Java Code Examples for org.apache.hadoop.security.UserGroupInformation#createRemoteUser()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#createRemoteUser() . These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: hadoop   File: TestClientToAMTokens.java    License: Apache License 2.0 6 votes vote down vote up
private void verifyNewVersionToken(final Configuration conf, final CustomAM am,
    Token<ClientToAMTokenIdentifier> token, MockRM rm) throws IOException,
    InterruptedException {
  UserGroupInformation ugi;
  ugi = UserGroupInformation.createRemoteUser("me");
  
  Token<ClientToAMTokenIdentifier> newToken = 
      new Token<ClientToAMTokenIdentifier>(
          new ClientToAMTokenIdentifierForTest(token.decodeIdentifier(), "message"),
          am.getClientToAMTokenSecretManager());
  newToken.setService(token.getService());
  
  ugi.addToken(newToken);

  ugi.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      CustomProtocol client =
          (CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L, am.address,
            conf);
      client.ping();
      Assert.assertTrue(am.pinged);
      return null;
    }
  });
}
 
Example 2
Source Project: hadoop   File: MockAM.java    License: Apache License 2.0 6 votes vote down vote up
public void unregisterAppAttempt(final FinishApplicationMasterRequest req,
    boolean waitForStateRunning) throws Exception {
  if (waitForStateRunning) {
    waitForState(RMAppAttemptState.RUNNING);
  }
  if (ugi == null) {
    ugi =  UserGroupInformation.createRemoteUser(attemptId.toString());
    Token<AMRMTokenIdentifier> token =
        context.getRMApps()
            .get(attemptId.getApplicationId())
            .getRMAppAttempt(attemptId).getAMRMToken();
    ugi.addTokenIdentifier(token.decodeIdentifier());
  }
  try {
    ugi.doAs(new PrivilegedExceptionAction<Object>() {
      @Override
      public Object run() throws Exception {
        amRMProtocol.finishApplicationMaster(req);
        return null;
      }
    });
  } catch (UndeclaredThrowableException e) {
    throw (Exception) e.getCause();
  }
}
 
Example 3
@Override
public UserGroupInformation getUser() {
  if (Strings.isNullOrEmpty(this.getOwnerId())) {
    return UserGroupInformation.createRemoteUser(blockId);
  }
  return UserGroupInformation.createRemoteUser(ownerId);
}
 
Example 4
Source Project: hadoop   File: TestFileSystem.java    License: Apache License 2.0 5 votes vote down vote up
public void testFsCache() throws Exception {
  {
    long now = System.currentTimeMillis();
    String[] users = new String[]{"foo","bar"};
    final Configuration conf = new Configuration();
    FileSystem[] fs = new FileSystem[users.length];

    for(int i = 0; i < users.length; i++) {
      UserGroupInformation ugi = UserGroupInformation.createRemoteUser(users[i]);
      fs[i] = ugi.doAs(new PrivilegedExceptionAction<FileSystem>() {
        public FileSystem run() throws IOException {
          return FileSystem.get(conf);
      }});
      for(int j = 0; j < i; j++) {
        assertFalse(fs[j] == fs[i]);
      }
    }
    FileSystem.closeAll();
  }
  
  {
    try {
      runTestCache(NameNode.DEFAULT_PORT);
    } catch(java.net.BindException be) {
      LOG.warn("Cannot test NameNode.DEFAULT_PORT (="
          + NameNode.DEFAULT_PORT + ")", be);
    }

    runTestCache(0);
  }
}
 
Example 5
Source Project: tez   File: JobTokenIdentifier.java    License: Apache License 2.0 5 votes vote down vote up
/** {@inheritDoc} */
@Override
public UserGroupInformation getUser() {
  if (jobid == null || "".equals(jobid.toString())) {
    return null;
  }
  return UserGroupInformation.createRemoteUser(jobid.toString());
}
 
Example 6
Source Project: big-c   File: QueueACLsTestBase.java    License: Apache License 2.0 5 votes vote down vote up
private ApplicationClientProtocol getRMClientForUser(String user)
    throws IOException, InterruptedException {
  UserGroupInformation userUGI = UserGroupInformation.createRemoteUser(user);
  ApplicationClientProtocol userClient =
      userUGI
        .doAs(new PrivilegedExceptionAction<ApplicationClientProtocol>() {
          @Override
          public ApplicationClientProtocol run() throws Exception {
            return (ApplicationClientProtocol) rpc.getProxy(
              ApplicationClientProtocol.class, rmAddress, conf);
          }
        });
  return userClient;
}
 
Example 7
protected ContainerManagementProtocol getContainerManagementProtocolProxy(
    final YarnRPC rpc, org.apache.hadoop.yarn.api.records.Token nmToken,
    NodeId nodeId, String user) {
  ContainerManagementProtocol proxy;
  UserGroupInformation ugi = UserGroupInformation.createRemoteUser(user);
  final InetSocketAddress addr =
      NetUtils.createSocketAddr(nodeId.getHost(), nodeId.getPort());
  if (nmToken != null) {
    ugi.addToken(ConverterUtils.convertFromYarn(nmToken, addr));      
  }
  proxy =
      NMProxy.createNMProxy(conf, ContainerManagementProtocol.class, ugi,
        rpc, addr);
  return proxy;
}
 
Example 8
Source Project: big-c   File: TestProxyUsers.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void testWildcardGroup() {
  Configuration conf = new Configuration();
  conf.set(
    DefaultImpersonationProvider.getTestProvider().
        getProxySuperuserGroupConfKey(REAL_USER_NAME),
    "*");
  conf.set(
    DefaultImpersonationProvider.getTestProvider().
        getProxySuperuserIpConfKey(REAL_USER_NAME),
    PROXY_IP);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // First try proxying a group that's allowed
  UserGroupInformation realUserUgi = UserGroupInformation
      .createRemoteUser(REAL_USER_NAME);
  UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, realUserUgi, GROUP_NAMES);

  // From good IP
  assertAuthorized(proxyUserUgi, "1.2.3.4");
  // From bad IP
  assertNotAuthorized(proxyUserUgi, "1.2.3.5");

  // Now try proxying a different group (just to make sure we aren't getting spill over
  // from the other test case!)
  realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES);
  
  // From good IP
  assertAuthorized(proxyUserUgi, "1.2.3.4");
  // From bad IP
  assertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
 
Example 9
@Test
public void testCheckAccessWithNullACLS() {
  Configuration conf = new Configuration();
  conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE,
      true);
  conf.set(YarnConfiguration.YARN_ADMIN_ACL,
      ADMIN_USER);
  ApplicationACLsManager aclManager = new ApplicationACLsManager(conf);
  UserGroupInformation appOwner = UserGroupInformation
      .createRemoteUser(APP_OWNER);
  ApplicationId appId = ApplicationId.newInstance(1, 1);
  //Application ACL is not added

  //Application Owner should have all access even if Application ACL is not added
  assertTrue(aclManager.checkAccess(appOwner, ApplicationAccessType.MODIFY_APP, 
      APP_OWNER, appId));
  assertTrue(aclManager.checkAccess(appOwner, ApplicationAccessType.VIEW_APP, 
      APP_OWNER, appId));

  //Admin should have all access
  UserGroupInformation adminUser = UserGroupInformation
      .createRemoteUser(ADMIN_USER);
  assertTrue(aclManager.checkAccess(adminUser, ApplicationAccessType.VIEW_APP, 
      APP_OWNER, appId));
  assertTrue(aclManager.checkAccess(adminUser, ApplicationAccessType.MODIFY_APP, 
      APP_OWNER, appId));

  // A regular user should Not have access
  UserGroupInformation testUser1 = UserGroupInformation
      .createRemoteUser(TESTUSER1);
  assertFalse(aclManager.checkAccess(testUser1, ApplicationAccessType.VIEW_APP, 
      APP_OWNER, appId));
  assertFalse(aclManager.checkAccess(testUser1, ApplicationAccessType.MODIFY_APP, 
      APP_OWNER, appId));
}
 
Example 10
Source Project: big-c   File: TestCacheDirectives.java    License: Apache License 2.0 5 votes vote down vote up
@Test(timeout=60000)
public void testListCachePoolPermissions() throws Exception {
  final UserGroupInformation myUser = UserGroupInformation
      .createRemoteUser("myuser");
  final DistributedFileSystem myDfs = 
      (DistributedFileSystem)DFSTestUtil.getFileSystemAs(myUser, conf);
  final String poolName = "poolparty";
  dfs.addCachePool(new CachePoolInfo(poolName)
      .setMode(new FsPermission((short)0700)));
  // Should only see partial info
  RemoteIterator<CachePoolEntry> it = myDfs.listCachePools();
  CachePoolInfo info = it.next().getInfo();
  assertFalse(it.hasNext());
  assertEquals("Expected pool name", poolName, info.getPoolName());
  assertNull("Unexpected owner name", info.getOwnerName());
  assertNull("Unexpected group name", info.getGroupName());
  assertNull("Unexpected mode", info.getMode());
  assertNull("Unexpected limit", info.getLimit());
  // Modify the pool so myuser is now the owner
  final long limit = 99;
  dfs.modifyCachePool(new CachePoolInfo(poolName)
      .setOwnerName(myUser.getShortUserName())
      .setLimit(limit));
  // Should see full info
  it = myDfs.listCachePools();
  info = it.next().getInfo();
  assertFalse(it.hasNext());
  assertEquals("Expected pool name", poolName, info.getPoolName());
  assertEquals("Mismatched owner name", myUser.getShortUserName(),
      info.getOwnerName());
  assertNotNull("Expected group name", info.getGroupName());
  assertEquals("Mismatched mode", (short) 0700,
      info.getMode().toShort());
  assertEquals("Mismatched limit", limit, (long)info.getLimit());
}
 
Example 11
Source Project: hadoop   File: TestProxyUsers.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void testWildcardGroup() {
  Configuration conf = new Configuration();
  conf.set(
    DefaultImpersonationProvider.getTestProvider().
        getProxySuperuserGroupConfKey(REAL_USER_NAME),
    "*");
  conf.set(
    DefaultImpersonationProvider.getTestProvider().
        getProxySuperuserIpConfKey(REAL_USER_NAME),
    PROXY_IP);
  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);

  // First try proxying a group that's allowed
  UserGroupInformation realUserUgi = UserGroupInformation
      .createRemoteUser(REAL_USER_NAME);
  UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, realUserUgi, GROUP_NAMES);

  // From good IP
  assertAuthorized(proxyUserUgi, "1.2.3.4");
  // From bad IP
  assertNotAuthorized(proxyUserUgi, "1.2.3.5");

  // Now try proxying a different group (just to make sure we aren't getting spill over
  // from the other test case!)
  realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME);
  proxyUserUgi = UserGroupInformation.createProxyUserForTesting(
      PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES);
  
  // From good IP
  assertAuthorized(proxyUserUgi, "1.2.3.4");
  // From bad IP
  assertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
 
Example 12
Source Project: hadoop   File: MRAMSimulator.java    License: Apache License 2.0 5 votes vote down vote up
/**
 * send out request for AM container
 */
protected void requestAMContainer()
        throws YarnException, IOException, InterruptedException {
  List<ResourceRequest> ask = new ArrayList<ResourceRequest>();
  ResourceRequest amRequest = createResourceRequest(
          BuilderUtils.newResource(MR_AM_CONTAINER_RESOURCE_MEMORY_MB,
                  MR_AM_CONTAINER_RESOURCE_VCORES),
          ResourceRequest.ANY, 1, 1);
  ask.add(amRequest);
  LOG.debug(MessageFormat.format("Application {0} sends out allocate " +
          "request for its AM", appId));
  final AllocateRequest request = this.createAllocateRequest(ask);

  UserGroupInformation ugi =
          UserGroupInformation.createRemoteUser(appAttemptId.toString());
  Token<AMRMTokenIdentifier> token = rm.getRMContext().getRMApps()
          .get(appAttemptId.getApplicationId())
          .getRMAppAttempt(appAttemptId).getAMRMToken();
  ugi.addTokenIdentifier(token.decodeIdentifier());
  AllocateResponse response = ugi.doAs(
          new PrivilegedExceptionAction<AllocateResponse>() {
    @Override
    public AllocateResponse run() throws Exception {
      return rm.getApplicationMasterService().allocate(request);
    }
  });
  if (response != null) {
    responseQueue.put(response);
  }
}
 
Example 13
Source Project: big-c   File: TestBlockToken.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void testBlockTokenRpc() throws Exception {
  Configuration conf = new Configuration();
  conf.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
  UserGroupInformation.setConfiguration(conf);
  
  BlockTokenSecretManager sm = new BlockTokenSecretManager(
      blockKeyUpdateInterval, blockTokenLifetime, 0, "fake-pool", null);
  Token<BlockTokenIdentifier> token = sm.generateToken(block3,
      EnumSet.allOf(BlockTokenSecretManager.AccessMode.class));

  final Server server = createMockDatanode(sm, token, conf);

  server.start();

  final InetSocketAddress addr = NetUtils.getConnectAddress(server);
  final UserGroupInformation ticket = UserGroupInformation
      .createRemoteUser(block3.toString());
  ticket.addToken(token);

  ClientDatanodeProtocol proxy = null;
  try {
    proxy = DFSUtil.createClientDatanodeProtocolProxy(addr, ticket, conf,
        NetUtils.getDefaultSocketFactory(conf));
    assertEquals(block3.getBlockId(), proxy.getReplicaVisibleLength(block3));
  } finally {
    server.stop();
    if (proxy != null) {
      RPC.stopProxy(proxy);
    }
  }
}
 
Example 14
Source Project: hadoop   File: DummyContainerManager.java    License: Apache License 2.0 5 votes vote down vote up
@Override
protected UserGroupInformation getRemoteUgi() throws YarnException {
  ApplicationId appId = ApplicationId.newInstance(0, 0);
  ApplicationAttemptId appAttemptId =
      ApplicationAttemptId.newInstance(appId, 1);
  UserGroupInformation ugi =
      UserGroupInformation.createRemoteUser(appAttemptId.toString());
  ugi.addTokenIdentifier(new NMTokenIdentifier(appAttemptId, getContext()
    .getNodeId(), "testuser", getContext().getNMTokenSecretManager().getCurrentKey()
    .getKeyId()));
  return ugi;
}
 
Example 15
@Override
public Long execute(IndexContext context) throws IOException {
  final Configuration configuration = context.getTableContext().getConfiguration();
  final IndexReader indexReader = context.getIndexReader();
  final Shard shard = context.getShard();
  UserGroupInformation remoteUser = UserGroupInformation.createRemoteUser(user);
  try {
    return remoteUser.doAs(new PrivilegedExceptionAction<Long>() {
      @Override
      public Long run() throws Exception {
        Path path = new Path(destUri);
        Directory srcDirectory = getDiretory(indexReader);
        HdfsDirectory destDirectory = new HdfsDirectory(configuration, new Path(path, shard.getShard()));
        long total = 0;
        for (String srcFile : srcDirectory.listAll()) {
          if (destDirectory.fileExists(srcFile)) {
            LOG.info("File [{0}] already exists in dest directory.");
            long srcFileLength = srcDirectory.fileLength(srcFile);
            long destFileLength = destDirectory.fileLength(srcFile);
            if (srcFileLength != destFileLength) {
              LOG.info("Deleting file [{0}] length of [{1}] is not same as source [{2}].", srcFile, srcFileLength,
                  destFileLength);
              destDirectory.deleteFile(srcFile);
            } else {
              continue;
            }
          }
          LOG.info("Copying file [{0}] to dest directory.", srcFile);
          total += copy(srcFile, srcDirectory, destDirectory);
        }
        return total;
      }
    });
  } catch (InterruptedException e) {
    throw new IOException(e);
  }
}
 
Example 16
Source Project: big-c   File: TestWebHdfsUrl.java    License: Apache License 2.0 4 votes vote down vote up
@Test(timeout=60000)
public void testSecureAuthParamsInUrl() throws IOException {
  Configuration conf = new Configuration();
  // fake turning on security so api thinks it should use tokens
  SecurityUtil.setAuthenticationMethod(KERBEROS, conf);
  UserGroupInformation.setConfiguration(conf);

  UserGroupInformation ugi =
      UserGroupInformation.createRemoteUser("test-user");
  ugi.setAuthenticationMethod(KERBEROS);
  UserGroupInformation.setLoginUser(ugi);

  WebHdfsFileSystem webhdfs = getWebHdfsFileSystem(ugi, conf);
  Path fsPath = new Path("/");
  String tokenString = webhdfs.getDelegationToken().encodeToUrlString();

  // send user
  URL getTokenUrl = webhdfs.toUrl(GetOpParam.Op.GETDELEGATIONTOKEN, fsPath);
  checkQueryParams(
      new String[]{
          GetOpParam.Op.GETDELEGATIONTOKEN.toQueryString(),
          new UserParam(ugi.getShortUserName()).toString()
      },
      getTokenUrl);

  // send user
  URL renewTokenUrl = webhdfs.toUrl(PutOpParam.Op.RENEWDELEGATIONTOKEN,
      fsPath, new TokenArgumentParam(tokenString));
  checkQueryParams(
      new String[]{
          PutOpParam.Op.RENEWDELEGATIONTOKEN.toQueryString(),
          new UserParam(ugi.getShortUserName()).toString(),
          new TokenArgumentParam(tokenString).toString(),
      },
      renewTokenUrl);

  // send token
  URL cancelTokenUrl = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN,
      fsPath, new TokenArgumentParam(tokenString));
  checkQueryParams(
      new String[]{
          PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(),
          new UserParam(ugi.getShortUserName()).toString(),
          new TokenArgumentParam(tokenString).toString(),
      },
      cancelTokenUrl);
  
  // send token
  URL fileStatusUrl = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, fsPath);
  checkQueryParams(
      new String[]{
          GetOpParam.Op.GETFILESTATUS.toQueryString(),
          new DelegationParam(tokenString).toString()
      },
      fileStatusUrl);

  // wipe out internal token to simulate auth always required
  webhdfs.setDelegationToken(null);

  // send user
  cancelTokenUrl = webhdfs.toUrl(PutOpParam.Op.CANCELDELEGATIONTOKEN,
      fsPath, new TokenArgumentParam(tokenString));
  checkQueryParams(
      new String[]{
          PutOpParam.Op.CANCELDELEGATIONTOKEN.toQueryString(),
          new UserParam(ugi.getShortUserName()).toString(),
          new TokenArgumentParam(tokenString).toString(),
      },
      cancelTokenUrl);

  // send user
  fileStatusUrl = webhdfs.toUrl(GetOpParam.Op.GETFILESTATUS, fsPath);
  checkQueryParams(
      new String[]{
          GetOpParam.Op.GETFILESTATUS.toQueryString(),
          new UserParam(ugi.getShortUserName()).toString()
      },
      fileStatusUrl);    
}
 
Example 17
Source Project: tez   File: DAGImpl.java    License: Apache License 2.0 4 votes vote down vote up
public DAGImpl(TezDAGID dagId,
    Configuration amConf,
    DAGPlan jobPlan,
    EventHandler eventHandler,
    TaskCommunicatorManagerInterface taskCommunicatorManagerInterface,
    Credentials dagCredentials,
    Clock clock,
    String appUserName,
    TaskHeartbeatHandler thh,
    AppContext appContext) {
  this.dagId = dagId;
  this.jobPlan = jobPlan;
  this.dagConf = new Configuration(amConf);
  this.dagOnlyConf = new Configuration(false);
  Iterator<PlanKeyValuePair> iter =
      jobPlan.getDagConf().getConfKeyValuesList().iterator();
  // override the amConf by using DAG level configuration
  while (iter.hasNext()) {
    PlanKeyValuePair keyValPair = iter.next();
    TezConfiguration.validateProperty(keyValPair.getKey(), Scope.DAG);
    this.dagConf.set(keyValPair.getKey(), keyValPair.getValue());
    this.dagOnlyConf.set(keyValPair.getKey(), keyValPair.getValue());
  }
  this.dagName = (jobPlan.getName() != null) ? jobPlan.getName() : "<missing app name>";
  this.userName = appUserName;
  this.clock = clock;
  this.appContext = appContext;

  this.taskCommunicatorManagerInterface = taskCommunicatorManagerInterface;
  this.taskHeartbeatHandler = thh;
  this.eventHandler = eventHandler;
  ReadWriteLock readWriteLock = new ReentrantReadWriteLock();
  this.readLock = readWriteLock.readLock();
  this.writeLock = readWriteLock.writeLock();

  this.localResources = DagTypeConverters.createLocalResourceMapFromDAGPlan(jobPlan
      .getLocalResourceList());

  this.credentials = dagCredentials;
  if (this.credentials == null) {
    try {
      dagUGI = UserGroupInformation.getCurrentUser();
    } catch (IOException e) {
      throw new TezUncheckedException("Failed to set UGI for dag based on currentUser", e);
    }
  } else {
    dagUGI = UserGroupInformation.createRemoteUser(this.userName);
    dagUGI.addCredentials(this.credentials);
  }

  this.aclManager = new ACLManager(appContext.getAMACLManager(), dagUGI.getShortUserName(),
      this.jobPlan.getAclInfo());
  // this is only for recovery in case it does not call the init transition
  this.startDAGCpuTime = appContext.getCumulativeCPUTime();
  this.startDAGGCTime = appContext.getCumulativeGCTime();
  if (jobPlan.hasDefaultExecutionContext()) {
    defaultExecutionContext = DagTypeConverters.convertFromProto(jobPlan.getDefaultExecutionContext());
  } else {
    defaultExecutionContext = null;
  }
  
  this.taskSpecificLaunchCmdOption = new TaskSpecificLaunchCmdOption(dagConf);
  // This "this leak" is okay because the retained pointer is in an
  //  instance variable.
  stateMachine = new StateMachineTez<DAGState, DAGEventType, DAGEvent, DAGImpl>(
      stateMachineFactory.make(this), this);
  augmentStateMachine();
  this.entityUpdateTracker = new StateChangeNotifier(this);
}
 
Example 18
Source Project: big-c   File: TestApplicationACLs.java    License: Apache License 2.0 4 votes vote down vote up
@BeforeClass
public static void setup() throws InterruptedException, IOException {
  RMStateStore store = RMStateStoreFactory.getStore(conf);
  conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
  AccessControlList adminACL = new AccessControlList("");
  adminACL.addGroup(SUPER_GROUP);
  conf.set(YarnConfiguration.YARN_ADMIN_ACL, adminACL.getAclString());
  resourceManager = new MockRM(conf) {

    @Override
    protected QueueACLsManager createQueueACLsManager(
        ResourceScheduler scheduler,
        Configuration conf) {
      QueueACLsManager mockQueueACLsManager = mock(QueueACLsManager.class);
      when(mockQueueACLsManager.checkAccess(any(UserGroupInformation.class),
          any(QueueACL.class), anyString())).thenAnswer(new Answer() {
        public Object answer(InvocationOnMock invocation) {
          return isQueueUser;
        }
      });
      return mockQueueACLsManager;
    }

    protected ClientRMService createClientRMService() {
      return new ClientRMService(getRMContext(), this.scheduler,
          this.rmAppManager, this.applicationACLsManager,
          this.queueACLsManager, null);
    };
  };
  new Thread() {
    public void run() {
      UserGroupInformation.createUserForTesting(ENEMY, new String[] {});
      UserGroupInformation.createUserForTesting(FRIEND,
          new String[] { FRIENDLY_GROUP });
      UserGroupInformation.createUserForTesting(SUPER_USER,
          new String[] { SUPER_GROUP });
      resourceManager.start();
    };
  }.start();
  int waitCount = 0;
  while (resourceManager.getServiceState() == STATE.INITED
      && waitCount++ < 60) {
    LOG.info("Waiting for RM to start...");
    Thread.sleep(1500);
  }
  if (resourceManager.getServiceState() != STATE.STARTED) {
    // RM could have failed.
    throw new IOException(
        "ResourceManager failed to start. Final state is "
            + resourceManager.getServiceState());
  }

  UserGroupInformation owner = UserGroupInformation
      .createRemoteUser(APP_OWNER);
  rmClient = owner.doAs(new PrivilegedExceptionAction<ApplicationClientProtocol>() {
    @Override
    public ApplicationClientProtocol run() throws Exception {
      return (ApplicationClientProtocol) rpc.getProxy(ApplicationClientProtocol.class,
          rmAddress, conf);
    }
  });
}
 
Example 19
/**
 * Test if StandbyException can be thrown from StandbyNN, when it's requested for 
 * password. (HDFS-6475). With StandbyException, the client can failover to try
 * activeNN.
 */
@Test(timeout = 300000)
public void testDelegationTokenStandbyNNAppearFirst() throws Exception {
  // make nn0 the standby NN, and nn1 the active NN
  cluster.transitionToStandby(0);
  cluster.transitionToActive(1);

  final DelegationTokenSecretManager stSecretManager = 
      NameNodeAdapter.getDtSecretManager(
          nn1.getNamesystem());

  // create token
  final Token<DelegationTokenIdentifier> token =
      getDelegationToken(fs, "JobTracker");
  final DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
  byte[] tokenId = token.getIdentifier();
  identifier.readFields(new DataInputStream(
           new ByteArrayInputStream(tokenId)));

  assertTrue(null != stSecretManager.retrievePassword(identifier));

  final UserGroupInformation ugi = UserGroupInformation
      .createRemoteUser("JobTracker");
  ugi.addToken(token);
  
  ugi.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() {
      try {
        try {
          byte[] tmppw = dtSecretManager.retrievePassword(identifier);
          fail("InvalidToken with cause StandbyException is expected"
              + " since nn0 is standby");
          return tmppw;
        } catch (IOException e) {
          // Mimic the UserProvider class logic (server side) by throwing
          // SecurityException here
          throw new SecurityException(
              SecurityUtil.FAILED_TO_GET_UGI_MSG_HEADER + " " + e, e);
        }
      } catch (Exception oe) {
        //
        // The exception oe caught here is
        //     java.lang.SecurityException: Failed to obtain user group
        //     information: org.apache.hadoop.security.token.
        //     SecretManager$InvalidToken: StandbyException
        //
        HttpServletResponse response = mock(HttpServletResponse.class);
        ExceptionHandler eh = new ExceptionHandler();
        eh.initResponse(response);
        
        // The Response (resp) below is what the server will send to client          
        //
        // BEFORE HDFS-6475 fix, the resp.entity is
        //     {"RemoteException":{"exception":"SecurityException",
        //      "javaClassName":"java.lang.SecurityException",
        //      "message":"Failed to obtain user group information: 
        //      org.apache.hadoop.security.token.SecretManager$InvalidToken:
        //        StandbyException"}}
        // AFTER the fix, the resp.entity is
        //     {"RemoteException":{"exception":"StandbyException",
        //      "javaClassName":"org.apache.hadoop.ipc.StandbyException",
        //      "message":"Operation category READ is not supported in
        //       state standby"}}
        //
        Response resp = eh.toResponse(oe);
        
        // Mimic the client side logic by parsing the response from server
        //
        Map<?, ?> m = (Map<?, ?>)JSON.parse(resp.getEntity().toString());
        RemoteException re = JsonUtil.toRemoteException(m);
        Exception unwrapped = ((RemoteException)re).unwrapRemoteException(
            StandbyException.class);
        assertTrue (unwrapped instanceof StandbyException);
        return null;
      }
    }
  });
}
 
Example 20
Source Project: big-c   File: HttpServer2.java    License: Apache License 2.0 3 votes vote down vote up
/**
 * Get the admin ACLs from the given ServletContext and check if the given
 * user is in the ACL.
 *
 * @param servletContext the context containing the admin ACL.
 * @param remoteUser the remote user to check for.
 * @return true if the user is present in the ACL, false if no ACL is set or
 *         the user is not present
 */
public static boolean userHasAdministratorAccess(ServletContext servletContext,
    String remoteUser) {
  AccessControlList adminsAcl = (AccessControlList) servletContext
      .getAttribute(ADMINS_ACL);
  UserGroupInformation remoteUserUGI =
      UserGroupInformation.createRemoteUser(remoteUser);
  return adminsAcl != null && adminsAcl.isUserAllowed(remoteUserUGI);
}