1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.hadoop.hbase.security;
20
21 import org.apache.commons.codec.binary.Base64;
22 import org.apache.commons.logging.Log;
23 import org.apache.commons.logging.LogFactory;
24 import org.apache.hadoop.hbase.classification.InterfaceAudience;
25
26 import java.util.Map;
27 import java.util.TreeMap;
28
29 import javax.security.sasl.Sasl;
30
31 @InterfaceAudience.Private
32 public class SaslUtil {
33 private static final Log log = LogFactory.getLog(SaslUtil.class);
34 public static final String SASL_DEFAULT_REALM = "default";
35 public static final Map<String, String> SASL_PROPS =
36 new TreeMap<String, String>();
37 public static final int SWITCH_TO_SIMPLE_AUTH = -88;
38
39 public static enum QualityOfProtection {
40 AUTHENTICATION("auth"),
41 INTEGRITY("auth-int"),
42 PRIVACY("auth-conf");
43
44 public final String saslQop;
45
46 private QualityOfProtection(String saslQop) {
47 this.saslQop = saslQop;
48 }
49
50 public String getSaslQop() {
51 return saslQop;
52 }
53 }
54
55
56 public static String[] splitKerberosName(String fullName) {
57 return fullName.split("[/@]");
58 }
59
60 static String encodeIdentifier(byte[] identifier) {
61 return new String(Base64.encodeBase64(identifier));
62 }
63
64 static byte[] decodeIdentifier(String identifier) {
65 return Base64.decodeBase64(identifier.getBytes());
66 }
67
68 static char[] encodePassword(byte[] password) {
69 return new String(Base64.encodeBase64(password)).toCharArray();
70 }
71
72
73
74
75
76
77 public static QualityOfProtection getQop(String stringQop) {
78 QualityOfProtection qop = null;
79 if (QualityOfProtection.AUTHENTICATION.name().toLowerCase().equals(stringQop)
80 || QualityOfProtection.AUTHENTICATION.saslQop.equals(stringQop)) {
81 qop = QualityOfProtection.AUTHENTICATION;
82 } else if (QualityOfProtection.INTEGRITY.name().toLowerCase().equals(stringQop)
83 || QualityOfProtection.INTEGRITY.saslQop.equals(stringQop)) {
84 qop = QualityOfProtection.INTEGRITY;
85 } else if (QualityOfProtection.PRIVACY.name().toLowerCase().equals(stringQop)
86 || QualityOfProtection.PRIVACY.saslQop.equals(stringQop)) {
87 qop = QualityOfProtection.PRIVACY;
88 }
89 if (qop == null) {
90 throw new IllegalArgumentException("Invalid qop: " + stringQop
91 + ". It must be one of 'authentication', 'integrity', 'privacy'.");
92 }
93 if (QualityOfProtection.AUTHENTICATION.saslQop.equals(stringQop)
94 || QualityOfProtection.INTEGRITY.saslQop.equals(stringQop)
95 || QualityOfProtection.PRIVACY.saslQop.equals(stringQop)) {
96 log.warn("Use authentication/integrity/privacy as value for rpc protection "
97 + "configurations instead of auth/auth-int/auth-conf.");
98 }
99 return qop;
100 }
101
102 static void initSaslProperties(String rpcProtection) {
103 QualityOfProtection saslQOP = getQop(rpcProtection);
104 if (saslQOP == null) {
105 saslQOP = QualityOfProtection.AUTHENTICATION;
106 }
107 SaslUtil.SASL_PROPS.put(Sasl.QOP, saslQOP.getSaslQop());
108 SaslUtil.SASL_PROPS.put(Sasl.SERVER_AUTH, "true");
109 }
110 }