org.hbase.async

Class SecureRpcHelper

java.lang.Object

org.hbase.async.SecureRpcHelper

public abstract class SecureRpcHelper
extends Object

This base class provides the logic needed to interface with SASL supported RPC versions. It is used by RegionClient to perform RPC handshaking as well as wrapping/unwrapping the rpc payload depending on the selected QOP level.
For Kerberos the following configurations need to be set as system properties.

• hbase.security.authentication=<MECHANISM>
• hbase.kerberos.regionserver.principal=<REGIONSERVER PRINCIPAL>
• hbase.rpc.protection=[authentication|integrity|privacy]
• hbase.sasl.clientconfig=<JAAS Profile Name>
• java.security.auth.login.config=<Path to JAAS conf>

i.e.

• hbase.security.authentication=kerberos
• hbase.kerberos.regionserver.principal=hbase/_HOST@MYREALM.COM
• hbase.rpc.protection=authentication
• hbase.sasl.clientconfig=Client
• java.security.auth.login.config=/path/to/jaas.conf

Since:

1.7

Field Summary

Fields

Modifier and Type	Field and Description
protected ClientAuthProvider	client_auth_provider The authentication provider, e.g.
protected Config	config The HBaseClient config to pull values from
protected String	host_ip The IP of the region client
protected org.hbase.async.RegionClient	region_client The region client this helper will be working with
static String	RPC_QOP_KEY
protected SaslClient	sasl_client The Sasl client if used
static String	SECURITY_AUTHENTICATION_KEY
protected boolean	use_wrap Whether or not to encrypt/decrypt the payload on the socket

Constructor Summary

Constructors

Constructor and Description
SecureRpcHelper(HBaseClient hbase_client, org.hbase.async.RegionClient region_client, SocketAddress remote_endpoint) Ctor that instantiates the authentication provider and attempts to authenticate at the same time.

Method Summary

Modifier and Type	Method and Description
abstract org.jboss.netty.buffer.ChannelBuffer	handleResponse(org.jboss.netty.buffer.ChannelBuffer buf, org.jboss.netty.channel.Channel chan) Handles a buffer received from the region server.
protected byte[]	processChallenge(byte[] b) Handles passing a buffer off to the sasl client for challenge evaluation
abstract void	sendHello(org.jboss.netty.channel.Channel channel) Sends the initial handshake and/or SASL challenge to the region server
org.jboss.netty.buffer.ChannelBuffer	unwrap(org.jboss.netty.buffer.ChannelBuffer payload) When QOP of auth-int or auth-conf is selected This is used to unwrap the contents from the passed buffer payload.
org.jboss.netty.buffer.ChannelBuffer	wrap(org.jboss.netty.buffer.ChannelBuffer content) When QOP of auth-int or auth-conf is selected This is used to wrap the contents into the proper payload (ie encryption, signature, etc) and should be called just before sending the buffer to Netty.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SECURITY_AUTHENTICATION_KEY

public static final String SECURITY_AUTHENTICATION_KEY

See Also:

Constant Field Values

RPC_QOP_KEY

public static final String RPC_QOP_KEY

See Also:

Constant Field Values

config

protected final Config config

The HBaseClient config to pull values from

region_client

protected final org.hbase.async.RegionClient region_client

The region client this helper will be working with

host_ip

protected final String host_ip

The IP of the region client

client_auth_provider

protected ClientAuthProvider client_auth_provider

The authentication provider, e.g. Simple or Kerberos

sasl_client

protected SaslClient sasl_client

The Sasl client if used

use_wrap

protected boolean use_wrap

Whether or not to encrypt/decrypt the payload on the socket

Constructor Detail

SecureRpcHelper

public SecureRpcHelper(HBaseClient hbase_client,
                       org.hbase.async.RegionClient region_client,
                       SocketAddress remote_endpoint)

Ctor that instantiates the authentication provider and attempts to authenticate at the same time.

Parameters:

hbase_client - The Hbase client we belong to

region_client - The region client we're dealing with

remote_endpoint - The remote endpoint of the HBase Region server.

Method Detail

unwrap

public org.jboss.netty.buffer.ChannelBuffer unwrap(org.jboss.netty.buffer.ChannelBuffer payload)

When QOP of auth-int or auth-conf is selected This is used to unwrap the contents from the passed buffer payload. It should be called as soon as it comes off the Netty channel. Note that the ReplayingBufferDecoder may throw an error if we are unable to read the full buffer and replay the data.

Parameters:

payload - A wrapper around content.

Returns:

The content extracted from the payload.

Throws:

IllegalStateException - if the sasl client was unable to unwrap the payload

wrap

public org.jboss.netty.buffer.ChannelBuffer wrap(org.jboss.netty.buffer.ChannelBuffer content)

When QOP of auth-int or auth-conf is selected This is used to wrap the contents into the proper payload (ie encryption, signature, etc) and should be called just before sending the buffer to Netty.

Parameters:

content - The content to be wrapped.

Returns:

The wrapped payload.

Throws:

IllegalStateException - if the sasl client was unable to wrap the payload

sendHello

public abstract void sendHello(org.jboss.netty.channel.Channel channel)

Sends the initial handshake and/or SASL challenge to the region server

Parameters:

channel - The channel to write to

handleResponse

public abstract org.jboss.netty.buffer.ChannelBuffer handleResponse(org.jboss.netty.buffer.ChannelBuffer buf,
                                                                    org.jboss.netty.channel.Channel chan)

Handles a buffer received from the region server. It may be security related or it may be a wrapped packet if security has been negotiated. If wrapping is disabled, the original buffer is returned. If the data is security related, a null should be returned. NOTE: If the buffer IS security related, make sure to drain the entire buffer or Netty will replay it until you're done consuming.

Parameters:

buf - The buffer off the channel

chan - The channel that we received the buffer from

Returns:

The possibly unwrapped channel buffer for further decoding. If null then the response was security related.

processChallenge

protected byte[] processChallenge(byte[] b)

Handles passing a buffer off to the sasl client for challenge evaluation

Parameters:

b - The buffer to process

Returns:

The results of the challenge if successful, or null if there was a SaslException.

Throws:

IllegalStateException - when processing of the action failed due to a PrivilegedActionException