• Home
• org.hbase
• asynchbase
• 1.8.1
• source code
• SecureRpcHelper94.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.hbase.async.SecureRpcHelper94 Maven / Gradle / Ivy

/*
 * Copyright (C) 2015 The Async HBase Authors.  All rights reserved.
 * This file is part of Async HBase.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *   - Redistributions of source code must retain the above copyright notice,
 *     this list of conditions and the following disclaimer.
 *   - Redistributions in binary form must reproduce the above copyright notice,
 *     this list of conditions and the following disclaimer in the documentation
 *     and/or other materials provided with the distribution.
 *   - Neither the name of the StumbleUpon nor the names of its contributors
 *     may be used to endorse or promote products derived from this software
 *     without specific prior written permission.
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */
package org.hbase.async;

import java.net.SocketAddress;

import org.jboss.netty.buffer.ChannelBuffer;
import org.jboss.netty.buffer.ChannelBuffers;
import org.jboss.netty.channel.Channel;
import org.jboss.netty.channel.Channels;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.security.sasl.Sasl;

/**
 * Implementation for 0.94-security.
 * Enable it by setting the following system property:
 * 

 * org.hbase.async.security.94
 *
 * See {@link SecureRpcHelper} for configuration
 */
class SecureRpcHelper94 extends SecureRpcHelper {
  private static final Logger LOG = LoggerFactory.getLogger(
      SecureRpcHelper94.class);

  /** Code to switch to simple auth, sent by the region server */
  public static final int SWITCH_TO_SIMPLE_AUTH = -88;

  /**
   * Ctor that instantiates the authentication provider and attempts to 
   * authenticate at the same time.
   * @param hbase_client The Hbase client we belong to
   * @param region_client The region client we're dealing with
   * @param remote_endpoint The remote endpoint of the HBase Region server.
   */
  public SecureRpcHelper94(final HBaseClient hbase_client, 
      final RegionClient region_client, final SocketAddress remote_endpoint) {
    super(hbase_client, region_client, remote_endpoint);
  }

  @Override
  public void sendHello(final Channel channel) {
    final byte[] connectionHeader = {'s', 'r', 'p', 'c', 4};
    byte[] buf = new byte[4 + 1 + 1];
    ChannelBuffer buffer = ChannelBuffers.wrappedBuffer(buf);
    buffer.clear();
    buffer.writeBytes(connectionHeader);
    //code for Kerberos AuthMethod enum in HBaseRPC
    buffer.writeByte(client_auth_provider.getAuthMethodCode());
    Channels.write(channel, buffer);

    // sasl_client is null for Simple Auth case
    if(sasl_client != null)  {
      byte[] challengeBytes = null;
      if (sasl_client.hasInitialResponse()) {
        challengeBytes = processChallenge(new byte[0]);
      }
      if (challengeBytes != null) {
        buf = new byte[4 + challengeBytes.length];
        buffer = ChannelBuffers.wrappedBuffer(buf);
        buffer.clear();
        buffer.writeInt(challengeBytes.length);
        buffer.writeBytes(challengeBytes);

        //if (LOG.isDebugEnabled()) {
        //  LOG.debug("Sending initial SASL Challenge: "+Bytes.pretty(buf));
        //}
        Channels.write(channel, buffer);
      }
    } else {
      sendRPCHeader(channel);
      region_client.sendVersion(channel);
    }
  }

  @Override
  public ChannelBuffer handleResponse(ChannelBuffer buf, Channel chan) {
    if (sasl_client == null) {
      return buf;
    }

    if (!sasl_client.isComplete()) {
      final int readIdx = buf.readerIndex();
      //RPCID is always -33 during SASL handshake
      final int rpcid = buf.readInt();
      if (rpcid != -33) {
        LOG.warn("Expected a value of -33 during SASL handshake, recieved " + rpcid);
      }

      //read rpc state
      final int state = buf.readInt();

      //0 is success
      //If unsuccessful let common exception handling do the work
      if (state != 0) {
        buf.readerIndex(readIdx);
        return buf;
      }

      //Get length
      //check for special case in length, for request to fallback simple auth
      //let's not support this if we don't have to; seems like a security loophole
      final int len = buf.readInt();
      if (len == SWITCH_TO_SIMPLE_AUTH) {
        throw new IllegalStateException("Server is requesting to fallback "
            + "to simple authentication");
      }

      final byte[] b = new byte[len];
      buf.readBytes(b);
      //if (LOG.isDebugEnabled()) {
      //  LOG.debug("Got SASL challenge: " + Bytes.pretty(b));
      //}

      final byte[] challengeBytes = processChallenge(b);

      if (challengeBytes != null) {
        final byte[] outBytes = new byte[4 + challengeBytes.length];
        //if (LOG.isDebugEnabled()) {
        //  LOG.debug("Sending SASL response: " + Bytes.pretty(outBytes));
        //}
        ChannelBuffer outBuffer = ChannelBuffers.wrappedBuffer(outBytes);
        outBuffer.clear();
        outBuffer.writeInt(challengeBytes.length);
        outBuffer.writeBytes(challengeBytes);
        Channels.write(chan, outBuffer);
      }

      if (sasl_client.isComplete()) {
        final String qop = (String) sasl_client.getNegotiatedProperty(Sasl.QOP);
        LOG.info("SASL client context established. Negotiated QoP: " + qop + 
            " on for: " + region_client);
        sendRPCHeader(chan);
        region_client.sendVersion(chan);
      }
      return null;
    }

    return unwrap(buf);
  }

  private void sendRPCHeader(final Channel channel) {
    final byte[] user_bytes = Bytes.UTF8(client_auth_provider.getClientUsername());
    final String klass = "org.apache.hadoop.hbase.ipc.HRegionInterface";
    final byte[] class_bytes = Bytes.UTF8(klass);
    final byte[] buf = new byte[
               4 + 1 + class_bytes.length + 1 + 2 + user_bytes.length + 1];

    ChannelBuffer out_buffer = ChannelBuffers.wrappedBuffer(buf);
    out_buffer.clear();
    out_buffer.writerIndex(out_buffer.writerIndex() + 4);
    out_buffer.writeByte(class_bytes.length);              // 1
    out_buffer.writeBytes(class_bytes);      // 44
    //This is part of protocol header
    //true if a user field exists
    //1 is true in boolean
    out_buffer.writeByte(1);
    out_buffer.writeShort(user_bytes.length);
    out_buffer.writeBytes(user_bytes);
    //true if a realUser field exists
    out_buffer.writeByte(0);
    //write length
    out_buffer.setInt(0, out_buffer.writerIndex() - 4);
    out_buffer = wrap(out_buffer);
    //if(LOG.isDebugEnabled()) {
    //  LOG.debug("Sending RPC Header: " + Bytes.pretty(out_buffer));
    //}
    Channels.write(channel, out_buffer);
  }

}