001/*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements.  See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership.  The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.apache.hadoop.hbase.security.provider;
019
020import java.io.IOException;
021import java.net.InetAddress;
022import java.util.Map;
023import javax.security.sasl.SaslClient;
024import org.apache.hadoop.conf.Configuration;
025import org.apache.hadoop.hbase.HBaseInterfaceAudience;
026import org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos.TokenIdentifier.Kind;
027import org.apache.hadoop.hbase.security.SecurityInfo;
028import org.apache.hadoop.hbase.security.User;
029import org.apache.hadoop.security.UserGroupInformation;
030import org.apache.hadoop.security.token.Token;
031import org.apache.hadoop.security.token.TokenIdentifier;
032import org.apache.yetus.audience.InterfaceAudience;
033import org.apache.yetus.audience.InterfaceStability;
034
035import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.UserInformation;
036
037/**
038 * Encapsulation of client-side logic to authenticate to HBase via some means over SASL.
039 * Implementations should not directly implement this interface, but instead extend
040 * {@link AbstractSaslClientAuthenticationProvider}. Implementations of this interface must make an
041 * implementation of {@code hashCode()} which returns the same value across multiple instances of
042 * the provider implementation.
043 */
044@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
045@InterfaceStability.Evolving
046public interface SaslClientAuthenticationProvider extends SaslAuthenticationProvider {
047
048  /**
049   * Creates the SASL client instance for this authentication method.
050   * @deprecated Since 2.6.0. In our own code will not call this method any more, customized
051   *             authentication method should implement
052   *             {@link #createClient(Configuration, InetAddress, String, Token, boolean, Map)}
053   *             instead. Will be removed in 4.0.0.
054   */
055  @Deprecated
056  default SaslClient createClient(Configuration conf, InetAddress serverAddr,
057    SecurityInfo securityInfo, Token<? extends TokenIdentifier> token, boolean fallbackAllowed,
058    Map<String, String> saslProps) throws IOException {
059    throw new UnsupportedOperationException("should not be used any more");
060  }
061
062  /**
063   * Create the SASL client instance for this authentication method.
064   * <p>
065   * The default implementation is create a fake {@link SecurityInfo} and call the above method, for
066   * keeping compatible with old customized authentication method
067   */
068  default SaslClient createClient(Configuration conf, InetAddress serverAddr,
069    String serverPrincipal, Token<? extends TokenIdentifier> token, boolean fallbackAllowed,
070    Map<String, String> saslProps) throws IOException {
071    String principalKey = "hbase.fake.kerberos.principal";
072    conf.set(principalKey, serverPrincipal);
073    return createClient(conf, serverAddr, new SecurityInfo(principalKey, Kind.HBASE_AUTH_TOKEN),
074      token, fallbackAllowed, saslProps);
075  }
076
077  /**
078   * Constructs a {@link UserInformation} from the given {@link UserGroupInformation}
079   */
080  UserInformation getUserInfo(User user);
081
082  /**
083   * Returns the "real" user, the user who has the credentials being authenticated by the remote
084   * service, in the form of an {@link UserGroupInformation} object. It is common in the Hadoop
085   * "world" to have distinct notions of a "real" user and a "proxy" user. A "real" user is the user
086   * which actually has the credentials (often, a Kerberos ticket), but some code may be running as
087   * some other user who has no credentials. This method gives the authentication provider a chance
088   * to acknowledge this is happening and ensure that any RPCs are executed with the real user's
089   * credentials, because executing them as the proxy user would result in failure because no
090   * credentials exist to authenticate the RPC. Not all implementations will need to implement this
091   * method. By default, the provided User's UGI is returned directly.
092   */
093  default UserGroupInformation getRealUser(User ugi) {
094    return ugi.getUGI();
095  }
096
097  /**
098   * Returns true if the implementation is capable of performing some action which may allow a
099   * failed authentication to become a successful authentication. Otherwise, returns false
100   */
101  default boolean canRetry() {
102    return false;
103  }
104
105  /**
106   * Executes any necessary logic to re-login the client. Not all implementations will have any
107   * logic that needs to be executed.
108   */
109  default void relogin() throws IOException {
110  }
111}