HubSpot Backport: HBASE-28317 Expose client TLS certificate on RpcCallContext (apache#67)

Co-authored-by: Charles Connell <[email protected]>

Author: charlesconnell

hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/NettyRpcServer.java

@@ -25,8 +25,11 @@
 
 import java.io.IOException;
 import java.io.InterruptedIOException;
+import java.lang.reflect.Method;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.atomic.AtomicReference;
@@ -46,6 +49,7 @@
 import org.apache.hadoop.hbase.util.Pair;
 import org.apache.hadoop.hbase.util.ReflectionUtils;
 import org.apache.hadoop.security.authorize.ServiceAuthorizationManager;
+import org.apache.hbase.thirdparty.io.netty.handler.ssl.util.LazyX509Certificate;
 import org.apache.yetus.audience.InterfaceAudience;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -172,10 +176,10 @@ protected void initChannel(Channel ch) throws Exception {
           ChannelPipeline pipeline = ch.pipeline();
           FixedLengthFrameDecoder preambleDecoder = new FixedLengthFrameDecoder(6);
           preambleDecoder.setSingleDecode(true);
+          NettyServerRpcConnection conn = createNettyServerRpcConnection(ch);
           if (conf.getBoolean(HBASE_SERVER_NETTY_TLS_ENABLED, false)) {
-            initSSL(pipeline, conf.getBoolean(HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT, true));
+            initSSL(pipeline, conn, conf.getBoolean(HBASE_SERVER_NETTY_TLS_SUPPORTPLAINTEXT, true));
           }
-          NettyServerRpcConnection conn = createNettyServerRpcConnection(ch);
           pipeline.addLast(NettyRpcServerPreambleHandler.DECODER_NAME, preambleDecoder)
             .addLast(new NettyRpcServerPreambleHandler(NettyRpcServer.this, conn))
             // We need NettyRpcServerResponseEncoder here because NettyRpcServerPreambleHandler may
@@ -401,7 +405,7 @@ public Pair<Message, CellScanner> call(BlockingService service, MethodDescriptor
     return call(fakeCall, status);
   }
 
-  private void initSSL(ChannelPipeline p, boolean supportPlaintext)
+  private void initSSL(ChannelPipeline p, NettyServerRpcConnection conn, boolean supportPlaintext)
     throws X509Exception, IOException {
     SslContext nettySslContext = getSslContext();
 
@@ -436,6 +440,26 @@ private void initSSL(ChannelPipeline p, boolean supportPlaintext)
       sslHandler.setWrapDataSize(
         conf.getInt(HBASE_SERVER_NETTY_TLS_WRAP_SIZE, DEFAULT_HBASE_SERVER_NETTY_TLS_WRAP_SIZE));
 
+      sslHandler.handshakeFuture().addListener(future -> {
+        try {
+          Certificate[] certificates = sslHandler.engine().getSession().getPeerCertificates();
+          if (certificates.length > 0) {
+            X509Certificate certificate = (X509Certificate) certificates[0];
+            // Hack to work around https://github.com/netty/netty/issues/13796, remove once HBase uses Netty 4.1.107.Final or later
+            if (certificate instanceof LazyX509Certificate) {
+              Method method = certificate.getClass().getDeclaredMethod("unwrap");
+              method.setAccessible(true);
+              certificate = (X509Certificate) method.invoke(certificate);
+            }
+            conn.clientCertificate = certificate;
+          } else {
+            LOG.debug("No client certificate found for peer {}", remoteAddress);
+          }
+        } catch (Exception e) {
+          LOG.debug("Failure getting peer certificate for {}", remoteAddress, e);
+        }
+      });
+
       p.addLast("ssl", sslHandler);
       LOG.debug("SSL handler added for channel: {}", p.channel());
     }

hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/RpcCallContext.java

@@ -18,6 +18,7 @@
 package org.apache.hadoop.hbase.ipc;
 
 import java.net.InetAddress;
+import java.security.cert.X509Certificate;
 import java.util.Optional;
 import org.apache.hadoop.hbase.security.User;
 import org.apache.yetus.audience.InterfaceAudience;
@@ -60,6 +61,13 @@ default Optional<String> getRequestUserName() {
     return getRequestUser().map(User::getShortName);
   }
 
+  /**
+   * Returns the TLS certificate that the client presented to this HBase server when making its
+   * connection. TLS is orthogonal to Kerberos, so this is unrelated to
+   * {@link this#getRequestUser()}. Both, one, or neither, may be present.
+   */
+  Optional<X509Certificate> getClientCertificate();
+
   /** Returns Address of remote client in this call */
   InetAddress getRemoteAddress();
 

hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/ServerCall.java

@@ -24,6 +24,7 @@
 import java.io.IOException;
 import java.net.InetAddress;
 import java.nio.ByteBuffer;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -96,6 +97,7 @@ public abstract class ServerCall<T extends ServerRpcConnection> implements RpcCa
 
   protected final User user;
   protected final InetAddress remoteAddress;
+  protected final X509Certificate clientCertificate;
   protected RpcCallback rpcCallback;
 
   private long responseCellSize = 0;
@@ -136,9 +138,11 @@ public abstract class ServerCall<T extends ServerRpcConnection> implements RpcCa
     if (connection != null) {
       this.user = connection.user;
       this.retryImmediatelySupported = connection.retryImmediatelySupported;
+      this.clientCertificate = connection.clientCertificate;
     } else {
       this.user = null;
       this.retryImmediatelySupported = false;
+      this.clientCertificate = null;
     }
     this.remoteAddress = remoteAddress;
     this.timeout = timeout;
@@ -499,6 +503,11 @@ public Optional<User> getRequestUser() {
     return Optional.ofNullable(user);
   }
 
+  @Override
+  public Optional<X509Certificate> getClientCertificate() {
+    return Optional.ofNullable(clientCertificate);
+  }
+
   @Override
   public InetAddress getRemoteAddress() {
     return remoteAddress;

hbase-server/src/main/java/org/apache/hadoop/hbase/ipc/ServerRpcConnection.java

@@ -31,6 +31,7 @@
 import java.net.InetSocketAddress;
 import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;
+import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Objects;
@@ -133,6 +134,8 @@ abstract class ServerRpcConnection implements Closeable {
   protected User user = null;
   protected UserGroupInformation ugi = null;
   protected SaslServerAuthenticationProviders saslProviders = null;
+  // volatile because this gets set after this object is constructed, when TLS handshake finishes
+  protected volatile X509Certificate clientCertificate = null;
 
   public ServerRpcConnection(RpcServer rpcServer) {
     this.rpcServer = rpcServer;

hbase-server/src/test/java/org/apache/hadoop/hbase/namequeues/TestNamedQueueRecorder.java

@@ -22,6 +22,7 @@
 import java.net.InetAddress;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedExceptionAction;
+import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.List;
 import java.util.Map;
@@ -814,6 +815,11 @@ public Optional<User> getRequestUser() {
         return getUser(userName);
       }
 
+      @Override
+      public Optional<X509Certificate> getClientCertificate() {
+        return Optional.empty();
+      }
+
       @Override
       public InetAddress getRemoteAddress() {
         return null;

hbase-server/src/test/java/org/apache/hadoop/hbase/namequeues/TestRpcLogDetails.java

@@ -24,6 +24,7 @@
 import java.io.IOException;
 import java.net.InetAddress;
 import java.nio.ByteBuffer;
+import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Map;
@@ -213,6 +214,11 @@ public Optional<User> getRequestUser() {
         return null;
       }
 
+      @Override
+      public Optional<X509Certificate> getClientCertificate() {
+        return Optional.empty();
+      }
+
       @Override
       public InetAddress getRemoteAddress() {
         return null;

hbase-server/src/test/java/org/apache/hadoop/hbase/procedure2/store/region/TestRegionProcedureStore.java

@@ -23,6 +23,7 @@
 
 import java.io.IOException;
 import java.net.InetAddress;
+import java.security.cert.X509Certificate;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Optional;
@@ -275,6 +276,11 @@ public Optional<User> getRequestUser() {
         return Optional.empty();
       }
 
+      @Override
+      public Optional<X509Certificate> getClientCertificate() {
+        return Optional.empty();
+      }
+
       @Override
       public InetAddress getRemoteAddress() {
         return null;