org.apache.hadoop.security.Groups Java Examples

The following examples show how to use org.apache.hadoop.security.Groups. Each example is labelled with its source file and the project it comes from.
Example #1
Source File: TestGroupsCaching.java    From hadoop with Apache License 2.0
/**
 * Checks that a cached group lookup is dropped once the configured cache
 * lifetime has passed, so the next lookup goes back to the mapping provider.
 *
 * <p>The cache lifetime is what bounds how long an outdated membership can
 * keep being answered from the cache.
 */
@Test
public void testCacheEntriesExpire() throws Exception {
  // Cache lifetime of 1 (the key is expressed in seconds); the fake timer
  // lets the test move time forward without sleeping.
  conf.setLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_SECS, 1);
  FakeTimer fakeClock = new FakeTimer();
  final Groups groupService = new Groups(conf, fakeClock);
  groupService.cacheGroupsAdd(Arrays.asList(myGroups));
  groupService.refresh();
  FakeGroupMapping.clearBlackList();

  // Populate the cache, then note how many provider requests exist so far.
  groupService.getGroups("me");
  final int requestsBeforeExpiry = FakeGroupMapping.getRequestCount();

  // Jump far past the configured lifetime (20 * 1000, presumably
  // milliseconds - confirm against FakeTimer).
  fakeClock.advance(20 * 1000);

  // The entry is stale now, so this lookup must cost exactly one more request.
  groupService.getGroups("me");
  final int requestsAfterExpiry = FakeGroupMapping.getRequestCount();
  assertEquals(requestsBeforeExpiry + 1, requestsAfterExpiry);
}
 
Example #2
Source File: AdminService.java    From hadoop with Apache License 2.0
/**
 * Refreshes the user-to-groups mapping on behalf of an administrative caller.
 *
 * <p>The order is the access-control contract of this method: the caller is
 * checked with {@code checkAcls}, then {@code checkRMStatus} runs, and only
 * then is the mapping refreshed. The success audit record is written after
 * the refresh call returns.
 *
 * @param request the refresh request; this method does not read it
 * @return a response record created through {@code recordFactory}
 * @throws YarnException propagated from the calls made here
 * @throws IOException propagated from the calls made here
 */
@Override
public RefreshUserToGroupsMappingsResponse refreshUserToGroupsMappings(
    RefreshUserToGroupsMappingsRequest request)
    throws YarnException, IOException {
  final String operation = "refreshUserToGroupsMappings";

  // Authorization comes first: nothing below runs unless checkAcls returns.
  final UserGroupInformation caller = checkAcls(operation);

  checkRMStatus(caller.getShortUserName(), operation, "refresh user-groups.");

  // Build the configuration from a Configuration created with
  // loadDefaults=false plus the core-site file, then refresh the mapping
  // service obtained for it.
  final Configuration coreSiteConf = getConfiguration(
      new Configuration(false), YarnConfiguration.CORE_SITE_CONFIGURATION_FILE);
  final Groups mappingService =
      Groups.getUserToGroupsMappingService(coreSiteConf);
  mappingService.refresh();

  // NOTE(review): only the success path is audited in this method. Whether
  // checkAcls/checkRMStatus record denied or failed attempts is not visible
  // here - confirm, so that rejected refresh attempts also leave a trace.
  RMAuditLogger.logSuccess(caller.getShortUserName(), operation, "AdminService");

  return recordFactory.newRecordInstance(
      RefreshUserToGroupsMappingsResponse.class);
}
 
Example #3
Source File: QueuePlacementRule.java    From hadoop with Apache License 2.0
/**
 * Places the app in a per-user queue underneath the queue chosen by the
 * nested rule.
 *
 * @param requestedQueue queue named in the submission, forwarded to the nested rule
 * @param user submitting user; its cleaned form becomes the last queue component
 * @param groups group mapping service, forwarded to the nested rule
 * @param configuredQueues configured queue names keyed by queue type
 * @return the nested rule's result unchanged when it is null or empty; an
 *     empty string when the nested queue is a configured leaf queue; otherwise
 *     the nested queue (qualified with {@code root.}) followed by {@code .}
 *     and the cleaned user name
 * @throws IOException propagated from the nested rule
 */
@Override
protected String getQueueForApp(String requestedQueue, String user,
    Groups groups, Map<FSQueueType, Set<String>> configuredQueues)
    throws IOException {
  // Delegate to the nested rule first.
  final String nestedResult = nestedRule.assignAppToQueue(requestedQueue, user,
      groups, configuredQueues);

  // The nested rule assigned nothing: hand its answer back untouched.
  if (nestedResult == null || nestedResult.length() == 0) {
    return nestedResult;
  }

  final String parentQueue = nestedResult.startsWith("root.")
      ? nestedResult
      : "root." + nestedResult;

  // If the nested rule returned a configured leaf queue, return "" so the
  // placement policy moves on to its next rule.
  if (configuredQueues.get(FSQueueType.LEAF).contains(parentQueue)) {
    return "";
  }

  // NOTE(review): the user name becomes a queue-name component. cleanName is
  // not shown here - confirm it neutralises '.' so a user name cannot address
  // a different level of the queue hierarchy.
  return parentQueue + "." + cleanName(user);
}
 
Example #4
Source File: QueuePlacementRule.java    From hadoop with Apache License 2.0
/**
 * Picks the first of the user's groups, skipping the first list entry, whose
 * cleaned name matches a configured leaf or parent queue directly under root.
 *
 * @param requestedQueue not read by this rule
 * @param user user whose group list is looked up
 * @param groups group mapping service queried for the user's groups
 * @param configuredQueues configured queue names keyed by queue type
 * @return {@code root.<group>} for the first match, or an empty string when
 *     no group matches
 * @throws IOException propagated from the group lookup
 */
@Override
protected String getQueueForApp(String requestedQueue, String user,
    Groups groups, Map<FSQueueType, Set<String>> configuredQueues)
    throws IOException {
  // Placement here is only as trustworthy as the group mapping: the list is
  // used exactly as groups.getGroups(user) returns it.
  final List<String> memberships = groups.getGroups(user);

  // Index 0 is skipped on purpose - presumably the primary group; verify
  // against the ordering the mapping provider guarantees.
  for (int position = 1; position < memberships.size(); position++) {
    final String candidate = "root." + cleanName(memberships.get(position));
    final boolean isLeaf =
        configuredQueues.get(FSQueueType.LEAF).contains(candidate);
    if (isLeaf
        || configuredQueues.get(FSQueueType.PARENT).contains(candidate)) {
      return candidate;
    }
  }

  return "";
}
 
Example #5
Source File: QueuePlacementPolicy.java    From hadoop with Apache License 2.0
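/**
 * Builds a placement policy from an ordered list of rules.
 *
 * <p>The list must be non-empty, only its last rule may be terminal, and the
 * last rule must be terminal so that every app ends up assigned.
 *
 * @param rules ordered placement rules; stored by reference, not copied
 * @param configuredQueues configured queue names keyed by queue type; stored
 *     by reference
 * @param conf configuration used to create the {@code Groups} service
 * @throws AllocationConfigurationException if the list is empty, if a rule
 *     before the last one is terminal, or if the last rule is not terminal
 */
public QueuePlacementPolicy(List<QueuePlacementRule> rules,
    Map<FSQueueType, Set<String>> configuredQueues, Configuration conf)
    throws AllocationConfigurationException {
  // An empty list used to fall through to rules.get(-1) and surface as an
  // index error instead of a configuration error.
  if (rules.isEmpty()) {
    throw new AllocationConfigurationException(
        "Queue placement policy must contain at least one rule");
  }

  final int lastIndex = rules.size() - 1;
  for (int i = 0; i < lastIndex; i++) {
    // A terminal rule always assigns, so anything after it is dead config.
    if (rules.get(i).isTerminal()) {
      throw new AllocationConfigurationException("Rules after rule "
          + i + " in queue placement policy can never be reached");
    }
  }
  if (!rules.get(lastIndex).isTerminal()) {
    throw new AllocationConfigurationException(
        "Could get past last queue placement rule without assigning");
  }
  this.rules = rules;
  this.configuredQueues = configuredQueues;
  groups = new Groups(conf);
}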
 
Example #6
Source File: TestHsWebServicesAcls.java    From hadoop with Apache License 2.0
/**
 * Prepares a history-server web service with MR ACLs enabled and records the
 * ids of one job, one of its tasks and one of that task's attempts.
 *
 * @throws IOException propagated from the set-up calls
 */
@Before
public void setup() throws IOException {
  final String groupMappingClass = NullGroupsProvider.class.getName();

  conf = new JobConf();
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      groupMappingClass);
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);

  // Called for its side effect only (the result is discarded); presumably it
  // initialises the shared Groups service from this configuration so the ACL
  // checks resolve groups through NullGroupsProvider - verify.
  Groups.getUserToGroupsMappingService(conf);

  ctx = buildHistoryContext(conf);
  final WebApp mockedApp = mock(HsWebApp.class);
  when(mockedApp.name()).thenReturn("hsmockwebapp");
  hsWebServices = new HsWebServices(ctx, conf, mockedApp);
  hsWebServices.setResponse(mock(HttpServletResponse.class));

  // Take the first job, task and attempt the context offers.
  final Job firstJob = ctx.getAllJobs().values().iterator().next();
  jobIdStr = firstJob.getID().toString();
  final Task firstTask = firstJob.getTasks().values().iterator().next();
  taskIdStr = firstTask.getID().toString();
  taskAttemptIdStr =
      firstTask.getAttempts().keySet().iterator().next().toString();
}
 
Example #7
Source File: TestGroupsCaching.java    From hadoop with Apache License 2.0
/**
 * Checks that a repeated group lookup for the same user is answered from the
 * cache and does not reach the mapping provider a second time.
 */
@Test
public void testCachePreventsImplRequest() throws Exception {
  // Negative caching is switched off for this test.
  conf.setLong(
      CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_NEGATIVE_CACHE_SECS, 0);
  final Groups groupService = new Groups(conf);
  groupService.cacheGroupsAdd(Arrays.asList(myGroups));
  groupService.refresh();
  FakeGroupMapping.clearBlackList();

  // No provider request has been made yet.
  assertEquals(0, FakeGroupMapping.getRequestCount());

  // The first lookup reaches the provider.
  final int firstLookupSize = groupService.getGroups("me").size();
  assertTrue(firstLookupSize == 2);
  assertEquals(1, FakeGroupMapping.getRequestCount());

  // The second lookup is served from the cache: the request count stays at 1.
  final int secondLookupSize = groupService.getGroups("me").size();
  assertTrue(secondLookupSize == 2);
  assertEquals(1, FakeGroupMapping.getRequestCount());
}
 
Example #8
Source File: TestAccessControlList.java    From hadoop with Apache License 2.0
/**
 * Validate the netgroups, both group membership and ACL
 * functionality
 *
 * Note: assumes a specific acl setup done by testNetgroups
 *
 * @param groups group to user mapping service
 * @param acl ACL set up in a specific way, see testNetgroups
 */
private void validateNetgroups(Groups groups,
  AccessControlList acl) throws Exception {

  // Membership: the mapping service must report the expected netgroups.
  final List<String> groupsOfElvis = groups.getGroups("elvis");
  assertTrue(groupsOfElvis.contains("@lasVegas"));
  assertTrue(groupsOfElvis.contains("@memphis"));
  final List<String> groupsOfJerryLee = groups.getGroups("jerryLeeLewis");
  assertTrue(groupsOfJerryLee.contains("@memphis"));

  // Allowed because one of his netgroups is in the ACL.
  assertUserAllowed(UserGroupInformation.createRemoteUser("elvis"), acl);

  // Allowed because the user himself is in the ACL.
  assertUserAllowed(UserGroupInformation.createRemoteUser("carlPerkins"), acl);

  // Denied: the user is not in the ACL and has no netgroups. This negative
  // case is what shows the ACL does not simply admit everyone.
  assertUserNotAllowed(
      UserGroupInformation.createRemoteUser("littleRichard"), acl);
}
 
Example #9
Source File: QueuePlacementPolicy.java    From big-c with Apache License 2.0
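/**
 * Builds a placement policy from an ordered list of rules.
 *
 * <p>The list must be non-empty, only its last rule may be terminal, and the
 * last rule must be terminal so that every app ends up assigned.
 *
 * @param rules ordered placement rules; stored by reference, not copied
 * @param configuredQueues configured queue names keyed by queue type; stored
 *     by reference
 * @param conf configuration used to create the {@code Groups} service
 * @throws AllocationConfigurationException if the list is empty, if a rule
 *     before the last one is terminal, or if the last rule is not terminal
 */
public QueuePlacementPolicy(List<QueuePlacementRule> rules,
    Map<FSQueueType, Set<String>> configuredQueues, Configuration conf)
    throws AllocationConfigurationException {
  // An empty list used to fall through to rules.get(-1) and surface as an
  // index error instead of a configuration error.
  if (rules.isEmpty()) {
    throw new AllocationConfigurationException(
        "Queue placement policy must contain at least one rule");
  }

  final int lastIndex = rules.size() - 1;
  for (int i = 0; i < lastIndex; i++) {
    // A terminal rule always assigns, so anything after it is dead config.
    if (rules.get(i).isTerminal()) {
      throw new AllocationConfigurationException("Rules after rule "
          + i + " in queue placement policy can never be reached");
    }
  }
  if (!rules.get(lastIndex).isTerminal()) {
    throw new AllocationConfigurationException(
        "Could get past last queue placement rule without assigning");
  }
  this.rules = rules;
  this.configuredQueues = configuredQueues;
  groups = new Groups(conf);
}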
 
Example #10
Source File: QueuePlacementRule.java    From big-c with Apache License 2.0
/**
 * Picks the first of the user's groups, skipping the first list entry, whose
 * cleaned name matches a configured leaf or parent queue directly under root.
 *
 * @param requestedQueue not read by this rule
 * @param user user whose group list is looked up
 * @param groups group mapping service queried for the user's groups
 * @param configuredQueues configured queue names keyed by queue type
 * @return {@code root.<group>} for the first match, or an empty string when
 *     no group matches
 * @throws IOException propagated from the group lookup
 */
@Override
protected String getQueueForApp(String requestedQueue, String user,
    Groups groups, Map<FSQueueType, Set<String>> configuredQueues)
    throws IOException {
  // Placement here is only as trustworthy as the group mapping: the list is
  // used exactly as groups.getGroups(user) returns it.
  final List<String> memberships = groups.getGroups(user);

  // Index 0 is skipped on purpose - presumably the primary group; verify
  // against the ordering the mapping provider guarantees.
  for (int position = 1; position < memberships.size(); position++) {
    final String candidate = "root." + cleanName(memberships.get(position));
    final boolean isLeaf =
        configuredQueues.get(FSQueueType.LEAF).contains(candidate);
    if (isLeaf
        || configuredQueues.get(FSQueueType.PARENT).contains(candidate)) {
      return candidate;
    }
  }

  return "";
}
 
Example #11
Source File: QueuePlacementRule.java    From big-c with Apache License 2.0
/**
 * Places the app in a per-user queue underneath the queue chosen by the
 * nested rule.
 *
 * @param requestedQueue queue named in the submission, forwarded to the nested rule
 * @param user submitting user; its cleaned form becomes the last queue component
 * @param groups group mapping service, forwarded to the nested rule
 * @param configuredQueues configured queue names keyed by queue type
 * @return the nested rule's result unchanged when it is null or empty; an
 *     empty string when the nested queue is a configured leaf queue; otherwise
 *     the nested queue (qualified with {@code root.}) followed by {@code .}
 *     and the cleaned user name
 * @throws IOException propagated from the nested rule
 */
@Override
protected String getQueueForApp(String requestedQueue, String user,
    Groups groups, Map<FSQueueType, Set<String>> configuredQueues)
    throws IOException {
  // Delegate to the nested rule first.
  final String nestedResult = nestedRule.assignAppToQueue(requestedQueue, user,
      groups, configuredQueues);

  // The nested rule assigned nothing: hand its answer back untouched.
  if (nestedResult == null || nestedResult.length() == 0) {
    return nestedResult;
  }

  final String parentQueue = nestedResult.startsWith("root.")
      ? nestedResult
      : "root." + nestedResult;

  // If the nested rule returned a configured leaf queue, return "" so the
  // placement policy moves on to its next rule.
  if (configuredQueues.get(FSQueueType.LEAF).contains(parentQueue)) {
    return "";
  }

  // NOTE(review): the user name becomes a queue-name component. cleanName is
  // not shown here - confirm it neutralises '.' so a user name cannot address
  // a different level of the queue hierarchy.
  return parentQueue + "." + cleanName(user);
}
 
Example #12
Source File: AdminService.java    From big-c with Apache License 2.0
/**
 * Refreshes the user-to-groups mapping on behalf of an administrative caller.
 *
 * <p>The order is the access-control contract of this method: the caller is
 * checked with {@code checkAcls}, then {@code checkRMStatus} runs, and only
 * then is the mapping refreshed. The success audit record is written after
 * the refresh call returns.
 *
 * @param request the refresh request; this method does not read it
 * @return a response record created through {@code recordFactory}
 * @throws YarnException propagated from the calls made here
 * @throws IOException propagated from the calls made here
 */
@Override
public RefreshUserToGroupsMappingsResponse refreshUserToGroupsMappings(
    RefreshUserToGroupsMappingsRequest request)
    throws YarnException, IOException {
  final String operation = "refreshUserToGroupsMappings";

  // Authorization comes first: nothing below runs unless checkAcls returns.
  final UserGroupInformation caller = checkAcls(operation);

  checkRMStatus(caller.getShortUserName(), operation, "refresh user-groups.");

  // Build the configuration from a Configuration created with
  // loadDefaults=false plus the core-site file, then refresh the mapping
  // service obtained for it.
  final Configuration coreSiteConf = getConfiguration(
      new Configuration(false), YarnConfiguration.CORE_SITE_CONFIGURATION_FILE);
  final Groups mappingService =
      Groups.getUserToGroupsMappingService(coreSiteConf);
  mappingService.refresh();

  // NOTE(review): only the success path is audited in this method. Whether
  // checkAcls/checkRMStatus record denied or failed attempts is not visible
  // here - confirm, so that rejected refresh attempts also leave a trace.
  RMAuditLogger.logSuccess(caller.getShortUserName(), operation, "AdminService");

  return recordFactory.newRecordInstance(
      RefreshUserToGroupsMappingsResponse.class);
}
 
Example #13
Source File: TestHsWebServicesAcls.java    From big-c with Apache License 2.0
/**
 * Prepares a history-server web service with MR ACLs enabled and records the
 * ids of one job, one of its tasks and one of that task's attempts.
 *
 * @throws IOException propagated from the set-up calls
 */
@Before
public void setup() throws IOException {
  final String groupMappingClass = NullGroupsProvider.class.getName();

  conf = new JobConf();
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      groupMappingClass);
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);

  // Called for its side effect only (the result is discarded); presumably it
  // initialises the shared Groups service from this configuration so the ACL
  // checks resolve groups through NullGroupsProvider - verify.
  Groups.getUserToGroupsMappingService(conf);

  ctx = buildHistoryContext(conf);
  final WebApp mockedApp = mock(HsWebApp.class);
  when(mockedApp.name()).thenReturn("hsmockwebapp");
  hsWebServices = new HsWebServices(ctx, conf, mockedApp);
  hsWebServices.setResponse(mock(HttpServletResponse.class));

  // Take the first job, task and attempt the context offers.
  final Job firstJob = ctx.getAllJobs().values().iterator().next();
  jobIdStr = firstJob.getID().toString();
  final Task firstTask = firstJob.getTasks().values().iterator().next();
  taskIdStr = firstTask.getID().toString();
  taskAttemptIdStr =
      firstTask.getAttempts().keySet().iterator().next().toString();
}
 
Example #14
Source File: TestGroupsCaching.java    From big-c with Apache License 2.0
/**
 * Checks that a repeated group lookup for the same user is answered from the
 * cache and does not reach the mapping provider a second time.
 */
@Test
public void testCachePreventsImplRequest() throws Exception {
  // Negative caching is switched off for this test.
  conf.setLong(
      CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_NEGATIVE_CACHE_SECS, 0);
  final Groups groupService = new Groups(conf);
  groupService.cacheGroupsAdd(Arrays.asList(myGroups));
  groupService.refresh();
  FakeGroupMapping.clearBlackList();

  // No provider request has been made yet.
  assertEquals(0, FakeGroupMapping.getRequestCount());

  // The first lookup reaches the provider.
  final int firstLookupSize = groupService.getGroups("me").size();
  assertTrue(firstLookupSize == 2);
  assertEquals(1, FakeGroupMapping.getRequestCount());

  // The second lookup is served from the cache: the request count stays at 1.
  final int secondLookupSize = groupService.getGroups("me").size();
  assertTrue(secondLookupSize == 2);
  assertEquals(1, FakeGroupMapping.getRequestCount());
}
 
Example #15
Source File: TestGroupsCaching.java    From big-c with Apache License 2.0
/**
 * Checks that a cached group lookup is dropped once the configured cache
 * lifetime has passed, so the next lookup goes back to the mapping provider.
 *
 * <p>The cache lifetime is what bounds how long an outdated membership can
 * keep being answered from the cache.
 */
@Test
public void testCacheEntriesExpire() throws Exception {
  // Cache lifetime of 1 (the key is expressed in seconds); the fake timer
  // lets the test move time forward without sleeping.
  conf.setLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_CACHE_SECS, 1);
  FakeTimer fakeClock = new FakeTimer();
  final Groups groupService = new Groups(conf, fakeClock);
  groupService.cacheGroupsAdd(Arrays.asList(myGroups));
  groupService.refresh();
  FakeGroupMapping.clearBlackList();

  // Populate the cache, then note how many provider requests exist so far.
  groupService.getGroups("me");
  final int requestsBeforeExpiry = FakeGroupMapping.getRequestCount();

  // Jump far past the configured lifetime (20 * 1000, presumably
  // milliseconds - confirm against FakeTimer).
  fakeClock.advance(20 * 1000);

  // The entry is stale now, so this lookup must cost exactly one more request.
  groupService.getGroups("me");
  final int requestsAfterExpiry = FakeGroupMapping.getRequestCount();
  assertEquals(requestsBeforeExpiry + 1, requestsAfterExpiry);
}
 
Example #16
Source File: TestAccessControlList.java    From big-c with Apache License 2.0
/**
 * Validate the netgroups, both group membership and ACL
 * functionality
 *
 * Note: assumes a specific acl setup done by testNetgroups
 *
 * @param groups group to user mapping service
 * @param acl ACL set up in a specific way, see testNetgroups
 */
private void validateNetgroups(Groups groups,
  AccessControlList acl) throws Exception {

  // Membership: the mapping service must report the expected netgroups.
  final List<String> groupsOfElvis = groups.getGroups("elvis");
  assertTrue(groupsOfElvis.contains("@lasVegas"));
  assertTrue(groupsOfElvis.contains("@memphis"));
  final List<String> groupsOfJerryLee = groups.getGroups("jerryLeeLewis");
  assertTrue(groupsOfJerryLee.contains("@memphis"));

  // Allowed because one of his netgroups is in the ACL.
  assertUserAllowed(UserGroupInformation.createRemoteUser("elvis"), acl);

  // Allowed because the user himself is in the ACL.
  assertUserAllowed(UserGroupInformation.createRemoteUser("carlPerkins"), acl);

  // Denied: the user is not in the ACL and has no netgroups. This negative
  // case is what shows the ACL does not simply admit everyone.
  assertUserNotAllowed(
      UserGroupInformation.createRemoteUser("littleRichard"), acl);
}
 
Example #17
Source File: MiniDFS.java    From incubator-sentry with Apache License 2.0
/**
 * Starts a two-datanode MiniDFSCluster for the end-to-end tests and creates
 * the policy and base directories on it.
 *
 * <p>The settings applied here (a pseudo group mapping and, for the internal
 * metastore case, a umask of {@code 000}) are test conveniences and are
 * deliberately permissive.
 *
 * @param baseDir local directory under which the {@code dfs} directory is created
 * @param serverType server type name; compared case-insensitively with
 *     {@code HiveServer2Type.InternalMetastore}
 * @throws Exception propagated from directory creation or cluster start-up
 */
MiniDFS(File baseDir, String serverType) throws Exception {
  Configuration conf = new Configuration();
  if (HiveServer2Type.InternalMetastore.name().equalsIgnoreCase(serverType)) {
    // Use the test group mapping, which maps a user to a group of the same
    // name. It is set here, before the Groups call below reads the
    // configuration.
    conf.set("hadoop.security.group.mapping",
        "org.apache.sentry.tests.e2e.hive.fs.MiniDFS$PseudoGroupMappingService");
    // Umask 000 masks off no permission bits, so the metastore test client
    // can create tables in the warehouse dir. New files and directories keep
    // whatever mode the creator asks for, which is acceptable only on this
    // throwaway test cluster.
    conf.set("fs.permissions.umask-mode", "000");
    // Called for its side effect; the returned service is not used here.
    Groups.getUserToGroupsMappingServiceWithLoadedConfiguration(conf);
  }
  File dfsDir = assertCreateDir(new File(baseDir, "dfs"));
  conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath());
  // The pseudo group mapping is applied for every server type, not only the
  // internal-metastore case above.
  conf.set("hadoop.security.group.mapping",
      MiniDFS.PseudoGroupMappingService.class.getName());
  // Static call: registers test.xml as a default resource for Configuration
  // in general, not just for this conf instance.
  Configuration.addDefaultResource("test.xml");
  dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build();
  fileSystem = dfsCluster.getFileSystem();
  // The policy location can be overridden with a system property; the value
  // is appended to the filesystem URI as given.
  String policyDir = System.getProperty("sentry.e2etest.hive.policy.location", "/user/hive/sentry");
  sentryDir = super.assertCreateDfsDir(new Path(fileSystem.getUri() + policyDir));
  dfsBaseDir = assertCreateDfsDir(new Path(new Path(fileSystem.getUri()), "/base"));
}
 
Example #18
Source File: TestHttpServer.java    From hadoop with Apache License 2.0
/**
 * Verify the administrator access for /logs, /stacks, /conf, /logLevel and
 * /metrics servlets.
 * 
 * @throws Exception
 */
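@Test
public void testAuthorizationOfDefaultServlets() throws Exception {
  Configuration conf = new Configuration();
  // Both switches are on: service authorization, and the requirement that
  // the instrumentation servlets are reserved for administrators.
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
      true);
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN,
      true);
  conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY,
      DummyFilterInitializer.class.getName());

  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MyGroupsProvider.class.getName());
  // Called for its side effect; the returned service is not used here.
  Groups.getUserToGroupsMappingService(conf);
  MyGroupsProvider.clearMapping();
  MyGroupsProvider.mapping.put("userA", Arrays.asList("groupA"));
  MyGroupsProvider.mapping.put("userB", Arrays.asList("groupB"));
  MyGroupsProvider.mapping.put("userC", Arrays.asList("groupC"));
  MyGroupsProvider.mapping.put("userD", Arrays.asList("groupD"));
  MyGroupsProvider.mapping.put("userE", Arrays.asList("groupE"));

  // ACL string: user names before the space, group names after it. userA and
  // userB are admitted by name, userC and userD through groupC and groupD,
  // and userE by neither.
  HttpServer2 myServer = new HttpServer2.Builder().setName("test")
      .addEndpoint(new URI("http://localhost:0")).setFindPort(true).setConf(conf)
      .setACL(new AccessControlList("userA,userB groupC,groupD")).build();
  myServer.setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE, conf);
  myServer.start();

  // Stop the server even when an assertion fails, so a failing run does not
  // leave a listener behind for the tests that follow.
  try {
    String serverURL = "http://"
        + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
    for (String servlet : new String[] { "conf", "logs", "stacks",
        "logLevel", "metrics" }) {
      for (String user : new String[] { "userA", "userB", "userC", "userD" }) {
        assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
            + servlet, user));
      }
      // The negative case: a user outside the ACL must be refused on every
      // one of the administrative servlets.
      assertEquals(HttpURLConnection.HTTP_FORBIDDEN, getHttpStatusCode(
          serverURL + servlet, "userE"));
    }
  } finally {
    myServer.stop();
  }
}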
 
Example #19
Source File: TestHttpServer.java    From hbase with Apache License 2.0
/**
 * Verify the administrator access for /logs, /stacks, /conf, /logLevel and
 * /metrics servlets.
 */
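@Test
// NOTE(review): while this test is @Ignore'd, the authorization behaviour it
// describes has no regression coverage from it.
@Ignore
public void testAuthorizationOfDefaultServlets() throws Exception {
  Configuration conf = new Configuration();
  // Both switches are on: service authorization, and the requirement that
  // the instrumentation servlets are reserved for administrators.
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
      true);
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN,
      true);
  conf.set(HttpServer.FILTER_INITIALIZERS_PROPERTY,
      DummyFilterInitializer.class.getName());

  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MyGroupsProvider.class.getName());
  // Called for its side effect; the returned service is not used here.
  Groups.getUserToGroupsMappingService(conf);
  MyGroupsProvider.clearMapping();
  MyGroupsProvider.mapping.put("userA", Collections.singletonList("groupA"));
  MyGroupsProvider.mapping.put("userB", Collections.singletonList("groupB"));
  MyGroupsProvider.mapping.put("userC", Collections.singletonList("groupC"));
  MyGroupsProvider.mapping.put("userD", Collections.singletonList("groupD"));
  MyGroupsProvider.mapping.put("userE", Collections.singletonList("groupE"));

  // ACL string: user names before the space, group names after it. userA and
  // userB are admitted by name, userC and userD through groupC and groupD,
  // and userE by neither.
  HttpServer myServer = new HttpServer.Builder().setName("test")
      .addEndpoint(new URI("http://localhost:0")).setFindPort(true).setConf(conf)
      .setACL(new AccessControlList("userA,userB groupC,groupD")).build();
  myServer.setAttribute(HttpServer.CONF_CONTEXT_ATTRIBUTE, conf);
  myServer.start();

  // Stop the server even when an assertion fails, so a failing run does not
  // leave a listener behind for the tests that follow.
  try {
    String serverURL = "http://"
        + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
    for (String servlet : new String[] { "conf", "logs", "stacks", "logLevel", "metrics" }) {
      for (String user : new String[] { "userA", "userB", "userC", "userD" }) {
        assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
            + servlet, user));
      }
      // The negative case: a user outside the ACL must be refused on every
      // one of the administrative servlets.
      assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, getHttpStatusCode(
          serverURL + servlet, "userE"));
    }
  } finally {
    myServer.stop();
  }
}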
 
Example #20
Source File: AccessChecker.java    From hbase with Apache License 2.0
/**
 * Selects the group service used by this checker on first use; does nothing
 * once {@code groupService} has been set.
 *
 * <p>No locking is visible in this method. NOTE(review): confirm that callers
 * serialise the first initialisation.
 *
 * @param conf configuration consulted for the testing-groups flag and handed
 *     to {@code Groups} otherwise
 */
private void initGroupService(Configuration conf) {
  if (groupService != null) {
    return;
  }

  final boolean useTestingGroups =
      conf.getBoolean(User.TestingGroups.TEST_CONF, false);
  if (!useTestingGroups) {
    // Normal path: the mapping service configured for Hadoop.
    groupService = Groups.getUserToGroupsMappingService(conf);
    return;
  }

  // NOTE(review): a configuration flag swaps the group source that access
  // checks rely on for User.TestingGroups. The flag defaults to false here;
  // confirm it cannot be set in a production configuration.
  UserProvider.setGroups(new User.TestingGroups(UserProvider.getGroups()));
  groupService = UserProvider.getGroups();
}
 
Example #21
Source File: TestHttpServer.java    From big-c with Apache License 2.0
/**
 * Verify the administrator access for /logs, /stacks, /conf, /logLevel and
 * /metrics servlets.
 * 
 * @throws Exception
 */
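@Test
public void testAuthorizationOfDefaultServlets() throws Exception {
  Configuration conf = new Configuration();
  // Both switches are on: service authorization, and the requirement that
  // the instrumentation servlets are reserved for administrators.
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
      true);
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN,
      true);
  conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY,
      DummyFilterInitializer.class.getName());

  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MyGroupsProvider.class.getName());
  // Called for its side effect; the returned service is not used here.
  Groups.getUserToGroupsMappingService(conf);
  MyGroupsProvider.clearMapping();
  MyGroupsProvider.mapping.put("userA", Arrays.asList("groupA"));
  MyGroupsProvider.mapping.put("userB", Arrays.asList("groupB"));
  MyGroupsProvider.mapping.put("userC", Arrays.asList("groupC"));
  MyGroupsProvider.mapping.put("userD", Arrays.asList("groupD"));
  MyGroupsProvider.mapping.put("userE", Arrays.asList("groupE"));

  // ACL string: user names before the space, group names after it. userA and
  // userB are admitted by name, userC and userD through groupC and groupD,
  // and userE by neither.
  HttpServer2 myServer = new HttpServer2.Builder().setName("test")
      .addEndpoint(new URI("http://localhost:0")).setFindPort(true).setConf(conf)
      .setACL(new AccessControlList("userA,userB groupC,groupD")).build();
  myServer.setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE, conf);
  myServer.start();

  // Stop the server even when an assertion fails, so a failing run does not
  // leave a listener behind for the tests that follow.
  try {
    String serverURL = "http://"
        + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
    for (String servlet : new String[] { "conf", "logs", "stacks",
        "logLevel", "metrics" }) {
      for (String user : new String[] { "userA", "userB", "userC", "userD" }) {
        assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
            + servlet, user));
      }
      // The negative case: a user outside the ACL must be refused on every
      // one of the administrative servlets.
      assertEquals(HttpURLConnection.HTTP_FORBIDDEN, getHttpStatusCode(
          serverURL + servlet, "userE"));
    }
  } finally {
    myServer.stop();
  }
}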
 
Example #22
Source File: TestHttpServer.java    From big-c with Apache License 2.0
/**
 * Verify the access for /logs, /stacks, /conf, /logLevel and /metrics
 * servlets, when authentication filters are set, but authorization is not
 * enabled.
 * @throws Exception 
 */
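@Test
public void testDisabledAuthorizationOfDefaultServlets() throws Exception {

  Configuration conf = new Configuration();

  // Authorization is disabled by default: HADOOP_SECURITY_AUTHORIZATION is
  // never set in this test, only the filter initializer and group mapping.
  conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY,
      DummyFilterInitializer.class.getName());
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MyGroupsProvider.class.getName());
  // Called for its side effect; the returned service is not used here.
  Groups.getUserToGroupsMappingService(conf);
  MyGroupsProvider.clearMapping();
  MyGroupsProvider.mapping.put("userA", Arrays.asList("groupA"));
  MyGroupsProvider.mapping.put("userB", Arrays.asList("groupB"));

  // No ACL is given to the builder in this test.
  HttpServer2 myServer = new HttpServer2.Builder().setName("test")
      .addEndpoint(new URI("http://localhost:0")).setFindPort(true).build();
  myServer.setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE, conf);
  myServer.start();

  // Stop the server even when an assertion fails, so a failing run does not
  // leave a listener behind for the tests that follow.
  try {
    String serverURL = "http://" + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
    // With authorization off, every user tried here can read the
    // configuration, log, stack, log-level and metrics servlets. That default
    // is worth knowing when hardening a deployment.
    for (String servlet : new String[] { "conf", "logs", "stacks",
        "logLevel", "metrics" }) {
      for (String user : new String[] { "userA", "userB" }) {
        assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
            + servlet, user));
      }
    }
  } finally {
    myServer.stop();
  }
}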
 
Example #23
Source File: QueuePlacementRule.java    From hadoop with Apache License 2.0
/**
 * Honours the queue named in the submission.
 *
 * @param requestedQueue queue named in the submission
 * @param user not read by this rule
 * @param groups not read by this rule
 * @param configuredQueues not read by this rule
 * @return an empty string when the requested queue equals
 *     {@code YarnConfiguration.DEFAULT_QUEUE_NAME}; otherwise the requested
 *     queue, prefixed with {@code root.} if it lacks that prefix
 */
@Override
protected String getQueueForApp(String requestedQueue, String user,
    Groups groups, Map<FSQueueType, Set<String>> configuredQueues) {
  final boolean isDefaultQueue =
      requestedQueue.equals(YarnConfiguration.DEFAULT_QUEUE_NAME);
  if (isDefaultQueue) {
    return "";
  }

  // NOTE(review): the requested name is returned after a prefix check only.
  // This method does not verify that the queue exists or that the user may
  // submit to it - presumably that is enforced elsewhere; confirm.
  return requestedQueue.startsWith("root.")
      ? requestedQueue
      : "root." + requestedQueue;
}
 
Example #24
Source File: QueuePlacementRule.java    From big-c with Apache License 2.0
/**
 * Honours the queue named in the submission.
 *
 * @param requestedQueue queue named in the submission
 * @param user not read by this rule
 * @param groups not read by this rule
 * @param configuredQueues not read by this rule
 * @return an empty string when the requested queue equals
 *     {@code YarnConfiguration.DEFAULT_QUEUE_NAME}; otherwise the requested
 *     queue, prefixed with {@code root.} if it lacks that prefix
 */
@Override
protected String getQueueForApp(String requestedQueue, String user,
    Groups groups, Map<FSQueueType, Set<String>> configuredQueues) {
  final boolean isDefaultQueue =
      requestedQueue.equals(YarnConfiguration.DEFAULT_QUEUE_NAME);
  if (isDefaultQueue) {
    return "";
  }

  // NOTE(review): the requested name is returned after a prefix check only.
  // This method does not verify that the queue exists or that the user may
  // submit to it - presumably that is enforced elsewhere; confirm.
  return requestedQueue.startsWith("root.")
      ? requestedQueue
      : "root." + requestedQueue;
}
 
Example #25
Source File: TestGroupsCaching.java    From big-c with Apache License 2.0
/**
 * Checks that users listed in the static override setting get their groups
 * from that setting and that the configured mapping provider is never
 * invoked for them.
 */
@Test
public void testGroupLookupForStaticUsers() throws Exception {
  conf.setClass(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      FakeunPrivilegedGroupMapping.class, ShellBasedUnixGroupsMapping.class);
  // Static overrides: "me" has no groups, user1 has one, user2 has two.
  conf.set(CommonConfigurationKeys.HADOOP_USER_GROUP_STATIC_OVERRIDES, "me=;user1=group1;user2=group1,group2");
  Groups groupService = new Groups(conf);

  // A static user with an empty override resolves to no groups at all.
  List<String> resolved = groupService.getGroups("me");
  assertTrue("non-empty groups for static user", resolved.isEmpty());
  assertFalse("group lookup done for static user",
      FakeunPrivilegedGroupMapping.invoked);

  List<String> expectedGroups = new ArrayList<String>();
  expectedGroups.add("group1");

  // Reset the provider flag before each lookup so a stale value cannot hide
  // a provider call.
  FakeunPrivilegedGroupMapping.invoked = false;
  resolved = groupService.getGroups("user1");
  assertTrue("groups not correct", expectedGroups.equals(resolved));
  assertFalse("group lookup done for unprivileged user",
      FakeunPrivilegedGroupMapping.invoked);

  expectedGroups.add("group2");
  FakeunPrivilegedGroupMapping.invoked = false;
  resolved = groupService.getGroups("user2");
  assertTrue("groups not correct", expectedGroups.equals(resolved));
  assertFalse("group lookup done for unprivileged user",
      FakeunPrivilegedGroupMapping.invoked);

}
 
Example #26
Source File: TestGroupsCaching.java    From big-c with Apache License 2.0
/**
 * Checks that successful lookups are cached and that, with the negative
 * cache disabled, a failed lookup is not remembered.
 */
@Test
public void testGroupsCaching() throws Exception {
  // Disable negative cache.
  conf.setLong(
      CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_NEGATIVE_CACHE_SECS, 0);
  Groups groups = new Groups(conf);
  groups.cacheGroupsAdd(Arrays.asList(myGroups));
  groups.refresh();
  FakeGroupMapping.clearBlackList();
  // Make the fake provider refuse lookups for user1.
  FakeGroupMapping.addToBlackList("user1");

  // Regular entry: this lookup populates the cache for "me".
  assertTrue(groups.getGroups("me").size() == 2);

  // This must be served from the cache, so block-listing "me" in the
  // provider afterwards should have no effect on the result.
  FakeGroupMapping.addToBlackList("me");
  assertTrue(groups.getGroups("me").size() == 2);

  // Ask for a negative entry: the lookup for user1 is expected to throw.
  try {
    // Reaching the log call means getGroups returned instead of throwing.
    LOG.error("We are not supposed to get here." + groups.getGroups("user1").toString());
    fail();
  } catch (IOException ioe) {
    // Only the "No groups found" failure is the expected one.
    if(!ioe.getMessage().startsWith("No groups found")) {
      LOG.error("Got unexpected exception: " + ioe.getMessage());
      fail();
    }
  }

  // The failure shouldn't have been cached: remove user1 from the block list
  // and retry; the lookup must now succeed.
  FakeGroupMapping.clearBlackList();
  assertTrue(groups.getGroups("user1").size() == 2);
}
 
Example #27
Source File: NNThroughputBenchmark.java    From big-c with Apache License 2.0
/**
 * Applies one log level to the NameNode logs and to the loggers of
 * {@code NetworkTopology} and {@code Groups}.
 *
 * @param logLevel level to apply; also written to the log at fatal level
 */
static void setNameNodeLoggingLevel(Level logLevel) {
  LOG.fatal("Log level = " + logLevel.toString());

  // NameNode loggers first, then the two individually named classes.
  DFSTestUtil.setNameNodeLogLevel(logLevel);

  // NOTE(review): the Groups logger reports group-lookup activity, so a
  // restrictive level here also hides those messages; this is a benchmark
  // setting, not one to copy into a running cluster.
  for (Class<?> target : new Class<?>[] { NetworkTopology.class, Groups.class }) {
    GenericTestUtils.setLogLevel(
        LogManager.getLogger(target.getName()), logLevel);
  }
}
 
Example #28
Source File: TestHSAdminServer.java    From big-c with Apache License 2.0
/**
 * Starts an HSAdminServer backed by mocks and a mock group mapping, then
 * creates an admin client pointed at the address the server listens on.
 *
 * @throws HadoopIllegalArgumentException propagated from the set-up calls
 * @throws IOException propagated from the set-up calls
 */
@Before
public void init() throws HadoopIllegalArgumentException, IOException {
  conf = new JobConf();
  // Wildcard address with port 0; the real listener address is written back
  // into conf after the server has started (see below). Binding to every
  // interface is a test convenience.
  conf.set(JHAdminConfig.JHS_ADMIN_ADDRESS, "0.0.0.0:0");
  // Resolve groups through the mock mapping instead of the host's accounts.
  conf.setClass("hadoop.security.group.mapping", MockUnixGroupsMapping.class,
      GroupMappingServiceProvider.class);
  conf.setLong("hadoop.security.groups.cache.secs", groupRefreshTimeoutSec);
  // Authorization is switched by the securityEnabled field of the test.
  conf.setBoolean(
        CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION,
        securityEnabled);
  // Called for its side effect; the returned service is not used here.
  Groups.getUserToGroupsMappingService(conf);
  jobHistoryService = mock(JobHistory.class);
  alds = mock(AggregatedLogDeletionService.class);

  // Override createConf so the server works with this test's conf object.
  hsAdminServer = new HSAdminServer(alds, jobHistoryService) {

    @Override
    protected Configuration createConf() {
      return conf;
    }
  };
  hsAdminServer.init(conf);
  hsAdminServer.start();
  // Replace the wildcard address with the address the RPC server reports.
  conf.setSocketAddr(JHAdminConfig.JHS_ADMIN_ADDRESS,
      hsAdminServer.clientRpcServer.getListenerAddress());
  hsAdminClient = new HSAdmin(conf);
}
 
Example #29
Source File: TestHSAdminServer.java    From big-c with Apache License 2.0
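/**
 * Checks that group lookups are served from the cache until the
 * {@code -refreshUserToGroupsMappings} admin command is run, and that the
 * lookup after the command returns different groups.
 *
 * <p>Until the refresh is run, a changed membership is not visible to
 * callers of {@code getGroups}.
 */
@Test
public void testRefreshUserToGroupsMappings() throws Exception {

  String[] args = new String[] { "-refreshUserToGroupsMappings" };
  Groups groups = Groups.getUserToGroupsMappingService(conf);
  String user = UserGroupInformation.getCurrentUser().getUserName();
  System.out.println("first attempt:");
  List<String> g1 = groups.getGroups(user);
  // Each list is converted into its own array. Reusing one array sized for
  // g1 would print stale or null-padded content when the sizes differ.
  System.out.println(Arrays.toString(g1.toArray(new String[0])));

  // Now groups of this user has changed but getGroups returns from the
  // cache, so we would see same groups as before
  System.out.println("second attempt, should be same:");
  List<String> g2 = groups.getGroups(user);
  System.out.println(Arrays.toString(g2.toArray(new String[0])));
  // A size mismatch is reported as an assertion failure rather than as an
  // index error from g1.get(i).
  assertEquals("Should be same number of groups ", g1.size(), g2.size());
  for (int i = 0; i < g2.size(); i++) {
    assertEquals("Should be same group ", g1.get(i), g2.get(i));
  }
  // run the command, which clears the cache
  hsAdminClient.run(args);
  System.out
      .println("third attempt(after refresh command), should be different:");
  // Now get groups should return new groups
  List<String> g3 = groups.getGroups(user);
  System.out.println(Arrays.toString(g3.toArray(new String[0])));
  // Compare only positions present in both lists so that a longer refreshed
  // list cannot index past the end of g1.
  final int comparable = Math.min(g1.size(), g3.size());
  for (int i = 0; i < comparable; i++) {
    assertFalse(
        "Should be different group: " + g1.get(i) + " and " + g3.get(i), g1
            .get(i).equals(g3.get(i)));
  }
}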
 
Example #30
Source File: TestHttpServer.java    From hbase with Apache License 2.0
/**
 * Verify the access for /logs, /stacks, /conf, /logLevel and /metrics
 * servlets, when authentication filters are set, but authorization is not
 * enabled.
 */
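@Test
// NOTE(review): while this test is @Ignore'd, the behaviour it describes has
// no regression coverage from it.
@Ignore
public void testDisabledAuthorizationOfDefaultServlets() throws Exception {
  Configuration conf = new Configuration();

  // Authorization is disabled by default: HADOOP_SECURITY_AUTHORIZATION is
  // never set in this test, only the filter initializer and group mapping.
  conf.set(HttpServer.FILTER_INITIALIZERS_PROPERTY,
      DummyFilterInitializer.class.getName());
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MyGroupsProvider.class.getName());
  // Called for its side effect; the returned service is not used here.
  Groups.getUserToGroupsMappingService(conf);
  MyGroupsProvider.clearMapping();
  MyGroupsProvider.mapping.put("userA", Collections.singletonList("groupA"));
  MyGroupsProvider.mapping.put("userB", Collections.singletonList("groupB"));

  // No ACL is given to the builder in this test.
  HttpServer myServer = new HttpServer.Builder().setName("test")
      .addEndpoint(new URI("http://localhost:0")).setFindPort(true).build();
  myServer.setAttribute(HttpServer.CONF_CONTEXT_ATTRIBUTE, conf);
  myServer.start();

  // Stop the server even when an assertion fails, so a failing run does not
  // leave a listener behind for the tests that follow.
  try {
    String serverURL = "http://" + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
    // With authorization off, every user tried here can read the
    // configuration, log, stack, log-level and metrics servlets. That default
    // is worth knowing when hardening a deployment.
    for (String servlet : new String[] { "conf", "logs", "stacks", "logLevel", "metrics" }) {
      for (String user : new String[] { "userA", "userB" }) {
        assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
            + servlet, user));
      }
    }
  } finally {
    myServer.stop();
  }
}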