Java Code Examples for org.apache.hadoop.security.UserGroupInformation#createProxyUserForTesting()

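The following examples show how to use org.apache.hadoop.security.UserGroupInformation#createProxyUserForTesting(). The examples shown here all come from test or benchmark classes: the method builds a proxy-user UGI with caller-supplied group names and is meant for test setup, not as a pattern for production impersonation. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.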
Example 1
Source File: TestDelegationTokenForProxyUser.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Starts one MiniDFSCluster for the whole test class and creates the
 * real-user / proxy-user pair that the tests operate on.
 *
 * The impersonation rules are written into the configuration before the
 * cluster is built and loaded into ProxyUsers once it is active.
 */
@BeforeClass
public static void setUp() throws Exception {
  config = new HdfsConfiguration();

  // Configuration key listing the groups whose members REAL_USER may
  // impersonate.
  final String proxyGroupsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserGroupConfKey(REAL_USER);

  config.setBoolean(DFSConfigKeys.DFS_WEBHDFS_ENABLED_KEY, true);
  // Test-only switch: keeps the delegation-token secret manager active even
  // though this mini cluster runs without Kerberos.
  config.setBoolean(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_ALWAYS_USE_KEY, true);

  // Deliberately short token lifetimes (milliseconds).
  config.setLong(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY, 10000);
  config.setLong(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY, 5000);

  // REAL_USER may only act on behalf of members of "group1" ...
  config.setStrings(proxyGroupsKey, "group1");
  // ... and only from the addresses set up by this helper (defined elsewhere
  // in the test class).
  configureSuperUserIPAddresses(config, REAL_USER);

  FileSystem.setDefaultUri(config, "hdfs://localhost:0");
  cluster = new MiniDFSCluster.Builder(config).build();
  cluster.waitActive();

  // Load the impersonation rules set above into the static ProxyUsers state.
  ProxyUsers.refreshSuperUserGroupsConfiguration(config);

  ugi = UserGroupInformation.createRemoteUser(REAL_USER);
  // Test helper: the proxied user's groups are supplied directly here.
  proxyUgi = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER, ugi, GROUP_NAMES);
}
 
Example 2
Source File: TestProxyUsers.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Checks that the host rule for a proxy superuser may be an address range:
 * impersonation is accepted from an address the test treats as inside
 * PROXY_IP_RANGE and rejected from one it treats as outside.
 */
@Test
public void testIPRange() {
  final Configuration conf = new Configuration();
  final String groupsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserGroupConfKey(REAL_USER_NAME);
  final String hostsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserIpConfKey(REAL_USER_NAME);

  // "*" puts no restriction on the proxied user's groups, so the source
  // address is the only thing this test varies.
  conf.set(groupsKey, "*");
  conf.set(hostsKey, PROXY_IP_RANGE);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  final UserGroupInformation superUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation impersonated =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, superUser, GROUP_NAMES);

  // PROXY_IP_RANGE is defined outside this excerpt; the first address is
  // expected to fall inside it, the second outside.
  assertAuthorized(impersonated, "10.222.0.0");
  assertNotAuthorized(impersonated, "10.221.0.0");
}
 
Example 3
Source File: TestProxyUsers.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Checks that the host rule for a proxy superuser may be an address range:
 * impersonation is accepted from an address the test treats as inside
 * PROXY_IP_RANGE and rejected from one it treats as outside.
 */
@Test
public void testIPRange() {
  final Configuration conf = new Configuration();
  final String groupsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserGroupConfKey(REAL_USER_NAME);
  final String hostsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserIpConfKey(REAL_USER_NAME);

  // "*" puts no restriction on the proxied user's groups, so the source
  // address is the only thing this test varies.
  conf.set(groupsKey, "*");
  conf.set(hostsKey, PROXY_IP_RANGE);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  final UserGroupInformation superUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation impersonated =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, superUser, GROUP_NAMES);

  // PROXY_IP_RANGE is defined outside this excerpt; the first address is
  // expected to fall inside it, the second outside.
  assertAuthorized(impersonated, "10.222.0.0");
  assertNotAuthorized(impersonated, "10.221.0.0");
}
 
Example 4
Source File: TestDelegationTokenForProxyUser.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Starts one MiniDFSCluster for the whole test class and creates the
 * real-user / proxy-user pair that the tests operate on.
 *
 * The impersonation rules are written into the configuration before the
 * cluster is built and loaded into ProxyUsers once it is active.
 */
@BeforeClass
public static void setUp() throws Exception {
  config = new HdfsConfiguration();

  // Configuration key listing the groups whose members REAL_USER may
  // impersonate.
  final String proxyGroupsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserGroupConfKey(REAL_USER);

  config.setBoolean(DFSConfigKeys.DFS_WEBHDFS_ENABLED_KEY, true);
  // Test-only switch: keeps the delegation-token secret manager active even
  // though this mini cluster runs without Kerberos.
  config.setBoolean(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_ALWAYS_USE_KEY, true);

  // Deliberately short token lifetimes (milliseconds).
  config.setLong(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY, 10000);
  config.setLong(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY, 5000);

  // REAL_USER may only act on behalf of members of "group1" ...
  config.setStrings(proxyGroupsKey, "group1");
  // ... and only from the addresses set up by this helper (defined elsewhere
  // in the test class).
  configureSuperUserIPAddresses(config, REAL_USER);

  FileSystem.setDefaultUri(config, "hdfs://localhost:0");
  cluster = new MiniDFSCluster.Builder(config).build();
  cluster.waitActive();

  // Load the impersonation rules set above into the static ProxyUsers state.
  ProxyUsers.refreshSuperUserGroupsConfiguration(config);

  ugi = UserGroupInformation.createRemoteUser(REAL_USER);
  // Test helper: the proxied user's groups are supplied directly here.
  proxyUgi = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER, ugi, GROUP_NAMES);
}
 
Example 5
Source File: TestProxyUsers.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Checks the fail-closed case: a proxy rule that names the allowed users but
 * no hosts must not authorize impersonation from any address.
 */
@Test
public void testNoHostsForUsers() throws Exception {
  // Configuration(false): start empty, without loading default resources.
  final Configuration conf = new Configuration(false);
  final String allowedUsers =
      StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME));
  // Only the ".users" entry is set under the custom prefix "y"; no ".hosts"
  // entry is configured.
  conf.set("y." + REAL_USER_NAME + ".users", allowedUsers);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "y");

  final UserGroupInformation superUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation impersonated =
      UserGroupInformation.createProxyUserForTesting(
          AUTHORIZED_PROXY_USER_NAME, superUser, GROUP_NAMES);

  // The proxied user is on the allowed list, yet the request is refused:
  // without a hosts rule the address cannot match.
  assertNotAuthorized(impersonated, "1.2.3.4");
}
 
Example 6
Source File: TestProxyUsers.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Micro-benchmark for ProxyUsers.authorize: runs 999,999 authorization
 * checks against random addresses of the form 1.2.3.N and prints the elapsed
 * time in milliseconds.
 *
 * @param ipString  value stored as the hosts rule for REAL_USER_NAME
 * @param testRange exclusive upper bound for the random last octet N
 */
public static void loadTest(String ipString, int testRange) {
  final Configuration conf = new Configuration();
  final String groupsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserGroupConfKey(REAL_USER_NAME);
  final String allowedGroups = StringUtils.join(",", Arrays.asList(GROUP_NAMES));
  final String hostsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserIpConfKey(REAL_USER_NAME);

  conf.set(groupsKey, allowedGroups);
  conf.set(hostsKey, ipString);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // The proxied user belongs to the allowed groups, so only the address
  // decides each outcome.
  final UserGroupInformation superUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation impersonated =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, superUser, GROUP_NAMES);

  // Note: the SecureRandom set-up and every nextInt call fall inside the
  // timed window, so the figure is not the cost of authorize() alone.
  final long begin = System.nanoTime();
  final SecureRandom random = new SecureRandom();
  for (int attempt = 1; attempt < 1000000; attempt++) {
    final String callerIp = "1.2.3." + random.nextInt(testRange);
    try {
      ProxyUsers.authorize(impersonated, callerIp);
    } catch (AuthorizationException ignored) {
      // Denials are an expected outcome here; only throughput is measured.
    }
  }
  final long elapsedMillis = (System.nanoTime() - begin) / 1000000;
  System.out.println(elapsedMillis + " ms");
}
 
Example 7
Source File: TestProxyUsers.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Checks the "*" users rule: any proxied user is accepted, but the host rule
 * (PROXY_IP) still applies.
 */
@Test
public void testWildcardUser() {
  final Configuration conf = new Configuration();
  final String usersKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserUserConfKey(REAL_USER_NAME);
  final String hostsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserIpConfKey(REAL_USER_NAME);

  // A wildcard users rule lets REAL_USER_NAME act as anyone; the host rule is
  // the only remaining restriction.
  conf.set(usersKey, "*");
  conf.set(hostsKey, PROXY_IP);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // Scenario 1: a proxied user that is allowed.
  final UserGroupInformation firstRealUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation firstProxy =
      UserGroupInformation.createProxyUserForTesting(
          AUTHORIZED_PROXY_USER_NAME, firstRealUser, GROUP_NAMES);

  assertAuthorized(firstProxy, "1.2.3.4");     // from good IP
  assertNotAuthorized(firstProxy, "1.2.3.5");  // from bad IP

  // Scenario 2: a different proxied user with different groups, to make sure
  // nothing spills over from the other test case. The outcome is the same.
  final UserGroupInformation secondRealUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation secondProxy =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, secondRealUser, OTHER_GROUP_NAMES);

  assertAuthorized(secondProxy, "1.2.3.4");     // from good IP
  assertNotAuthorized(secondProxy, "1.2.3.5");  // from bad IP
}
 
Example 8
Source File: TestProxyUsers.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Checks the fail-closed case: a proxy rule that names the allowed users but
 * no hosts must not authorize impersonation from any address.
 */
@Test
public void testNoHostsForUsers() throws Exception {
  // Configuration(false): start empty, without loading default resources.
  final Configuration conf = new Configuration(false);
  final String allowedUsers =
      StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME));
  // Only the ".users" entry is set under the custom prefix "y"; no ".hosts"
  // entry is configured.
  conf.set("y." + REAL_USER_NAME + ".users", allowedUsers);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "y");

  final UserGroupInformation superUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation impersonated =
      UserGroupInformation.createProxyUserForTesting(
          AUTHORIZED_PROXY_USER_NAME, superUser, GROUP_NAMES);

  // The proxied user is on the allowed list, yet the request is refused:
  // without a hosts rule the address cannot match.
  assertNotAuthorized(impersonated, "1.2.3.4");
}
 
Example 9
Source File: TestProxyUsers.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Checks a user-based proxy rule: REAL_USER_NAME may impersonate only the
 * listed user, and only from PROXY_IP.
 */
@Test
public void testProxyUsersWithUserConf() throws Exception {
  final Configuration conf = new Configuration();
  final String usersKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserUserConfKey(REAL_USER_NAME);
  final String allowedUsers =
      StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME));
  final String hostsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserIpConfKey(REAL_USER_NAME);

  conf.set(usersKey, allowedUsers);
  conf.set(hostsKey, PROXY_IP);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // Scenario 1: the proxied user is on the allowed list.
  final UserGroupInformation allowedRealUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation allowedProxy =
      UserGroupInformation.createProxyUserForTesting(
          AUTHORIZED_PROXY_USER_NAME, allowedRealUser, GROUP_NAMES);

  assertAuthorized(allowedProxy, "1.2.3.4");     // from good IP
  assertNotAuthorized(allowedProxy, "1.2.3.5");  // from bad IP

  // Scenario 2: the proxied user is not on the list. A matching source
  // address must not be enough on its own.
  final UserGroupInformation deniedRealUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation deniedProxy =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, deniedRealUser, GROUP_NAMES);

  assertNotAuthorized(deniedProxy, "1.2.3.4");  // from good IP
  assertNotAuthorized(deniedProxy, "1.2.3.5");  // from bad IP
}
 
Example 10
Source File: TestProxyUsers.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Checks a group-based proxy rule: REAL_USER_NAME may impersonate members of
 * GROUP_NAMES, and only from PROXY_IP.
 */
@Test
public void testProxyUsers() throws Exception {
  final Configuration conf = new Configuration();
  final String groupsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserGroupConfKey(REAL_USER_NAME);
  final String allowedGroups = StringUtils.join(",", Arrays.asList(GROUP_NAMES));
  final String hostsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserIpConfKey(REAL_USER_NAME);

  conf.set(groupsKey, allowedGroups);
  conf.set(hostsKey, PROXY_IP);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // Scenario 1: the proxied user belongs to an allowed group.
  final UserGroupInformation allowedRealUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation allowedProxy =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, allowedRealUser, GROUP_NAMES);

  assertAuthorized(allowedProxy, "1.2.3.4");     // from good IP
  assertNotAuthorized(allowedProxy, "1.2.3.5");  // from bad IP

  // Scenario 2: same proxied user name, but with groups outside the rule.
  // A matching source address must not be enough on its own.
  final UserGroupInformation deniedRealUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation deniedProxy =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, deniedRealUser, OTHER_GROUP_NAMES);

  assertNotAuthorized(deniedProxy, "1.2.3.4");  // from good IP
  assertNotAuthorized(deniedProxy, "1.2.3.5");  // from bad IP
}
 
Example 11
Source File: MiniRPCBenchmark.java    From hadoop with Apache License 2.0 5 votes vote down vote up
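/**
 * Connects to the benchmark RPC server as a proxy user, obtains a delegation
 * token and stores it in {@code currentUgi}.
 *
 * The RPC proxy exists only for the duration of this call: it is stopped
 * before the method returns, and only the token is kept.
 *
 * @param conf configuration used to create the RPC proxy
 * @param addr server address; also set as the token's service
 * @throws IOException if creating the proxy or fetching the token fails
 */
void connectToServerAndGetDelegationToken(
    final Configuration conf, final InetSocketAddress addr) throws IOException {
  MiniProtocol client = null;
  try {
    // The process's current user is the real user; MINI_USER is the identity
    // it acts as for the token request.
    final UserGroupInformation current = UserGroupInformation.getCurrentUser();
    final UserGroupInformation proxyUserUgi =
        UserGroupInformation.createProxyUserForTesting(
            MINI_USER, current, GROUP_NAMES);

    try {
      client = proxyUserUgi.doAs(new PrivilegedExceptionAction<MiniProtocol>() {
        @Override
        public MiniProtocol run() throws IOException {
          final MiniProtocol p = RPC.getProxy(MiniProtocol.class,
              MiniProtocol.versionID, addr, conf);
          boolean tokenStored = false;
          try {
            final Token<TestDelegationTokenIdentifier> token =
                p.getDelegationToken(new Text(RENEWER));
            currentUgi = UserGroupInformation.createUserForTesting(MINI_USER,
                GROUP_NAMES);
            SecurityUtil.setTokenService(token, addr);
            currentUgi.addToken(token);
            tokenStored = true;
            return p;
          } finally {
            // On failure the proxy never reaches the caller, so release it
            // here instead of leaking the connection.
            if (!tokenStored) {
              RPC.stopProxy(p);
            }
          }
        }
      });
    } catch (InterruptedException e) {
      // Keep the interrupt visible to the calling thread before failing.
      Thread.currentThread().interrupt();
      Assert.fail(Arrays.toString(e.getStackTrace()));
    }
  } finally {
    // client is still null when doAs failed; skipping the call keeps the
    // clean-up from replacing the original failure with one of its own.
    if (client != null) {
      RPC.stopProxy(client);
    }
  }
}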
 
Example 12
Source File: TestProxyUsers.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Micro-benchmark for ProxyUsers.authorize: runs 999,999 authorization
 * checks against random addresses of the form 1.2.3.N and prints the elapsed
 * time in milliseconds.
 *
 * @param ipString  value stored as the hosts rule for REAL_USER_NAME
 * @param testRange exclusive upper bound for the random last octet N
 */
public static void loadTest(String ipString, int testRange) {
  final Configuration conf = new Configuration();
  final String groupsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserGroupConfKey(REAL_USER_NAME);
  final String allowedGroups = StringUtils.join(",", Arrays.asList(GROUP_NAMES));
  final String hostsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserIpConfKey(REAL_USER_NAME);

  conf.set(groupsKey, allowedGroups);
  conf.set(hostsKey, ipString);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // The proxied user belongs to the allowed groups, so only the address
  // decides each outcome.
  final UserGroupInformation superUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation impersonated =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, superUser, GROUP_NAMES);

  // Note: the SecureRandom set-up and every nextInt call fall inside the
  // timed window, so the figure is not the cost of authorize() alone.
  final long begin = System.nanoTime();
  final SecureRandom random = new SecureRandom();
  for (int attempt = 1; attempt < 1000000; attempt++) {
    final String callerIp = "1.2.3." + random.nextInt(testRange);
    try {
      ProxyUsers.authorize(impersonated, callerIp);
    } catch (AuthorizationException ignored) {
      // Denials are an expected outcome here; only throughput is measured.
    }
  }
  final long elapsedMillis = (System.nanoTime() - begin) / 1000000;
  System.out.println(elapsedMillis + " ms");
}
 
Example 13
Source File: TestProxyUsers.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Checks that a custom impersonation provider named in the configuration
 * replaces the default rules.
 *
 * TestDummyImpersonationProvider is not part of this excerpt. The two
 * scenarios differ only in the real user's groups (SUDO_GROUP_NAMES versus
 * GROUP_NAMES), and within each scenario both addresses get the same result,
 * so the source address does not decide the outcome here.
 */
@Test
public void testProxyUsersWithProviderOverride() throws Exception {
  final Configuration conf = new Configuration();
  conf.set(
      CommonConfigurationKeysPublic.HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS,
      "org.apache.hadoop.security.authorize.TestProxyUsers$TestDummyImpersonationProvider");
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // Scenario 1: the real user is created with SUDO_GROUP_NAMES.
  final UserGroupInformation sudoRealUser =
      UserGroupInformation.createUserForTesting(REAL_USER_NAME, SUDO_GROUP_NAMES);
  final UserGroupInformation sudoProxy =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, sudoRealUser, GROUP_NAMES);

  // Both addresses are accepted. Other tests in this class label 1.2.3.5 the
  // "bad" IP; with this provider it makes no difference.
  assertAuthorized(sudoProxy, "1.2.3.4");
  assertAuthorized(sudoProxy, "1.2.3.5");

  // Scenario 2: the real user is created with GROUP_NAMES instead.
  final UserGroupInformation plainRealUser =
      UserGroupInformation.createUserForTesting(REAL_USER_NAME, GROUP_NAMES);
  final UserGroupInformation plainProxy =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, plainRealUser, GROUP_NAMES);

  // Both addresses are refused.
  assertNotAuthorized(plainProxy, "1.2.3.4");
  assertNotAuthorized(plainProxy, "1.2.3.5");
}
 
Example 14
Source File: TestProxyUsers.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Checks the "*" hosts rule: impersonation is accepted from any address, but
 * the group rule still applies.
 */
@Test
public void testWildcardIP() {
  final Configuration conf = new Configuration();
  final String groupsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserGroupConfKey(REAL_USER_NAME);
  final String allowedGroups = StringUtils.join(",", Arrays.asList(GROUP_NAMES));
  final String hostsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserIpConfKey(REAL_USER_NAME);

  conf.set(groupsKey, allowedGroups);
  // A wildcard hosts rule removes the source-address restriction; group
  // membership is the only remaining check.
  conf.set(hostsKey, "*");
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // Scenario 1: the proxied user belongs to an allowed group.
  final UserGroupInformation allowedRealUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation allowedProxy =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, allowedRealUser, GROUP_NAMES);

  // Either address is fine.
  assertAuthorized(allowedProxy, "1.2.3.4");
  assertAuthorized(allowedProxy, "1.2.3.5");

  // Scenario 2: the proxied user's groups are outside the rule.
  final UserGroupInformation deniedRealUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation deniedProxy =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, deniedRealUser, OTHER_GROUP_NAMES);

  // Neither address is accepted: the wildcard applies to hosts only.
  assertNotAuthorized(deniedProxy, "1.2.3.4");
  assertNotAuthorized(deniedProxy, "1.2.3.5");
}
 
Example 15
Source File: TestProxyUsers.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Checks that proxy rules stored under a custom configuration prefix ("x")
 * are honoured when that prefix is passed to the refresh call.
 */
@Test
public void testProxyUsersWithCustomPrefix() throws Exception {
  // Configuration(false): start empty, without loading default resources.
  final Configuration conf = new Configuration(false);
  final String allowedUsers =
      StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME));
  conf.set("x." + REAL_USER_NAME + ".users", allowedUsers);
  conf.set("x." + REAL_USER_NAME+ ".hosts", PROXY_IP);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "x");

  // Scenario 1: the proxied user is on the allowed list.
  final UserGroupInformation allowedRealUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation allowedProxy =
      UserGroupInformation.createProxyUserForTesting(
          AUTHORIZED_PROXY_USER_NAME, allowedRealUser, GROUP_NAMES);

  assertAuthorized(allowedProxy, "1.2.3.4");     // from good IP
  assertNotAuthorized(allowedProxy, "1.2.3.5");  // from bad IP

  // Scenario 2: the proxied user is not on the list. A matching source
  // address must not be enough on its own.
  final UserGroupInformation deniedRealUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation deniedProxy =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, deniedRealUser, GROUP_NAMES);

  assertNotAuthorized(deniedProxy, "1.2.3.4");  // from good IP
  assertNotAuthorized(deniedProxy, "1.2.3.5");  // from bad IP
}
 
Example 16
Source File: TestProxyUsers.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Checks that a custom impersonation provider named in the configuration
 * replaces the default rules.
 *
 * TestDummyImpersonationProvider is not part of this excerpt. The two
 * scenarios differ only in the real user's groups (SUDO_GROUP_NAMES versus
 * GROUP_NAMES), and within each scenario both addresses get the same result,
 * so the source address does not decide the outcome here.
 */
@Test
public void testProxyUsersWithProviderOverride() throws Exception {
  final Configuration conf = new Configuration();
  conf.set(
      CommonConfigurationKeysPublic.HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS,
      "org.apache.hadoop.security.authorize.TestProxyUsers$TestDummyImpersonationProvider");
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // Scenario 1: the real user is created with SUDO_GROUP_NAMES.
  final UserGroupInformation sudoRealUser =
      UserGroupInformation.createUserForTesting(REAL_USER_NAME, SUDO_GROUP_NAMES);
  final UserGroupInformation sudoProxy =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, sudoRealUser, GROUP_NAMES);

  // Both addresses are accepted. Other tests in this class label 1.2.3.5 the
  // "bad" IP; with this provider it makes no difference.
  assertAuthorized(sudoProxy, "1.2.3.4");
  assertAuthorized(sudoProxy, "1.2.3.5");

  // Scenario 2: the real user is created with GROUP_NAMES instead.
  final UserGroupInformation plainRealUser =
      UserGroupInformation.createUserForTesting(REAL_USER_NAME, GROUP_NAMES);
  final UserGroupInformation plainProxy =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, plainRealUser, GROUP_NAMES);

  // Both addresses are refused.
  assertNotAuthorized(plainProxy, "1.2.3.4");
  assertNotAuthorized(plainProxy, "1.2.3.5");
}
 
Example 17
Source File: TestProxyUsers.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Checks a user-based proxy rule: REAL_USER_NAME may impersonate only the
 * listed user, and only from PROXY_IP.
 */
@Test
public void testProxyUsersWithUserConf() throws Exception {
  final Configuration conf = new Configuration();
  final String usersKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserUserConfKey(REAL_USER_NAME);
  final String allowedUsers =
      StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME));
  final String hostsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserIpConfKey(REAL_USER_NAME);

  conf.set(usersKey, allowedUsers);
  conf.set(hostsKey, PROXY_IP);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // Scenario 1: the proxied user is on the allowed list.
  final UserGroupInformation allowedRealUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation allowedProxy =
      UserGroupInformation.createProxyUserForTesting(
          AUTHORIZED_PROXY_USER_NAME, allowedRealUser, GROUP_NAMES);

  assertAuthorized(allowedProxy, "1.2.3.4");     // from good IP
  assertNotAuthorized(allowedProxy, "1.2.3.5");  // from bad IP

  // Scenario 2: the proxied user is not on the list. A matching source
  // address must not be enough on its own.
  final UserGroupInformation deniedRealUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  final UserGroupInformation deniedProxy =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, deniedRealUser, GROUP_NAMES);

  assertNotAuthorized(deniedProxy, "1.2.3.4");  // from good IP
  assertNotAuthorized(deniedProxy, "1.2.3.5");  // from bad IP
}
 
Example 18
Source File: MiniRPCBenchmark.java    From big-c with Apache License 2.0 5 votes vote down vote up
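/**
 * Connects to the benchmark RPC server as a proxy user, obtains a delegation
 * token and stores it in {@code currentUgi}.
 *
 * The RPC proxy exists only for the duration of this call: it is stopped
 * before the method returns, and only the token is kept.
 *
 * @param conf configuration used to create the RPC proxy
 * @param addr server address; also set as the token's service
 * @throws IOException if creating the proxy or fetching the token fails
 */
void connectToServerAndGetDelegationToken(
    final Configuration conf, final InetSocketAddress addr) throws IOException {
  MiniProtocol client = null;
  try {
    // The process's current user is the real user; MINI_USER is the identity
    // it acts as for the token request.
    final UserGroupInformation current = UserGroupInformation.getCurrentUser();
    final UserGroupInformation proxyUserUgi =
        UserGroupInformation.createProxyUserForTesting(
            MINI_USER, current, GROUP_NAMES);

    try {
      client = proxyUserUgi.doAs(new PrivilegedExceptionAction<MiniProtocol>() {
        @Override
        public MiniProtocol run() throws IOException {
          final MiniProtocol p = RPC.getProxy(MiniProtocol.class,
              MiniProtocol.versionID, addr, conf);
          boolean tokenStored = false;
          try {
            final Token<TestDelegationTokenIdentifier> token =
                p.getDelegationToken(new Text(RENEWER));
            currentUgi = UserGroupInformation.createUserForTesting(MINI_USER,
                GROUP_NAMES);
            SecurityUtil.setTokenService(token, addr);
            currentUgi.addToken(token);
            tokenStored = true;
            return p;
          } finally {
            // On failure the proxy never reaches the caller, so release it
            // here instead of leaking the connection.
            if (!tokenStored) {
              RPC.stopProxy(p);
            }
          }
        }
      });
    } catch (InterruptedException e) {
      // Keep the interrupt visible to the calling thread before failing.
      Thread.currentThread().interrupt();
      Assert.fail(Arrays.toString(e.getStackTrace()));
    }
  } finally {
    // client is still null when doAs failed; skipping the call keeps the
    // clean-up from replacing the original failure with one of its own.
    if (client != null) {
      RPC.stopProxy(client);
    }
  }
}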
 
Example 19
Source File: TestProxyUsers.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Test the netgroups (groups in ACL rules that start with @).
 *
 * This is a manual test because it requires:
 *   - host setup
 *   - native code compiled
 *   - specify the group mapping class
 *
 * When the native code is not loaded or no group mapping class is given, the
 * test logs a message and returns without asserting anything, so a passing
 * run does not by itself show that netgroup authorization was exercised.
 *
 * Host setup:
 *
 * /etc/nsswitch.conf should have a line like this:
 * netgroup: files
 *
 * /etc/netgroup should be (the whole file):
 * foo_group (,proxied_user,)
 *
 * To run this test:
 *
 * export JAVA_HOME='path/to/java'
 * mvn test \
 *   -Dtest=TestProxyUsers \
 *   -DTestProxyUsersGroupMapping=$className
 *
 * where $className is one of the classes that provide group
 * mapping services, i.e. classes that implement
 * GroupMappingServiceProvider interface, at this time:
 *   - org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping
 *   - org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping
 *
 */

@Test
public void testNetgroups() throws IOException {

  // Prerequisite 1: native code must be loaded.
  if (!NativeCodeLoader.isNativeCodeLoaded()) {
    LOG.info("Not testing netgroups, " +
      "this test only runs when native code is compiled");
    return;
  }

  // Prerequisite 2: the group mapping implementation is chosen on the
  // command line.
  final String mappingClass = System.getProperty("TestProxyUsersGroupMapping");
  if (mappingClass == null) {
    LOG.info("Not testing netgroups, no group mapping class specified, " +
      "use -DTestProxyUsersGroupMapping=$className to specify " +
      "group mapping class (must implement GroupMappingServiceProvider " +
      "interface and support netgroups)");
    return;
  }

  LOG.info("Testing netgroups using: " + mappingClass);

  final Configuration conf = new Configuration();
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_GROUP_MAPPING,
      mappingClass);

  final String groupsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserGroupConfKey(REAL_USER_NAME);
  final String allowedNetgroups =
      StringUtils.join(",", Arrays.asList(NETGROUP_NAMES));
  final String hostsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserIpConfKey(REAL_USER_NAME);

  conf.set(groupsKey, allowedNetgroups);
  conf.set(hostsKey, PROXY_IP);

  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
  final Groups groups = Groups.getUserToGroupsMappingService(conf);

  // try proxying a group that's allowed
  final UserGroupInformation superUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);

  // Unlike the other tests, the proxied user's groups come from the
  // configured group mapping service rather than from a fixed constant.
  final String[] resolvedGroups = groups.getGroups(PROXY_USER_NAME).toArray(
      new String[groups.getGroups(PROXY_USER_NAME).size()]);
  final UserGroupInformation impersonated =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, superUser, resolvedGroups);

  assertAuthorized(impersonated, PROXY_IP);
}
 
Example 20
Source File: TestProxyUsers.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Test the netgroups (groups in ACL rules that start with @).
 *
 * This is a manual test because it requires:
 *   - host setup
 *   - native code compiled
 *   - specify the group mapping class
 *
 * When the native code is not loaded or no group mapping class is given, the
 * test logs a message and returns without asserting anything, so a passing
 * run does not by itself show that netgroup authorization was exercised.
 *
 * Host setup:
 *
 * /etc/nsswitch.conf should have a line like this:
 * netgroup: files
 *
 * /etc/netgroup should be (the whole file):
 * foo_group (,proxied_user,)
 *
 * To run this test:
 *
 * export JAVA_HOME='path/to/java'
 * mvn test \
 *   -Dtest=TestProxyUsers \
 *   -DTestProxyUsersGroupMapping=$className
 *
 * where $className is one of the classes that provide group
 * mapping services, i.e. classes that implement
 * GroupMappingServiceProvider interface, at this time:
 *   - org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping
 *   - org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping
 *
 */

@Test
public void testNetgroups() throws IOException {

  // Prerequisite 1: native code must be loaded.
  if (!NativeCodeLoader.isNativeCodeLoaded()) {
    LOG.info("Not testing netgroups, " +
      "this test only runs when native code is compiled");
    return;
  }

  // Prerequisite 2: the group mapping implementation is chosen on the
  // command line.
  final String mappingClass = System.getProperty("TestProxyUsersGroupMapping");
  if (mappingClass == null) {
    LOG.info("Not testing netgroups, no group mapping class specified, " +
      "use -DTestProxyUsersGroupMapping=$className to specify " +
      "group mapping class (must implement GroupMappingServiceProvider " +
      "interface and support netgroups)");
    return;
  }

  LOG.info("Testing netgroups using: " + mappingClass);

  final Configuration conf = new Configuration();
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_GROUP_MAPPING,
      mappingClass);

  final String groupsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserGroupConfKey(REAL_USER_NAME);
  final String allowedNetgroups =
      StringUtils.join(",", Arrays.asList(NETGROUP_NAMES));
  final String hostsKey = DefaultImpersonationProvider.getTestProvider()
      .getProxySuperuserIpConfKey(REAL_USER_NAME);

  conf.set(groupsKey, allowedNetgroups);
  conf.set(hostsKey, PROXY_IP);

  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
  final Groups groups = Groups.getUserToGroupsMappingService(conf);

  // try proxying a group that's allowed
  final UserGroupInformation superUser =
      UserGroupInformation.createRemoteUser(REAL_USER_NAME);

  // Unlike the other tests, the proxied user's groups come from the
  // configured group mapping service rather than from a fixed constant.
  final String[] resolvedGroups = groups.getGroups(PROXY_USER_NAME).toArray(
      new String[groups.getGroups(PROXY_USER_NAME).size()]);
  final UserGroupInformation impersonated =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, superUser, resolvedGroups);

  assertAuthorized(impersonated, PROXY_IP);
}