Map<String, String> saslProperties = SaslUtil.initSaslProperties(qop.name()); TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory(); saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties,
.getSaslQop().equalsIgnoreCase(qop); boolean isCryptoAesEncryption = isEncryption && this.rpcServer.conf.getBoolean( "hbase.rpc.crypto.encryption.aes.enabled", false);
/**
 * Resolves a configured protection level to its
 * {@link org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection} constant.
 *
 * <p>Candidates are tried in {@code QualityOfProtection.values()} order and the first one whose
 * {@code matches(stringQop)} returns {@code true} wins. An unrecognised value is rejected rather
 * than mapped to a default, so a misspelt protection level cannot silently select a weaker one.
 *
 * @param stringQop the configured value to resolve
 * @return the first matching constant
 * @throws IllegalArgumentException if {@code stringQop} matches no constant
 */
public static QualityOfProtection getQop(String stringQop) {
  QualityOfProtection[] candidates = QualityOfProtection.values();
  for (int idx = 0; idx < candidates.length; idx++) {
    QualityOfProtection candidate = candidates[idx];
    if (candidate.matches(stringQop)) {
      return candidate;
    }
  }
  // Nothing matched: fail closed instead of guessing a protection level.
  String message = "Invalid qop: " + stringQop
      + ". It must be one of 'authentication', 'integrity', 'privacy'.";
  throw new IllegalArgumentException(message);
}
Map<String, String> saslProperties = SaslUtil.initSaslProperties(qop.name()); TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory(); saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties,
Map<String, String> saslProperties = SaslUtil.initSaslProperties(qop.name()); TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory(); saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties,
return new TTransportFactory(); } else { Map<String, String> saslProperties = SaslUtil.initSaslProperties(qop.name()); TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory(); saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties,
return new SaslClientHandler(realTicket, authMethod, token, serverPrincipal, client.fallbackAllowed, client.conf.get("hbase.rpc.protection", SaslUtil.QualityOfProtection.AUTHENTICATION.name().toLowerCase()), new SaslClientHandler.SaslExceptionHandler() { @Override
return new TTransportFactory(); } else { Map<String, String> saslProperties = SaslUtil.initSaslProperties(qop.name()); TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory(); saslFactory.addServerDefinition("GSSAPI", name, host, saslProperties,
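/**
 * Returns {@link org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection}
 * corresponding to the given {@code stringQop} value.
 *
 * <p>Two spellings are accepted for each level: the enum constant's name, compared without regard
 * to case, and the constant's {@code saslQop} token, compared exactly. The token form still works
 * but logs a warning asking for the authentication/integrity/privacy spelling.
 *
 * <p>The name comparison uses {@code equalsIgnoreCase} rather than {@code toLowerCase()}, because
 * the latter follows the JVM default locale and can stop "integrity" or "privacy" from matching
 * on hosts whose locale lower-cases 'I' differently.
 *
 * @param stringQop the configured value to resolve
 * @return the matching constant; never {@code null}
 * @throws IllegalArgumentException if {@code stringQop} (including {@code null}) matches no QOP,
 *           so an unknown value is never mapped to a weaker default
 */
public static QualityOfProtection getQop(String stringQop) {
  QualityOfProtection[] known = {
    QualityOfProtection.AUTHENTICATION,
    QualityOfProtection.INTEGRITY,
    QualityOfProtection.PRIVACY
  };
  QualityOfProtection qop = null;
  boolean usedSaslToken = false;
  for (QualityOfProtection candidate : known) {
    if (candidate.saslQop.equals(stringQop)) {
      qop = candidate;
      usedSaslToken = true;
      break;
    }
    if (candidate.name().equalsIgnoreCase(stringQop)) {
      qop = candidate;
      break;
    }
  }
  if (qop == null) {
    throw new IllegalArgumentException("Invalid qop: " + stringQop
        + ". It must be one of 'authentication', 'integrity', 'privacy'.");
  }
  if (usedSaslToken) {
    // The raw SASL token is tolerated for compatibility; steer operators to the named form.
    log.warn("Use authentication/integrity/privacy as value for rpc protection "
        + "configurations instead of auth/auth-int/auth-conf.");
  }
  return qop;
}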
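/**
 * Builds the SASL property map for the given {@code hbase.rpc.protection} value.
 *
 * <p>An empty string selects the AUTHENTICATION level. Otherwise the value is split on ',' and
 * each entry is resolved through {@link #getQop(String)}; entries are passed as-is, so
 * surrounding whitespace is not stripped. The resolved SASL tokens are joined with ',' in the
 * order given and stored under {@link Sasl#QOP}, which the JDK documents as an ordered
 * preference list. Every level listed is therefore on offer during negotiation: a list that
 * includes 'authentication' permits a connection without integrity or confidentiality
 * protection.
 *
 * @param rpcProtection Value of 'hbase.rpc.protection' configuration; must not be {@code null}.
 * @return Map with values for SASL properties ({@link Sasl#QOP} and {@link Sasl#SERVER_AUTH}).
 * @throws IllegalArgumentException if the value contains no entries (for example ",") or an
 *           entry is not a recognised protection level
 */
public static Map<String, String> initSaslProperties(String rpcProtection) {
  String saslQop;
  if (rpcProtection.isEmpty()) {
    saslQop = QualityOfProtection.AUTHENTICATION.getSaslQop();
  } else {
    String[] qops = rpcProtection.split(",");
    if (qops.length == 0) {
      // split() drops trailing empty strings, so a value made only of commas yields no entries.
      // Reject it explicitly instead of failing later with an index error on an empty builder.
      throw new IllegalArgumentException("Invalid qop: " + rpcProtection
          + ". It must be one of 'authentication', 'integrity', 'privacy'.");
    }
    StringBuilder saslQopBuilder = new StringBuilder();
    for (int i = 0; i < qops.length; ++i) {
      if (i > 0) {
        saslQopBuilder.append(',');
      }
      saslQopBuilder.append(getQop(qops[i]).getSaslQop());
    }
    saslQop = saslQopBuilder.toString();
  }
  Map<String, String> saslProps = new TreeMap<>();
  saslProps.put(Sasl.QOP, saslQop);
  // Ask for mutual authentication: the server must prove its identity to the client.
  saslProps.put(Sasl.SERVER_AUTH, "true");
  return saslProps;
}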
/**
 * Writes the pre-built connection header to the output stream and flushes it.
 *
 * <p>Before writing, decides whether Crypto AES applies: a SASL client must exist, its
 * negotiated QOP must equal the PRIVACY token (case-insensitively), and the
 * {@code CRYPTO_AES_ENABLED_KEY} setting must be true. Only then is
 * {@code waitingConnectionHeaderResponse} set, so AES is never selected on a connection that
 * negotiated less than privacy.
 *
 * @throws IOException if writing or flushing the header fails
 */
private void writeConnectionHeader() throws IOException {
  if (saslRpcClient != null) {
    String privacyToken = SaslUtil.QualityOfProtection.PRIVACY.getSaslQop();
    boolean negotiatedPrivacy = privacyToken.equalsIgnoreCase(saslRpcClient.getSaslQOP());
    // The configuration is consulted only when privacy was actually negotiated.
    if (negotiatedPrivacy
        && conf.getBoolean(CRYPTO_AES_ENABLED_KEY, CRYPTO_AES_ENABLED_DEFAULT)) {
      // Crypto AES is in play: record that a connection-header response must be awaited.
      waitingConnectionHeaderResponse = true;
    }
  }
  this.out.write(connectionHeaderWithLength);
  this.out.flush();
}
/**
 * Maps {@code stringQop} to the
 * {@link org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection} constant that accepts it.
 *
 * <p>Constants are consulted in declaration order via {@code matches(stringQop)}. There is no
 * default: a value no constant accepts raises an exception, so the caller never proceeds with a
 * protection level the operator did not name.
 *
 * @param stringQop the configured value to resolve
 * @return the first constant whose {@code matches} call returns {@code true}
 * @throws IllegalArgumentException If stringQop doesn't match any QOP.
 */
public static QualityOfProtection getQop(String stringQop) {
  QualityOfProtection resolved = null;
  for (QualityOfProtection qop : QualityOfProtection.values()) {
    if (qop.matches(stringQop)) {
      resolved = qop;
      break; // first match wins; later constants are not consulted
    }
  }
  if (resolved == null) {
    throw new IllegalArgumentException("Invalid qop: " + stringQop
        + ". It must be one of 'authentication', 'integrity', 'privacy'.");
  }
  return resolved;
}
/**
 * Initialises the SASL properties from the {@code hbase.rpc.protection} setting.
 *
 * <p>When the key is absent the default is the lower-cased name of AUTHENTICATION, i.e. an
 * unset configuration requests authentication only, with no integrity or privacy protection.
 *
 * @param conf configuration to read {@code hbase.rpc.protection} from
 */
public static void init(Configuration conf) {
  // NOTE(review): toLowerCase() without a Locale follows the JVM default locale; consider
  // Locale.ROOT so the default string is stable on every host.
  String defaultProtection = QualityOfProtection.AUTHENTICATION.name().toLowerCase();
  String rpcProtection = conf.get("hbase.rpc.protection", defaultProtection);
  SaslUtil.initSaslProperties(rpcProtection);
}
/**
 * Stores the promise, user and configuration, then creates the SASL RPC client used by this
 * handler.
 *
 * <p>The protection level handed to the client is read from {@code hbase.rpc.protection}; when
 * the key is unset it defaults to the lower-cased name of AUTHENTICATION, which requests neither
 * integrity nor privacy protection.
 *
 * @param saslPromise {@code true} if success, {@code false} if server tells us to fallback to
 *          simple.
 * @param ugi stored on the handler
 * @param method forwarded to the SASL RPC client
 * @param token forwarded to the SASL RPC client
 * @param serverPrincipal forwarded to the SASL RPC client
 * @param fallbackAllowed forwarded to the SASL RPC client; presumably controls whether the
 *          fallback to simple described for {@code saslPromise} is accepted (confirm in
 *          NettyHBaseSaslRpcClient)
 * @param conf stored on the handler and used to look up {@code hbase.rpc.protection}
 * @throws IOException declared by this constructor; presumably raised while creating the SASL
 *           RPC client
 */
public NettyHBaseSaslRpcClientHandler(Promise<Boolean> saslPromise, UserGroupInformation ugi,
    AuthMethod method, Token<? extends TokenIdentifier> token, String serverPrincipal,
    boolean fallbackAllowed, Configuration conf) throws IOException {
  this.saslPromise = saslPromise;
  this.ugi = ugi;
  this.conf = conf;
  // NOTE(review): toLowerCase() without a Locale follows the JVM default locale; consider
  // Locale.ROOT so the default string is stable on every host.
  String defaultProtection = SaslUtil.QualityOfProtection.AUTHENTICATION.name().toLowerCase();
  String rpcProtection = conf.get("hbase.rpc.protection", defaultProtection);
  this.saslRpcClient = new NettyHBaseSaslRpcClient(method, token, serverPrincipal,
      fallbackAllowed, rpcProtection);
}
/**
 * Creates the SASL RPC client for this connection and runs the SASL handshake over the given
 * streams.
 *
 * <p>The protection level comes from {@code hbase.rpc.protection}; when the key is unset it
 * defaults to the lower-cased name of AUTHENTICATION, which requests neither integrity nor
 * privacy protection.
 *
 * @param in2 stream the handshake reads from
 * @param out2 stream the handshake writes to
 * @return whatever {@code saslConnect} returns
 * @throws IOException if the handshake fails
 */
private synchronized boolean setupSaslConnection(final InputStream in2, final OutputStream out2)
    throws IOException {
  // NOTE(review): toLowerCase() without a Locale follows the JVM default locale; consider
  // Locale.ROOT so the default string is stable on every host.
  final String defaultProtection = QualityOfProtection.AUTHENTICATION.name().toLowerCase();
  final String rpcProtection = conf.get("hbase.rpc.protection", defaultProtection);
  saslRpcClient = new HBaseSaslRpcClient(authMethod, token, serverPrincipal, fallbackAllowed,
      rpcProtection);
  return saslRpcClient.saslConnect(in2, out2);
}
/**
 * Stores the SASL QOP and server-authentication properties in {@code SaslUtil.SASL_PROPS}.
 *
 * <p>If {@code getQop} returns {@code null} for the given value, AUTHENTICATION is used instead.
 * NOTE(review): if {@code getQop} returns {@code null} for an unrecognised value, a misspelt
 * 'privacy' or 'integrity' silently becomes authentication-only with no log entry; consider
 * rejecting or at least logging unknown values. Confirm against {@code getQop}.
 *
 * @param rpcProtection configured protection level to resolve
 */
static void initSaslProperties(String rpcProtection) {
  QualityOfProtection resolved = getQop(rpcProtection);
  QualityOfProtection effective =
      (resolved != null) ? resolved : QualityOfProtection.AUTHENTICATION;
  SaslUtil.SASL_PROPS.put(Sasl.QOP, effective.getSaslQop());
  // Ask for mutual authentication: the server must prove its identity to the client.
  SaslUtil.SASL_PROPS.put(Sasl.SERVER_AUTH, "true");
}
}
/**
 * Tells whether {@code stringQop} names this protection level.
 *
 * <p>Two spellings are accepted: this constant's {@code saslQop} token, compared exactly, and
 * this constant's name, compared without regard to case. A match on the token logs a warning
 * recommending the authentication/integrity/privacy spelling.
 *
 * @param stringQop configured value to test; {@code null} never matches
 * @return {@code true} if the value names this constant
 */
public boolean matches(String stringQop) {
  if (!saslQop.equals(stringQop)) {
    // Not the raw SASL token, so fall back to a case-insensitive comparison with the name.
    return name().equalsIgnoreCase(stringQop);
  }
  LOG.warn("Use authentication/integrity/privacy as value for rpc protection "
      + "configurations instead of auth/auth-int/auth-conf.");
  return true;
}
}
/**
 * Creates the SASL RPC client for this connection and runs the SASL handshake over the given
 * streams.
 *
 * <p>The protection level comes from {@code hbase.rpc.protection}; when the key is unset it
 * defaults to the name of AUTHENTICATION lower-cased with {@link Locale#ROOT}, which requests
 * neither integrity nor privacy protection. The Crypto AES setting is read from
 * {@code CRYPTO_AES_ENABLED_KEY} and passed to the client as well.
 *
 * @param in2 stream the handshake reads from
 * @param out2 stream the handshake writes to
 * @return whatever {@code saslConnect} returns
 * @throws IOException if the handshake fails
 */
private boolean setupSaslConnection(final InputStream in2, final OutputStream out2)
    throws IOException {
  // Locale.ROOT keeps the default string identical regardless of the JVM's default locale.
  final String defaultProtection =
      QualityOfProtection.AUTHENTICATION.name().toLowerCase(Locale.ROOT);
  final String rpcProtection =
      this.rpcClient.conf.get("hbase.rpc.protection", defaultProtection);
  final boolean cryptoAesEnabled =
      this.rpcClient.conf.getBoolean(CRYPTO_AES_ENABLED_KEY, CRYPTO_AES_ENABLED_DEFAULT);
  saslRpcClient = new HBaseSaslRpcClient(authMethod, token, serverPrincipal,
      this.rpcClient.fallbackAllowed, rpcProtection, cryptoAesEnabled);
  return saslRpcClient.saslConnect(in2, out2);
}