org.apache.hadoop.security.authentication.util.KerberosName Java Examples
The following examples show how to use
org.apache.hadoop.security.authentication.util.KerberosName.
Example #1
Source File: TestThriftSpnegoHttpFallbackServer.java From hbase with Apache License 2.0 | 6 votes |
/**
 * Applies the Kerberos/SPNEGO settings the fallback Thrift test server needs.
 *
 * <p>{@code THRIFT_KERBEROS_PRINCIPAL_KEY} is assigned twice on purpose: the
 * later assignment (the SPNEGO principal) is the one that survives.
 *
 * @param conf the configuration to mutate in place
 */
private static void addSecurityConfigurations(Configuration conf) {
  // auth_to_local rules are JVM-wide static state; this fixture relies on DEFAULT.
  KerberosName.setRules("DEFAULT");
  final String serverKeytabPath = serverKeytab.getAbsolutePath();
  HBaseKerberosUtils.setKeytabFileForTesting(serverKeytabPath);
  conf.setBoolean(THRIFT_SUPPORT_PROXYUSER_KEY, true);
  conf.setBoolean(Constants.USE_HTTP_CONF_KEY, true);
  conf.set(Constants.THRIFT_KERBEROS_PRINCIPAL_KEY, serverPrincipal);
  conf.set(Constants.THRIFT_KEYTAB_FILE_KEY, serverKeytabPath);
  HBaseKerberosUtils.setSecuredConfiguration(conf, spnegoServerPrincipal, spnegoServerPrincipal);
  // Wildcard impersonation is acceptable only in a test fixture.
  conf.set("hadoop.proxyuser.HTTP.hosts", "*");
  conf.set("hadoop.proxyuser.HTTP.groups", "*");
  conf.set(Constants.THRIFT_KERBEROS_PRINCIPAL_KEY, spnegoServerPrincipal);
}
Example #2
Source File: TestUserGroupInformation.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Verifies that implicit UGI initialisation installs auth_to_local rules but
 * never overwrites rules that were set explicitly beforehand.
 */
@Test (timeout = 30000)
public void testEnsureInitWithRules() throws IOException {
  final String explicitRule = "RULE:[1:RULE1]";

  // Fresh state: no rules until something forces UGI to initialise.
  UserGroupInformation.reset();
  assertFalse(KerberosName.hasRulesBeenSet());
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertTrue(KerberosName.hasRulesBeenSet());

  // An explicitly set rule must survive a later implicit init.
  UserGroupInformation.reset();
  KerberosName.setRules(explicitRule);
  assertTrue(KerberosName.hasRulesBeenSet());
  assertEquals(explicitRule, KerberosName.getRules());
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertEquals(explicitRule, KerberosName.getRules());
}
Example #3
Source File: KmsKeyMgr.java From ranger with Apache License 2.0 | 6 votes |
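/**
 * Builds the JAAS {@link Subject} used to talk to the KMS for {@code provider}.
 *
 * <p>The auth_to_local rules are installed JVM-wide via {@link KerberosName#setRules}
 * before any login; when no {@code NAME_RULES} property is configured, {@code "DEFAULT"}
 * is used. When Kerberos is enabled, keytab login is preferred if the Ranger admin
 * principal's keytab credential is usable, otherwise a password login is attempted;
 * without Kerberos a plain login for the KMS user is performed.
 *
 * @param provider KMS provider whose user name and password are looked up
 * @return the logged-in subject
 * @throws Exception propagated from the credential lookup or the login
 */
private Subject getSubjectForKerberos(String provider) throws Exception {
  String userName = getKMSUserName(provider);
  String password = getKMSPassword(provider);
  String nameRules = PropertiesUtil.getProperty(NAME_RULES);
  if (StringUtils.isEmpty(nameRules)) {
    nameRules = "DEFAULT";
  }
  // JVM-wide static state: every KerberosName in this process now uses these rules.
  KerberosName.setRules(nameRules);
  String rangerPrincipal = SecureClientLogin.getPrincipal(
      PropertiesUtil.getProperty(ADMIN_USER_PRINCIPAL),
      PropertiesUtil.getProperty(HOST_NAME));
  if (!checkKerberos()) {
    return SecureClientLogin.login(userName);
  }
  // Looked up once; the original fetched the same property twice.
  String adminKeytab = PropertiesUtil.getProperty(ADMIN_USER_KEYTAB);
  if (SecureClientLogin.isKerberosCredentialExists(rangerPrincipal, adminKeytab)) {
    // Keytab login is preferred; the password path is only a fallback.
    return SecureClientLogin.loginUserFromKeytab(rangerPrincipal, adminKeytab, nameRules);
  }
  return SecureClientLogin.loginUserWithPassword(userName, password);
}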
Example #4
Source File: StormRangerPlugin.java From ranger with Apache License 2.0 | 6 votes |
/**
 * One-time initialisation of the Storm plugin; repeated calls are no-ops.
 *
 * <p>Synchronised so that concurrent callers inside the Nimbus process cannot
 * both run the base-plugin initialisation.
 */
@Override
public synchronized void init() {
  if (initialized) {
    return;
  }
  // mandatory call to base plugin
  super.init();
  // One time call to register the audit handler with the policy engine.
  super.setResultProcessor(new RangerDefaultAuditHandler(getConfig()));
  // Nimbus may never have gone through UGI init, so make sure principal
  // mapping at least has the DEFAULT rule available.
  if (KerberosName.getRules() == null) {
    KerberosName.setRules("DEFAULT");
  }
  initialized = true;
  LOG.info("StormRangerPlugin initialized!");
}
Example #5
Source File: JspHelper.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Checks that a user name supplied by a request matches the expected short name.
 *
 * @param expected the short user name that was expected, or {@code null} when none
 * @param name     the user name from the request; {@code null} is accepted (optional)
 * @throws IOException when a name was supplied but none was expected, or when the
 *                     short form of {@code name} differs from {@code expected}
 */
public static void checkUsername(final String expected, final String name)
    throws IOException {
  if (name == null) {
    // name is optional, null is okay
    return;
  }
  if (expected == null) {
    throw new IOException("Usernames not matched: expecting null but name=" + name);
  }
  // Reduce a possibly full principal to its short form before comparing.
  final String shortName = new KerberosName(name).getShortName();
  if (!shortName.equals(expected)) {
    throw new IOException("Usernames not matched: name=" + shortName
        + " != expected=" + expected);
  }
}
Example #6
Source File: MiscUtil.java From ranger with Apache License 2.0 | 6 votes |
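/**
 * Maps a Kerberos principal to its short user name.
 *
 * @param principal a principal such as {@code abc/host@REALM}; may be {@code null}
 * @return the short name produced by the configured auth_to_local rules with any
 *         remaining {@code /instance} or {@code @REALM} part stripped; {@code null}
 *         for a {@code null} input; the unchanged principal when mapping fails
 */
public static String getShortNameFromPrincipalName(String principal) {
  if (principal == null) {
    return null;
  }
  try {
    // Assuming it is a kerberos name for now
    KerberosName kerberosName = new KerberosName(principal);
    String userName = kerberosName.getShortName();
    // Defensive trimming in case the rules leave instance/realm parts behind.
    userName = StringUtils.substringBefore(userName, "/");
    userName = StringUtils.substringBefore(userName, "@");
    return userName;
  } catch (Throwable t) {
    // Best-effort fallback: keep the raw principal, but log the cause as well so
    // a misconfigured rule set is diagnosable instead of silently degrading.
    logger.error("Error converting kerberos name. principal=" + principal
        + ", KerberosName.rules=" + KerberosName.getRules(), t);
  }
  return principal;
}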
Example #7
Source File: TestUserGroupInformation.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Implicit UGI initialisation must install rules when none exist and must
 * leave explicitly configured rules untouched.
 */
@Test (timeout = 30000)
public void testEnsureInitWithRules() throws IOException {
  final String rule = "RULE:[1:RULE1]";

  // No rules yet; creating a user triggers implicit init, which installs some.
  UserGroupInformation.reset();
  assertFalse(KerberosName.hasRulesBeenSet());
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertTrue(KerberosName.hasRulesBeenSet());

  // Explicit rule first; implicit init afterwards must not replace it.
  UserGroupInformation.reset();
  KerberosName.setRules(rule);
  assertTrue(KerberosName.hasRulesBeenSet());
  assertEquals(rule, KerberosName.getRules());
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertEquals(rule, KerberosName.getRules());
}
Example #8
Source File: TestThriftSpnegoHttpServer.java From hbase with Apache License 2.0 | 6 votes |
/**
 * Applies the Kerberos/SPNEGO settings the Thrift HTTP test server needs:
 * the Thrift service principal, the SPNEGO principal, their keytabs and
 * proxy-user permissions for the {@code hbase} user.
 *
 * @param conf the configuration to mutate in place
 */
private static void addSecurityConfigurations(Configuration conf) {
  // auth_to_local rules are JVM-wide static state; this fixture relies on DEFAULT.
  KerberosName.setRules("DEFAULT");
  final String serverKeytabPath = serverKeytab.getAbsolutePath();
  HBaseKerberosUtils.setKeytabFileForTesting(serverKeytabPath);
  conf.setBoolean(THRIFT_SUPPORT_PROXYUSER_KEY, true);
  conf.setBoolean(Constants.USE_HTTP_CONF_KEY, true);
  conf.set(Constants.THRIFT_KERBEROS_PRINCIPAL_KEY, serverPrincipal);
  conf.set(Constants.THRIFT_KEYTAB_FILE_KEY, serverKeytabPath);
  HBaseKerberosUtils.setSecuredConfiguration(conf, serverPrincipal, spnegoServerPrincipal);
  // Wildcard impersonation is acceptable only in a test fixture.
  conf.set("hadoop.proxyuser.hbase.hosts", "*");
  conf.set("hadoop.proxyuser.hbase.groups", "*");
  conf.set(Constants.THRIFT_SPNEGO_PRINCIPAL_KEY, spnegoServerPrincipal);
  conf.set(Constants.THRIFT_SPNEGO_KEYTAB_FILE_KEY, spnegoServerKeytab.getAbsolutePath());
}
Example #9
Source File: JspHelper.java From hadoop with Apache License 2.0 | 6 votes |
/**
 * Expected user name should be a short name; {@code name} may be a full
 * principal and is reduced to its short form before comparison.
 *
 * @param expected expected short user name, or {@code null} when none is expected
 * @param name     user name from the request; {@code null} is treated as "not supplied"
 * @throws IOException when the names do not match, or when a name is supplied but
 *                     {@code expected} is {@code null}
 */
public static void checkUsername(final String expected, final String name)
    throws IOException {
  if (expected == null && name != null) {
    throw new IOException("Usernames not matched: expecting null but name=" + name);
  }
  if (name == null) {
    // name is optional, null is okay
    return;
  }
  final KerberosName kerberosName = new KerberosName(name);
  final String shortName = kerberosName.getShortName();
  if (shortName.equals(expected)) {
    return;
  }
  throw new IOException("Usernames not matched: name=" + shortName
      + " != expected=" + expected);
}
Example #10
Source File: TestProxyUserSpnegoHttpServer.java From hbase with Apache License 2.0 | 6 votes |
/**
 * Prepares {@code conf} for a SPNEGO-protected HTTP server that also allows
 * proxy-user (impersonation) requests by the {@code wheel} user.
 *
 * @param conf            configuration to populate
 * @param serverPrincipal Kerberos principal the HTTP server authenticates as
 * @param serverKeytab    keytab holding that principal's key
 * @return the same {@code conf} instance, for chaining
 */
protected static Configuration buildSpnegoConfiguration(Configuration conf,
    String serverPrincipal, File serverKeytab) {
  KerberosName.setRules("DEFAULT");
  conf.setInt(HttpServer.HTTP_MAX_THREADS, TestHttpServer.MAX_THREADS);
  // Enable Kerberos (pre-req)
  conf.set("hbase.security.authentication", "kerberos");
  conf.set(HttpServer.HTTP_UI_AUTHENTICATION, "kerberos");
  conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY, serverPrincipal);
  conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY, serverKeytab.getAbsolutePath());
  conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_ADMIN_USERS_KEY, PRIVILEGED_PRINCIPAL);
  conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PROXYUSER_ENABLE_KEY, "true");
  // Authorization must be on for the proxyuser checks to be consulted at all.
  conf.set("hadoop.security.authorization", "true");
  // "wheel" may impersonate the listed users from any host (test-only wildcard).
  conf.set("hadoop.proxyuser.wheel.hosts", "*");
  final String proxyableUsers = PRIVILEGED_PRINCIPAL + "," + UNPRIVILEGED_PRINCIPAL;
  conf.set("hadoop.proxyuser.wheel.users", proxyableUsers);
  return conf;
}
Example #11
Source File: KDCFixture.java From elasticsearch-hadoop with Apache License 2.0 | 6 votes |
/**
 * Starts a MiniKdc and points Hadoop's {@link KerberosName} at its realm.
 *
 * <p>{@code KerberosName.defaultRealm} is a static field captured once, from the
 * JVM's krb5 configuration, when the class loads. Other suites in this JVM load
 * the class long before the MiniKdc exists, so the cached realm is stale and the
 * DEFAULT auth_to_local rule would fail to map principals. The field is therefore
 * overwritten reflectively; the previous value is kept so it can be restored.
 */
@Override
protected void before() throws Throwable {
  final Properties kdcConf = MiniKdc.createConf();
  kdcConf.setProperty(MiniKdc.ORG_NAME, "BUILD.ELASTIC");
  kdcConf.setProperty(MiniKdc.ORG_DOMAIN, "CO");
  kdc = new MiniKdc(kdcConf, temporaryFolder.newFolder());
  kdc.start();

  // MiniKdc installs its krb5 conf into the JVM properties only after start(),
  // so the realm must be re-read now and pushed into the static cache.
  final Field realmField = KerberosName.class.getDeclaredField("defaultRealm");
  realmField.setAccessible(true);
  previousDefaultRealm = (String) realmField.get(null);
  realmField.set(null, KerberosUtil.getDefaultRealm());
}
Example #12
Source File: TestUserGroupInformation.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Verifies rule precedence: an explicit {@code setRules} survives implicit UGI
 * initialisation, while {@code setConfiguration} overrides whatever is current.
 */
@Test (timeout = 30000)
public void testSetConfigWithRules() {
  final String ruleA = "RULE:[1:TEST1]";
  final String ruleB = "RULE:[1:TEST2]";
  final String ruleC = "RULE:[1:TEST3]";

  UserGroupInformation.reset();
  assertFalse(KerberosName.hasRulesBeenSet());

  // An explicitly set rule is visible immediately...
  KerberosName.setRules(ruleA);
  assertTrue(KerberosName.hasRulesBeenSet());
  assertEquals(ruleA, KerberosName.getRules());
  // ...and is not clobbered by implicit initialisation.
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertEquals(ruleA, KerberosName.getRules());

  // Configuration-driven rules replace the current ones, every time.
  conf.set(HADOOP_SECURITY_AUTH_TO_LOCAL, ruleB);
  UserGroupInformation.setConfiguration(conf);
  assertEquals(ruleB, KerberosName.getRules());

  conf.set(HADOOP_SECURITY_AUTH_TO_LOCAL, ruleC);
  UserGroupInformation.setConfiguration(conf);
  assertEquals(ruleC, KerberosName.getRules());

  // Implicit init still honours the most recently installed rule.
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertEquals(ruleC, KerberosName.getRules());
}
Example #13
Source File: TestSecureRESTServer.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Points the REST server test at the MiniKDC principals.
 *
 * @param conf            configuration to populate
 * @param serverPrincipal principal the REST server uses to talk to HBase
 * @param spnegoPrincipal principal that accepts SPNEGO-authenticated HTTP calls
 * @param serverKeytab    keytab holding both principals
 */
private static void updateKerberosConfiguration(Configuration conf, String serverPrincipal,
    String spnegoPrincipal, File serverKeytab) {
  KerberosName.setRules("DEFAULT");
  final String keytabPath = serverKeytab.getAbsolutePath();
  // Enable Kerberos (pre-req)
  conf.set("hbase.security.authentication", "kerberos");
  conf.set(RESTServer.REST_AUTHENTICATION_TYPE, "kerberos");
  // User to talk to HBase as
  conf.set(RESTServer.REST_KERBEROS_PRINCIPAL, serverPrincipal);
  // User to accept SPNEGO-auth'd http calls as
  conf.set("hbase.rest.authentication.kerberos.principal", spnegoPrincipal);
  // Keytab for both principals above
  conf.set(RESTServer.REST_KEYTAB_FILE, keytabPath);
  conf.set("hbase.rest.authentication.kerberos.keytab", keytabPath);
}
Example #14
Source File: RangerBaseService.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Resolves the short user name used for resource lookup when Kerberos is in use.
 *
 * @param authType        configured authentication type, compared case-insensitively
 *                        with {@code KERBEROS_TYPE}
 * @param lookupPrincipal Kerberos principal configured for lookups
 * @param lookupKeytab    keytab path for that principal
 * @return the principal's short name, or {@code null} when auth is not Kerberos,
 *         the keytab credential is unusable, or no rule maps the principal
 */
protected String getLookupUser(String authType, String lookupPrincipal, String lookupKeytab) {
  if (StringUtils.isEmpty(authType) || !authType.equalsIgnoreCase(KERBEROS_TYPE)) {
    return null;
  }
  if (!SecureClientLogin.isKerberosCredentialExists(lookupPrincipal, lookupKeytab)) {
    return null;
  }
  final KerberosName principalName = new KerberosName(lookupPrincipal);
  try {
    return principalName.getShortName();
  } catch (IOException e) {
    // No auth_to_local rule matched; report it and fall back to "no lookup user".
    LOG.error("Unknown lookup user", e);
    return null;
  }
}
Example #15
Source File: SecureClientLogin.java From ranger with Apache License 2.0 | 5 votes |
/**
 * Logs in {@code user} with the keytab at {@code path} and returns the resulting subject.
 *
 * <p>Side effect: installs {@code nameRules} as the JVM-wide {@link KerberosName}
 * auth_to_local rules before the login is attempted.
 *
 * @param user      Kerberos principal to log in as
 * @param path      keytab file path
 * @param nameRules auth_to_local rules to install globally
 * @return the subject produced by the JAAS login
 * @throws IOException wrapping the {@link LoginException} when the login fails
 */
public synchronized static Subject loginUserFromKeytab(String user, String path, String nameRules)
    throws IOException {
  try {
    final Subject subject = new Subject();
    final SecureClientLoginConfiguration loginConf =
        new SecureClientLoginConfiguration(true, user, path);
    final LoginContext login =
        new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);
    KerberosName.setRules(nameRules);
    // Hadoop expects a User principal tagged with the auth method on the subject.
    subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));
    login.login();
    return login.getSubject();
  } catch (LoginException le) {
    throw new IOException("Login failure for " + user + " from keytab " + path, le);
  }
}
Example #16
Source File: TestSpnegoHttpServer.java From hbase with Apache License 2.0 | 5 votes |
/**
 * Minimal SPNEGO configuration for the HTTP server under test.
 *
 * @param conf            configuration to populate
 * @param serverPrincipal HTTP/SPNEGO principal of the server
 * @param serverKeytab    keytab for that principal
 * @return {@code conf}, populated
 */
private static Configuration buildSpnegoConfiguration(Configuration conf,
    String serverPrincipal, File serverKeytab) {
  KerberosName.setRules("DEFAULT");
  conf.setInt(HttpServer.HTTP_MAX_THREADS, TestHttpServer.MAX_THREADS);
  // Enable Kerberos (pre-req)
  conf.set("hbase.security.authentication", "kerberos");
  conf.set(HttpServer.HTTP_UI_AUTHENTICATION, "kerberos");
  final String keytabPath = serverKeytab.getAbsolutePath();
  conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY, serverPrincipal);
  conf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY, keytabPath);
  return conf;
}
Example #17
Source File: SecureUserConnectionsIT.java From phoenix with Apache License 2.0 | 5 votes |
/**
 * Forces {@code KerberosName.defaultRealm} to the MiniKDC realm.
 *
 * <p>The static field is populated when the class first loads; (at least) one
 * other Phoenix test triggers that before the KDC is up, so the cached realm is
 * wrong and principal parsing fails. The previous value is not remembered, so
 * this cannot be undone afterwards.
 *
 * @throws Exception on reflective access failure
 */
private static void updateDefaultRealm() throws Exception {
  final Field realmField = KerberosName.class.getDeclaredField("defaultRealm");
  realmField.setAccessible(true);
  // Default realm for MiniKDC
  realmField.set(null, "EXAMPLE.COM");
}
Example #18
Source File: TestSecureLogins.java From big-c with Apache License 2.0 | 5 votes |
/**
 * Asserts that the auth_to_local rules installed by the secure-test setup are
 * present and equal to {@code kerberosRule}.
 */
@Test
public void testKerberosRulesValid() throws Throwable {
  assertTrue("!KerberosName.hasRulesBeenSet()", KerberosName.hasRulesBeenSet());
  final String activeRules = KerberosName.getRules();
  assertEquals(kerberosRule, activeRules);
  LOG.info(activeRules);
}
Example #19
Source File: TestUserGroupInformation.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * Explicit rules win over implicit UGI initialisation; rules taken from a
 * Configuration replace whatever is current, and later implicit init keeps them.
 */
@Test (timeout = 30000)
public void testSetConfigWithRules() {
  final String[] candidateRules = { "RULE:[1:TEST1]", "RULE:[1:TEST2]", "RULE:[1:TEST3]" };

  // explicitly set a rule
  UserGroupInformation.reset();
  assertFalse(KerberosName.hasRulesBeenSet());
  KerberosName.setRules(candidateRules[0]);
  assertTrue(KerberosName.hasRulesBeenSet());
  assertEquals(candidateRules[0], KerberosName.getRules());

  // implicit init should honor rules already being set
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertEquals(candidateRules[0], KerberosName.getRules());

  // each setConfiguration call overrides the rules in force
  for (int i = 1; i < candidateRules.length; i++) {
    conf.set(HADOOP_SECURITY_AUTH_TO_LOCAL, candidateRules[i]);
    UserGroupInformation.setConfiguration(conf);
    assertEquals(candidateRules[i], KerberosName.getRules());
  }

  // implicit init should honor rules already being set
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertEquals(candidateRules[2], KerberosName.getRules());
}
Example #20
Source File: TestSecureLogins.java From hadoop with Apache License 2.0 | 5 votes |
/**
 * The secure-test setup must have installed auth_to_local rules, and they must
 * be exactly {@code kerberosRule}.
 */
@Test
public void testKerberosRulesValid() throws Throwable {
  assertTrue("!KerberosName.hasRulesBeenSet()", KerberosName.hasRulesBeenSet());
  final String installedRules = KerberosName.getRules();
  assertEquals(kerberosRule, installedRules);
  LOG.info(installedRules);
}
Example #21
Source File: TokenExtractor.java From NNAnalytics with Apache License 2.0 | 5 votes |
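/**
 * Extract the last seen DelegationTokens from FSNamesystem.
 *
 * <p>Each token contributes its issue date under the token owner's service name
 * and, when a real user is present and differs from the owner, under the real
 * user's service name as well. When a user holds several tokens the most recent
 * issue date is kept.
 *
 * @return map of user names to last timestamp of token seen; a placeholder map
 *         ({@code hdfs} → now, {@code n/a} → -1) when no namesystem or token
 *         manager is attached
 */
public Map<String, Long> getTokenLastLogins() {
  if (fsn == null || dtsm == null) {
    // Plain map rather than double-brace initialisation: the anonymous subclass
    // would capture this TokenExtractor instance and is not serialisable.
    Map<String, Long> placeholder = new HashMap<>();
    placeholder.put("hdfs", System.currentTimeMillis());
    placeholder.put("n/a", -1L);
    return placeholder;
  }
  Map<String, Long> lastLogins = new HashMap<>();
  // The token table is only read here; the write lock is kept as in the original
  // because no read-side guard for dtsm.currentTokens is visible.
  fsn.writeLock();
  try {
    for (Map.Entry<DelegationTokenIdentifier, DelegationTokenInformation> entry
        : dtsm.currentTokens.entrySet()) {
      DelegationTokenIdentifier id = entry.getKey();
      Text owner = id.getOwner();
      Text realUser = id.getRealUser();
      long issued = id.getIssueDate();
      recordLogin(lastLogins, owner, issued);
      if ((realUser != null) && (!realUser.toString().isEmpty()) && !realUser.equals(owner)) {
        recordLogin(lastLogins, realUser, issued);
      }
    }
    return lastLogins;
  } finally {
    fsn.writeUnlock();
  }
}

/**
 * Records {@code issued} under {@code user}'s service name, keeping the newest
 * value. entrySet() order is unspecified, so a plain put would make "last seen"
 * depend on iteration order rather than on the issue dates.
 */
private static void recordLogin(Map<String, Long> logins, Text user, long issued) {
  String serviceName = new KerberosName(user.toString()).getServiceName();
  logins.merge(serviceName, issued, Long::max);
}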
Example #22
Source File: TestingTools.java From gcp-token-broker with Apache License 2.0 | 4 votes |
/**
 * Switches Hadoop's UGI into Kerberos mode with DEFAULT name-mapping rules so
 * that test principals resolve to short user names.
 */
static void initHadoop() {
  final Configuration hadoopConf = new Configuration();
  hadoopConf.set("hadoop.security.authentication", "kerberos");
  // JVM-wide static state: affects every UGI/KerberosName lookup from here on.
  UserGroupInformation.setConfiguration(hadoopConf);
  KerberosName.setRules("DEFAULT");
}
Example #23
Source File: TestGetImageServlet.java From big-c with Apache License 2.0 | 4 votes |
/**
 * Verifies which principals {@code ImageServlet.isValidRequestor} accepts: the
 * other NameNode of the nameservice, any configured admin, and nobody else.
 */
@Test
public void testIsValidRequestor() throws IOException {
  Configuration conf = new HdfsConfiguration();
  // Map "user@REALM" and "user/host@REALM" to "user" so short-name checks work.
  KerberosName.setRules("RULE:[1:$1]\nRULE:[2:$1]");

  // Set up generic HA configs.
  conf.set(DFSConfigKeys.DFS_NAMESERVICES, "ns1");
  conf.set(DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_HA_NAMENODES_KEY_PREFIX, "ns1"),
      "nn1,nn2");

  // Set up NN1 HA configs.
  conf.set(DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_NAMENODE_RPC_ADDRESS_KEY, "ns1", "nn1"),
      "host1:1234");
  conf.set(DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY, "ns1", "nn1"),
      "hdfs/[email protected]");

  // Set up NN2 HA configs.
  conf.set(DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_NAMENODE_RPC_ADDRESS_KEY, "ns1", "nn2"),
      "host2:1234");
  conf.set(DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY, "ns1", "nn2"),
      "hdfs/[email protected]");

  // Initialize this conf object as though we're running on NN1.
  NameNode.initializeGenericKeys(conf, "ns1", "nn1");

  AccessControlList acls = Mockito.mock(AccessControlList.class);
  Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(false);
  ServletContext context = Mockito.mock(ServletContext.class);
  Mockito.when(context.getAttribute(HttpServer2.ADMINS_ACL)).thenReturn(acls);

  // Make sure that NN2 is considered a valid fsimage/edits requestor.
  assertTrue(ImageServlet.isValidRequestor(context, "hdfs/[email protected]", conf));

  // Mark atm as an admin.
  ArgumentMatcher<UserGroupInformation> isAtm = new ArgumentMatcher<UserGroupInformation>() {
    @Override
    public boolean matches(Object argument) {
      return ((UserGroupInformation) argument).getShortUserName().equals("atm");
    }
  };
  Mockito.when(acls.isUserAllowed(Mockito.argThat(isAtm))).thenReturn(true);

  // Make sure that NN2 is still considered a valid requestor.
  assertTrue(ImageServlet.isValidRequestor(context, "hdfs/[email protected]", conf));

  // Make sure an admin is considered a valid requestor.
  assertTrue(ImageServlet.isValidRequestor(context, "[email protected]", conf));

  // Make sure other users are *not* considered valid requestors.
  assertFalse(ImageServlet.isValidRequestor(context, "[email protected]", conf));
}
Example #24
Source File: TestJHSDelegationTokenSecretManager.java From big-c with Apache License 2.0 | 4 votes |
/**
 * Exercises the JHS delegation-token secret manager's state-store recovery:
 * keys and tokens survive a restart, sequence numbers continue, cancelled
 * tokens stay cancelled, and cancellation is authorised against the owner
 * (so a full-principal owner needs auth_to_local rules to be mapped).
 */
@Test
public void testRecovery() throws IOException {
  Configuration conf = new Configuration();
  HistoryServerStateStoreService store = new HistoryServerMemStateStoreService();
  store.init(conf);
  store.start();
  JHSDelegationTokenSecretManagerForTest mgr = new JHSDelegationTokenSecretManagerForTest(store);
  mgr.startThreads();
  MRDelegationTokenIdentifier tokenId1 = new MRDelegationTokenIdentifier(
      new Text("tokenOwner"), new Text("tokenRenewer"), new Text("tokenUser"));
  Token<MRDelegationTokenIdentifier> token1 = new Token<MRDelegationTokenIdentifier>(tokenId1, mgr);
  MRDelegationTokenIdentifier tokenId2 = new MRDelegationTokenIdentifier(
      new Text("tokenOwner"), new Text("tokenRenewer"), new Text("tokenUser"));
  Token<MRDelegationTokenIdentifier> token2 = new Token<MRDelegationTokenIdentifier>(tokenId2, mgr);
  DelegationKey[] keys = mgr.getAllKeys();
  long tokenRenewDate1 = mgr.getAllTokens().get(tokenId1).getRenewDate();
  long tokenRenewDate2 = mgr.getAllTokens().get(tokenId2).getRenewDate();
  // Simulate a restart: a new manager instance recovering from the same store.
  mgr.stopThreads();
  mgr = new JHSDelegationTokenSecretManagerForTest(store);
  mgr.recover(store.loadState());
  List<DelegationKey> recoveredKeys = Arrays.asList(mgr.getAllKeys());
  for (DelegationKey key : keys) {
    assertTrue("key missing after recovery", recoveredKeys.contains(key));
  }
  assertTrue("token1 missing", mgr.getAllTokens().containsKey(tokenId1));
  assertEquals("token1 renew date", tokenRenewDate1,
      mgr.getAllTokens().get(tokenId1).getRenewDate());
  assertTrue("token2 missing", mgr.getAllTokens().containsKey(tokenId2));
  assertEquals("token2 renew date", tokenRenewDate2,
      mgr.getAllTokens().get(tokenId2).getRenewDate());
  mgr.startThreads();
  // Recovered keys must still validate passwords issued before the restart.
  mgr.verifyToken(tokenId1, token1.getPassword());
  mgr.verifyToken(tokenId2, token2.getPassword());
  MRDelegationTokenIdentifier tokenId3 = new MRDelegationTokenIdentifier(
      new Text("tokenOwner"), new Text("tokenRenewer"), new Text("tokenUser"));
  Token<MRDelegationTokenIdentifier> token3 = new Token<MRDelegationTokenIdentifier>(tokenId3, mgr);
  assertEquals("sequence number restore", tokenId2.getSequenceNumber() + 1,
      tokenId3.getSequenceNumber());
  mgr.cancelToken(token1, "tokenOwner");
  // Testing with full principal name
  MRDelegationTokenIdentifier tokenIdFull = new MRDelegationTokenIdentifier(
      new Text("tokenOwner/localhost@LOCALHOST"), new Text("tokenRenewer"), new Text("tokenUser"));
  // JVM-wide rules: "user@REALM" and "user/host@REALM" both map to the bare user.
  KerberosName.setRules("RULE:[1:$1]\nRULE:[2:$1]");
  Token<MRDelegationTokenIdentifier> tokenFull = new Token<MRDelegationTokenIdentifier>(
      tokenIdFull, mgr);
  // Negative test
  // NOTE(review): there is no fail() after cancelToken, so this branch only
  // checks the message *if* an exception is thrown; a silently successful
  // cancel would go unnoticed here.
  try {
    mgr.cancelToken(tokenFull, "tokenOwner");
  } catch (AccessControlException ace) {
    assertTrue(ace.getMessage().contains(
        "is not authorized to cancel the token"));
  }
  // Succeed to cancel with full principal
  mgr.cancelToken(tokenFull, tokenIdFull.getOwner().toString());
  long tokenRenewDate3 = mgr.getAllTokens().get(tokenId3).getRenewDate();
  // Second restart: the cancelled token1 must not come back.
  mgr.stopThreads();
  mgr = new JHSDelegationTokenSecretManagerForTest(store);
  mgr.recover(store.loadState());
  assertFalse("token1 should be missing", mgr.getAllTokens().containsKey(tokenId1));
  assertTrue("token2 missing", mgr.getAllTokens().containsKey(tokenId2));
  assertEquals("token2 renew date", tokenRenewDate2,
      mgr.getAllTokens().get(tokenId2).getRenewDate());
  assertTrue("token3 missing", mgr.getAllTokens().containsKey(tokenId3));
  assertEquals("token3 renew date", tokenRenewDate3,
      mgr.getAllTokens().get(tokenId3).getRenewDate());
  mgr.startThreads();
  mgr.verifyToken(tokenId2, token2.getPassword());
  mgr.verifyToken(tokenId3, token3.getPassword());
  mgr.stopThreads();
}
Example #25
Source File: MiscUtil.java From ranger with Apache License 2.0 | 4 votes |
/**
 * Exposes the auth_to_local rules currently installed in {@link KerberosName}.
 *
 * @return the active rule string; may be {@code null} (callers elsewhere in this
 *         project compare the result against {@code null})
 */
public static String getKerberosNamesRules() {
  final String activeRules = KerberosName.getRules();
  return activeRules;
}
Example #26
Source File: TestGetImageServlet.java From hadoop with Apache License 2.0 | 4 votes |
/**
 * {@code ImageServlet.isValidRequestor} must accept the peer NameNode of the
 * nameservice and any admin principal, and reject everyone else.
 */
@Test
public void testIsValidRequestor() throws IOException {
  Configuration conf = new HdfsConfiguration();
  // Map "user@REALM" and "user/host@REALM" to "user" so short-name checks work.
  KerberosName.setRules("RULE:[1:$1]\nRULE:[2:$1]");

  // Set up generic HA configs.
  conf.set(DFSConfigKeys.DFS_NAMESERVICES, "ns1");
  conf.set(DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_HA_NAMENODES_KEY_PREFIX, "ns1"),
      "nn1,nn2");

  // Set up NN1 HA configs.
  conf.set(DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_NAMENODE_RPC_ADDRESS_KEY, "ns1", "nn1"),
      "host1:1234");
  conf.set(DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY, "ns1", "nn1"),
      "hdfs/[email protected]");

  // Set up NN2 HA configs.
  conf.set(DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_NAMENODE_RPC_ADDRESS_KEY, "ns1", "nn2"),
      "host2:1234");
  conf.set(DFSUtil.addKeySuffixes(DFSConfigKeys.DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY, "ns1", "nn2"),
      "hdfs/[email protected]");

  // Initialize this conf object as though we're running on NN1.
  NameNode.initializeGenericKeys(conf, "ns1", "nn1");

  // By default the ACL admits nobody; admins are added below.
  AccessControlList acls = Mockito.mock(AccessControlList.class);
  Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(false);
  ServletContext context = Mockito.mock(ServletContext.class);
  Mockito.when(context.getAttribute(HttpServer2.ADMINS_ACL)).thenReturn(acls);

  // Make sure that NN2 is considered a valid fsimage/edits requestor.
  assertTrue(ImageServlet.isValidRequestor(context, "hdfs/[email protected]", conf));

  // Mark atm as an admin.
  ArgumentMatcher<UserGroupInformation> isAtmUser = new ArgumentMatcher<UserGroupInformation>() {
    @Override
    public boolean matches(Object argument) {
      return ((UserGroupInformation) argument).getShortUserName().equals("atm");
    }
  };
  Mockito.when(acls.isUserAllowed(Mockito.argThat(isAtmUser))).thenReturn(true);

  // Make sure that NN2 is still considered a valid requestor.
  assertTrue(ImageServlet.isValidRequestor(context, "hdfs/[email protected]", conf));

  // Make sure an admin is considered a valid requestor.
  assertTrue(ImageServlet.isValidRequestor(context, "[email protected]", conf));

  // Make sure other users are *not* considered valid requestors.
  assertFalse(ImageServlet.isValidRequestor(context, "[email protected]", conf));
}
Example #27
Source File: TestJHSDelegationTokenSecretManager.java From hadoop with Apache License 2.0 | 4 votes |
/**
 * Exercises the JHS delegation-token secret manager's state-store recovery:
 * keys and tokens survive a restart, sequence numbers continue, cancelled
 * tokens stay cancelled, and cancellation is authorised against the owner
 * (so a full-principal owner needs auth_to_local rules to be mapped).
 */
@Test
public void testRecovery() throws IOException {
  Configuration conf = new Configuration();
  HistoryServerStateStoreService store = new HistoryServerMemStateStoreService();
  store.init(conf);
  store.start();
  JHSDelegationTokenSecretManagerForTest mgr = new JHSDelegationTokenSecretManagerForTest(store);
  mgr.startThreads();
  MRDelegationTokenIdentifier tokenId1 = new MRDelegationTokenIdentifier(
      new Text("tokenOwner"), new Text("tokenRenewer"), new Text("tokenUser"));
  Token<MRDelegationTokenIdentifier> token1 = new Token<MRDelegationTokenIdentifier>(tokenId1, mgr);
  MRDelegationTokenIdentifier tokenId2 = new MRDelegationTokenIdentifier(
      new Text("tokenOwner"), new Text("tokenRenewer"), new Text("tokenUser"));
  Token<MRDelegationTokenIdentifier> token2 = new Token<MRDelegationTokenIdentifier>(tokenId2, mgr);
  DelegationKey[] keys = mgr.getAllKeys();
  long tokenRenewDate1 = mgr.getAllTokens().get(tokenId1).getRenewDate();
  long tokenRenewDate2 = mgr.getAllTokens().get(tokenId2).getRenewDate();
  // Simulate a restart: a new manager instance recovering from the same store.
  mgr.stopThreads();
  mgr = new JHSDelegationTokenSecretManagerForTest(store);
  mgr.recover(store.loadState());
  List<DelegationKey> recoveredKeys = Arrays.asList(mgr.getAllKeys());
  for (DelegationKey key : keys) {
    assertTrue("key missing after recovery", recoveredKeys.contains(key));
  }
  assertTrue("token1 missing", mgr.getAllTokens().containsKey(tokenId1));
  assertEquals("token1 renew date", tokenRenewDate1,
      mgr.getAllTokens().get(tokenId1).getRenewDate());
  assertTrue("token2 missing", mgr.getAllTokens().containsKey(tokenId2));
  assertEquals("token2 renew date", tokenRenewDate2,
      mgr.getAllTokens().get(tokenId2).getRenewDate());
  mgr.startThreads();
  // Recovered keys must still validate passwords issued before the restart.
  mgr.verifyToken(tokenId1, token1.getPassword());
  mgr.verifyToken(tokenId2, token2.getPassword());
  MRDelegationTokenIdentifier tokenId3 = new MRDelegationTokenIdentifier(
      new Text("tokenOwner"), new Text("tokenRenewer"), new Text("tokenUser"));
  Token<MRDelegationTokenIdentifier> token3 = new Token<MRDelegationTokenIdentifier>(tokenId3, mgr);
  assertEquals("sequence number restore", tokenId2.getSequenceNumber() + 1,
      tokenId3.getSequenceNumber());
  mgr.cancelToken(token1, "tokenOwner");
  // Testing with full principal name
  MRDelegationTokenIdentifier tokenIdFull = new MRDelegationTokenIdentifier(
      new Text("tokenOwner/localhost@LOCALHOST"), new Text("tokenRenewer"), new Text("tokenUser"));
  // JVM-wide rules: "user@REALM" and "user/host@REALM" both map to the bare user.
  KerberosName.setRules("RULE:[1:$1]\nRULE:[2:$1]");
  Token<MRDelegationTokenIdentifier> tokenFull = new Token<MRDelegationTokenIdentifier>(
      tokenIdFull, mgr);
  // Negative test
  // NOTE(review): there is no fail() after cancelToken, so this branch only
  // checks the message *if* an exception is thrown; a silently successful
  // cancel would go unnoticed here.
  try {
    mgr.cancelToken(tokenFull, "tokenOwner");
  } catch (AccessControlException ace) {
    assertTrue(ace.getMessage().contains(
        "is not authorized to cancel the token"));
  }
  // Succeed to cancel with full principal
  mgr.cancelToken(tokenFull, tokenIdFull.getOwner().toString());
  long tokenRenewDate3 = mgr.getAllTokens().get(tokenId3).getRenewDate();
  // Second restart: the cancelled token1 must not come back.
  mgr.stopThreads();
  mgr = new JHSDelegationTokenSecretManagerForTest(store);
  mgr.recover(store.loadState());
  assertFalse("token1 should be missing", mgr.getAllTokens().containsKey(tokenId1));
  assertTrue("token2 missing", mgr.getAllTokens().containsKey(tokenId2));
  assertEquals("token2 renew date", tokenRenewDate2,
      mgr.getAllTokens().get(tokenId2).getRenewDate());
  assertTrue("token3 missing", mgr.getAllTokens().containsKey(tokenId3));
  assertEquals("token3 renew date", tokenRenewDate3,
      mgr.getAllTokens().get(tokenId3).getRenewDate());
  mgr.startThreads();
  mgr.verifyToken(tokenId2, token2.getPassword());
  mgr.verifyToken(tokenId3, token3.getPassword());
  mgr.stopThreads();
}
Example #28
Source File: LogsearchKRBAuthenticationFilter.java From ambari-logsearch with Apache License 2.0 | 4 votes |
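/**
 * SPNEGO entry point for Log Search.
 *
 * <p>Requests outside the protected path set go straight down the chain. For a
 * protected request, when SPNEGO is enabled and the session holds no authenticated
 * Spring Security context yet, the Kerberos user name is read from the request and
 * a session-scoped authentication carrying {@code DEFAULT_USER_ROLE} is created for
 * it; when no user name can be obtained the parent filter handles the request.
 *
 * @param request     incoming request (cast to {@link HttpServletRequest})
 * @param response    servlet response
 * @param filterChain remaining filter chain
 * @throws IOException      propagated from the chain
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
    throws IOException, ServletException {
  HttpServletRequest httpRequest = (HttpServletRequest) request;
  if (!requestMatcher.matches(httpRequest)) {
    filterChain.doFilter(request, response);
    return;
  }
  logger.debug("LogsearchKRBAuthenticationFilter public filter path >>>>" + httpRequest.getPathInfo());
  // getSession(true) allocates a session for every matching request, authenticated or not.
  SecurityContextImpl securityContextImpl = (SecurityContextImpl) httpRequest
      .getSession(true).getAttribute("SPRING_SECURITY_CONTEXT");
  Authentication existingAuth =
      securityContextImpl == null ? null : securityContextImpl.getAuthentication();
  boolean alreadyAuthenticated = existingAuth != null && existingAuth.isAuthenticated();

  if (isLoginRequest(httpRequest) || !spnegoEnable || alreadyAuthenticated) {
    filterChain.doFilter(request, response);
    return;
  }
  // JVM-wide static: every KerberosName in this process now uses these rules.
  KerberosName.setRules(logSearchSpnegoConfig.getNameRules());
  String userName = getUsernameFromRequest(httpRequest);
  // The redundant re-check of existingAuth from the original is dropped: it was
  // already established as unauthenticated above and is not modified in between.
  if (StringUtils.isNotEmpty(userName)) {
    // We got the user name from the token, so log into Logsearch as that user.
    establishSession(httpRequest, userName);
    request.setAttribute("spnegoEnabled", true);
    logger.info("Logged into Logsearch as = " + userName);
  } else {
    try {
      super.doFilter(request, response, filterChain);
    } catch (Exception e) {
      // Best-effort handling kept from the original; the throwable is now
      // logged too so an authentication failure here is diagnosable.
      logger.error("Error LogsearchKRBAuthenticationFilter : " + e.getMessage(), e);
    }
  }
}

/**
 * Builds a Spring Security authentication for {@code userName} with the default
 * role, runs it through {@code authenticate}/{@code getGrantedAuthority}, and
 * stores the result in the security context.
 */
private void establishSession(HttpServletRequest httpRequest, String userName) {
  final List<GrantedAuthority> grantedAuths = new ArrayList<>();
  grantedAuths.add(new SimpleGrantedAuthority(DEFAULT_USER_ROLE));
  final UserDetails principal = new User(userName, "", grantedAuths);
  final Authentication finalAuthentication =
      new UsernamePasswordAuthenticationToken(principal, "", grantedAuths);
  WebAuthenticationDetails webDetails = new WebAuthenticationDetails(httpRequest);
  ((AbstractAuthenticationToken) finalAuthentication).setDetails(webDetails);
  Authentication authentication = this.authenticate(finalAuthentication);
  authentication = getGrantedAuthority(authentication);
  SecurityContextHolder.getContext().setAuthentication(authentication);
}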
Example #29
Source File: AbstractSecureRegistryTest.java From big-c with Apache License 2.0 | 3 votes |
/**
 * Init hadoop security by setting up the UGI config and then the principal
 * mapping rules the secure registry tests expect.
 *
 * <p>Order matters: {@code setConfiguration} may itself install rules from the
 * configuration, so the explicit {@code setRules} comes afterwards.
 */
public static void initHadoopSecurity() {
  // Both calls mutate JVM-wide static state shared by every test in the process.
  UserGroupInformation.setConfiguration(CONF);
  KerberosName.setRules(kerberosRule);
}
Example #30
Source File: AbstractSecureRegistryTest.java From hadoop with Apache License 2.0 | 3 votes |
/**
 * Init hadoop security: apply the shared UGI configuration, then pin the
 * auth_to_local rules to {@code kerberosRule}.
 *
 * <p>The rules are set after the configuration on purpose, since applying a
 * configuration can replace whatever rules are current.
 */
public static void initHadoopSecurity() {
  UserGroupInformation.setConfiguration(CONF);
  // JVM-wide static state shared by every test in the process.
  KerberosName.setRules(kerberosRule);
}