org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod Java Examples

/** test constructor */
@Test (timeout = 30000)
public void testConstructorWithKerberos() throws Exception {
  // security on, default is remove default realm
  SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
  UserGroupInformation.setConfiguration(conf);

  testConstructorSuccess("user1", "user1");
  testConstructorSuccess("[email protected]", "user2");
  testConstructorSuccess("user3/[email protected]", "user3");    
  // failure test
  testConstructorFailures("[email protected]");
  testConstructorFailures("user5/[email protected]");
  testConstructorFailures(null);
  testConstructorFailures("");
}
 

private void tryLoginAuthenticationMethod(AuthenticationMethod method,
                                          boolean expectSuccess)
                                              throws IOException {
  SecurityUtil.setAuthenticationMethod(method, conf);
  UserGroupInformation.setConfiguration(conf); // pick up changed auth       

  UserGroupInformation ugi = null;
  Exception ex = null;
  try {
    ugi = UserGroupInformation.getLoginUser();
  } catch (Exception e) {
    ex = e;
  }
  if (expectSuccess) {
    assertNotNull(ugi);
    assertEquals(method, ugi.getAuthenticationMethod());
  } else {
    assertNotNull(ex);
    assertEquals(UnsupportedOperationException.class, ex.getClass());
    assertEquals(method + " login authentication is not supported",
                 ex.getMessage());
  }
}
 

/** test constructor */
@Test (timeout = 30000)
public void testConstructorWithKerberosRules() throws Exception {
  // security on, explicit rules
  SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
  conf.set(HADOOP_SECURITY_AUTH_TO_LOCAL,
      "RULE:[2:$1@$0](.*@OTHER.REALM)s/(.*)@.*/other-$1/" +
      "RULE:[1:$1@$0](.*@OTHER.REALM)s/(.*)@.*/other-$1/" +
      "DEFAULT");
  UserGroupInformation.setConfiguration(conf);
  
  testConstructorSuccess("user1", "user1");
  testConstructorSuccess("[email protected]", "user2");
  testConstructorSuccess("user3/[email protected]", "user3");    
  testConstructorSuccess("[email protected]", "other-user4");
  testConstructorSuccess("user5/[email protected]", "other-user5");
  // failure test
  testConstructorFailures(null);
  testConstructorFailures("");
}
 

@Test
public void testGetUserWithOwnerAndReal() {
  Text owner = new Text("owner");
  Text realUser = new Text("realUser");
  TestDelegationTokenIdentifier ident =
      new TestDelegationTokenIdentifier(owner, null, realUser);
  UserGroupInformation ugi = ident.getUser();
  assertNotNull(ugi.getRealUser());
  assertNull(ugi.getRealUser().getRealUser());
  assertEquals("owner", ugi.getUserName());
  assertEquals("realUser", ugi.getRealUser().getUserName());
  assertEquals(AuthenticationMethod.PROXY,
               ugi.getAuthenticationMethod());
  assertEquals(AuthenticationMethod.TOKEN,
               ugi.getRealUser().getAuthenticationMethod());
}
 

@Test
public void testLogin() throws IOException {
  String userPrincipal = System.getProperty("user.principal");
  String userKeyTab = System.getProperty("user.keytab");
  Assert.assertNotNull("User principal was not specified", userPrincipal);
  Assert.assertNotNull("User keytab was not specified", userKeyTab);

  Configuration conf = new Configuration();
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
      "kerberos");
  UserGroupInformation.setConfiguration(conf);

  UserGroupInformation ugi = UserGroupInformation
      .loginUserFromKeytabAndReturnUGI(userPrincipal, userKeyTab);

  Assert.assertEquals(AuthenticationMethod.KERBEROS,
      ugi.getAuthenticationMethod());
  
  try {
    UserGroupInformation
    .loginUserFromKeytabAndReturnUGI("[email protected]", userKeyTab);
    Assert.fail("Login should have failed");
  } catch (Exception ex) {
    ex.printStackTrace();
  }
}
 

private List<AuthMethod> getAuthMethods(SecretManager<?> secretManager,
                                           Configuration conf) {
  AuthenticationMethod confAuthenticationMethod =
      SecurityUtil.getAuthenticationMethod(conf);        
  List<AuthMethod> authMethods = new ArrayList<AuthMethod>();
  if (confAuthenticationMethod == AuthenticationMethod.TOKEN) {
    if (secretManager == null) {
      throw new IllegalArgumentException(AuthenticationMethod.TOKEN +
          " authentication requires a secret manager");
    } 
  } else if (secretManager != null) {
    LOG.debug(AuthenticationMethod.TOKEN +
        " authentication enabled for secret manager");
    // most preferred, go to the front of the line!
    authMethods.add(AuthenticationMethod.TOKEN.getAuthMethod());
  }
  authMethods.add(confAuthenticationMethod.getAuthMethod());        
  
  LOG.debug("Server accepts auth methods:" + authMethods);
  return authMethods;
}
 

/**
 * Get the username encoded in the token identifier
 * 
 * @return the username or owner
 */
@Override
public UserGroupInformation getUser() {
  if ( (owner == null) || (owner.toString().isEmpty())) {
    return null;
  }
  final UserGroupInformation realUgi;
  final UserGroupInformation ugi;
  if ((realUser == null) || (realUser.toString().isEmpty())
      || realUser.equals(owner)) {
    ugi = realUgi = UserGroupInformation.createRemoteUser(owner.toString());
  } else {
    realUgi = UserGroupInformation.createRemoteUser(realUser.toString());
    ugi = UserGroupInformation.createProxyUser(owner.toString(), realUgi);
  }
  realUgi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
  return ugi;
}
 

@Test
public void testLogin() throws IOException {
  String userPrincipal = System.getProperty("user.principal");
  String userKeyTab = System.getProperty("user.keytab");
  Assert.assertNotNull("User principal was not specified", userPrincipal);
  Assert.assertNotNull("User keytab was not specified", userKeyTab);

  Configuration conf = new Configuration();
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
      "kerberos");
  UserGroupInformation.setConfiguration(conf);

  UserGroupInformation ugi = UserGroupInformation
      .loginUserFromKeytabAndReturnUGI(userPrincipal, userKeyTab);

  Assert.assertEquals(AuthenticationMethod.KERBEROS,
      ugi.getAuthenticationMethod());
  
  try {
    UserGroupInformation
    .loginUserFromKeytabAndReturnUGI("[email protected]", userKeyTab);
    Assert.fail("Login should have failed");
  } catch (Exception ex) {
    ex.printStackTrace();
  }
}
 

/**
 * Creates configuration for starting a secure cluster.
 *
 * @param dataTransferProtection supported QOPs
 * @return configuration for starting a secure cluster
 * @throws Exception if there is any failure
 */
protected HdfsConfiguration createSecureConfig(
    String dataTransferProtection) throws Exception {
  HdfsConfiguration conf = new HdfsConfiguration();
  SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, conf);
  conf.set(DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  conf.set(DFS_NAMENODE_KEYTAB_FILE_KEY, keytab);
  conf.set(DFS_DATANODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  conf.set(DFS_DATANODE_KEYTAB_FILE_KEY, keytab);
  conf.set(DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, spnegoPrincipal);
  conf.setBoolean(DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true);
  conf.set(DFS_DATA_TRANSFER_PROTECTION_KEY, dataTransferProtection);
  conf.set(DFS_HTTP_POLICY_KEY, HttpConfig.Policy.HTTPS_ONLY.name());
  conf.set(DFS_NAMENODE_HTTPS_ADDRESS_KEY, "localhost:0");
  conf.set(DFS_DATANODE_HTTPS_ADDRESS_KEY, "localhost:0");
  conf.setInt(IPC_CLIENT_CONNECT_MAX_RETRIES_ON_SASL_KEY, 10);

  String keystoresDir = baseDir.getAbsolutePath();
  String sslConfDir = KeyStoreTestUtil.getClasspathDir(this.getClass());
  KeyStoreTestUtil.setupSSLConfig(keystoresDir, sslConfDir, conf, false);
  return conf;
}
 

/**
 * Get the username encoded in the token identifier
 * 
 * @return the username or owner
 */
@Override
public UserGroupInformation getUser() {
  if ( (owner == null) || (owner.toString().isEmpty())) {
    return null;
  }
  final UserGroupInformation realUgi;
  final UserGroupInformation ugi;
  if ((realUser == null) || (realUser.toString().isEmpty())
      || realUser.equals(owner)) {
    ugi = realUgi = UserGroupInformation.createRemoteUser(owner.toString());
  } else {
    realUgi = UserGroupInformation.createRemoteUser(realUser.toString());
    ugi = UserGroupInformation.createProxyUser(owner.toString(), realUgi);
  }
  realUgi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
  return ugi;
}
 

private void tryLoginAuthenticationMethod(AuthenticationMethod method,
                                          boolean expectSuccess)
                                              throws IOException {
  SecurityUtil.setAuthenticationMethod(method, conf);
  UserGroupInformation.setConfiguration(conf); // pick up changed auth       

  UserGroupInformation ugi = null;
  Exception ex = null;
  try {
    ugi = UserGroupInformation.getLoginUser();
  } catch (Exception e) {
    ex = e;
  }
  if (expectSuccess) {
    assertNotNull(ugi);
    assertEquals(method, ugi.getAuthenticationMethod());
  } else {
    assertNotNull(ex);
    assertEquals(UnsupportedOperationException.class, ex.getClass());
    assertEquals(method + " login authentication is not supported",
                 ex.getMessage());
  }
}
 

/**
 * Login OM service user if security and Kerberos are enabled.
 *
 * @param conf
 * @throws IOException, AuthenticationException
 */
private static void loginOMUser(OzoneConfiguration conf)
    throws IOException, AuthenticationException {

  if (SecurityUtil.getAuthenticationMethod(conf).equals(
      AuthenticationMethod.KERBEROS)) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Ozone security is enabled. Attempting login for OM user. "
              + "Principal: {}, keytab: {}", conf.get(
          OZONE_OM_KERBEROS_PRINCIPAL_KEY),
          conf.get(OZONE_OM_KERBEROS_KEYTAB_FILE_KEY));
    }

    UserGroupInformation.setConfiguration(conf);

    InetSocketAddress socAddr = OmUtils.getOmAddress(conf);
    SecurityUtil.login(conf, OZONE_OM_KERBEROS_KEYTAB_FILE_KEY,
        OZONE_OM_KERBEROS_PRINCIPAL_KEY, socAddr.getHostName());
  } else {
    throw new AuthenticationException(SecurityUtil.getAuthenticationMethod(
        conf) + " authentication method not supported. OM user login "
        + "failed.");
  }
  LOG.info("Ozone Manager login successful.");
}
 

@Test (timeout = 30000)
public void testGetRealAuthenticationMethod() {
  UserGroupInformation ugi = UserGroupInformation.createRemoteUser("user1");
  ugi.setAuthenticationMethod(AuthenticationMethod.SIMPLE);
  assertEquals(AuthenticationMethod.SIMPLE, ugi.getAuthenticationMethod());
  assertEquals(AuthenticationMethod.SIMPLE, ugi.getRealAuthenticationMethod());
  ugi = UserGroupInformation.createProxyUser("user2", ugi);
  assertEquals(AuthenticationMethod.PROXY, ugi.getAuthenticationMethod());
  assertEquals(AuthenticationMethod.SIMPLE, ugi.getRealAuthenticationMethod());
}
 

@Test
public void testGetUserWithOwnerEqualsReal() {
  Text owner = new Text("owner");
  TestDelegationTokenIdentifier ident =
      new TestDelegationTokenIdentifier(owner, null, owner);
  UserGroupInformation ugi = ident.getUser();
  assertNull(ugi.getRealUser());
  assertEquals("owner", ugi.getUserName());
  assertEquals(AuthenticationMethod.TOKEN, ugi.getAuthenticationMethod());
}
 

public static void setAuthenticationMethod(
    AuthenticationMethod authenticationMethod, Configuration conf) {
  if (authenticationMethod == null) {
    authenticationMethod = AuthenticationMethod.SIMPLE;
  }
  conf.set(HADOOP_SECURITY_AUTHENTICATION,
      StringUtils.toLowerCase(authenticationMethod.toString()));
}
 

@Test
public void testRpcCallWithEnabledKerberosSaslAuth() throws Exception {
  UserGroupInformation ugi2 = UserGroupInformation.getCurrentUser();

  // check that the login user is okay:
  assertSame(ugi2, ugi);
  assertEquals(AuthenticationMethod.KERBEROS, ugi.getAuthenticationMethod());
  assertEquals(krbPrincipal, ugi.getUserName());

  callRpcService(User.create(ugi2));
}
 

@Test (timeout = 30000)
public void testTestAuthMethod() throws Exception {
  UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
  // verify the reverse mappings works
  for (AuthenticationMethod am : AuthenticationMethod.values()) {
    if (am.getAuthMethod() != null) {
      ugi.setAuthenticationMethod(am.getAuthMethod());
      assertEquals(am, ugi.getAuthenticationMethod());
    }
  }
}
 

@Test
public void testGetUserWithOwner() {
  TestDelegationTokenIdentifier ident =
      new TestDelegationTokenIdentifier(new Text("owner"), null, null);
  UserGroupInformation ugi = ident.getUser();
  assertNull(ugi.getRealUser());
  assertEquals("owner", ugi.getUserName());
  assertEquals(AuthenticationMethod.TOKEN, ugi.getAuthenticationMethod());
}
 

/**
 * @param ugi A user group information.
 * @return true if delegation token operation is allowed
 */
private boolean isAllowedDelegationTokenOp(UserGroupInformation ugi) throws IOException {
  AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
  if (authMethod == AuthenticationMethod.PROXY) {
    authMethod = ugi.getRealUser().getAuthenticationMethod();
  }
  if (authMethod != AuthenticationMethod.KERBEROS
      && authMethod != AuthenticationMethod.KERBEROS_SSL
      && authMethod != AuthenticationMethod.CERTIFICATE) {
    return false;
  }
  return true;
}
 

@Test
public void testShouldCheckIfTheUserHasHDFSDelegationToken() {
	UserGroupInformation userWithToken = createTestUser(AuthenticationMethod.KERBEROS);
	userWithToken.addToken(getHDFSDelegationToken());

	boolean result = HadoopUtils.hasHDFSDelegationToken(userWithToken);

	assertTrue(result);
}
 

@Override
public UserGroupInformation getValue(final HttpContext context) {
  final Configuration conf = (Configuration) servletcontext
      .getAttribute(JspHelper.CURRENT_CONF);
  try {
    return JspHelper.getUGI(servletcontext, request, conf,
        AuthenticationMethod.KERBEROS, false);
  } catch (IOException e) {
    throw new SecurityException(
        SecurityUtil.FAILED_TO_GET_UGI_MSG_HEADER + " " + e, e);
  }
}
 

private boolean isAllowedDelegationTokenOp() throws IOException {
  if (UserGroupInformation.isSecurityEnabled()) {
    return EnumSet.of(AuthenticationMethod.KERBEROS,
                      AuthenticationMethod.KERBEROS_SSL,
                      AuthenticationMethod.CERTIFICATE)
        .contains(UserGroupInformation.getCurrentUser()
                .getRealAuthenticationMethod());
  } else {
    return true;
  }
}
 

@Override
public void whoAmI(RpcController controller, AuthenticationProtos.WhoAmIRequest request,
    RpcCallback<AuthenticationProtos.WhoAmIResponse> done) {
  AuthenticationProtos.WhoAmIResponse.Builder response =
      AuthenticationProtos.WhoAmIResponse.newBuilder();
  RpcServer.getRequestUser().ifPresent(requestUser -> {
    response.setUsername(requestUser.getShortName());
    AuthenticationMethod method = requestUser.getUGI().getAuthenticationMethod();
    if (method != null) {
      response.setAuthMethod(method.name());
    }
  });
  done.run(response.build());
}
 

@Test (timeout = 30000)
public void testUGIAuthMethodInRealUser() throws Exception {
  final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
  UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(
      "proxy", ugi);
  final AuthenticationMethod am = AuthenticationMethod.KERBEROS;
  ugi.setAuthenticationMethod(am);
  Assert.assertEquals(am, ugi.getAuthenticationMethod());
  Assert.assertEquals(AuthenticationMethod.PROXY,
                      proxyUgi.getAuthenticationMethod());
  Assert.assertEquals(am, UserGroupInformation
      .getRealAuthenticationMethod(proxyUgi));
  proxyUgi.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() throws IOException {
      Assert.assertEquals(AuthenticationMethod.PROXY, UserGroupInformation
          .getCurrentUser().getAuthenticationMethod());
      Assert.assertEquals(am, UserGroupInformation.getCurrentUser()
          .getRealUser().getAuthenticationMethod());
      return null;
    }
  });
  UserGroupInformation proxyUgi2 = 
    new UserGroupInformation(proxyUgi.getSubject());
  proxyUgi2.setAuthenticationMethod(AuthenticationMethod.PROXY);
  Assert.assertEquals(proxyUgi, proxyUgi2);
  // Equality should work if authMethod is null
  UserGroupInformation realugi = UserGroupInformation.getCurrentUser();
  UserGroupInformation proxyUgi3 = UserGroupInformation.createProxyUser(
      "proxyAnother", realugi);
  UserGroupInformation proxyUgi4 = 
    new UserGroupInformation(proxyUgi3.getSubject());
  Assert.assertEquals(proxyUgi3, proxyUgi4);
}
 

@Test (timeout = 30000)
public void testUGIAuthMethod() throws Exception {
  final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
  final AuthenticationMethod am = AuthenticationMethod.KERBEROS;
  ugi.setAuthenticationMethod(am);
  Assert.assertEquals(am, ugi.getAuthenticationMethod());
  ugi.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() throws IOException {
      Assert.assertEquals(am, UserGroupInformation.getCurrentUser()
          .getAuthenticationMethod());
      return null;
    }
  });
}
 

/**
 * Login as the configured user for SCM.
 *
 * @param conf
 */
private void loginAsSCMUser(ConfigurationSource conf)
    throws IOException, AuthenticationException {
  if (LOG.isDebugEnabled()) {
    ScmConfig scmConfig = configuration.getObject(ScmConfig.class);
    LOG.debug("Ozone security is enabled. Attempting login for SCM user. "
            + "Principal: {}, keytab: {}",
        scmConfig.getKerberosPrincipal(),
        scmConfig.getKerberosKeytab());
  }

  Configuration hadoopConf =
      LegacyHadoopConfigurationSource.asHadoopConfiguration(conf);
  if (SecurityUtil.getAuthenticationMethod(hadoopConf).equals(
      AuthenticationMethod.KERBEROS)) {
    UserGroupInformation.setConfiguration(hadoopConf);
    InetSocketAddress socAddr = HddsServerUtil
        .getScmBlockClientBindAddress(conf);
    SecurityUtil.login(hadoopConf,
          ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_KEYTAB_FILE_KEY,
          ScmConfig.ConfigStrings.HDDS_SCM_KERBEROS_PRINCIPAL_KEY,
          socAddr.getHostName());
  } else {
    throw new AuthenticationException(SecurityUtil.getAuthenticationMethod(
        hadoopConf) + " authentication method not support. "
        + "SCM user login failed.");
  }
  LOG.info("SCM login successful.");
}
 

@Test (timeout = 30000)
public void testTestAuthMethod() throws Exception {
  UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
  // verify the reverse mappings works
  for (AuthenticationMethod am : AuthenticationMethod.values()) {
    if (am.getAuthMethod() != null) {
      ugi.setAuthenticationMethod(am.getAuthMethod());
      assertEquals(am, ugi.getAuthenticationMethod());
    }
  }
}
 

@Test
public void testShouldReturnTrueWhenDelegationTokenIsPresent() {
	UserGroupInformation.setConfiguration(getHadoopConfigWithAuthMethod(AuthenticationMethod.KERBEROS));
	UserGroupInformation userWithoutCredentialsButHavingToken = createTestUser(AuthenticationMethod.KERBEROS);
	userWithoutCredentialsButHavingToken.addToken(getHDFSDelegationToken());
	assumeFalse(userWithoutCredentialsButHavingToken.hasKerberosCredentials());

	boolean result = HadoopUtils.areKerberosCredentialsValid(userWithoutCredentialsButHavingToken, true);

	assertTrue(result);
}
 

public synchronized static Subject loginUserFromKeytab(String user, String path, String nameRules) throws IOException {
	try {
		Subject subject = new Subject();
		SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(true, user, path);
		LoginContext login = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);
		KerberosName.setRules(nameRules);
		subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));
		login.login();
		return login.getSubject();
	} catch (LoginException le) {
		throw new IOException("Login failure for " + user + " from keytab " + path, le);
	}
}
 

@Test (timeout = 30000)
public void testUGIAuthMethodInRealUser() throws Exception {
  final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
  UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(
      "proxy", ugi);
  final AuthenticationMethod am = AuthenticationMethod.KERBEROS;
  ugi.setAuthenticationMethod(am);
  Assert.assertEquals(am, ugi.getAuthenticationMethod());
  Assert.assertEquals(AuthenticationMethod.PROXY,
                      proxyUgi.getAuthenticationMethod());
  Assert.assertEquals(am, UserGroupInformation
      .getRealAuthenticationMethod(proxyUgi));
  proxyUgi.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() throws IOException {
      Assert.assertEquals(AuthenticationMethod.PROXY, UserGroupInformation
          .getCurrentUser().getAuthenticationMethod());
      Assert.assertEquals(am, UserGroupInformation.getCurrentUser()
          .getRealUser().getAuthenticationMethod());
      return null;
    }
  });
  UserGroupInformation proxyUgi2 = 
    new UserGroupInformation(proxyUgi.getSubject());
  proxyUgi2.setAuthenticationMethod(AuthenticationMethod.PROXY);
  Assert.assertEquals(proxyUgi, proxyUgi2);
  // Equality should work if authMethod is null
  UserGroupInformation realugi = UserGroupInformation.getCurrentUser();
  UserGroupInformation proxyUgi3 = UserGroupInformation.createProxyUser(
      "proxyAnother", realugi);
  UserGroupInformation proxyUgi4 = 
    new UserGroupInformation(proxyUgi3.getSubject());
  Assert.assertEquals(proxyUgi3, proxyUgi4);
}