HADOOP-9021. Enforce configured SASL method on the server (daryn via bobby)
git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1408473 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
cf6ab9b2e7
commit
4755ef989a
@ -361,6 +361,9 @@ Release 2.0.3-alpha - Unreleased
|
|||||||
HADOOP-8860. Split MapReduce and YARN sections in documentation navigation.
|
HADOOP-8860. Split MapReduce and YARN sections in documentation navigation.
|
||||||
(tomwhite via tucu)
|
(tomwhite via tucu)
|
||||||
|
|
||||||
|
HADOOP-9021. Enforce configured SASL method on the server (daryn via
|
||||||
|
bobby)
|
||||||
|
|
||||||
OPTIMIZATIONS
|
OPTIMIZATIONS
|
||||||
|
|
||||||
HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang
|
HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang
|
||||||
|
@ -45,6 +45,7 @@
|
|||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
|
import java.util.EnumSet;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.HashSet;
|
import java.util.HashSet;
|
||||||
import java.util.Iterator;
|
import java.util.Iterator;
|
||||||
@ -87,7 +88,9 @@
|
|||||||
import org.apache.hadoop.security.SaslRpcServer.SaslDigestCallbackHandler;
|
import org.apache.hadoop.security.SaslRpcServer.SaslDigestCallbackHandler;
|
||||||
import org.apache.hadoop.security.SaslRpcServer.SaslGssCallbackHandler;
|
import org.apache.hadoop.security.SaslRpcServer.SaslGssCallbackHandler;
|
||||||
import org.apache.hadoop.security.SaslRpcServer.SaslStatus;
|
import org.apache.hadoop.security.SaslRpcServer.SaslStatus;
|
||||||
|
import org.apache.hadoop.security.SecurityUtil;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
|
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
|
||||||
import org.apache.hadoop.security.authentication.util.KerberosName;
|
import org.apache.hadoop.security.authentication.util.KerberosName;
|
||||||
import org.apache.hadoop.security.authorize.AuthorizationException;
|
import org.apache.hadoop.security.authorize.AuthorizationException;
|
||||||
import org.apache.hadoop.security.authorize.PolicyProvider;
|
import org.apache.hadoop.security.authorize.PolicyProvider;
|
||||||
@ -113,7 +116,7 @@
|
|||||||
@InterfaceStability.Evolving
|
@InterfaceStability.Evolving
|
||||||
public abstract class Server {
|
public abstract class Server {
|
||||||
private final boolean authorize;
|
private final boolean authorize;
|
||||||
private boolean isSecurityEnabled;
|
private EnumSet<AuthMethod> enabledAuthMethods;
|
||||||
private ExceptionsHandler exceptionsHandler = new ExceptionsHandler();
|
private ExceptionsHandler exceptionsHandler = new ExceptionsHandler();
|
||||||
|
|
||||||
public void addTerseExceptions(Class<?>... exceptionClass) {
|
public void addTerseExceptions(Class<?>... exceptionClass) {
|
||||||
@ -1334,34 +1337,9 @@ public int readAndProcess() throws IOException, InterruptedException {
|
|||||||
if (authMethod == null) {
|
if (authMethod == null) {
|
||||||
throw new IOException("Unable to read authentication method");
|
throw new IOException("Unable to read authentication method");
|
||||||
}
|
}
|
||||||
boolean useSaslServer = isSecurityEnabled;
|
|
||||||
final boolean clientUsingSasl;
|
// this may create a SASL server, or switch us into SIMPLE
|
||||||
switch (authMethod) {
|
authMethod = initializeAuthContext(authMethod);
|
||||||
case SIMPLE: { // no sasl for simple
|
|
||||||
clientUsingSasl = false;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
case DIGEST: { // always allow tokens if there's a secret manager
|
|
||||||
useSaslServer |= (secretManager != null);
|
|
||||||
clientUsingSasl = true;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
default: {
|
|
||||||
clientUsingSasl = true;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (useSaslServer) {
|
|
||||||
saslServer = createSaslServer(authMethod);
|
|
||||||
} else if (clientUsingSasl) { // security is off
|
|
||||||
doSaslReply(SaslStatus.SUCCESS, new IntWritable(
|
|
||||||
SaslRpcServer.SWITCH_TO_SIMPLE_AUTH), null, null);
|
|
||||||
authMethod = AuthMethod.SIMPLE;
|
|
||||||
// client has already sent the initial Sasl message and we
|
|
||||||
// should ignore it. Both client and server should fall back
|
|
||||||
// to simple auth from now on.
|
|
||||||
skipInitialSaslHandshake = true;
|
|
||||||
}
|
|
||||||
|
|
||||||
connectionHeaderBuf = null;
|
connectionHeaderBuf = null;
|
||||||
connectionHeaderRead = true;
|
connectionHeaderRead = true;
|
||||||
@ -1409,10 +1387,24 @@ public int readAndProcess() throws IOException, InterruptedException {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private SaslServer createSaslServer(AuthMethod authMethod)
|
private AuthMethod initializeAuthContext(AuthMethod authMethod)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
try {
|
try {
|
||||||
return createSaslServerInternal(authMethod);
|
if (enabledAuthMethods.contains(authMethod)) {
|
||||||
|
saslServer = createSaslServer(authMethod);
|
||||||
|
} else if (enabledAuthMethods.contains(AuthMethod.SIMPLE)) {
|
||||||
|
doSaslReply(SaslStatus.SUCCESS, new IntWritable(
|
||||||
|
SaslRpcServer.SWITCH_TO_SIMPLE_AUTH), null, null);
|
||||||
|
authMethod = AuthMethod.SIMPLE;
|
||||||
|
// client has already sent the initial Sasl message and we
|
||||||
|
// should ignore it. Both client and server should fall back
|
||||||
|
// to simple auth from now on.
|
||||||
|
skipInitialSaslHandshake = true;
|
||||||
|
} else {
|
||||||
|
throw new AccessControlException(
|
||||||
|
authMethod + " authentication is not enabled."
|
||||||
|
+ " Available:" + enabledAuthMethods);
|
||||||
|
}
|
||||||
} catch (IOException ioe) {
|
} catch (IOException ioe) {
|
||||||
final String ioeClass = ioe.getClass().getName();
|
final String ioeClass = ioe.getClass().getName();
|
||||||
final String ioeMessage = ioe.getLocalizedMessage();
|
final String ioeMessage = ioe.getLocalizedMessage();
|
||||||
@ -1425,9 +1417,10 @@ private SaslServer createSaslServer(AuthMethod authMethod)
|
|||||||
}
|
}
|
||||||
throw ioe;
|
throw ioe;
|
||||||
}
|
}
|
||||||
|
return authMethod;
|
||||||
}
|
}
|
||||||
|
|
||||||
private SaslServer createSaslServerInternal(AuthMethod authMethod)
|
private SaslServer createSaslServer(AuthMethod authMethod)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
SaslServer saslServer = null;
|
SaslServer saslServer = null;
|
||||||
String hostname = null;
|
String hostname = null;
|
||||||
@ -1436,18 +1429,9 @@ private SaslServer createSaslServerInternal(AuthMethod authMethod)
|
|||||||
|
|
||||||
switch (authMethod) {
|
switch (authMethod) {
|
||||||
case SIMPLE: {
|
case SIMPLE: {
|
||||||
throw new AccessControlException("Authorization ("
|
return null; // no sasl for simple
|
||||||
+ CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION
|
|
||||||
+ ") is enabled but authentication ("
|
|
||||||
+ CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION
|
|
||||||
+ ") is configured as simple. Please configure another method "
|
|
||||||
+ "like kerberos or digest.");
|
|
||||||
}
|
}
|
||||||
case DIGEST: {
|
case DIGEST: {
|
||||||
if (secretManager == null) {
|
|
||||||
throw new AccessControlException(
|
|
||||||
"Server is not configured to do DIGEST authentication.");
|
|
||||||
}
|
|
||||||
secretManager.checkAvailableForRead();
|
secretManager.checkAvailableForRead();
|
||||||
hostname = SaslRpcServer.SASL_DEFAULT_REALM;
|
hostname = SaslRpcServer.SASL_DEFAULT_REALM;
|
||||||
saslCallback = new SaslDigestCallbackHandler(secretManager, this);
|
saslCallback = new SaslDigestCallbackHandler(secretManager, this);
|
||||||
@ -1469,6 +1453,7 @@ private SaslServer createSaslServerInternal(AuthMethod authMethod)
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
default:
|
default:
|
||||||
|
// we should never be able to get here
|
||||||
throw new AccessControlException(
|
throw new AccessControlException(
|
||||||
"Server does not support SASL " + authMethod);
|
"Server does not support SASL " + authMethod);
|
||||||
}
|
}
|
||||||
@ -1908,7 +1893,9 @@ protected Server(String bindAddress, int port,
|
|||||||
this.authorize =
|
this.authorize =
|
||||||
conf.getBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
|
conf.getBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
|
||||||
false);
|
false);
|
||||||
this.isSecurityEnabled = UserGroupInformation.isSecurityEnabled();
|
|
||||||
|
// configure supported authentications
|
||||||
|
this.enabledAuthMethods = getAuthMethods(secretManager, conf);
|
||||||
|
|
||||||
// Start the listener here and let it bind to the port
|
// Start the listener here and let it bind to the port
|
||||||
listener = new Listener();
|
listener = new Listener();
|
||||||
@ -1929,6 +1916,31 @@ protected Server(String bindAddress, int port,
|
|||||||
this.exceptionsHandler.addTerseExceptions(StandbyException.class);
|
this.exceptionsHandler.addTerseExceptions(StandbyException.class);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// get the security type from the conf. implicitly include token support
|
||||||
|
// if a secret manager is provided, or fail if token is the conf value but
|
||||||
|
// there is no secret manager
|
||||||
|
private EnumSet<AuthMethod> getAuthMethods(SecretManager<?> secretManager,
|
||||||
|
Configuration conf) {
|
||||||
|
AuthenticationMethod confAuthenticationMethod =
|
||||||
|
SecurityUtil.getAuthenticationMethod(conf);
|
||||||
|
EnumSet<AuthMethod> authMethods =
|
||||||
|
EnumSet.of(confAuthenticationMethod.getAuthMethod());
|
||||||
|
|
||||||
|
if (confAuthenticationMethod == AuthenticationMethod.TOKEN) {
|
||||||
|
if (secretManager == null) {
|
||||||
|
throw new IllegalArgumentException(AuthenticationMethod.TOKEN +
|
||||||
|
" authentication requires a secret manager");
|
||||||
|
}
|
||||||
|
} else if (secretManager != null) {
|
||||||
|
LOG.debug(AuthenticationMethod.TOKEN +
|
||||||
|
" authentication enabled for secret manager");
|
||||||
|
authMethods.add(AuthenticationMethod.TOKEN.getAuthMethod());
|
||||||
|
}
|
||||||
|
|
||||||
|
LOG.debug("Server accepts auth methods:" + authMethods);
|
||||||
|
return authMethods;
|
||||||
|
}
|
||||||
|
|
||||||
private void closeConnection(Connection connection) {
|
private void closeConnection(Connection connection) {
|
||||||
synchronized (connectionList) {
|
synchronized (connectionList) {
|
||||||
if (connectionList.remove(connection))
|
if (connectionList.remove(connection))
|
||||||
@ -2045,16 +2057,6 @@ Configuration getConf() {
|
|||||||
return conf;
|
return conf;
|
||||||
}
|
}
|
||||||
|
|
||||||
/** for unit testing only, should be called before server is started */
|
|
||||||
void disableSecurity() {
|
|
||||||
this.isSecurityEnabled = false;
|
|
||||||
}
|
|
||||||
|
|
||||||
/** for unit testing only, should be called before server is started */
|
|
||||||
void enableSecurity() {
|
|
||||||
this.isSecurityEnabled = true;
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Sets the socket buffer size used for responding to RPCs */
|
/** Sets the socket buffer size used for responding to RPCs */
|
||||||
public void setSocketSendBufSize(int size) { this.socketSendBufferSize = size; }
|
public void setSocketSendBufSize(int size) { this.socketSendBufferSize = size; }
|
||||||
|
|
||||||
|
@ -240,6 +240,7 @@ private static synchronized void initUGI(Configuration conf) {
|
|||||||
AuthenticationMethod auth = SecurityUtil.getAuthenticationMethod(conf);
|
AuthenticationMethod auth = SecurityUtil.getAuthenticationMethod(conf);
|
||||||
switch (auth) {
|
switch (auth) {
|
||||||
case SIMPLE:
|
case SIMPLE:
|
||||||
|
case TOKEN:
|
||||||
useKerberos = false;
|
useKerberos = false;
|
||||||
break;
|
break;
|
||||||
case KERBEROS:
|
case KERBEROS:
|
||||||
|
@ -569,10 +569,13 @@ public void handle(Callback[] callbacks)
|
|||||||
private static Pattern KrbFailed =
|
private static Pattern KrbFailed =
|
||||||
Pattern.compile(".*Failed on local exception:.* " +
|
Pattern.compile(".*Failed on local exception:.* " +
|
||||||
"Failed to specify server's Kerberos principal name.*");
|
"Failed to specify server's Kerberos principal name.*");
|
||||||
private static Pattern Denied =
|
private static Pattern Denied(AuthenticationMethod method) {
|
||||||
Pattern.compile(".*Authorization .* is enabled .*");
|
return Pattern.compile(".*RemoteException.*AccessControlException.*: "
|
||||||
private static Pattern NoDigest =
|
+method.getAuthMethod() + " authentication is not enabled.*");
|
||||||
Pattern.compile(".*Server is not configured to do DIGEST auth.*");
|
}
|
||||||
|
private static Pattern NoTokenAuth =
|
||||||
|
Pattern.compile(".*IllegalArgumentException: " +
|
||||||
|
"TOKEN authentication requires a secret manager");
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* simple server
|
* simple server
|
||||||
@ -604,12 +607,39 @@ public void testSimpleServerWithInvalidTokens() throws Exception {
|
|||||||
assertAuthEquals(SIMPLE, getAuthMethod(KERBEROS, SIMPLE, false));
|
assertAuthEquals(SIMPLE, getAuthMethod(KERBEROS, SIMPLE, false));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* token server
|
||||||
|
*/
|
||||||
|
@Test
|
||||||
|
public void testTokenOnlyServer() throws Exception {
|
||||||
|
assertAuthEquals(Denied(SIMPLE), getAuthMethod(SIMPLE, TOKEN));
|
||||||
|
assertAuthEquals(KrbFailed, getAuthMethod(KERBEROS, TOKEN));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testTokenOnlyServerWithTokens() throws Exception {
|
||||||
|
assertAuthEquals(TOKEN, getAuthMethod(SIMPLE, TOKEN, true));
|
||||||
|
assertAuthEquals(TOKEN, getAuthMethod(KERBEROS, TOKEN, true));
|
||||||
|
forceSecretManager = false;
|
||||||
|
assertAuthEquals(NoTokenAuth, getAuthMethod(SIMPLE, TOKEN, true));
|
||||||
|
assertAuthEquals(NoTokenAuth, getAuthMethod(KERBEROS, TOKEN, true));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testTokenOnlyServerWithInvalidTokens() throws Exception {
|
||||||
|
assertAuthEquals(BadToken, getAuthMethod(SIMPLE, TOKEN, false));
|
||||||
|
assertAuthEquals(BadToken, getAuthMethod(KERBEROS, TOKEN, false));
|
||||||
|
forceSecretManager = false;
|
||||||
|
assertAuthEquals(NoTokenAuth, getAuthMethod(SIMPLE, TOKEN, false));
|
||||||
|
assertAuthEquals(NoTokenAuth, getAuthMethod(KERBEROS, TOKEN, false));
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* kerberos server
|
* kerberos server
|
||||||
*/
|
*/
|
||||||
@Test
|
@Test
|
||||||
public void testKerberosServer() throws Exception {
|
public void testKerberosServer() throws Exception {
|
||||||
assertAuthEquals(Denied, getAuthMethod(SIMPLE, KERBEROS));
|
assertAuthEquals(Denied(SIMPLE), getAuthMethod(SIMPLE, KERBEROS));
|
||||||
assertAuthEquals(KrbFailed, getAuthMethod(KERBEROS, KERBEROS));
|
assertAuthEquals(KrbFailed, getAuthMethod(KERBEROS, KERBEROS));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -620,8 +650,8 @@ public void testKerberosServerWithTokens() throws Exception {
|
|||||||
assertAuthEquals(TOKEN, getAuthMethod(KERBEROS, KERBEROS, true));
|
assertAuthEquals(TOKEN, getAuthMethod(KERBEROS, KERBEROS, true));
|
||||||
// can't fallback to simple when using kerberos w/o tokens
|
// can't fallback to simple when using kerberos w/o tokens
|
||||||
forceSecretManager = false;
|
forceSecretManager = false;
|
||||||
assertAuthEquals(NoDigest, getAuthMethod(SIMPLE, KERBEROS, true));
|
assertAuthEquals(Denied(TOKEN), getAuthMethod(SIMPLE, KERBEROS, true));
|
||||||
assertAuthEquals(NoDigest, getAuthMethod(KERBEROS, KERBEROS, true));
|
assertAuthEquals(Denied(TOKEN), getAuthMethod(KERBEROS, KERBEROS, true));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -629,8 +659,8 @@ public void testKerberosServerWithInvalidTokens() throws Exception {
|
|||||||
assertAuthEquals(BadToken, getAuthMethod(SIMPLE, KERBEROS, false));
|
assertAuthEquals(BadToken, getAuthMethod(SIMPLE, KERBEROS, false));
|
||||||
assertAuthEquals(BadToken, getAuthMethod(KERBEROS, KERBEROS, false));
|
assertAuthEquals(BadToken, getAuthMethod(KERBEROS, KERBEROS, false));
|
||||||
forceSecretManager = false;
|
forceSecretManager = false;
|
||||||
assertAuthEquals(NoDigest, getAuthMethod(SIMPLE, KERBEROS, true));
|
assertAuthEquals(Denied(TOKEN), getAuthMethod(SIMPLE, KERBEROS, false));
|
||||||
assertAuthEquals(NoDigest, getAuthMethod(KERBEROS, KERBEROS, true));
|
assertAuthEquals(Denied(TOKEN), getAuthMethod(KERBEROS, KERBEROS, false));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user