HBASE-29244 Support admin users acl setting with LDAP (Web UI only)

hbase-http/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java

@@ -148,6 +148,11 @@ public class HttpServer implements FilterContainer {
     HTTP_SPNEGO_AUTHENTICATION_PREFIX + "admin.users";
   public static final String HTTP_SPNEGO_AUTHENTICATION_ADMIN_GROUPS_KEY =
     HTTP_SPNEGO_AUTHENTICATION_PREFIX + "admin.groups";
+
+  static final String HTTP_LDAP_AUTHENTICATION_PREFIX = HTTP_AUTHENTICATION_PREFIX + "ldap.";
+  public static final String HTTP_LDAP_AUTHENTICATION_ADMIN_USERS_KEY =
+    HTTP_LDAP_AUTHENTICATION_PREFIX + "admin.users";
+
   public static final String HTTP_PRIVILEGED_CONF_KEY =
     "hbase.security.authentication.ui.config.protected";
   public static final String HTTP_UI_NO_CACHE_ENABLE_KEY = "hbase.http.filter.no-store.enable";

hbase-http/src/main/java/org/apache/hadoop/hbase/http/InfoServer.java

@@ -77,34 +77,51 @@ public InfoServer(String name, String bindAddress, int port, boolean findPort,
           c.get("ssl.server.truststore.type", "jks"));
       builder.excludeCiphers(c.get("ssl.server.exclude.cipher.list"));
     }
+
+    final String httpAuthType = c.get(HttpServer.HTTP_UI_AUTHENTICATION, "").toLowerCase();
     // Enable SPNEGO authentication
-    if ("kerberos".equalsIgnoreCase(c.get(HttpServer.HTTP_UI_AUTHENTICATION, null))) {
+    if ("kerberos".equals(httpAuthType)) {
       builder.setUsernameConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY)
         .setKeytabConfKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY)
         .setKerberosNameRulesKey(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KRB_NAME_KEY)
         .setSignatureSecretFileKey(HttpServer.HTTP_AUTHENTICATION_SIGNATURE_SECRET_FILE_KEY)
         .setSecurityEnabled(true);
+    }
 
-      // Set an admin ACL on sensitive webUI endpoints
+    // Set an admin ACL on sensitive webUI endpoints (works only if SPNEGO or LDAP is enabled)
+    if ("ldap".equals(httpAuthType) || "kerberos".equals(httpAuthType)) {
       AccessControlList acl = buildAdminAcl(c);
       builder.setACL(acl);
     }
+
     this.httpServer = builder.build();
   }
 
   /**
    * Builds an ACL that will restrict the users who can issue commands to endpoints on the UI which
    * are meant only for administrators.
    */
-  AccessControlList buildAdminAcl(Configuration conf) {
-    final String userGroups = conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, null);
+  static AccessControlList buildAdminAcl(Configuration conf) {
+    // Initialize admin users based on whether http ui auth is set to ldap or kerberos
+    String httpAuthType = conf.get(HttpServer.HTTP_UI_AUTHENTICATION, "").toLowerCase();
+    final String adminUsers = getAdminUsers(conf, httpAuthType);
     final String adminGroups =
       conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_GROUPS_KEY, null);
-    if (userGroups == null && adminGroups == null) {
+    if (adminUsers == null && adminGroups == null) {
       // Backwards compatibility - if the user doesn't have anything set, allow all users in.
       return new AccessControlList("*", null);
     }
-    return new AccessControlList(userGroups, adminGroups);
+    return new AccessControlList(adminUsers, adminGroups);
+  }
+
+  private static String getAdminUsers(Configuration conf, String httpAuthType) {
+    if ("kerberos".equals(httpAuthType)) {
+      return conf.get(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, null);
+    } else if ("ldap".equals(httpAuthType)) {
+      return conf.get(HttpServer.HTTP_LDAP_AUTHENTICATION_ADMIN_USERS_KEY, null);
+    }
+    // If the auth type is not kerberos or ldap, return null
+    return null;
   }
 
   /**

hbase-http/src/test/java/org/apache/hadoop/hbase/http/LdapServerTestBase.java

@@ -0,0 +1,124 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.http;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.directory.server.core.integ.CreateLdapServerRule;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hbase.http.resource.JerseyResource;
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Base class for setting up and testing an HTTP server with LDAP authentication.
+ */
+public class LdapServerTestBase extends HttpServerFunctionalTest {
+  private static final Logger LOG = LoggerFactory.getLogger(LdapServerTestBase.class);
+
+  @ClassRule
+  public static CreateLdapServerRule ldapRule = new CreateLdapServerRule();
+
+  protected static HttpServer server;
+  protected static URL baseUrl;
+
+  private static final String AUTH_TYPE = "Basic ";
+
+  /**
+   * Sets up the HTTP server with LDAP authentication before any tests are run.
+   * @throws Exception if an error occurs during server setup
+   */
+  @BeforeClass
+  public static void setupServer() throws Exception {
+    Configuration conf = new Configuration();
+    setLdapConfigurations(conf);
+
+    server = createTestServer(conf);
+    server.addUnprivilegedServlet("echo", "/echo", TestHttpServer.EchoServlet.class);
+    server.addJerseyResourcePackage(JerseyResource.class.getPackage().getName(), "/jersey/*");
+    server.start();
+
+    baseUrl = getServerURL(server);
+    LOG.info("HTTP server started: " + baseUrl);
+  }
+
+  /**
+   * Stops the HTTP server after all tests are completed.
+   * @throws Exception if an error occurs during server shutdown
+   */
+  @AfterClass
+  public static void stopServer() throws Exception {
+    try {
+      if (null != server) {
+        server.stop();
+      }
+    } catch (Exception e) {
+      LOG.info("Failed to stop info server", e);
+    }
+  }
+
+  /**
+   * Configures the provided Configuration object for LDAP authentication.
+   * @param conf the Configuration object to set LDAP properties on
+   * @return the configured Configuration object
+   */
+  protected static void setLdapConfigurations(Configuration conf) {
+    conf.setInt(HttpServer.HTTP_MAX_THREADS, TestHttpServer.MAX_THREADS);
+
+    // Enable LDAP (pre-req)
+    conf.set(HttpServer.HTTP_UI_AUTHENTICATION, "ldap");
+    conf.set(HttpServer.FILTER_INITIALIZERS_PROPERTY,
+      "org.apache.hadoop.hbase.http.lib.AuthenticationFilterInitializer");
+    conf.set("hadoop.http.authentication.type", "ldap");
+    conf.set("hadoop.http.authentication.ldap.providerurl", String.format("ldap://%s:%s",
+      LdapConstants.LDAP_SERVER_ADDR, ldapRule.getLdapServer().getPort()));
+    conf.set("hadoop.http.authentication.ldap.enablestarttls", "false");
+    conf.set("hadoop.http.authentication.ldap.basedn", LdapConstants.LDAP_BASE_DN);
+  }
+
+  /**
+   * Generates a Basic Authentication header from the provided credentials.
+   * @param credentials the credentials to encode
+   * @return the Basic Authentication header
+   */
+  private String getBasicAuthHeader(String credentials) {
+    return AUTH_TYPE + new Base64(0).encodeToString(credentials.getBytes());
+  }
+
+  /**
+   * Opens an HTTP connection to the specified endpoint with optional Basic Authentication.
+   * @param endpoint    the endpoint to connect to
+   * @param credentials the credentials for Basic Authentication (optional)
+   * @return the opened HttpURLConnection
+   * @throws IOException if an error occurs while opening the connection
+   */
+  protected HttpURLConnection openConnection(String endpoint, String credentials)
+    throws IOException {
+    URL url = new URL(getServerURL(server) + endpoint);
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    if (credentials != null) {
+      conn.setRequestProperty("Authorization", getBasicAuthHeader(credentials));
+    }
+    return conn;
+  }
+}

hbase-http/src/test/java/org/apache/hadoop/hbase/http/TestLdapAdminACL.java

@@ -0,0 +1,128 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.http;
+
+import static org.junit.Assert.assertEquals;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifs;
+import org.apache.directory.server.core.annotations.ContextEntry;
+import org.apache.directory.server.core.annotations.CreateDS;
+import org.apache.directory.server.core.annotations.CreatePartition;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.CommonConfigurationKeys;
+import org.apache.hadoop.hbase.HBaseClassTestRule;
+import org.apache.hadoop.hbase.http.resource.JerseyResource;
+import org.apache.hadoop.hbase.testclassification.MiscTests;
+import org.apache.hadoop.hbase.testclassification.SmallTests;
+import org.junit.BeforeClass;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Test class for admin ACLs with LDAP authentication on the HttpServer.
+ */
+@Category({ MiscTests.class, SmallTests.class })
+@CreateLdapServer(
+    transports = { @CreateTransport(protocol = "LDAP", address = LdapConstants.LDAP_SERVER_ADDR), })
+@CreateDS(name = "TestLdapAdminACL", allowAnonAccess = true,
+    partitions = { @CreatePartition(name = "Test_Partition", suffix = LdapConstants.LDAP_BASE_DN,
+        contextEntry = @ContextEntry(entryLdif = "dn: " + LdapConstants.LDAP_BASE_DN + " \n"
+          + "dc: example\n" + "objectClass: top\n" + "objectClass: domain\n\n")) })
+@ApplyLdifs({ "dn: uid=bjones," + LdapConstants.LDAP_BASE_DN, "cn: Bob Jones", "sn: Jones",
+  "objectClass: inetOrgPerson", "uid: bjones", "userPassword: p@ssw0rd",
+
+  "dn: uid=jdoe," + LdapConstants.LDAP_BASE_DN, "cn: John Doe", "sn: Doe",
+  "objectClass: inetOrgPerson", "uid: jdoe", "userPassword: secure123" })
+public class TestLdapAdminACL extends LdapServerTestBase {
+
+  @ClassRule
+  public static final HBaseClassTestRule CLASS_RULE =
+    HBaseClassTestRule.forClass(TestLdapAdminACL.class);
+  private static final Logger LOG = LoggerFactory.getLogger(TestLdapAdminACL.class);
+
+  private static final String ADMIN_CREDENTIALS = "bjones:p@ssw0rd";
+  private static final String NON_ADMIN_CREDENTIALS = "jdoe:secure123";
+  private static final String WRONG_CREDENTIALS = "bjones:password";
+
+  @BeforeClass
+  public static void setupServer() throws Exception {
+    Configuration conf = new Configuration();
+    setLdapConfigurationWithACLs(conf);
+
+    server = createTestServer(conf, InfoServer.buildAdminAcl(conf));
+    server.addUnprivilegedServlet("echo", "/echo", TestHttpServer.EchoServlet.class);
+    // we will reuse /jmx which is a privileged servlet
+    server.addJerseyResourcePackage(JerseyResource.class.getPackage().getName(), "/jersey/*");
+    server.start();
+
+    baseUrl = getServerURL(server);
+    LOG.info("HTTP server started: " + baseUrl);
+  }
+
+  private static void setLdapConfigurationWithACLs(Configuration conf) {
+    setLdapConfigurations(conf);
+
+    // Enable LDAP admin ACL
+    conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
+    conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN, true);
+    conf.set(HttpServer.HTTP_LDAP_AUTHENTICATION_ADMIN_USERS_KEY, "bjones");
+  }
+
+  @Test
+  public void testAdminAllowedUnprivilegedServletAccess() throws IOException {
+    HttpURLConnection conn = openConnection("/echo?a=b", ADMIN_CREDENTIALS);
+    assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+  }
+
+  @Test
+  public void testAdminAllowedPrivilegedServletAccess() throws IOException {
+    HttpURLConnection conn = openConnection("/jmx", ADMIN_CREDENTIALS);
+    assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+  }
+
+  @Test
+  public void testNonAdminAllowedUnprivilegedServletAccess() throws IOException {
+    HttpURLConnection conn = openConnection("/echo?a=b", NON_ADMIN_CREDENTIALS);
+    assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+  }
+
+  @Test
+  public void testNonAdminDisallowedPrivilegedServletAccess() throws IOException {
+    HttpURLConnection conn = openConnection("/jmx", NON_ADMIN_CREDENTIALS);
+    assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
+  }
+
+  @Test
+  public void testWrongAuthDisallowedUnprivilegedServletAccess() throws IOException {
+    HttpURLConnection conn = openConnection("/echo?a=b", WRONG_CREDENTIALS);
+    assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
+  }
+
+  @Test
+  public void testWrongAuthDisallowedPrivilegedServletAccess() throws IOException {
+    HttpURLConnection conn = openConnection("/jmx", WRONG_CREDENTIALS);
+    assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
+  }
+}