001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software 013 * distributed under the License is distributed on an "AS IS" BASIS, 014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 015 * See the License for the specific language governing permissions and 016 * limitations under the License. 017 */ 018package org.apache.hadoop.hbase.ipc; 019 020import org.apache.hadoop.hbase.security.HBaseSaslRpcServer; 021import org.apache.hadoop.hbase.security.SaslStatus; 022import org.apache.hadoop.hbase.security.SaslUnwrapHandler; 023import org.apache.hadoop.hbase.security.SaslWrapHandler; 024import org.apache.hadoop.hbase.util.NettyFutureUtils; 025import org.apache.hadoop.io.BytesWritable; 026import org.slf4j.Logger; 027import org.slf4j.LoggerFactory; 028 029import org.apache.hbase.thirdparty.io.netty.buffer.ByteBuf; 030import org.apache.hbase.thirdparty.io.netty.channel.ChannelHandlerContext; 031import org.apache.hbase.thirdparty.io.netty.channel.ChannelPipeline; 032import org.apache.hbase.thirdparty.io.netty.channel.SimpleChannelInboundHandler; 033import org.apache.hbase.thirdparty.io.netty.handler.codec.LengthFieldBasedFrameDecoder; 034 035/** 036 * Implement SASL negotiation logic for rpc server. 037 */ 038class NettyHBaseSaslRpcServerHandler extends SimpleChannelInboundHandler<ByteBuf> { 039 040 private static final Logger LOG = LoggerFactory.getLogger(NettyHBaseSaslRpcServerHandler.class); 041 042 static final String DECODER_NAME = "SaslNegotiationDecoder"; 043 044 private final NettyRpcServer rpcServer; 045 046 private final NettyServerRpcConnection conn; 047 048 NettyHBaseSaslRpcServerHandler(NettyRpcServer rpcServer, NettyServerRpcConnection conn) { 049 this.rpcServer = rpcServer; 050 this.conn = conn; 051 } 052 053 @Override 054 protected void channelRead0(ChannelHandlerContext ctx, ByteBuf msg) throws Exception { 055 LOG.debug("Read input token of size={} for processing by saslServer.evaluateResponse()", 056 msg.readableBytes()); 057 HBaseSaslRpcServer saslServer = conn.getOrCreateSaslServer(); 058 byte[] saslToken = new byte[msg.readableBytes()]; 059 msg.readBytes(saslToken, 0, saslToken.length); 060 byte[] replyToken = saslServer.evaluateResponse(saslToken); 061 if (replyToken != null) { 062 LOG.debug("Will send token of size {} from saslServer.", replyToken.length); 063 conn.doRawSaslReply(SaslStatus.SUCCESS, new BytesWritable(replyToken), null, null); 064 } 065 if (saslServer.isComplete()) { 066 conn.finishSaslNegotiation(); 067 String qop = saslServer.getNegotiatedQop(); 068 boolean useWrap = qop != null && !"auth".equalsIgnoreCase(qop); 069 ChannelPipeline p = ctx.pipeline(); 070 if (useWrap) { 071 p.addBefore(DECODER_NAME, null, new SaslWrapHandler(saslServer::wrap)) 072 .addBefore(NettyRpcServerResponseEncoder.NAME, null, 073 new LengthFieldBasedFrameDecoder(Integer.MAX_VALUE, 0, 4, 0, 4)) 074 .addBefore(NettyRpcServerResponseEncoder.NAME, null, 075 new SaslUnwrapHandler(saslServer::unwrap)); 076 } 077 conn.setupHandler(); 078 p.remove(this); 079 p.remove(DECODER_NAME); 080 } 081 } 082 083 @Override 084 public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception { 085 LOG.error("Error when doing SASL handshade, provider={}", conn.provider, cause); 086 Throwable sendToClient = HBaseSaslRpcServer.unwrap(cause); 087 conn.doRawSaslReply(SaslStatus.ERROR, null, sendToClient.getClass().getName(), 088 sendToClient.getLocalizedMessage()); 089 rpcServer.metrics.authenticationFailure(); 090 String clientIP = this.toString(); 091 // attempting user could be null 092 RpcServer.AUDITLOG.warn("{}{}: {}", RpcServer.AUTH_FAILED_FOR, clientIP, 093 conn.saslServer != null ? conn.saslServer.getAttemptingUser() : "Unknown"); 094 NettyFutureUtils.safeClose(ctx); 095 } 096}