");
-
- File keystoresDir = new File(TEST_UTIL.getDataTestDir("keystore").toUri().getPath());
- keystoresDir.mkdirs();
- String sslConfDir = KeyStoreTestUtil.getClasspathDir(TestGenerateDelegationToken.class);
- KeyStoreTestUtil.setupSSLConfig(keystoresDir.getAbsolutePath(), sslConfDir, conf, false);
-
- conf.setBoolean("ignore.secure.ports.for.testing", true);
- }
-
 /**
 * Setup and start kerberos, hbase
 */
@@ -91,11 +63,10 @@ public class SecureTestCluster {
 KDC.createPrincipal(KEYTAB_FILE, PRINCIPAL, HTTP_PRINCIPAL);
 TEST_UTIL.startMiniZKCluster();
- HBaseKerberosUtils.setPrincipalForTesting(PRINCIPAL + "@" + KDC.getRealm());
- HBaseKerberosUtils.setSecuredConfiguration(TEST_UTIL.getConfiguration());
+ HBaseKerberosUtils.setSecuredConfiguration(TEST_UTIL.getConfiguration(),
+ PRINCIPAL + "@" + KDC.getRealm(), HTTP_PRINCIPAL + "@" + KDC.getRealm());
+ HBaseKerberosUtils.setSSLConfiguration(TEST_UTIL, SecureTestCluster.class);
- setHdfsSecuredConfiguration(TEST_UTIL.getConfiguration());
- UserGroupInformation.setConfiguration(TEST_UTIL.getConfiguration());
 TEST_UTIL.getConfiguration().setStrings(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY, TokenProvider.class.getName());
 TEST_UTIL.startMiniDFSCluster(1);
--
2.24.0