Get the hbase-example working

Author: joshelser

hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/RpcConnection.java

@@ -122,7 +122,7 @@ protected RpcConnection(Configuration conf, HashedWheelTimer timeoutTimer, Conne
     this.provider = pair.getFirst();
     this.token = pair.getSecond();
 
-    LOG.debug("Using {} authentication for service{}, sasl={}",
+    LOG.debug("Using {} authentication for service={}, sasl={}",
         provider.getSaslAuthMethod().getName(), remoteId.serviceName, useSasl);
     reloginMaxBackoff = conf.getInt("hbase.security.relogin.maxbackoff", 5000);
     this.remoteId = remoteId;

hbase-examples/pom.xml

@@ -185,6 +185,17 @@
         </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk15on</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.hbase</groupId>
+      <artifactId>hbase-http</artifactId>
+      <scope>test</scope>
+      <type>test-jar</type>
+    </dependency>
   </dependencies>
   <profiles>
     <!-- Skip the tests in this module -->

hbase-examples/src/main/java/org/apache/hadoop/hbase/security/provider/example/SaslPlainServer.java

@@ -29,7 +29,7 @@
 import javax.security.sasl.SaslServer;
 import javax.security.sasl.SaslServerFactory;
 
-import org.apache.hadoop.classification.InterfaceAudience;
+import org.apache.yetus.audience.InterfaceAudience;
 
 /**
  * This class was copied from Hadoop Common (3.1.2) and subsequently modified.

hbase-examples/src/main/java/org/apache/hadoop/hbase/security/provider/example/ShadeClientTokenUtil.java

@@ -24,10 +24,12 @@
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
+import org.apache.yetus.audience.InterfaceAudience;
 
 /**
  * Used to acquire tokens for the ShadeSaslAuthenticationProvider.
  */
+@InterfaceAudience.Private
 public class ShadeClientTokenUtil {
 
   private ShadeClientTokenUtil() {}

hbase-examples/src/main/java/org/apache/hadoop/hbase/security/provider/example/ShadeProviderSelector.java

@@ -1,3 +1,20 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.hadoop.hbase.security.provider.example;
 
 import java.util.Collection;
@@ -11,7 +28,9 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
+import org.apache.yetus.audience.InterfaceAudience;
 
+@InterfaceAudience.Private
 public class ShadeProviderSelector extends BuiltInProviderSelector {
 
   private ShadeSaslClientAuthenticationProvider shade;

hbase-examples/src/main/java/org/apache/hadoop/hbase/security/provider/example/ShadeSaslAuthenticationProvider.java

@@ -21,11 +21,13 @@
 import org.apache.hadoop.hbase.security.provider.SaslAuthenticationProvider;
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+import org.apache.yetus.audience.InterfaceAudience;
 
+@InterfaceAudience.Private
 public abstract class ShadeSaslAuthenticationProvider implements SaslAuthenticationProvider {
   public static final SaslAuthMethod METHOD = new SaslAuthMethod(
       "SHADE", (byte) 15, "PLAIN", AuthenticationMethod.TOKEN);
-  public static final Text TOKEN_KIND = new Text("SHADE_TOKEN");
+  public static final Text TOKEN_KIND = new Text("HBASE_EXAMPLE_SHADE_TOKEN");
 
   @Override public SaslAuthMethod getSaslAuthMethod() {
     return METHOD;

hbase-examples/src/main/java/org/apache/hadoop/hbase/security/provider/example/ShadeSaslClientAuthenticationProvider.java

@@ -40,7 +40,9 @@
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
+import org.apache.yetus.audience.InterfaceAudience;
 
+@InterfaceAudience.Private
 public class ShadeSaslClientAuthenticationProvider extends ShadeSaslAuthenticationProvider
     implements SaslClientAuthenticationProvider {
 
@@ -54,15 +56,23 @@ public SaslClient createClient(Configuration conf, InetAddress serverAddr,
 
   @Override
   public UserInformation getUserInfo(UserGroupInformation user) {
-    return null;
+    UserInformation.Builder userInfoPB = UserInformation.newBuilder();
+    userInfoPB.setEffectiveUser(user.getUserName());
+    return userInfoPB.build();
   }
 
   static class ShadeSaslClientCallbackHandler implements CallbackHandler {
     private final String username;
     private final char[] password;
     public ShadeSaslClientCallbackHandler(
         Token<? extends TokenIdentifier> token) throws IOException {
-      this.username = token.decodeIdentifier().getUser().getUserName();
+      TokenIdentifier id = token.decodeIdentifier();
+      if (id == null) {
+        // Something is wrong with the environment if we can't get our Identifier back out.
+        throw new IllegalStateException("Could not extract Identifier from Token");
+      }
+      UserGroupInformation ugi = id.getUser();
+      this.username = ugi.getUserName();
       this.password = Bytes.toString(token.getPassword()).toCharArray();
     }
 

hbase-examples/src/main/java/org/apache/hadoop/hbase/security/provider/example/ShadeSaslServerAuthenticationProvider.java

@@ -20,6 +20,7 @@
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.atomic.AtomicReference;
@@ -40,11 +41,14 @@
 import org.apache.hadoop.hbase.security.provider.SaslServerAuthenticationProvider;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.SecretManager;
+import org.apache.hadoop.security.token.SecretManager.InvalidToken;
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.hadoop.util.StringUtils;
+import org.apache.yetus.audience.InterfaceAudience;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+@InterfaceAudience.Private
 public class ShadeSaslServerAuthenticationProvider extends ShadeSaslAuthenticationProvider
     implements SaslServerAuthenticationProvider {
   private static final Logger LOG = LoggerFactory.getLogger(
@@ -131,7 +135,9 @@ public ShadeSaslServerCallbackHandler(AtomicReference<UserGroupInformation> atte
       this.passwordDatabase = passwordDatabase;
     }
 
-    @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
+    @Override public void handle(Callback[] callbacks)
+        throws InvalidToken, UnsupportedCallbackException {
+      LOG.info("SaslServerCallbackHandler called", new Exception());
       NameCallback nc = null;
       PasswordCallback pc = null;
       AuthorizeCallback ac = null;
@@ -155,13 +161,11 @@ public ShadeSaslServerCallbackHandler(AtomicReference<UserGroupInformation> atte
         UserGroupInformation ugi = createUgiForRemoteUser(username);
         attemptingUser.set(ugi);
 
+        char[] clientPassword = pc.getPassword();
         char[] actualPassword = passwordDatabase.get(username);
-        if (actualPassword == null) {
-          // How should we gracefully fail the authentication?
-          throw new RuntimeException("Could not obtain password for user");
+        if (!Arrays.equals(clientPassword, actualPassword)) {
+          throw new InvalidToken("Authentication failed for " + username);
         }
-
-        pc.setPassword(actualPassword);
       }
 
       if (ac != null) {

hbase-examples/src/main/java/org/apache/hadoop/hbase/security/provider/example/ShadeTokenIdentifier.java

@@ -1,18 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.hadoop.hbase.security.provider.example;
 
+import static java.util.Objects.requireNonNull;
+
 import java.io.DataInput;
 import java.io.DataOutput;
 import java.io.IOException;
 
 import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.TokenIdentifier;
+import org.apache.yetus.audience.InterfaceAudience;
 
+@InterfaceAudience.Private
 public class ShadeTokenIdentifier extends TokenIdentifier {
   private String username;
 
+  public ShadeTokenIdentifier() {
+    // for ServiceLoader
+  }
+
   public ShadeTokenIdentifier(String username) {
-    this.username = username;
+    this.username = requireNonNull(username);
   }
 
   @Override

hbase-examples/src/main/resources/META-INF/services/org.apache.hadoop.security.token.TokenIdentifier

@@ -0,0 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+org.apache.hadoop.hbase.security.provider.example.ShadeTokenIdentifier

hbase-examples/src/test/java/org/apache/hadoop/hbase/security/provider/example/TestShadeSaslAuthenticationProvider.java

@@ -1,3 +1,20 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.apache.hadoop.hbase.security.provider.example;
 
 import static org.junit.Assert.assertFalse;
@@ -20,6 +37,7 @@
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hbase.Cell;
 import org.apache.hadoop.hbase.CellUtil;
+import org.apache.hadoop.hbase.DoNotRetryIOException;
 import org.apache.hadoop.hbase.HBaseClassTestRule;
 import org.apache.hadoop.hbase.HBaseTestingUtility;
 import org.apache.hadoop.hbase.HConstants;
@@ -32,19 +50,16 @@
 import org.apache.hadoop.hbase.client.Get;
 import org.apache.hadoop.hbase.client.Put;
 import org.apache.hadoop.hbase.client.Result;
-import org.apache.hadoop.hbase.client.RetriesExhaustedException;
 import org.apache.hadoop.hbase.client.Table;
 import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
 import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
-import org.apache.hadoop.hbase.ipc.BlockingRpcClient;
-import org.apache.hadoop.hbase.ipc.RpcClientFactory;
-import org.apache.hadoop.hbase.ipc.RpcServerFactory;
-import org.apache.hadoop.hbase.ipc.SimpleRpcServer;
 import org.apache.hadoop.hbase.security.HBaseKerberosUtils;
 import org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProviders;
 import org.apache.hadoop.hbase.security.provider.SaslServerAuthenticationProviders;
 import org.apache.hadoop.hbase.security.token.SecureTestCluster;
 import org.apache.hadoop.hbase.security.token.TokenProvider;
+import org.apache.hadoop.hbase.testclassification.MediumTests;
+import org.apache.hadoop.hbase.testclassification.SecurityTests;
 import org.apache.hadoop.hbase.util.Bytes;
 import org.apache.hadoop.hbase.util.FSUtils;
 import org.apache.hadoop.minikdc.MiniKdc;
@@ -55,10 +70,10 @@
 import org.junit.ClassRule;
 import org.junit.Rule;
 import org.junit.Test;
+import org.junit.experimental.categories.Category;
 import org.junit.rules.TestName;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
+@Category({MediumTests.class, SecurityTests.class})
 public class TestShadeSaslAuthenticationProvider {
 
   @ClassRule
@@ -123,10 +138,6 @@ public static void setupCluster() throws Exception {
         UTIL.getDataTestDir("keytab").toUri().getPath());
     final MiniKdc kdc = UTIL.setupMiniKdc(KEYTAB_FILE);
 
-    // Switch back to NIO for now.
-    CONF.set(RpcClientFactory.CUSTOM_RPC_CLIENT_IMPL_CONF_KEY, BlockingRpcClient.class.getName());
-    CONF.set(RpcServerFactory.CUSTOM_RPC_SERVER_IMPL_CONF_KEY, SimpleRpcServer.class.getName());
-
     // Adds our test impls instead of creating service loader entries which
     // might inadvertently get them loaded on a real cluster.
     CONF.setStrings(SaslClientAuthenticationProviders.EXTRA_PROVIDERS_KEY,
@@ -210,7 +221,7 @@ public void testPositiveAuthentication() throws Exception {
     }
   }
 
-  @Test(expected = RetriesExhaustedException.class)
+  @Test(expected = DoNotRetryIOException.class)
   public void testNegativeAuthentication() throws Exception {
     // Validate that we can read that record back out as the user with our custom auth'n
     final Configuration clientConf = new Configuration(CONF);

hbase-examples/src/test/resources/log4j.properties

@@ -66,3 +66,4 @@ log4j.logger.org.apache.hadoop.metrics2.impl.MetricsSystemImpl=WARN
 log4j.logger.org.apache.hadoop.metrics2.util.MBeans=WARN
 # Enable this to get detailed connection error/retry logging.
 # log4j.logger.org.apache.hadoop.hbase.client.ConnectionImplementation=TRACE
+log4j.logger.org.apache.directory=WARN