org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProvider Maven / Gradle / Ivy
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.hadoop.hbase.security.provider;
import java.io.IOException;
import java.net.InetAddress;
import java.util.Map;
import javax.security.sasl.SaslClient;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
import org.apache.hadoop.hbase.security.SecurityInfo;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.yetus.audience.InterfaceAudience;
import org.apache.yetus.audience.InterfaceStability;
import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.UserInformation;
/**
* Encapsulation of client-side logic to authenticate to HBase via some means over SASL.
* Implementations should not directly implement this interface, but instead extend
* {@link AbstractSaslClientAuthenticationProvider}. Implementations of this interface must make an
* implementation of {@code hashCode()} which returns the same value across multiple instances of
* the provider implementation.
*/
@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
@InterfaceStability.Evolving
public interface SaslClientAuthenticationProvider extends SaslAuthenticationProvider {
/**
* Creates the SASL client instance for this auth'n method.
*/
SaslClient createClient(Configuration conf, InetAddress serverAddr, SecurityInfo securityInfo,
Token token, boolean fallbackAllowed, Map saslProps)
throws IOException;
/**
* Constructs a {@link UserInformation} from the given {@link UserGroupInformation}
*/
UserInformation getUserInfo(User user);
/**
* Returns the "real" user, the user who has the credentials being authenticated by the remote
* service, in the form of an {@link UserGroupInformation} object. It is common in the Hadoop
* "world" to have distinct notions of a "real" user and a "proxy" user. A "real" user is the user
* which actually has the credentials (often, a Kerberos ticket), but some code may be running as
* some other user who has no credentials. This method gives the authentication provider a chance
* to acknowledge this is happening and ensure that any RPCs are executed with the real user's
* credentials, because executing them as the proxy user would result in failure because no
* credentials exist to authenticate the RPC. Not all implementations will need to implement this
* method. By default, the provided User's UGI is returned directly.
*/
default UserGroupInformation getRealUser(User ugi) {
return ugi.getUGI();
}
/**
* Returns true if the implementation is capable of performing some action which may allow a
* failed authentication to become a successful authentication. Otherwise, returns false
*/
default boolean canRetry() {
return false;
}
/**
* Executes any necessary logic to re-login the client. Not all implementations will have any
* logic that needs to be executed.
*/
default void relogin() throws IOException {
}
}