Java Code Examples for org.apache.hadoop.security.UserGroupInformation#getUserName()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#getUserName() . These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: big-c   File: TestClientRMService.java    License: Apache License 2.0 6 votes vote down vote up
private void checkTokenCancellation(ClientRMService rmService,
    UserGroupInformation owner, UserGroupInformation renewer)
    throws IOException, YarnException {
  RMDelegationTokenIdentifier tokenIdentifier =
      new RMDelegationTokenIdentifier(new Text(owner.getUserName()),
        new Text(renewer.getUserName()), null);
  Token<?> token =
      new Token<RMDelegationTokenIdentifier>(tokenIdentifier, dtsm);
  org.apache.hadoop.yarn.api.records.Token dToken =
      BuilderUtils.newDelegationToken(token.getIdentifier(), token.getKind()
        .toString(), token.getPassword(), token.getService().toString());
  CancelDelegationTokenRequest request =
      Records.newRecord(CancelDelegationTokenRequest.class);
  request.setDelegationToken(dToken);
  rmService.cancelDelegationToken(request);
}
 
Example 2
Source Project: big-c   File: TestStagingCleanup.java    License: Apache License 2.0 6 votes vote down vote up
@Override
protected Job createJob(Configuration conf, JobStateInternal forcedState, 
    String diagnostic) {
  UserGroupInformation currentUser = null;
  try {
    currentUser = UserGroupInformation.getCurrentUser();
  } catch (IOException e) {
    throw new YarnRuntimeException(e);
  }
  Job newJob = new TestJob(getJobId(), getAttemptID(), conf,
      getDispatcher().getEventHandler(),
      getTaskAttemptListener(), getContext().getClock(),
      getCommitter(), isNewApiCommitter(),
      currentUser.getUserName(), getContext(),
      forcedState, diagnostic);
  ((AppContext) getContext()).getAllJobs().put(newJob.getID(), newJob);

  getDispatcher().register(JobFinishEvent.Type.class,
      createJobFinishEventHandler());

  return newJob;
}
 
Example 3
Source Project: hadoop   File: TestWebHdfsUrl.java    License: Apache License 2.0 6 votes vote down vote up
private WebHdfsFileSystem getWebHdfsFileSystem(UserGroupInformation ugi,
    Configuration conf) throws IOException {
  if (UserGroupInformation.isSecurityEnabled()) {
    DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(new Text(
        ugi.getUserName()), null, null);
    FSNamesystem namesystem = mock(FSNamesystem.class);
    DelegationTokenSecretManager dtSecretManager = new DelegationTokenSecretManager(
        86400000, 86400000, 86400000, 86400000, namesystem);
    dtSecretManager.startThreads();
    Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(
        dtId, dtSecretManager);
    SecurityUtil.setTokenService(
        token, NetUtils.createSocketAddr(uri.getAuthority()));
    token.setKind(WebHdfsFileSystem.TOKEN_KIND);
    ugi.addToken(token);
  }
  return (WebHdfsFileSystem) FileSystem.get(uri, conf);
}
 
Example 4
Source Project: RDFS   File: PermissionChecker.java    License: Apache License 2.0 6 votes vote down vote up
PermissionChecker(String fsOwner, String supergroup
    ) throws AccessControlException{
  UserGroupInformation ugi = UserGroupInformation.getCurrentUGI();
  if (LOG.isDebugEnabled()) {
    LOG.debug("ugi=" + ugi);
  }

  if (ugi != null) {
    user = ugi.getUserName();
    groups.addAll(Arrays.asList(ugi.getGroupNames()));
    isSuper = user.equals(fsOwner) || groups.contains(supergroup);
  }
  else {
    throw new AccessControlException("ugi = null");
  }
}
 
Example 5
Source Project: gcp-token-broker   File: PingServer.java    License: Apache License 2.0 6 votes vote down vote up
private static String checkGetSessionToken(Configuration config) {
    try {
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        Text username = new Text(loginUser.getUserName());
        BrokerTokenIdentifier identifier = new BrokerTokenIdentifier(config, username, username, username, SERVICE);
        String sessionToken = identifier.getSessionToken();
        assert (sessionToken.length() > 0);
        System.out.println(CHECK_SUCCESS);
        return sessionToken;
    } catch (Exception e) {
        System.out.println(CHECK_FAIL);
        e.printStackTrace(System.out);
        System.out.println();
        return null;
    }
}
 
Example 6
Source Project: hadoop   File: RMWebServices.java    License: Apache License 2.0 6 votes vote down vote up
@GET
@Path("/apps/{appid}/state")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public AppState getAppState(@Context HttpServletRequest hsr,
    @PathParam("appid") String appId) throws AuthorizationException {
  init();
  UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
  String userName = "";
  if (callerUGI != null) {
    userName = callerUGI.getUserName();
  }
  RMApp app = null;
  try {
    app = getRMAppForAppId(appId);
  } catch (NotFoundException e) {
    RMAuditLogger.logFailure(userName, AuditConstants.KILL_APP_REQUEST,
      "UNKNOWN", "RMWebService",
      "Trying to get state of an absent application " + appId);
    throw e;
  }

  AppState ret = new AppState();
  ret.setState(app.getState().toString());

  return ret;
}
 
Example 7
@Override
public AttemptingUserProvidingSaslServer createServer(
    SecretManager<TokenIdentifier> secretManager,
    Map<String, String> saslProps) throws IOException {
  UserGroupInformation current = UserGroupInformation.getCurrentUser();
  String fullName = current.getUserName();
  LOG.debug("Server's Kerberos principal name is {}", fullName);
  String[] names = SaslUtil.splitKerberosName(fullName);
  if (names.length != 3) {
    throw new AccessDeniedException(
        "Kerberos principal does NOT contain an instance (hostname): " + fullName);
  }
  try {
    return current.doAs(new PrivilegedExceptionAction<AttemptingUserProvidingSaslServer>() {
      @Override
      public AttemptingUserProvidingSaslServer run() throws SaslException {
        return new AttemptingUserProvidingSaslServer(Sasl.createSaslServer(
            getSaslAuthMethod().getSaslMechanism(), names[0], names[1], saslProps,
            new SaslGssCallbackHandler()), () -> null);
      }
    });
  } catch (InterruptedException e) {
    Thread.currentThread().interrupt();
    throw new RuntimeException("Failed to construct GSS SASL server");
  }
}
 
Example 8
Source Project: hadoop   File: RMWebServices.java    License: Apache License 2.0 6 votes vote down vote up
@GET
@Path("/apps/{appid}/queue")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public AppQueue getAppQueue(@Context HttpServletRequest hsr,
    @PathParam("appid") String appId) throws AuthorizationException {
  init();
  UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
  String userName = "UNKNOWN-USER";
  if (callerUGI != null) {
    userName = callerUGI.getUserName();
  }
  RMApp app = null;
  try {
    app = getRMAppForAppId(appId);
  } catch (NotFoundException e) {
    RMAuditLogger.logFailure(userName, AuditConstants.KILL_APP_REQUEST,
      "UNKNOWN", "RMWebService",
      "Trying to get state of an absent application " + appId);
    throw e;
  }

  AppQueue ret = new AppQueue();
  ret.setQueue(app.getQueue());

  return ret;
}
 
Example 9
Source Project: big-c   File: RMWebServices.java    License: Apache License 2.0 6 votes vote down vote up
@GET
@Path("/apps/{appid}/state")
@Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public AppState getAppState(@Context HttpServletRequest hsr,
    @PathParam("appid") String appId) throws AuthorizationException {
  init();
  UserGroupInformation callerUGI = getCallerUserGroupInformation(hsr, true);
  String userName = "";
  if (callerUGI != null) {
    userName = callerUGI.getUserName();
  }
  RMApp app = null;
  try {
    app = getRMAppForAppId(appId);
  } catch (NotFoundException e) {
    RMAuditLogger.logFailure(userName, AuditConstants.KILL_APP_REQUEST,
      "UNKNOWN", "RMWebService",
      "Trying to get state of an absent application " + appId);
    throw e;
  }

  AppState ret = new AppState();
  ret.setState(app.getState().toString());

  return ret;
}
 
Example 10
@Override
protected Job createJob(Configuration conf, JobStateInternal forcedState,
    String diagnostic) {
  UserGroupInformation currentUser = null;
  try {
    currentUser = UserGroupInformation.getCurrentUser();
  } catch (IOException e) {
    throw new YarnRuntimeException(e);
  }
  Job newJob =
      new TestJob(getJobId(), getAttemptID(), conf, getDispatcher()
        .getEventHandler(), getTaskAttemptListener(), getContext()
        .getClock(), getCommitter(), isNewApiCommitter(),
        currentUser.getUserName(), getContext(), forcedState, diagnostic);
  ((AppContext) getContext()).getAllJobs().put(newJob.getID(), newJob);

  getDispatcher().register(JobFinishEvent.Type.class,
    createJobFinishEventHandler());

  return newJob;
}
 
Example 11
Source Project: hadoop   File: TestClientRMService.java    License: Apache License 2.0 6 votes vote down vote up
private void checkTokenCancellation(ClientRMService rmService,
    UserGroupInformation owner, UserGroupInformation renewer)
    throws IOException, YarnException {
  RMDelegationTokenIdentifier tokenIdentifier =
      new RMDelegationTokenIdentifier(new Text(owner.getUserName()),
        new Text(renewer.getUserName()), null);
  Token<?> token =
      new Token<RMDelegationTokenIdentifier>(tokenIdentifier, dtsm);
  org.apache.hadoop.yarn.api.records.Token dToken =
      BuilderUtils.newDelegationToken(token.getIdentifier(), token.getKind()
        .toString(), token.getPassword(), token.getService().toString());
  CancelDelegationTokenRequest request =
      Records.newRecord(CancelDelegationTokenRequest.class);
  request.setDelegationToken(dToken);
  rmService.cancelDelegationToken(request);
}
 
Example 12
Source Project: hadoop-gpu   File: TestCopyFiles.java    License: Apache License 2.0 5 votes vote down vote up
static Path createHomeDirectory(FileSystem fs, UserGroupInformation ugi
    ) throws IOException {
  final Path home = new Path("/user/" + ugi.getUserName());
  fs.mkdirs(home);
  fs.setOwner(home, ugi.getUserName(), ugi.getGroupNames()[0]);
  fs.setPermission(home, new FsPermission((short)0700));
  return home;
}
 
Example 13
Source Project: gcp-token-broker   File: PingServer.java    License: Apache License 2.0 5 votes vote down vote up
private static BrokerTokenIdentifier getBTI(String sessionToken) throws IOException {
    UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
    Text username = new Text(loginUser.getUserName());
    BrokerTokenIdentifier identifier = new BrokerTokenIdentifier();
    identifier.setOwner(username);
    identifier.setRenewer(username);
    identifier.setRealUser(username);
    identifier.setSessionToken(sessionToken);
    return identifier;
}
 
Example 14
Source Project: hadoop-ozone   File: ServerUtils.java    License: Apache License 2.0 4 votes vote down vote up
public static String getRemoteUserName() {
  UserGroupInformation remoteUser = Server.getRemoteUser();
  return remoteUser != null ? remoteUser.getUserName() : null;
}
 
Example 15
@Test
public void testGetS3Secret() throws Exception {

  // Setup secure OM for start
  setupOm(conf);
  long omVersion =
      RPC.getProtocolVersion(OzoneManagerProtocolPB.class);
  try {
    // Start OM
    om.setCertClient(new CertificateClientTestImpl(conf));
    om.start();
    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    String username = ugi.getUserName();

    // Get first OM client which will authenticate via Kerberos
    omClient = new OzoneManagerProtocolClientSideTranslatorPB(
        OmTransportFactory.create(conf, ugi, null),
        RandomStringUtils.randomAscii(5));

    //Creates a secret since it does not exist
    S3SecretValue attempt1 = omClient.getS3Secret(username);

    //Fetches the secret from db since it was created in previous step
    S3SecretValue attempt2 = omClient.getS3Secret(username);

    //secret fetched on both attempts must be same
    assertEquals(attempt1.getAwsSecret(), attempt2.getAwsSecret());

    //access key fetched on both attempts must be same
    assertEquals(attempt1.getAwsAccessKey(), attempt2.getAwsAccessKey());


    try {
      omClient.getS3Secret("HADOOP/JOHNDOE");
      fail("testGetS3Secret failed");
    } catch (IOException ex) {
      GenericTestUtils.assertExceptionContains("USER_MISMATCH", ex);
    }
  } finally {
    IOUtils.closeQuietly(om);
  }
}
 
Example 16
@Test
public void testDelegationTokenRpc() throws Exception {
  ClientProtocol mockNN = mock(ClientProtocol.class);
  FSNamesystem mockNameSys = mock(FSNamesystem.class);

  DelegationTokenSecretManager sm = new DelegationTokenSecretManager(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT,
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT,
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT,
      3600000, mockNameSys);
  sm.startThreads();
  final Server server = new RPC.Builder(conf)
      .setProtocol(ClientProtocol.class).setInstance(mockNN)
      .setBindAddress(ADDRESS).setPort(0).setNumHandlers(5).setVerbose(true)
      .setSecretManager(sm).build();
  
  server.start();

  final UserGroupInformation current = UserGroupInformation.getCurrentUser();
  final InetSocketAddress addr = NetUtils.getConnectAddress(server);
  String user = current.getUserName();
  Text owner = new Text(user);
  DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, owner, null);
  Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(
      dtId, sm);
  SecurityUtil.setTokenService(token, addr);
  LOG.info("Service for token is " + token.getService());
  current.addToken(token);
  current.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() throws Exception {
      ClientProtocol proxy = null;
      try {
        proxy = RPC.getProxy(ClientProtocol.class,
            ClientProtocol.versionID, addr, conf);
        proxy.getServerDefaults();
      } finally {
        server.stop();
        if (proxy != null) {
          RPC.stopProxy(proxy);
        }
      }
      return null;
    }
  });
}
 
Example 17
@Test
public void testDelegationTokenRpc() throws Exception {
  ClientProtocol mockNN = mock(ClientProtocol.class);
  FSNamesystem mockNameSys = mock(FSNamesystem.class);

  DelegationTokenSecretManager sm = new DelegationTokenSecretManager(
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT,
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_KEY_UPDATE_INTERVAL_DEFAULT,
      DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_DEFAULT,
      3600000, mockNameSys);
  sm.startThreads();
  final Server server = new RPC.Builder(conf)
      .setProtocol(ClientProtocol.class).setInstance(mockNN)
      .setBindAddress(ADDRESS).setPort(0).setNumHandlers(5).setVerbose(true)
      .setSecretManager(sm).build();
  
  server.start();

  final UserGroupInformation current = UserGroupInformation.getCurrentUser();
  final InetSocketAddress addr = NetUtils.getConnectAddress(server);
  String user = current.getUserName();
  Text owner = new Text(user);
  DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, owner, null);
  Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>(
      dtId, sm);
  SecurityUtil.setTokenService(token, addr);
  LOG.info("Service for token is " + token.getService());
  current.addToken(token);
  current.doAs(new PrivilegedExceptionAction<Object>() {
    @Override
    public Object run() throws Exception {
      ClientProtocol proxy = null;
      try {
        proxy = RPC.getProxy(ClientProtocol.class,
            ClientProtocol.versionID, addr, conf);
        proxy.getServerDefaults();
      } finally {
        server.stop();
        if (proxy != null) {
          RPC.stopProxy(proxy);
        }
      }
      return null;
    }
  });
}
 
Example 18
Source Project: pxf   File: SecurityServletFilter.java    License: Apache License 2.0 4 votes vote down vote up
/**
 * If user impersonation is configured, examines the request for the presence of the expected security headers
 * and create a proxy user to execute further request chain. If security is enabled for the configuration server
 * used for the requests, makes sure that a login UGI for the the Kerberos principal is created and cached for
 * future use.
 * Responds with an HTTP error if the header is missing or the chain processing throws an exception.
 *
 * @param request  http request
 * @param response http response
 * @param chain    filter chain
 */
@Override
public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain)
        throws IOException, ServletException {

    // retrieve user header and make sure header is present and is not empty
    final String gpdbUser = getHeaderValue(request, USER_HEADER, true);
    final String transactionId = getHeaderValue(request, TRANSACTION_ID_HEADER, true);
    final Integer segmentId = getHeaderValueInt(request, SEGMENT_ID_HEADER, true);
    final boolean lastCallForSegment = getHeaderValueBoolean(request, LAST_FRAGMENT_HEADER, false);

    final String serverName = StringUtils.defaultIfBlank(getHeaderValue(request, SERVER_HEADER, false), "default");
    final String configDirectory = StringUtils.defaultIfBlank(getHeaderValue(request, CONFIG_HEADER, false), serverName);

    Configuration configuration = configurationFactory.initConfiguration(configDirectory, serverName, gpdbUser, null);

    boolean isUserImpersonation = secureLogin.isUserImpersonationEnabled(configuration);

    // Establish the UGI for the login user or the Kerberos principal for the given server, if applicable
    UserGroupInformation loginUser = secureLogin.getLoginUser(serverName, configDirectory, configuration);

    String serviceUser = loginUser.getUserName();

    if (!isUserImpersonation && Utilities.isSecurityEnabled(configuration)) {
        // When impersonation is disabled and security is enabled
        // we check whether the pxf.service.user.name property was provided
        // and if provided we use the value as the remote user instead of
        // the principal defined in pxf.service.kerberos.principal. However,
        // the principal will need to have proxy privileges on hadoop.
        String pxfServiceUserName = configuration.get(SecureLogin.CONFIG_KEY_SERVICE_USER_NAME);
        if (StringUtils.isNotBlank(pxfServiceUserName)) {
            serviceUser = pxfServiceUserName;
        }
    }

    String remoteUser = (isUserImpersonation ? gpdbUser : serviceUser);

    SessionId session = new SessionId(
            segmentId,
            transactionId,
            remoteUser,
            serverName,
            configuration,
            loginUser);

    final String serviceUserName = serviceUser;

    // Prepare privileged action to run on behalf of proxy user
    PrivilegedExceptionAction<Boolean> action = () -> {
        LOG.debug("Performing request for gpdb_user = {} as [remote_user = {} service_user = {} login_user ={}] with{} impersonation",
                gpdbUser, remoteUser, serviceUserName, loginUser.getUserName(), isUserImpersonation ? "" : "out");
        chain.doFilter(request, response);
        return true;
    };

    try {
        // Retrieve proxy user UGI from the UGI of the logged in user
        UserGroupInformation userGroupInformation = ugiCache
                .getUserGroupInformation(session, isUserImpersonation);

        LOG.debug("Retrieved proxy user {} for server {} and session {}", userGroupInformation, serverName, session);

        // Execute the servlet chain as that user
        userGroupInformation.doAs(action);
    } catch (UndeclaredThrowableException ute) {
        // unwrap the real exception thrown by the action
        throw new ServletException(ute.getCause());
    } catch (InterruptedException ie) {
        throw new ServletException(ie);
    } finally {
        // Optimization to cleanup the cache if it is the last fragment
        LOG.debug("Releasing proxy user for session: {}. {}",
                session, lastCallForSegment ? " Last fragment call" : "");
        try {
            ugiCache.release(session, lastCallForSegment);
        } catch (Throwable t) {
            LOG.error("Error releasing UGICache for session: {}", session, t);
        }
        if (lastCallForSegment) {
            LOG.info("Finished processing {}", session);
        }
    }
}
 
Example 19
Source Project: hadoop   File: RMWebServices.java    License: Apache License 2.0 4 votes vote down vote up
protected Response moveApp(RMApp app, UserGroupInformation callerUGI,
    String targetQueue) throws IOException, InterruptedException {

  if (app == null) {
    throw new IllegalArgumentException("app cannot be null");
  }
  String userName = callerUGI.getUserName();
  final ApplicationId appid = app.getApplicationId();
  final String reqTargetQueue = targetQueue;
  try {
    callerUGI
      .doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws IOException,
            YarnException {
          MoveApplicationAcrossQueuesRequest req =
              MoveApplicationAcrossQueuesRequest.newInstance(appid,
                reqTargetQueue);
          rm.getClientRMService().moveApplicationAcrossQueues(req);
          return null;
        }
      });
  } catch (UndeclaredThrowableException ue) {
    // if the root cause is a permissions issue
    // bubble that up to the user
    if (ue.getCause() instanceof YarnException) {
      YarnException ye = (YarnException) ue.getCause();
      if (ye.getCause() instanceof AccessControlException) {
        String appId = app.getApplicationId().toString();
        String msg =
            "Unauthorized attempt to move appid " + appId
                + " by remote user " + userName;
        return Response.status(Status.FORBIDDEN).entity(msg).build();
      } else if (ye.getMessage().startsWith("App in")
          && ye.getMessage().endsWith("state cannot be moved.")) {
        return Response.status(Status.BAD_REQUEST).entity(ye.getMessage())
          .build();
      } else {
        throw ue;
      }
    } else {
      throw ue;
    }
  }

  AppQueue ret = new AppQueue();
  ret.setQueue(app.getQueue());
  return Response.status(Status.OK).entity(ret).build();
}
 
Example 20
Source Project: big-c   File: TestRMAdminService.java    License: Apache License 2.0 4 votes vote down vote up
@Test
public void
    testRefreshUserToGroupsMappingsWithFileSystemBasedConfigurationProvider()
        throws IOException, YarnException {
  configuration.set(YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
      "org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");

  String[] defaultTestUserGroups = {"dummy_group1", "dummy_group2"};
  UserGroupInformation ugi = UserGroupInformation.createUserForTesting
      ("dummyUser", defaultTestUserGroups);

  String user = ugi.getUserName();
  List<String> groupWithInit = new ArrayList<String>(2);
   for(int i = 0; i < ugi.getGroupNames().length; i++ ) {
     groupWithInit.add(ugi.getGroupNames()[i]);
   }

  // upload default configurations
  uploadDefaultConfiguration();
  Configuration conf = new Configuration();
  conf.setClass(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MockUnixGroupsMapping.class,
      GroupMappingServiceProvider.class);
  uploadConfiguration(conf, "core-site.xml");

  try {
    rm = new MockRM(configuration);
    rm.init(configuration);
    rm.start();
  } catch (Exception ex) {
    fail("Should not get any exceptions");
  }

  // Make sure RM will use the updated GroupMappingServiceProvider
  List<String> groupBefore =
      new ArrayList<String>(Groups.getUserToGroupsMappingService(
          configuration).getGroups(user));
  Assert.assertTrue(groupBefore.contains("test_group_A")
      && groupBefore.contains("test_group_B")
      && groupBefore.contains("test_group_C") && groupBefore.size() == 3);
  Assert.assertTrue(groupWithInit.size() != groupBefore.size());
  Assert.assertFalse(groupWithInit.contains("test_group_A")
      || groupWithInit.contains("test_group_B")
      || groupWithInit.contains("test_group_C"));

  // update the groups
  MockUnixGroupsMapping.updateGroups();

  rm.adminService
      .refreshUserToGroupsMappings(RefreshUserToGroupsMappingsRequest
          .newInstance());
  List<String> groupAfter =
      Groups.getUserToGroupsMappingService(configuration).getGroups(user);

  // should get the updated groups
  Assert.assertTrue(groupAfter.contains("test_group_D")
      && groupAfter.contains("test_group_E")
      && groupAfter.contains("test_group_F") && groupAfter.size() == 3);

}