Java Code Examples for org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytabAndReturnUGI()
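The following examples show how to use
org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytabAndReturnUGI(). Per the Hadoop Javadoc, the user returned by this method does not replace the process's currently logged-in user; several examples below also call the static UserGroupInformation.setConfiguration(), which changes state shared by the whole JVM.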
Example 1
Source File: SMHiveRecordWriter.java From spliceengine with GNU Affero General Public License v3.0 | 6 votes |
/**
 * Creates the writer and runs {@code init()}, as a keytab-authenticated user when
 * Kerberos settings are present.
 *
 * <p>The principal and keytab are read from the
 * {@code hive.server2.authentication.kerberos.*} keys of {@code conf}. Only when both
 * values are set is a keytab login performed and {@code init()} executed inside
 * {@code doAs}; in every other case {@code init()} runs as the current caller.
 *
 * @param conf configuration that is stored on the writer and queried for the Kerberos settings
 * @throws IOException declared for the keytab login call
 */
public SMHiveRecordWriter (Configuration conf) throws IOException {
    this.conf = conf;

    String kerberosPrincipal = conf.get("hive.server2.authentication.kerberos.principal");
    String keytabPath = conf.get("hive.server2.authentication.kerberos.keytab");

    // NOTE(review): a configuration that sets only one of the two keys takes this
    // branch as well, so init() runs without a Kerberos login and without any
    // warning. Confirm that this silent fallback is intended.
    if (kerberosPrincipal == null || keytabPath == null) {
        init();
        return;
    }

    UserGroupInformation loginUgi =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(kerberosPrincipal, keytabPath);
    PrivilegedAction<Void> runInit = new PrivilegedAction<Void>() {
        public Void run() {
            init();
            return null;
        }
    };
    loginUgi.doAs(runInit);
}
Example 2
Source File: AbstractSpnegoNegotiatorTest.java From elasticsearch-hadoop with Apache License 2.0 | 6 votes |
/**
 * Negotiating against the service name {@code "omgWrongServerName"} must not succeed:
 * the test passes only when an {@link UndeclaredThrowableException} is raised before
 * the trailing {@code fail(...)} is reached.
 */
@Test(expected = UndeclaredThrowableException.class)
public void testWrongServicePrincipal() throws IOException, InterruptedException {
    // UserGroupInformation.setConfiguration is static, so this switches the
    // authentication method for everything that runs in the same JVM.
    Configuration kerberosConf = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, kerberosConf);
    UserGroupInformation.setConfiguration(kerberosConf);

    // Keytab login for the client principal.
    UserGroupInformation clientUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
            KerberosSuite.PRINCIPAL_CLIENT, KEYTAB_FILE.getAbsolutePath());

    // The negotiator is built inside doAs, i.e. under the client's login.
    PrivilegedExceptionAction<SpnegoNegotiator> buildNegotiator =
            new PrivilegedExceptionAction<SpnegoNegotiator>() {
                @Override
                public SpnegoNegotiator run() throws Exception {
                    return new SpnegoNegotiator(KerberosSuite.PRINCIPAL_CLIENT, "omgWrongServerName");
                }
            };
    final SpnegoNegotiator negotiator = clientUgi.doAs(buildNegotiator);

    clientUgi.doAs(new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            return negotiator.send();
        }
    });

    fail("Should not be able to find non existent server credentials");
}
Example 3
Source File: SecureUserConnectionsIT.java From phoenix with Apache License 2.0 | 6 votes |
/**
 * Runs the same connection-creating action twice under one UGI instance and checks
 * that the set of normalized {@code ConnectionInfo} objects still holds one element.
 */
@Test
public void testMultipleInvocationsBySameUserAreEquivalent() throws Exception {
    final HashSet<ConnectionInfo> seen = new HashSet<>();
    final String principal = getUserPrincipal(1);
    final File keytabFile = getUserKeytabFile(1);

    UserGroupInformation userUgi =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabFile.getPath());

    PrivilegedExceptionAction<Void> connect = new PrivilegedExceptionAction<Void>() {
        public Void run() throws Exception {
            String jdbcUrl = joinUserAuthentication(BASE_URL, principal, keytabFile);
            ConnectionInfo info = ConnectionInfo.create(jdbcUrl);
            seen.add(info.normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
            return null;
        }
    };

    // Both rounds use the same UGI, so the second ConnectionInfo is expected to be
    // equal to the first and the set must not grow.
    for (int round = 0; round < 2; round++) {
        userUgi.doAs(connect);
        assertEquals(1, seen.size());
        verifyAllConnectionsAreKerberosBased(seen);
    }
}
Example 4
Source File: HadoopKerberosFileSystemFactoryDelegate.java From ignite with Apache License 2.0 | 6 votes |
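/**
 * Starts the delegate: validates the Kerberos settings of the proxied factory and
 * logs in from the configured keytab.
 *
 * <p>The resulting UGI is stored in {@code user} and the relogin interval in
 * {@code reloginInterval}. {@code UserGroupInformation.setConfiguration} is static,
 * so the call below affects every Hadoop client in the JVM.
 *
 * @throws IgniteException if the keytab login fails; the keytab path and principal
 *     are included in the message
 */
@Override
public void start() throws IgniteException {
    super.start();

    KerberosHadoopFileSystemFactory kerberosFactory = (KerberosHadoopFileSystemFactory)proxy;

    String keyTab = kerberosFactory.getKeyTab();
    String keyTabPrincipal = kerberosFactory.getKeyTabPrincipal();

    // The original messages read "cannot not be ...", a double negative that stated
    // the opposite of the check being enforced.
    A.ensure(!F.isEmpty(keyTab), "keyTab cannot be empty.");
    A.ensure(!F.isEmpty(keyTabPrincipal), "keyTabPrincipal cannot be empty.");
    A.ensure(kerberosFactory.getReloginInterval() >= 0, "reloginInterval cannot be negative.");

    reloginInterval = kerberosFactory.getReloginInterval();

    try {
        UserGroupInformation.setConfiguration(cfg);

        user = UserGroupInformation.loginUserFromKeytabAndReturnUGI(keyTabPrincipal, keyTab);
    }
    catch (IOException ioe) {
        throw new IgniteException("Failed login from keytab [keyTab=" + keyTab +
            ", keyTabPrincipal=" + keyTabPrincipal + ']', ioe);
    }
}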
Example 5
Source File: KerberosFactory.java From Bats with Apache License 2.0 | 5 votes |
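/**
 * Produces the UGI to authenticate with, choosing the source from {@code properties}.
 *
 * <ul>
 *   <li>{@code DrillProperties.KERBEROS_FROM_SUBJECT} parses to {@code true}: the UGI
 *       is derived from the JAAS subject of the calling access-control context;</li>
 *   <li>otherwise, {@code DrillProperties.KEYTAB} present: keytab login for
 *       {@code DrillProperties.USER};</li>
 *   <li>otherwise: the current user (this covers a Kerberos ticket login).</li>
 * </ul>
 *
 * <p>The method first sets the static UGI configuration to Kerberos, which changes
 * the authentication method for the whole JVM.
 *
 * @param properties connection properties; the values read here are cast to {@code String}
 * @return the logged-in user
 * @throws IOException a {@code SaslException} when any of the login paths fails
 */
@Override
public UserGroupInformation createAndLoginUser(final Map<String, ?> properties) throws IOException {
    final Configuration conf = new SecurityConfiguration();
    conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
        UserGroupInformation.AuthenticationMethod.KERBEROS.toString());
    UserGroupInformation.setConfiguration(conf);

    final String keytab = (String) properties.get(DrillProperties.KEYTAB);
    final boolean assumeSubject = properties.containsKey(DrillProperties.KERBEROS_FROM_SUBJECT)
        && Boolean.parseBoolean((String) properties.get(DrillProperties.KERBEROS_FROM_SUBJECT));

    try {
        final UserGroupInformation ugi;
        if (assumeSubject) {
            ugi = UserGroupInformation.getUGIFromSubject(Subject.getSubject(AccessController.getContext()));
            logger.debug("Assuming subject for {}.", ugi.getShortUserName());
        } else if (keytab != null) {
            // NOTE(review): DrillProperties.USER is not checked for null before it is
            // used as the principal; confirm that callers always supply it with a keytab.
            ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                (String) properties.get(DrillProperties.USER), keytab);
            logger.debug("Logged in {} using keytab.", ugi.getShortUserName());
        } else {
            // includes Kerberos ticket login
            ugi = UserGroupInformation.getCurrentUser();
            logger.debug("Logged in {} using ticket.", ugi.getShortUserName());
        }
        return ugi;
    } catch (final IOException e) {
        logger.debug("Login failed.", e);
        final Throwable cause = e.getCause();
        if (cause instanceof LoginException) {
            throw new SaslException("Failed to login.", cause);
        }
        // An IOException without a cause used to be replaced by a SaslException with a
        // null cause, which discarded the only record of the failure outside debug logs.
        throw new SaslException("Unexpected failure trying to login.", cause != null ? cause : e);
    }
}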
Example 6
Source File: SpliceTestClusterParticipant.java From spliceengine with GNU Affero General Public License v3.0 | 5 votes |
/**
 * Builds the platform configuration for this cluster member and starts one region
 * server in a {@code MiniHBaseCluster}, inside {@code doAs} of the selected user.
 *
 * <p>When {@code secure} is set, the user comes from a keytab login and is also
 * installed as the process-wide login user; otherwise the current user is used.
 *
 * @throws Exception if the login or the cluster start fails
 */
private void start() throws Exception {
    // NOTE(review): the two region-server port locals are computed but, as the
    // listing reads, only their names survive as trailing comments in the argument
    // list below; zeros are passed instead. The line breaks after those comments
    // are reconstructed from a collapsed listing.
    int regionServerPort = REGION_SERVER_PORT + memberNumber;
    int regionServerInfoPort = REGION_SERVER_WEB_PORT + memberNumber;
    int derbyPort = SQLConfiguration.DEFAULT_NETWORK_BIND_PORT + memberNumber;
    Configuration config = SpliceTestPlatformConfig.create(
            hbaseTargetDirectory,
            0,
            0,
            0, //regionServerPort,
            0, //regionServerInfoPort,
            derbyPort,
            false,
            null,
            secure
    );

    // The keytab is expected directly under the HBase target directory.
    String keytab = hbaseTargetDirectory+"/splice.keytab";

    UserGroupInformation ugi;
    if (secure) {
        // NOTE(review): the principal literal contains "[email protected]", the
        // placeholder left by the page's e-mail obfuscation; take the real service
        // principal from the project source before reusing this snippet.
        ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("hbase/[email protected]", keytab);
        // Replaces the static login user, so later code in this JVM runs as this principal.
        UserGroupInformation.setLoginUser(ugi);
    } else {
        ugi = UserGroupInformation.getCurrentUser();
    }

    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            MiniHBaseCluster miniHBaseCluster = new MiniHBaseCluster(config, 0, 1);
            miniHBaseCluster.startRegionServer();
            return null;
        }
    });
}
Example 7
Source File: SecureUserConnectionsIT.java From phoenix with Apache License 2.0 | 5 votes |
/**
 * Logs the same principal in twice from the same keytab and checks that the action
 * run under the second UGI instance adds a second, distinct {@code ConnectionInfo}.
 */
@Test
public void testMultipleUniqueUGIInstancesAreDisjoint() throws Exception {
    final HashSet<ConnectionInfo> seen = new HashSet<>();
    final String principal = getUserPrincipal(1);
    final File keytabFile = getUserKeytabFile(1);
    final String keytabPath = keytabFile.getPath();

    PrivilegedExceptionAction<Void> connect = new PrivilegedExceptionAction<Void>() {
        public Void run() throws Exception {
            String jdbcUrl = joinUserAuthentication(BASE_URL, principal, keytabFile);
            ConnectionInfo info = ConnectionInfo.create(jdbcUrl);
            seen.add(info.normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
            return null;
        }
    };

    UserGroupInformation firstLogin =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabPath);
    firstLogin.doAs(connect);
    assertEquals(1, seen.size());
    verifyAllConnectionsAreKerberosBased(seen);

    // Same "real" user, but a fresh UGI instance from a second keytab login. The
    // test treats the resulting extra entry as expected behaviour; the author's
    // remark is that logging in twice like this is a programmer error.
    UserGroupInformation secondLogin =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabPath);
    secondLogin.doAs(connect);
    assertEquals(2, seen.size());
    verifyAllConnectionsAreKerberosBased(seen);
}
Example 8
Source File: TestShadeSaslAuthenticationProvider.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Per-test fixture: as the {@code hbase/localhost} service user, creates a table
 * named after the running test with column family {@code f1}, writes one cell
 * ({@code r1}, {@code f1:q1} = {@code "1"}) and records the cluster id.
 */
@Before
public void createTable() throws Exception {
    tableName = TableName.valueOf(name.getMethodName());

    // Keytab login for the service principal; all HBase calls below run inside doAs.
    UserGroupInformation hbaseUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
            "hbase/localhost", KEYTAB_FILE.getAbsolutePath());

    PrivilegedExceptionAction<String> setUpTable = new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            try (Connection connection = ConnectionFactory.createConnection(CONF);
                    Admin hbaseAdmin = connection.getAdmin()) {
                hbaseAdmin.createTable(TableDescriptorBuilder
                        .newBuilder(tableName)
                        .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1"))
                        .build());

                UTIL.waitTableAvailable(tableName);

                try (Table table = connection.getTable(tableName)) {
                    byte[] rowKey = Bytes.toBytes("r1");
                    byte[] family = Bytes.toBytes("f1");
                    byte[] qualifier = Bytes.toBytes("q1");
                    byte[] value = Bytes.toBytes("1");

                    Put put = new Put(rowKey);
                    put.addColumn(family, qualifier, value);
                    table.put(put);
                }

                return hbaseAdmin.getClusterMetrics().getClusterId();
            }
        }
    };

    clusterId = hbaseUgi.doAs(setUpTable);
    assertNotNull(clusterId);
}
Example 9
Source File: AbstractSpnegoNegotiatorTest.java From elasticsearch-hadoop with Apache License 2.0 | 5 votes |
/**
 * Feeds the negotiator a made-up five-byte token in place of a server response and
 * expects the next {@code send()} to end in an {@link UndeclaredThrowableException}
 * rather than reaching the trailing {@code fail(...)}.
 */
@Test(expected = UndeclaredThrowableException.class)
public void testFalseResponseFromServerFails() throws IOException, InterruptedException {
    // UserGroupInformation.setConfiguration is static: Kerberos is enabled JVM-wide.
    Configuration kerberosConf = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, kerberosConf);
    UserGroupInformation.setConfiguration(kerberosConf);

    UserGroupInformation clientUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
            KerberosSuite.PRINCIPAL_CLIENT, KEYTAB_FILE.getAbsolutePath());

    final SpnegoNegotiator negotiator = clientUgi.doAs(new PrivilegedExceptionAction<SpnegoNegotiator>() {
        @Override
        public SpnegoNegotiator run() throws Exception {
            return new SpnegoNegotiator(KerberosSuite.PRINCIPAL_CLIENT, KerberosSuite.PRINCIPAL_SERVER);
        }
    });

    // One stateless action serves both send() calls.
    PrivilegedExceptionAction<String> sendToken = new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            return negotiator.send();
        }
    };

    // First round: a regular client token. It is decoded as in the original test,
    // although the decoded bytes are not used afterwards.
    String firstToken = clientUgi.doAs(sendToken);
    Base64.decodeBase64(firstToken);

    // Second round: the "server response" is replaced by arbitrary bytes.
    byte[] bogusResponse = new byte[]{1,2,3,4,5};
    negotiator.setTokenData(Base64.encodeBase64String(bogusResponse));
    clientUgi.doAs(sendToken);

    fail("Defective token given to Negotiator and accepted.");
}
Example 10
Source File: TestInfoServersACL.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Requests the log-level page as the {@code USER_NONE_STR} principal and expects the
 * server to answer with HTTP 403.
 */
@Test
public void testUnauthorizedUser() throws Exception {
    UserGroupInformation unprivilegedUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
            USER_NONE_STR, KEYTAB_FILE.getAbsolutePath());

    PrivilegedExceptionAction<Void> requestPage = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            Pair<Integer,String> response = getLogLevelPage();
            int status = response.getFirst().intValue();
            // The denial must be an explicit "forbidden", not some other failure code.
            assertEquals(HttpURLConnection.HTTP_FORBIDDEN, status);
            return null;
        }
    };

    unprivilegedUgi.doAs(requestPage);
}
Example 11
Source File: CustomSaslAuthenticationProviderTestBase.java From hbase with Apache License 2.0 | 5 votes |
/**
 * As the {@code hbase/localhost} service user, creates the test table with column
 * family {@code f1}, writes one cell ({@code r1}, {@code f1:q1} = {@code "1"}) and
 * records the cluster id.
 */
private void createTable() throws Exception {
    tableName = name.getTableName();

    // Keytab login for the service principal; all HBase calls below run inside doAs.
    UserGroupInformation hbaseUgi = UserGroupInformation
            .loginUserFromKeytabAndReturnUGI("hbase/localhost", KEYTAB_FILE.getAbsolutePath());

    PrivilegedExceptionAction<String> setUpTable = new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            try (Connection connection = ConnectionFactory.createConnection(CONF);
                    Admin hbaseAdmin = connection.getAdmin()) {
                hbaseAdmin.createTable(TableDescriptorBuilder.newBuilder(tableName)
                        .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1")).build());

                UTIL.waitTableAvailable(tableName);

                try (Table table = connection.getTable(tableName)) {
                    byte[] rowKey = Bytes.toBytes("r1");
                    byte[] family = Bytes.toBytes("f1");
                    byte[] qualifier = Bytes.toBytes("q1");
                    byte[] value = Bytes.toBytes("1");

                    Put put = new Put(rowKey);
                    put.addColumn(family, qualifier, value);
                    table.put(put);
                }

                return hbaseAdmin.getClusterMetrics().getClusterId();
            }
        }
    };

    clusterId = hbaseUgi.doAs(setUpTable);
    assertNotNull(clusterId);
}
Example 12
Source File: SpnegoConfig.java From Bats with Apache License 2.0 | 5 votes |
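/**
 * Validates the SPNEGO settings and logs {@code principal} in from {@code keytab}.
 *
 * <p>When Hadoop security is not enabled, the static UGI configuration is switched
 * to Kerberos for the duration of the login and reset to a default
 * {@code Configuration} afterwards. The reset now sits in a {@code finally} block:
 * previously a failed login left the JVM-wide UGI state on the temporary Kerberos
 * configuration.
 *
 * <p>NOTE(review): the set/login/reset sequence mutates static state without any
 * visible synchronization; confirm that callers serialize access.
 *
 * @return the UGI of the logged-in principal
 * @throws DrillException if validation fails or the login cannot be completed
 */
private UserGroupInformation loginAndReturnUgi() throws DrillException {
    validateSpnegoConfig();

    try {
        if (UserGroupInformation.isSecurityEnabled()) {
            // Let's not overwrite the rules here since it might be possible that CUSTOM
            // security is configured for JDBC/ODBC with default rules. If Kerberos was
            // enabled then the correct rules must already be set.
            return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
        }

        // Security is off: enable Kerberos only for this login.
        final Configuration newConfig = new Configuration();
        newConfig.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
            UserGroupInformation.AuthenticationMethod.KERBEROS.toString());
        if (clientNameMapping != null) {
            newConfig.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTH_TO_LOCAL, clientNameMapping);
        }

        UserGroupInformation.setConfiguration(newConfig);
        try {
            return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
        } finally {
            // Reset the static UGI configuration whether or not the login succeeded.
            UserGroupInformation.setConfiguration(new Configuration());
        }
    } catch (Exception e) {
        throw new DrillException(String.format("Login failed for %s with given keytab", principal), e);
    }
}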
Example 13
Source File: AbstractSpnegoNegotiatorTest.java From elasticsearch-hadoop with Apache License 2.0 | 4 votes |
/**
 * Drives a complete SPNEGO exchange between a client-side {@code SpnegoNegotiator}
 * and a server-side {@code GSSContext}, using principal names passed through
 * {@code withRealm(...)}, and asserts that both sides end up established.
 *
 * <p>Client and server are separate keytab logins; every GSS call runs inside
 * {@code doAs} of the side it belongs to.
 */
@Test
public void testSuccessfulNegotiateWithRealmName() throws IOException, GSSException, InterruptedException {
    // Mechanisms
    final GSSManager gssManager = GSSManager.getInstance();
    // 1.3.6.1.5.5.2 is the object identifier of the SPNEGO mechanism.
    final Oid spnegoOid = new Oid("1.3.6.1.5.5.2");

    // Configure logins (setConfiguration is static and applies to the whole JVM)
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Server
    UserGroupInformation server = UserGroupInformation.loginUserFromKeytabAndReturnUGI(withRealm(KerberosSuite.PRINCIPAL_SERVER), KEYTAB_FILE.getAbsolutePath());
    final GSSName gssServicePrincipalName = gssManager.createName(withRealm(KerberosSuite.PRINCIPAL_SERVER), GSSName.NT_USER_NAME);
    // Accept-only credential, created under the server's login.
    final GSSCredential gssServiceCredential = server.doAs(new PrivilegedExceptionAction<GSSCredential>() {
        @Override
        public GSSCredential run() throws Exception {
            return gssManager.createCredential(
                gssServicePrincipalName,
                GSSCredential.DEFAULT_LIFETIME,
                spnegoOid,
                GSSCredential.ACCEPT_ONLY
            );
        }
    });
    final GSSContext serverCtx = gssManager.createContext(gssServiceCredential);

    // Login as Client and Create negotiator
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(withRealm(KerberosSuite.PRINCIPAL_CLIENT), KEYTAB_FILE.getAbsolutePath());
    final SpnegoNegotiator spnegoNegotiator = client.doAs(new PrivilegedExceptionAction<SpnegoNegotiator>() {
        @Override
        public SpnegoNegotiator run() throws Exception {
            return new SpnegoNegotiator(withRealm(KerberosSuite.PRINCIPAL_CLIENT), withRealm(KerberosSuite.PRINCIPAL_SERVER));
        }
    });

    // `token` carries the bytes most recently produced by either side.
    byte[] token = new byte[0];
    boolean authenticated = false;

    // The round count is capped at 100 so a handshake that never converges ends the test.
    for (int idx = 0; idx < 100; idx++) {
        // Client step: the first call sends without input, later calls pass the server's token.
        if (!spnegoNegotiator.established()) {
            final byte[] sendToken = token;
            String baseToken = client.doAs(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws Exception {
                    if (sendToken.length > 0) {
                        return spnegoNegotiator.send(Base64.encodeBase64String(sendToken));
                    } else {
                        return spnegoNegotiator.send();
                    }
                }
            });
            token = Base64.decodeBase64(baseToken);
        }

        // A server that is established while the client is not is treated as a failure.
        if (!spnegoNegotiator.established() && serverCtx.isEstablished()) {
            fail("Server is established, but client is not.");
        }

        // Server step: accept the client's token under the server's login.
        if (!serverCtx.isEstablished()) {
            final byte[] currentToken = token;
            token = server.doAs(new PrivilegedExceptionAction<byte[]>() {
                @Override
                public byte[] run() throws Exception {
                    return serverCtx.acceptSecContext(currentToken, 0, currentToken.length);
                }
            });
        }

        if (serverCtx.isEstablished() && spnegoNegotiator.established()) {
            authenticated = true;
            break;
        }
    }

    assertThat(authenticated, is(true));
    assertThat(serverCtx.isEstablished(), is(true));
    assertThat(spnegoNegotiator.established(), is(true));

    // After close() the negotiator must no longer report an established context.
    spnegoNegotiator.close();
    assertThat(spnegoNegotiator.established(), is(false));
}
Example 14
Source File: AbstractSpnegoAuthSchemeTest.java From elasticsearch-hadoop with Apache License 2.0 | 4 votes |
/**
 * Processes a {@code WWW-Authenticate: Negotiate} challenge for a request addressed
 * to {@code 127.0.0.1:9200} and checks that the test scheme, given a host-name to
 * address mapping, produces an {@code Authorization} value that starts with
 * {@code "Negotiate "}.
 *
 * <p>The whole exchange runs inside {@code doAs} of a keytab-authenticated client.
 */
@Test
public void testAuthWithReverseLookupServicePrincipal() throws Exception {
    // Configure logins (setConfiguration is static and applies to the whole JVM)
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Client and Execute Test
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(KerberosSuite.PRINCIPAL_CLIENT, KEYTAB_FILE.getAbsolutePath());

    client.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            HttpParams params = new HttpClientParams();

            // Order auth schemes
            EsHadoopAuthPolicies.registerAuthSchemes();
            List<String> authPreferences = new ArrayList<String>();
            authPreferences.add(EsHadoopAuthPolicies.NEGOTIATE);
            params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPreferences);

            AuthChallengeProcessor authChallengeProcessor = new AuthChallengeProcessor(params);

            // Mapping handed to TestScheme further down; presumably it stands in for
            // DNS so the request's address resolves to this host name (confirm in TestScheme).
            Map<String, String> dnsMappings = new HashMap<String, String>();
            dnsMappings.put("es.build.elastic.co", "127.0.0.1");

            TestMethod method = new TestMethod();
            method.setHeaders(new Header[]{new Header("WWW-Authenticate", "Negotiate")});
            method.setURI(new org.apache.commons.httpclient.URI("http", null, "127.0.0.1", 9200));

            // NOTE(review): the service principal literal contains "[email protected]",
            // the placeholder left by the page's e-mail obfuscation; take the real
            // value from the project source.
            Credentials credentials = new SpnegoCredentials(HadoopUserProvider.create(new TestSettings()), "HTTP/[email protected]");

            // Parse Challenge
            Map challenges = AuthChallengeParser.parseChallenges(method.getResponseHeaders("WWW-Authenticate"));
            assertThat(challenges.isEmpty(), not(true));
            assertThat(challenges.containsKey("negotiate"), is(true));
            assertThat(challenges.get("negotiate"), is("Negotiate"));
            AuthScheme scheme = authChallengeProcessor.processChallenge(method.getHostAuthState(), challenges);

            assertNotNull(scheme);
            assertThat(scheme, instanceOf(SpnegoAuthScheme.class));

            method.getHostAuthState().setAuthAttempted(true);

            // Execute Auth: drop autogenerated Authorization headers first
            Header[] authHeaders = method.getRequestHeaders("Authorization");
            for (Header authHeader : authHeaders) {
                if (authHeader.isAutogenerated()) {
                    method.removeRequestHeader(authHeader);
                }
            }
            AuthState authState = method.getHostAuthState();
            AuthScheme authScheme = authState.getAuthScheme();
            assertNotNull(authScheme);
            assertThat(authScheme.isConnectionBased(), is(not(true)));

            // Replace scheme with test harness scheme
            authScheme = new TestScheme(dnsMappings);

            String authString = authScheme.authenticate(credentials, method);

            assertNotNull(authString);
            assertThat(authString, startsWith("Negotiate "));
            method.addRequestHeader(new Header("Authorization", authString, true));

            return null;
        }
    });
}
Example 15
Source File: HdfsRepository.java From crate with Apache License 2.0 | 4 votes |
/**
 * Resolves the Hadoop user for this repository.
 *
 * <p>Only the SIMPLE and KERBEROS authentication methods are accepted. A configured
 * Kerberos principal upgrades a SIMPLE configuration to KERBEROS (with a warning);
 * KERBEROS without a principal is rejected. The static UGI configuration is then set
 * from {@code hadoopConfiguration}, which affects the whole JVM. With security
 * enabled the user is logged in from the located keytab, otherwise the current user
 * is returned.
 *
 * @param hadoopConfiguration Hadoop configuration; its authentication method may be changed here
 * @param repositorySettings repository settings, queried for {@code CONF_SECURITY_PRINCIPAL}
 * @return the UGI to use
 * @throws RuntimeException for an unsupported method or a missing principal
 * @throws UncheckedIOException if the UGI cannot be obtained
 */
private UserGroupInformation login(Configuration hadoopConfiguration, Settings repositorySettings) {
    final AuthenticationMethod configuredMethod = SecurityUtil.getAuthenticationMethod(hadoopConfiguration);
    final boolean isSimple = configuredMethod.equals(AuthenticationMethod.SIMPLE);
    final boolean isKerberos = configuredMethod.equals(AuthenticationMethod.KERBEROS);

    if (!isSimple && !isKerberos) {
        throw new RuntimeException("Unsupported authorization mode [" + configuredMethod + "]");
    }

    // A principal in the repository settings signals that Kerberos is wanted.
    final String kerberosPrincipal = repositorySettings.get(CONF_SECURITY_PRINCIPAL);
    final boolean hasPrincipal = kerberosPrincipal != null;

    if (hasPrincipal && isSimple) {
        LOGGER.warn("Hadoop authentication method is set to [SIMPLE], but a Kerberos principal is " +
            "specified. Continuing with [KERBEROS] authentication.");
        SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, hadoopConfiguration);
    } else if (!hasPrincipal && isKerberos) {
        throw new RuntimeException("HDFS Repository does not support [KERBEROS] authentication without " +
            "a valid Kerberos principal and keytab. Please specify a principal in the repository settings with [" +
            CONF_SECURITY_PRINCIPAL + "].");
    }

    // From here on the (possibly adjusted) configuration drives the static UGI state.
    UserGroupInformation.setConfiguration(hadoopConfiguration);

    LOGGER.debug("Hadoop security enabled: [{}]", UserGroupInformation.isSecurityEnabled());
    LOGGER.debug("Using Hadoop authentication method: [{}]", SecurityUtil.getAuthenticationMethod(hadoopConfiguration));

    // A UGI is a Hadoop-specific wrapper around a Java Subject.
    try {
        if (!UserGroupInformation.isSecurityEnabled()) {
            return UserGroupInformation.getCurrentUser();
        }

        final String loginPrincipal = preparePrincipal(kerberosPrincipal);
        final String keytabPath = HdfsSecurityContext.locateKeytabFile(environment).toString();
        // Only the keytab's location is logged, never its contents.
        LOGGER.debug("Using kerberos principal [{}] and keytab located at [{}]", loginPrincipal, keytabPath);
        return UserGroupInformation.loginUserFromKeytabAndReturnUGI(loginPrincipal, keytabPath);
    } catch (IOException e) {
        throw new UncheckedIOException("Could not retrieve the current user information", e);
    }
}
Example 16
Source File: TestSecureRESTServer.java From hbase with Apache License 2.0 | 4 votes |
/**
 * End-to-end check of an authorized read through the REST server: the service
 * principal creates {@code publicTable}, writes row {@code "a"} and grants READ to
 * the client principal; the client then fetches that row over HTTP and the JSON
 * answer is checked cell by cell.
 */
@Test
public void testPositiveAuthorization() throws Exception {
    // Create a table, write a row to it, grant read perms to the client
    UserGroupInformation superuser = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
        SERVICE_PRINCIPAL, serviceKeytab.getAbsolutePath());
    final TableName table = TableName.valueOf("publicTable");
    superuser.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
                TableDescriptor desc = TableDescriptorBuilder.newBuilder(table)
                    .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1"))
                    .build();
                // NOTE(review): the Admin returned by getAdmin() is never closed in
                // the visible code; consider adding it to the try-with-resources.
                conn.getAdmin().createTable(desc);
                try (Table t = conn.getTable(table)) {
                    Put p = new Put(Bytes.toBytes("a"));
                    p.addColumn(Bytes.toBytes("f1"), new byte[0], Bytes.toBytes("1"));
                    t.put(p);
                }
                // The grant is limited to READ for the client principal.
                AccessControlClient.grant(conn, CLIENT_PRINCIPAL, Action.READ);
            } catch (Throwable e) {
                // run() may only throw Exception, so any other Throwable is wrapped.
                if (e instanceof Exception) {
                    throw (Exception) e;
                } else {
                    throw new Exception(e);
                }
            }
            return null;
        }
    });

    // Read that row as the client
    Pair<CloseableHttpClient,HttpClientContext> pair = getClient();
    // NOTE(review): this CloseableHttpClient is not closed in the visible code.
    CloseableHttpClient client = pair.getFirst();
    HttpClientContext context = pair.getSecond();

    // Plain-HTTP request to the local REST servlet for row "a" of the table.
    HttpGet get = new HttpGet(new URL("http://localhost:"+ REST_TEST.getServletPort()).toURI()
        + "/" + table + "/a");
    get.addHeader("Accept", "application/json");

    // Separate keytab login for the client; the request is executed under it.
    UserGroupInformation user = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
        CLIENT_PRINCIPAL, clientKeytab.getAbsolutePath());
    String jsonResponse = user.doAs(new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            try (CloseableHttpResponse response = client.execute(get, context)) {
                final int statusCode = response.getStatusLine().getStatusCode();
                // The status line serves as the assertion message on failure.
                assertEquals(response.getStatusLine().toString(), HttpURLConnection.HTTP_OK, statusCode);
                HttpEntity entity = response.getEntity();
                return EntityUtils.toString(entity);
            }
        }
    });

    // Decode the JSON body and compare it with the single cell written above.
    ObjectMapper mapper = new JacksonJaxbJsonProvider()
        .locateMapper(CellSetModel.class, MediaType.APPLICATION_JSON_TYPE);
    CellSetModel model = mapper.readValue(jsonResponse, CellSetModel.class);
    assertEquals(1, model.getRows().size());
    RowModel row = model.getRows().get(0);
    assertEquals("a", Bytes.toString(row.getKey()));
    assertEquals(1, row.getCells().size());
    CellModel cell = row.getCells().get(0);
    assertEquals("1", Bytes.toString(cell.getValue()));
}
Example 17
Source File: TestLogLevel.java From hbase with Apache License 2.0 | 4 votes |
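/**
 * Run both client and server using the given protocol.
 *
 * <p>The client is logged in from the keytab and issues {@code getLevel} followed by
 * {@code setLevel} inside {@code doAs}. Cleanup (keytab logout, server stop, log
 * level restore) now runs in {@code finally} blocks, so a failing client call or a
 * failing login no longer leaves the server running or the changed log level in
 * place for later tests.
 *
 * @param bindProtocol specify either http or https for server
 * @param connectProtocol specify either http or https for client
 * @param isSpnego true if SPNEGO is enabled
 * @param newLevel the log level the client asks the server to set
 * @throws Exception if client can't access server.
 */
private void testDynamicLogLevel(final String bindProtocol, final String connectProtocol,
    final boolean isSpnego, final String newLevel) throws Exception {
  if (!LogLevel.isValidProtocol(bindProtocol)) {
    throw new Exception("Invalid server protocol " + bindProtocol);
  }
  if (!LogLevel.isValidProtocol(connectProtocol)) {
    throw new Exception("Invalid client protocol " + connectProtocol);
  }
  Level oldLevel = log.getEffectiveLevel();
  assertNotEquals("Get default Log Level which shouldn't be ERROR.",
      Level.ERROR, oldLevel);

  if (isSpnego) {
    // configs needed for SPNEGO at server side
    serverConf.set(PRINCIPAL, HTTP_PRINCIPAL);
    serverConf.set(KEYTAB, keyTabFile.getAbsolutePath());
    serverConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
    serverConf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
  } else {
    serverConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "simple");
    serverConf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false);
  }
  // Static call: applies the chosen authentication mode to the whole JVM.
  UserGroupInformation.setConfiguration(serverConf);

  final HttpServer server = createServer(bindProtocol, isSpnego);
  try {
    // get server port
    final String authority = NetUtils.getHostPortString(server.getConnectorAddress(0));

    String keytabFilePath = keyTabFile.getAbsolutePath();
    UserGroupInformation clientUGI =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(clientPrincipal, keytabFilePath);
    try {
      clientUGI.doAs((PrivilegedExceptionAction<Void>) () -> {
        // client command line
        getLevel(connectProtocol, authority);
        setLevel(connectProtocol, authority, newLevel);
        return null;
      });
    } finally {
      clientUGI.logoutUserFromKeytab();
    }
  } finally {
    try {
      server.stop();
    } finally {
      // restore log level
      GenericTestUtils.setLogLevel(log, oldLevel);
    }
  }
}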
Example 18
Source File: AbstractSpnegoAuthSchemeTest.java From elasticsearch-hadoop with Apache License 2.0 | 4 votes |
/**
 * Processes a {@code WWW-Authenticate: Negotiate} challenge as a keytab-authenticated
 * client and checks that the selected scheme is a {@code SpnegoAuthScheme} whose
 * {@code Authorization} value starts with {@code "Negotiate "}.
 */
@Test
public void testAuth() throws Exception {
    // Configure logins (setConfiguration is static and applies to the whole JVM)
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Client and Execute Test
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(KerberosSuite.PRINCIPAL_CLIENT, KEYTAB_FILE.getAbsolutePath());

    client.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            HttpParams params = new HttpClientParams();

            // Order auth schemes
            EsHadoopAuthPolicies.registerAuthSchemes();
            List<String> authPreferences = new ArrayList<String>();
            authPreferences.add(EsHadoopAuthPolicies.NEGOTIATE);
            params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPreferences);

            AuthChallengeProcessor authChallengeProcessor = new AuthChallengeProcessor(params);
            // The test method carries the challenge header a server would have sent.
            TestMethod method = new TestMethod();
            method.setHeaders(new Header[]{new Header("WWW-Authenticate", "Negotiate")});

            Credentials credentials = new SpnegoCredentials(HadoopUserProvider.create(new TestSettings()), KerberosSuite.PRINCIPAL_SERVER);

            // Parse Challenge
            Map challenges = AuthChallengeParser.parseChallenges(method.getResponseHeaders("WWW-Authenticate"));
            assertThat(challenges.isEmpty(), not(true));
            assertThat(challenges.containsKey("negotiate"), is(true));
            assertThat(challenges.get("negotiate"), is("Negotiate"));
            AuthScheme scheme = authChallengeProcessor.processChallenge(method.getHostAuthState(), challenges);

            assertNotNull(scheme);
            assertThat(scheme, instanceOf(SpnegoAuthScheme.class));

            method.getHostAuthState().setAuthAttempted(true);

            // Execute Auth: drop autogenerated Authorization headers first
            Header[] authHeaders = method.getRequestHeaders("Authorization");
            for (Header authHeader : authHeaders) {
                if (authHeader.isAutogenerated()) {
                    method.removeRequestHeader(authHeader);
                }
            }
            AuthState authState = method.getHostAuthState();
            AuthScheme authScheme = authState.getAuthScheme();
            assertNotNull(authScheme);
            assertThat(authScheme.isConnectionBased(), is(not(true)));

            // The header value is produced under the client's login and attached to the request.
            String authString = authScheme.authenticate(credentials, method);

            assertNotNull(authString);
            assertThat(authString, startsWith("Negotiate "));
            method.addRequestHeader(new Header("Authorization", authString, true));

            return null;
        }
    });
}
Example 19
Source File: RegistryTestHelper.java From big-c with Apache License 2.0 | 3 votes |
/**
 * Logs a user in from a keytab and returns the resulting UGI. Requires the UGI
 * configuration to have been set up beforehand.
 *
 * <p>The user name and the keytab file (its path, not its contents) are written to
 * the log at INFO level.
 *
 * @param user principal to log in as
 * @param keytab keytab file holding that principal's key
 * @return the UGI
 * @throws IOException if the login fails
 */
public static UserGroupInformation loginUGI(String user, File keytab)
    throws IOException {
  LOG.info("Logging in as {} from {}", user, keytab);
  final String keytabPath = keytab.getAbsolutePath();
  return UserGroupInformation.loginUserFromKeytabAndReturnUGI(user, keytabPath);
}
Example 20
Source File: SecurityUtil.java From localization_nifi with Apache License 2.0 | 3 votes |
/**
 * Applies {@code config} to the static UserGroupInformation state and logs the given
 * principal in from its keytab.
 *
 * <p>The method is {@code static synchronized}, so calls made through this class are
 * serialized; routing every login through it keeps other threads from changing
 * UserGroupInformation in the middle of a login. Code that calls
 * UserGroupInformation directly is not covered by this lock.
 *
 * @param config the configuration instance
 * @param principal the principal to authenticate as; surrounding whitespace is trimmed
 * @param keyTab the keytab to authenticate with; surrounding whitespace is trimmed
 *
 * @return the UGI for the given principal
 *
 * @throws IOException if login failed
 */
public static synchronized UserGroupInformation loginKerberos(final Configuration config, final String principal, final String keyTab)
        throws IOException {
    // All three arguments are mandatory.
    Validate.notNull(config);
    Validate.notNull(principal);
    Validate.notNull(keyTab);

    UserGroupInformation.setConfiguration(config);

    final String trimmedPrincipal = principal.trim();
    final String trimmedKeyTab = keyTab.trim();
    return UserGroupInformation.loginUserFromKeytabAndReturnUGI(trimmedPrincipal, trimmedKeyTab);
}