Break apart the client/server authP interfaces from each other

Common SaslAuthenticationProvider interface encapsulates generic logic
that applies to both client and server, with separate SaslClientAP
and SaslServerAP interfaces to prevent client from polluting server,
and vice versa.

Author: joshelser

hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/AuthenticationProviderSelector.java

@@ -1,4 +1,4 @@
-/**
+/*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information

hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/BuiltInSaslAuthenticationProvider.java

@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.provider;
+
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.io.Text;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.apache.yetus.audience.InterfaceStability;
+
+/**
+ * Base class for all Apache HBase, built-in {@link SaslAuthenticationProvider}'s to extend.
+ */
+@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
+@InterfaceStability.Evolving
+public abstract class BuiltInSaslAuthenticationProvider implements SaslAuthenticationProvider {
+
+  public static final Text AUTH_TOKEN_TYPE = new Text("HBASE_AUTH_TOKEN");
+
+  @Override
+  public Text getTokenKind() {
+    return AUTH_TOKEN_TYPE;
+  }
+}

hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/DigestSaslAuthenticationProvider.java

@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.provider;
+
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.apache.yetus.audience.InterfaceStability;
+
+/**
+ * Base client for client/server implementations for the HBase delegation token auth'n method.
+ */
+@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
+@InterfaceStability.Evolving
+public class DigestSaslAuthenticationProvider extends BuiltInSaslAuthenticationProvider {
+
+  static final String MECHANISM = "DIGEST-MD5";
+  static final SaslAuthMethod SASL_AUTH_METHOD = new SaslAuthMethod(
+      "DIGEST", (byte)82, MECHANISM, AuthenticationMethod.TOKEN);
+
+  @Override
+  public SaslAuthMethod getSaslAuthMethod() {
+    return SASL_AUTH_METHOD;
+  }
+}

hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/DigestSaslClientAuthenticationProvider.java

@@ -36,7 +36,6 @@
 import org.apache.hadoop.hbase.security.SaslUtil;
 import org.apache.hadoop.hbase.security.SecurityInfo;
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.yetus.audience.InterfaceAudience;
@@ -48,16 +47,10 @@
 
 @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
 @InterfaceStability.Evolving
-public class DigestSaslClientAuthenticationProvider extends
-    AbstractSaslClientAuthenticationProvider {
+public class DigestSaslClientAuthenticationProvider extends DigestSaslAuthenticationProvider
+    implements SaslClientAuthenticationProvider {
 
   private static final String MECHANISM = "DIGEST-MD5";
-  private static final SaslAuthMethod SASL_AUTH_METHOD = new SaslAuthMethod(
-      "DIGEST", (byte)82, MECHANISM, AuthenticationMethod.TOKEN);
-
-  public static String getMechanism() {
-    return MECHANISM;
-  }
 
   @Override
   public SaslClient createClient(Configuration conf, InetAddress serverAddr,
@@ -67,11 +60,6 @@ public SaslClient createClient(Configuration conf, InetAddress serverAddr,
         SaslUtil.SASL_DEFAULT_REALM, saslProps, new DigestSaslClientCallbackHandler(token));
   }
 
-  @Override
-  public SaslAuthMethod getSaslAuthMethod() {
-    return SASL_AUTH_METHOD;
-  }
-
   public static class DigestSaslClientCallbackHandler implements CallbackHandler {
     private static final Logger LOG =
         LoggerFactory.getLogger(DigestSaslClientCallbackHandler.class);

hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/GssSaslAuthenticationProvider.java

@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.provider;
+
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.apache.yetus.audience.InterfaceStability;
+
+/**
+ * Base client for client/server implementations for the "KERBEROS" HBase auth'n method.
+ */
+@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
+@InterfaceStability.Evolving
+public class GssSaslAuthenticationProvider extends BuiltInSaslAuthenticationProvider {
+
+  static final SaslAuthMethod SASL_AUTH_METHOD = new SaslAuthMethod(
+      "KERBEROS", (byte)81, "GSSAPI", AuthenticationMethod.KERBEROS);
+
+  @Override
+  public SaslAuthMethod getSaslAuthMethod() {
+    return SASL_AUTH_METHOD;
+  }
+}

hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/GssSaslClientAuthenticationProvider.java

@@ -30,7 +30,6 @@
 import org.apache.hadoop.hbase.security.SecurityInfo;
 import org.apache.hadoop.security.SecurityUtil;
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.yetus.audience.InterfaceAudience;
@@ -42,12 +41,10 @@
 
 @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
 @InterfaceStability.Evolving
-public class GssSaslClientAuthenticationProvider extends AbstractSaslClientAuthenticationProvider {
+public class GssSaslClientAuthenticationProvider extends GssSaslAuthenticationProvider
+    implements SaslClientAuthenticationProvider {
   private static final Logger LOG = LoggerFactory.getLogger(
       GssSaslClientAuthenticationProvider.class);
-  private static final String MECHANISM = "GSSAPI";
-  private static final SaslAuthMethod SASL_AUTH_METHOD = new SaslAuthMethod(
-      "KERBEROS", (byte)81, MECHANISM, AuthenticationMethod.KERBEROS);
 
   String getServerPrincipal(Configuration conf, SecurityInfo securityInfo, InetAddress server)
       throws IOException {
@@ -70,13 +67,8 @@ public SaslClient createClient(Configuration conf, InetAddress serverAddr,
       throw new IOException("Kerberos principal '" + serverPrincipal
           + "' does not have the expected format");
     }
-    return Sasl.createSaslClient(new String[] { MECHANISM }, null, names[0], names[1], saslProps,
-        null);
-  }
-
-  @Override
-  public SaslAuthMethod getSaslAuthMethod() {
-    return SASL_AUTH_METHOD;
+    return Sasl.createSaslClient(new String[] { getSaslAuthMethod().getSaslMechanism() }, null,
+        names[0], names[1], saslProps, null);
   }
 
   @Override

hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslAuthenticationProvider.java

@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.provider;
+
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.io.Text;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.apache.yetus.audience.InterfaceStability;
+
+/**
+ * Encapsulation of client-side logic to authenticate to HBase via some means over SASL.
+ * Implementations should not directly implement this interface, but instead extend
+ * {@link AbstractSaslClientAuthenticationProvider}.
+ *
+ * Implementations of this interface must make an implementation of {@code hashCode()}
+ * which returns the same value across multiple instances of the provider implementation.
+ */
+@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
+@InterfaceStability.Evolving
+public interface SaslAuthenticationProvider {
+
+  /**
+   * Returns the attributes which identify how this provider authenticates.
+   */
+  SaslAuthMethod getSaslAuthMethod();
+
+  /**
+   * Returns the name of the type used by the TokenIdentifier.
+   */
+  Text getTokenKind();
+}

hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SaslClientAuthenticationProvider.java

@@ -26,14 +26,14 @@
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.HBaseInterfaceAudience;
 import org.apache.hadoop.hbase.security.SecurityInfo;
-import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.UserInformation;
-import org.apache.hadoop.io.Text;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.yetus.audience.InterfaceAudience;
 import org.apache.yetus.audience.InterfaceStability;
 
+import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos.UserInformation;
+
 /**
  * Encapsulation of client-side logic to authenticate to HBase via some means over SASL.
  * Implementations should not directly implement this interface, but instead extend
@@ -44,7 +44,7 @@
  */
 @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
 @InterfaceStability.Evolving
-public interface SaslClientAuthenticationProvider {
+public interface SaslClientAuthenticationProvider extends SaslAuthenticationProvider {
 
   /**
    * Creates the SASL client instance for this auth'n method.
@@ -53,16 +53,6 @@ SaslClient createClient(Configuration conf, InetAddress serverAddr, SecurityInfo
       Token<? extends TokenIdentifier> token, boolean fallbackAllowed,
       Map<String, String> saslProps) throws IOException;
 
-  /**
-   * Returns the attributes which identify how this provider authenticates.
-   */
-  SaslAuthMethod getSaslAuthMethod();
-
-  /**
-   * Returns the name of the type used by the TokenIdentifier.
-   */
-  Text getTokenKind();
-
   /**
    * Constructs a {@link UserInformation} from the given {@link UserGroupInformation}
    */

hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SimpleSaslAuthenticationProvider.java

@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.hbase.security.provider;
+
+import org.apache.hadoop.hbase.HBaseInterfaceAudience;
+import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
+import org.apache.yetus.audience.InterfaceAudience;
+import org.apache.yetus.audience.InterfaceStability;
+
+/**
+ * Base client for client/server implementations for the "SIMPLE" HBase auth'n method.
+ */
+@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
+@InterfaceStability.Evolving
+public class SimpleSaslAuthenticationProvider extends BuiltInSaslAuthenticationProvider {
+  private static final SaslAuthMethod SASL_AUTH_METHOD = new SaslAuthMethod(
+      "SIMPLE", (byte)80, "", AuthenticationMethod.SIMPLE);
+
+  @Override
+  public SaslAuthMethod getSaslAuthMethod() {
+    return SASL_AUTH_METHOD;
+  }
+}

hbase-client/src/main/java/org/apache/hadoop/hbase/security/provider/SimpleSaslClientAuthenticationProvider.java

@@ -27,7 +27,6 @@
 import org.apache.hadoop.hbase.HBaseInterfaceAudience;
 import org.apache.hadoop.hbase.security.SecurityInfo;
 import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;
 import org.apache.hadoop.security.token.Token;
 import org.apache.hadoop.security.token.TokenIdentifier;
 import org.apache.yetus.audience.InterfaceAudience;
@@ -38,9 +37,7 @@
 @InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.AUTHENTICATION)
 @InterfaceStability.Evolving
 public class SimpleSaslClientAuthenticationProvider extends
-    AbstractSaslClientAuthenticationProvider {
-  private static final SaslAuthMethod SASL_AUTH_METHOD = new SaslAuthMethod(
-      "SIMPLE", (byte)80, "", AuthenticationMethod.SIMPLE);
+    SimpleSaslAuthenticationProvider implements SaslClientAuthenticationProvider {
 
   @Override
   public SaslClient createClient(Configuration conf, InetAddress serverAddress,
@@ -59,9 +56,4 @@ public UserInformation getUserInfo(UserGroupInformation user) {
     }
     return userInfoPB.build();
   }
-
-  @Override
-  public SaslAuthMethod getSaslAuthMethod() {
-    return SASL_AUTH_METHOD;
-  }
 }