add security & related configurations

configuration/jaas.conf

@@ -0,0 +1,10 @@
+client {
+	com.sun.security.auth.module.Krb5LoginModule required
+	debug=true
+	useTicketCache=true
+	useKeyTab=true
+	keyTab="/etc/xxx.keytab"
+	renewTGT=true
+	principal="[email protected]"
+	storeKey=true;
+};

configuration/pegasus.properties

@@ -4,3 +4,9 @@ async_workers = 4
 enable_perf_counter = false
 perf_counter_tags = cluster=onebox,app=unit_test
 push_counter_interval_secs = 10
+open_auth = true
+jaas_conf = configuration/jaas.conf
+#要访问的server的用户名
+service_name = xxx
+#要访问的server的fqdn
+service_fqdn = xxx

idl/recompile_thrift.sh

@@ -23,7 +23,8 @@ rm -rf $TMP_DIR
 
 mkdir -p $TMP_DIR
 $thrift --gen java rrdb.thrift
-$thrift --gen java replication.thrift 
+$thrift --gen java replication.thrift
+$thrift --gen java security.thrift
 
 # as we pack the thrift source in our project, so we need to replace the package name
 find $TMP_DIR -name "*.java" | xargs sed -i -e "s/org.apache.thrift/com.xiaomi.infra.pegasus.thrift/g"

idl/security.thrift

@@ -0,0 +1,55 @@
+include "base.thrift"
+
+namespace cpp dsn.apps
+namespace java com.xiaomi.infra.pegasus.apps
+namespace py pypegasus.rrdb
+
+// negotiation process:
+//
+//                       client               server
+//                          | --- SASL_MECH --> |
+//                          | <-- SASL_MECH --- |
+//                          | - SASL_SEL_MECH ->|
+//                          | <- SASL_SEL_OK ---|
+//                          |                   |
+//                          | --- SASL_INIT --> |
+//                          |                   |
+//                          | <-- SASL_CHAL --- |
+//                          | --- SASL_RESP --> |
+//                          |                   |
+//                          |      .....        |
+//                          |                   |
+//                          | <-- SASL_CHAL --- |
+//                          | --- SASL_RESP --> |
+//                          |                   | (authentication will succeed
+//                          |                   |  if all chanllenges passed)
+//                          | <-- SASL_SUCC --- |
+// (client won't response   |                   |
+// if servers says ok)      |                   |
+//                          | --- RPC_CALL ---> |
+//                          | <-- RPC_RESP ---- |
+
+enum negotiation_status
+{
+    INVALID = 0,
+    SASL_LIST_MECHANISMS,
+    SASL_LIST_MECHANISMS_RESP,
+    SASL_SELECT_MECHANISMS,
+    SASL_SELECT_MECHANISMS_OK,
+    SASL_INITIATE,
+    SASL_CHALLENGE,
+    SASL_RESPONSE,
+    SASL_SUCC,
+    SASL_AUTH_FAIL
+}
+
+struct negotiation_message
+{
+    1: negotiation_status status;
+    2: base.blob msg;
+}
+
+service security
+{
+    negotiation_message negotiate(1:negotiation_message nego_msg);
+}