HADOOP-9021. Enforce configured SASL method on the server (daryn via bobby)

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1408473 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Robert Joseph Evans 2012-11-12 22:13:00 +00:00
parent cf6ab9b2e7
commit 4755ef989a
4 changed files with 99 additions and 63 deletions

View File

@ -361,6 +361,9 @@ Release 2.0.3-alpha - Unreleased
HADOOP-8860. Split MapReduce and YARN sections in documentation navigation. HADOOP-8860. Split MapReduce and YARN sections in documentation navigation.
(tomwhite via tucu) (tomwhite via tucu)
HADOOP-9021. Enforce configured SASL method on the server (daryn via
bobby)
OPTIMIZATIONS OPTIMIZATIONS
HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang HADOOP-8866. SampleQuantiles#query is O(N^2) instead of O(N). (Andrew Wang

View File

@ -45,6 +45,7 @@
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet; import java.util.HashSet;
import java.util.Iterator; import java.util.Iterator;
@ -87,7 +88,9 @@
import org.apache.hadoop.security.SaslRpcServer.SaslDigestCallbackHandler; import org.apache.hadoop.security.SaslRpcServer.SaslDigestCallbackHandler;
import org.apache.hadoop.security.SaslRpcServer.SaslGssCallbackHandler; import org.apache.hadoop.security.SaslRpcServer.SaslGssCallbackHandler;
import org.apache.hadoop.security.SaslRpcServer.SaslStatus; import org.apache.hadoop.security.SaslRpcServer.SaslStatus;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
import org.apache.hadoop.security.authentication.util.KerberosName; import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.authorize.AuthorizationException; import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.authorize.PolicyProvider; import org.apache.hadoop.security.authorize.PolicyProvider;
@ -113,7 +116,7 @@
@InterfaceStability.Evolving @InterfaceStability.Evolving
public abstract class Server { public abstract class Server {
private final boolean authorize; private final boolean authorize;
private boolean isSecurityEnabled; private EnumSet<AuthMethod> enabledAuthMethods;
private ExceptionsHandler exceptionsHandler = new ExceptionsHandler(); private ExceptionsHandler exceptionsHandler = new ExceptionsHandler();
public void addTerseExceptions(Class<?>... exceptionClass) { public void addTerseExceptions(Class<?>... exceptionClass) {
@ -1334,34 +1337,9 @@ public int readAndProcess() throws IOException, InterruptedException {
if (authMethod == null) { if (authMethod == null) {
throw new IOException("Unable to read authentication method"); throw new IOException("Unable to read authentication method");
} }
boolean useSaslServer = isSecurityEnabled;
final boolean clientUsingSasl; // this may create a SASL server, or switch us into SIMPLE
switch (authMethod) { authMethod = initializeAuthContext(authMethod);
case SIMPLE: { // no sasl for simple
clientUsingSasl = false;
break;
}
case DIGEST: { // always allow tokens if there's a secret manager
useSaslServer |= (secretManager != null);
clientUsingSasl = true;
break;
}
default: {
clientUsingSasl = true;
break;
}
}
if (useSaslServer) {
saslServer = createSaslServer(authMethod);
} else if (clientUsingSasl) { // security is off
doSaslReply(SaslStatus.SUCCESS, new IntWritable(
SaslRpcServer.SWITCH_TO_SIMPLE_AUTH), null, null);
authMethod = AuthMethod.SIMPLE;
// client has already sent the initial Sasl message and we
// should ignore it. Both client and server should fall back
// to simple auth from now on.
skipInitialSaslHandshake = true;
}
connectionHeaderBuf = null; connectionHeaderBuf = null;
connectionHeaderRead = true; connectionHeaderRead = true;
@ -1409,10 +1387,24 @@ public int readAndProcess() throws IOException, InterruptedException {
} }
} }
private SaslServer createSaslServer(AuthMethod authMethod) private AuthMethod initializeAuthContext(AuthMethod authMethod)
throws IOException { throws IOException {
try { try {
return createSaslServerInternal(authMethod); if (enabledAuthMethods.contains(authMethod)) {
saslServer = createSaslServer(authMethod);
} else if (enabledAuthMethods.contains(AuthMethod.SIMPLE)) {
doSaslReply(SaslStatus.SUCCESS, new IntWritable(
SaslRpcServer.SWITCH_TO_SIMPLE_AUTH), null, null);
authMethod = AuthMethod.SIMPLE;
// client has already sent the initial Sasl message and we
// should ignore it. Both client and server should fall back
// to simple auth from now on.
skipInitialSaslHandshake = true;
} else {
throw new AccessControlException(
authMethod + " authentication is not enabled."
+ " Available:" + enabledAuthMethods);
}
} catch (IOException ioe) { } catch (IOException ioe) {
final String ioeClass = ioe.getClass().getName(); final String ioeClass = ioe.getClass().getName();
final String ioeMessage = ioe.getLocalizedMessage(); final String ioeMessage = ioe.getLocalizedMessage();
@ -1425,9 +1417,10 @@ private SaslServer createSaslServer(AuthMethod authMethod)
} }
throw ioe; throw ioe;
} }
return authMethod;
} }
private SaslServer createSaslServerInternal(AuthMethod authMethod) private SaslServer createSaslServer(AuthMethod authMethod)
throws IOException { throws IOException {
SaslServer saslServer = null; SaslServer saslServer = null;
String hostname = null; String hostname = null;
@ -1436,18 +1429,9 @@ private SaslServer createSaslServerInternal(AuthMethod authMethod)
switch (authMethod) { switch (authMethod) {
case SIMPLE: { case SIMPLE: {
throw new AccessControlException("Authorization (" return null; // no sasl for simple
+ CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION
+ ") is enabled but authentication ("
+ CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION
+ ") is configured as simple. Please configure another method "
+ "like kerberos or digest.");
} }
case DIGEST: { case DIGEST: {
if (secretManager == null) {
throw new AccessControlException(
"Server is not configured to do DIGEST authentication.");
}
secretManager.checkAvailableForRead(); secretManager.checkAvailableForRead();
hostname = SaslRpcServer.SASL_DEFAULT_REALM; hostname = SaslRpcServer.SASL_DEFAULT_REALM;
saslCallback = new SaslDigestCallbackHandler(secretManager, this); saslCallback = new SaslDigestCallbackHandler(secretManager, this);
@ -1469,6 +1453,7 @@ private SaslServer createSaslServerInternal(AuthMethod authMethod)
break; break;
} }
default: default:
// we should never be able to get here
throw new AccessControlException( throw new AccessControlException(
"Server does not support SASL " + authMethod); "Server does not support SASL " + authMethod);
} }
@ -1908,7 +1893,9 @@ protected Server(String bindAddress, int port,
this.authorize = this.authorize =
conf.getBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, conf.getBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
false); false);
this.isSecurityEnabled = UserGroupInformation.isSecurityEnabled();
// configure supported authentications
this.enabledAuthMethods = getAuthMethods(secretManager, conf);
// Start the listener here and let it bind to the port // Start the listener here and let it bind to the port
listener = new Listener(); listener = new Listener();
@ -1929,6 +1916,31 @@ protected Server(String bindAddress, int port,
this.exceptionsHandler.addTerseExceptions(StandbyException.class); this.exceptionsHandler.addTerseExceptions(StandbyException.class);
} }
// get the security type from the conf. implicitly include token support
// if a secret manager is provided, or fail if token is the conf value but
// there is no secret manager
private EnumSet<AuthMethod> getAuthMethods(SecretManager<?> secretManager,
Configuration conf) {
AuthenticationMethod confAuthenticationMethod =
SecurityUtil.getAuthenticationMethod(conf);
EnumSet<AuthMethod> authMethods =
EnumSet.of(confAuthenticationMethod.getAuthMethod());
if (confAuthenticationMethod == AuthenticationMethod.TOKEN) {
if (secretManager == null) {
throw new IllegalArgumentException(AuthenticationMethod.TOKEN +
" authentication requires a secret manager");
}
} else if (secretManager != null) {
LOG.debug(AuthenticationMethod.TOKEN +
" authentication enabled for secret manager");
authMethods.add(AuthenticationMethod.TOKEN.getAuthMethod());
}
LOG.debug("Server accepts auth methods:" + authMethods);
return authMethods;
}
private void closeConnection(Connection connection) { private void closeConnection(Connection connection) {
synchronized (connectionList) { synchronized (connectionList) {
if (connectionList.remove(connection)) if (connectionList.remove(connection))
@ -2045,16 +2057,6 @@ Configuration getConf() {
return conf; return conf;
} }
/** for unit testing only, should be called before server is started */
void disableSecurity() {
this.isSecurityEnabled = false;
}
/** for unit testing only, should be called before server is started */
void enableSecurity() {
this.isSecurityEnabled = true;
}
/** Sets the socket buffer size used for responding to RPCs */ /** Sets the socket buffer size used for responding to RPCs */
public void setSocketSendBufSize(int size) { this.socketSendBufferSize = size; } public void setSocketSendBufSize(int size) { this.socketSendBufferSize = size; }

View File

@ -240,6 +240,7 @@ private static synchronized void initUGI(Configuration conf) {
AuthenticationMethod auth = SecurityUtil.getAuthenticationMethod(conf); AuthenticationMethod auth = SecurityUtil.getAuthenticationMethod(conf);
switch (auth) { switch (auth) {
case SIMPLE: case SIMPLE:
case TOKEN:
useKerberos = false; useKerberos = false;
break; break;
case KERBEROS: case KERBEROS:

View File

@ -569,10 +569,13 @@ public void handle(Callback[] callbacks)
private static Pattern KrbFailed = private static Pattern KrbFailed =
Pattern.compile(".*Failed on local exception:.* " + Pattern.compile(".*Failed on local exception:.* " +
"Failed to specify server's Kerberos principal name.*"); "Failed to specify server's Kerberos principal name.*");
private static Pattern Denied = private static Pattern Denied(AuthenticationMethod method) {
Pattern.compile(".*Authorization .* is enabled .*"); return Pattern.compile(".*RemoteException.*AccessControlException.*: "
private static Pattern NoDigest = +method.getAuthMethod() + " authentication is not enabled.*");
Pattern.compile(".*Server is not configured to do DIGEST auth.*"); }
private static Pattern NoTokenAuth =
Pattern.compile(".*IllegalArgumentException: " +
"TOKEN authentication requires a secret manager");
/* /*
* simple server * simple server
@ -604,13 +607,40 @@ public void testSimpleServerWithInvalidTokens() throws Exception {
assertAuthEquals(SIMPLE, getAuthMethod(KERBEROS, SIMPLE, false)); assertAuthEquals(SIMPLE, getAuthMethod(KERBEROS, SIMPLE, false));
} }
/*
* token server
*/
@Test
public void testTokenOnlyServer() throws Exception {
assertAuthEquals(Denied(SIMPLE), getAuthMethod(SIMPLE, TOKEN));
assertAuthEquals(KrbFailed, getAuthMethod(KERBEROS, TOKEN));
}
@Test
public void testTokenOnlyServerWithTokens() throws Exception {
assertAuthEquals(TOKEN, getAuthMethod(SIMPLE, TOKEN, true));
assertAuthEquals(TOKEN, getAuthMethod(KERBEROS, TOKEN, true));
forceSecretManager = false;
assertAuthEquals(NoTokenAuth, getAuthMethod(SIMPLE, TOKEN, true));
assertAuthEquals(NoTokenAuth, getAuthMethod(KERBEROS, TOKEN, true));
}
@Test
public void testTokenOnlyServerWithInvalidTokens() throws Exception {
assertAuthEquals(BadToken, getAuthMethod(SIMPLE, TOKEN, false));
assertAuthEquals(BadToken, getAuthMethod(KERBEROS, TOKEN, false));
forceSecretManager = false;
assertAuthEquals(NoTokenAuth, getAuthMethod(SIMPLE, TOKEN, false));
assertAuthEquals(NoTokenAuth, getAuthMethod(KERBEROS, TOKEN, false));
}
/* /*
* kerberos server * kerberos server
*/ */
@Test @Test
public void testKerberosServer() throws Exception { public void testKerberosServer() throws Exception {
assertAuthEquals(Denied, getAuthMethod(SIMPLE, KERBEROS)); assertAuthEquals(Denied(SIMPLE), getAuthMethod(SIMPLE, KERBEROS));
assertAuthEquals(KrbFailed, getAuthMethod(KERBEROS, KERBEROS)); assertAuthEquals(KrbFailed, getAuthMethod(KERBEROS, KERBEROS));
} }
@Test @Test
@ -620,8 +650,8 @@ public void testKerberosServerWithTokens() throws Exception {
assertAuthEquals(TOKEN, getAuthMethod(KERBEROS, KERBEROS, true)); assertAuthEquals(TOKEN, getAuthMethod(KERBEROS, KERBEROS, true));
// can't fallback to simple when using kerberos w/o tokens // can't fallback to simple when using kerberos w/o tokens
forceSecretManager = false; forceSecretManager = false;
assertAuthEquals(NoDigest, getAuthMethod(SIMPLE, KERBEROS, true)); assertAuthEquals(Denied(TOKEN), getAuthMethod(SIMPLE, KERBEROS, true));
assertAuthEquals(NoDigest, getAuthMethod(KERBEROS, KERBEROS, true)); assertAuthEquals(Denied(TOKEN), getAuthMethod(KERBEROS, KERBEROS, true));
} }
@Test @Test
@ -629,8 +659,8 @@ public void testKerberosServerWithInvalidTokens() throws Exception {
assertAuthEquals(BadToken, getAuthMethod(SIMPLE, KERBEROS, false)); assertAuthEquals(BadToken, getAuthMethod(SIMPLE, KERBEROS, false));
assertAuthEquals(BadToken, getAuthMethod(KERBEROS, KERBEROS, false)); assertAuthEquals(BadToken, getAuthMethod(KERBEROS, KERBEROS, false));
forceSecretManager = false; forceSecretManager = false;
assertAuthEquals(NoDigest, getAuthMethod(SIMPLE, KERBEROS, true)); assertAuthEquals(Denied(TOKEN), getAuthMethod(SIMPLE, KERBEROS, false));
assertAuthEquals(NoDigest, getAuthMethod(KERBEROS, KERBEROS, true)); assertAuthEquals(Denied(TOKEN), getAuthMethod(KERBEROS, KERBEROS, false));
} }