Java Code Examples for org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytabAndReturnUGI()

The following examples show how to use org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytabAndReturnUGI() . These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
public SMHiveRecordWriter (Configuration conf) throws IOException {
	this.conf = conf;
       String principal = conf.get("hive.server2.authentication.kerberos.principal");
       String keytab = conf.get("hive.server2.authentication.kerberos.keytab");
       if (principal != null && keytab != null) {
           UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
           ugi.doAs(new PrivilegedAction<Void>(){
               public Void run() {
                   init();
                   return null;
               }
           });
       }
       else {
           init();
       }
}
 
Example 2
@Test(expected = UndeclaredThrowableException.class)
public void testWrongServicePrincipal() throws IOException, InterruptedException {
    // Configure logins
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Client and Create negotiator
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(KerberosSuite.PRINCIPAL_CLIENT, KEYTAB_FILE.getAbsolutePath());
    final SpnegoNegotiator spnegoNegotiator = client.doAs(new PrivilegedExceptionAction<SpnegoNegotiator>() {
        @Override
        public SpnegoNegotiator run() throws Exception {
            return new SpnegoNegotiator(KerberosSuite.PRINCIPAL_CLIENT, "omgWrongServerName");
        }
    });

    client.doAs(new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            return spnegoNegotiator.send();
        }
    });
    fail("Should not be able to find non existent server credentials");
}
 
Example 3
Source Project: phoenix   File: SecureUserConnectionsIT.java    License: Apache License 2.0 6 votes vote down vote up
@Test
public void testMultipleInvocationsBySameUserAreEquivalent() throws Exception {
    final HashSet<ConnectionInfo> connections = new HashSet<>();
    final String princ1 = getUserPrincipal(1);
    final File keytab1 = getUserKeytabFile(1);

    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1, keytab1.getPath());

    PrivilegedExceptionAction<Void> callable = new PrivilegedExceptionAction<Void>() {
        public Void run() throws Exception {
            String url = joinUserAuthentication(BASE_URL, princ1, keytab1);
            connections.add(ConnectionInfo.create(url).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
            return null;
        }
    };

    // Using the same UGI should result in two equivalent ConnectionInfo objects
    ugi.doAs(callable);
    assertEquals(1, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);

    ugi.doAs(callable);
    assertEquals(1, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);
}
 
Example 4
@Override public void start() throws IgniteException {
    super.start();

    KerberosHadoopFileSystemFactory proxy0 = (KerberosHadoopFileSystemFactory)proxy;

    A.ensure(!F.isEmpty(proxy0.getKeyTab()), "keyTab cannot not be empty.");
    A.ensure(!F.isEmpty(proxy0.getKeyTabPrincipal()), "keyTabPrincipal cannot not be empty.");
    A.ensure(proxy0.getReloginInterval() >= 0, "reloginInterval cannot not be negative.");

    reloginInterval = proxy0.getReloginInterval();

    try {
        UserGroupInformation.setConfiguration(cfg);

        user = UserGroupInformation.loginUserFromKeytabAndReturnUGI(proxy0.getKeyTabPrincipal(),
            proxy0.getKeyTab());
    }
    catch (IOException ioe) {
        throw new IgniteException("Failed login from keytab [keyTab=" + proxy0.getKeyTab() +
            ", keyTabPrincipal=" + proxy0.getKeyTabPrincipal() + ']', ioe);
    }
}
 
Example 5
Source Project: Bats   File: KerberosFactory.java    License: Apache License 2.0 5 votes vote down vote up
@Override
public UserGroupInformation createAndLoginUser(final Map<String, ?> properties) throws IOException {
  final Configuration conf = new SecurityConfiguration();
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
      UserGroupInformation.AuthenticationMethod.KERBEROS.toString());
  UserGroupInformation.setConfiguration(conf);

  final String keytab = (String) properties.get(DrillProperties.KEYTAB);
  final boolean assumeSubject = properties.containsKey(DrillProperties.KERBEROS_FROM_SUBJECT) &&
      Boolean.parseBoolean((String) properties.get(DrillProperties.KERBEROS_FROM_SUBJECT));
  try {
    final UserGroupInformation ugi;
    if (assumeSubject) {
      ugi = UserGroupInformation.getUGIFromSubject(Subject.getSubject(AccessController.getContext()));
      logger.debug("Assuming subject for {}.", ugi.getShortUserName());
    } else {
      if (keytab != null) {
        ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
            (String) properties.get(DrillProperties.USER), keytab);
        logger.debug("Logged in {} using keytab.", ugi.getShortUserName());
      } else {
        // includes Kerberos ticket login
        ugi = UserGroupInformation.getCurrentUser();
        logger.debug("Logged in {} using ticket.", ugi.getShortUserName());
      }
    }
    return ugi;
  } catch (final IOException e) {
    logger.debug("Login failed.", e);
    final Throwable cause = e.getCause();
    if (cause instanceof LoginException) {
      throw new SaslException("Failed to login.", cause);
    }
    throw new SaslException("Unexpected failure trying to login.", cause);
  }
}
 
Example 6
Source Project: Bats   File: SpnegoConfig.java    License: Apache License 2.0 5 votes vote down vote up
private UserGroupInformation loginAndReturnUgi() throws DrillException {

    validateSpnegoConfig();

    UserGroupInformation ugi;
    try {
      // Check if security is not enabled and try to set the security parameter to login the principal.
      // After the login is performed reset the static UGI state.
      if (!UserGroupInformation.isSecurityEnabled()) {
        final Configuration newConfig = new Configuration();
        newConfig.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
            UserGroupInformation.AuthenticationMethod.KERBEROS.toString());

        if (clientNameMapping != null) {
          newConfig.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTH_TO_LOCAL, clientNameMapping);
        }

        UserGroupInformation.setConfiguration(newConfig);
        ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);

        // Reset the original configuration for static UGI
        UserGroupInformation.setConfiguration(new Configuration());
      } else {
        // Let's not overwrite the rules here since it might be possible that CUSTOM security is configured for
        // JDBC/ODBC with default rules. If Kerberos was enabled then the correct rules must already be set
        ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
      }
    } catch (Exception e) {
      throw new DrillException(String.format("Login failed for %s with given keytab", principal), e);
    }
    return ugi;
  }
 
Example 7
private void createTable() throws Exception {
  tableName = name.getTableName();

  // Create a table and write a record as the service user (hbase)
  UserGroupInformation serviceUgi = UserGroupInformation
    .loginUserFromKeytabAndReturnUGI("hbase/localhost", KEYTAB_FILE.getAbsolutePath());
  clusterId = serviceUgi.doAs(new PrivilegedExceptionAction<String>() {
    @Override
    public String run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(CONF);
        Admin admin = conn.getAdmin();) {
        admin.createTable(TableDescriptorBuilder.newBuilder(tableName)
          .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1")).build());

        UTIL.waitTableAvailable(tableName);

        try (Table t = conn.getTable(tableName)) {
          Put p = new Put(Bytes.toBytes("r1"));
          p.addColumn(Bytes.toBytes("f1"), Bytes.toBytes("q1"), Bytes.toBytes("1"));
          t.put(p);
        }

        return admin.getClusterMetrics().getClusterId();
      }
    }
  });
  assertNotNull(clusterId);
}
 
Example 8
Source Project: hbase   File: TestInfoServersACL.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void testUnauthorizedUser() throws Exception {
  UserGroupInformation nonAdmin = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      USER_NONE_STR, KEYTAB_FILE.getAbsolutePath());
  nonAdmin.doAs(new PrivilegedExceptionAction<Void>() {
    @Override public Void run() throws Exception {
      Pair<Integer,String> pair = getLogLevelPage();
      assertEquals(HttpURLConnection.HTTP_FORBIDDEN, pair.getFirst().intValue());
      return null;
    }
  });
}
 
Example 9
@Test(expected = UndeclaredThrowableException.class)
public void testFalseResponseFromServerFails() throws IOException, InterruptedException {
    // Configure logins
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Client and Create negotiator
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(KerberosSuite.PRINCIPAL_CLIENT, KEYTAB_FILE.getAbsolutePath());
    final SpnegoNegotiator spnegoNegotiator = client.doAs(new PrivilegedExceptionAction<SpnegoNegotiator>() {
        @Override
        public SpnegoNegotiator run() throws Exception {
            return new SpnegoNegotiator(KerberosSuite.PRINCIPAL_CLIENT, KerberosSuite.PRINCIPAL_SERVER);
        }
    });

    String baseToken = client.doAs(new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            return spnegoNegotiator.send();
        }
    });
    final byte[] token = Base64.decodeBase64(baseToken);

    spnegoNegotiator.setTokenData(Base64.encodeBase64String(new byte[]{1,2,3,4,5}));
    client.doAs(new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            return spnegoNegotiator.send();
        }
    });
    fail("Defective token given to Negotiator and accepted.");
}
 
Example 10
@Before
public void createTable() throws Exception {
  tableName = TableName.valueOf(name.getMethodName());

  // Create a table and write a record as the service user (hbase)
  UserGroupInformation serviceUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      "hbase/localhost", KEYTAB_FILE.getAbsolutePath());
  clusterId = serviceUgi.doAs(new PrivilegedExceptionAction<String>() {
    @Override public String run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(CONF);
          Admin admin = conn.getAdmin();) {
        admin.createTable(TableDescriptorBuilder
            .newBuilder(tableName)
            .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1"))
            .build());

        UTIL.waitTableAvailable(tableName);

        try (Table t = conn.getTable(tableName)) {
          Put p = new Put(Bytes.toBytes("r1"));
          p.addColumn(Bytes.toBytes("f1"), Bytes.toBytes("q1"), Bytes.toBytes("1"));
          t.put(p);
        }

        return admin.getClusterMetrics().getClusterId();
      }
    }
  });

  assertNotNull(clusterId);
}
 
Example 11
Source Project: phoenix   File: SecureUserConnectionsIT.java    License: Apache License 2.0 5 votes vote down vote up
@Test
public void testMultipleUniqueUGIInstancesAreDisjoint() throws Exception {
    final HashSet<ConnectionInfo> connections = new HashSet<>();
    final String princ1 = getUserPrincipal(1);
    final File keytab1 = getUserKeytabFile(1);

    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1, keytab1.getPath());

    PrivilegedExceptionAction<Void> callable = new PrivilegedExceptionAction<Void>() {
        public Void run() throws Exception {
            String url = joinUserAuthentication(BASE_URL, princ1, keytab1);
            connections.add(ConnectionInfo.create(url).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
            return null;
        }
    };

    ugi.doAs(callable);
    assertEquals(1, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);

    // A second, but equivalent, call from the same "real" user but a different UGI instance
    // is expected functionality (programmer error).
    UserGroupInformation ugiCopy = UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1, keytab1.getPath());
    ugiCopy.doAs(callable);
    assertEquals(2, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);
}
 
Example 12
private void start() throws Exception {
    int regionServerPort = REGION_SERVER_PORT + memberNumber;
    int regionServerInfoPort = REGION_SERVER_WEB_PORT + memberNumber;
    int derbyPort = SQLConfiguration.DEFAULT_NETWORK_BIND_PORT + memberNumber;

    Configuration config = SpliceTestPlatformConfig.create(
            hbaseTargetDirectory,
            0,
            0,
            0, //regionServerPort,
            0, //regionServerInfoPort,
            derbyPort,
            false,
            null,
            secure
    );

    String keytab = hbaseTargetDirectory+"/splice.keytab";
    UserGroupInformation ugi;
    if (secure) {
        ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("hbase/[email protected]", keytab);
        UserGroupInformation.setLoginUser(ugi);
    } else {
        ugi = UserGroupInformation.getCurrentUser();
    }

    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            MiniHBaseCluster miniHBaseCluster = new MiniHBaseCluster(config, 0, 1);
            miniHBaseCluster.startRegionServer();
            return null;
        }

    });
}
 
Example 13
@Test
public void testAuth() throws Exception {
    // Configure logins
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Client and Execute Test
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(KerberosSuite.PRINCIPAL_CLIENT, KEYTAB_FILE.getAbsolutePath());

    client.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            HttpParams params = new HttpClientParams();

            // Order auth schemes
            EsHadoopAuthPolicies.registerAuthSchemes();
            List<String> authPreferences = new ArrayList<String>();
            authPreferences.add(EsHadoopAuthPolicies.NEGOTIATE);
            params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPreferences);

            AuthChallengeProcessor authChallengeProcessor = new AuthChallengeProcessor(params);
            TestMethod method = new TestMethod();
            method.setHeaders(new Header[]{new Header("WWW-Authenticate", "Negotiate")});

            Credentials credentials = new SpnegoCredentials(HadoopUserProvider.create(new TestSettings()), KerberosSuite.PRINCIPAL_SERVER);

            // Parse Challenge
            Map challenges = AuthChallengeParser.parseChallenges(method.getResponseHeaders("WWW-Authenticate"));
            assertThat(challenges.isEmpty(), not(true));
            assertThat(challenges.containsKey("negotiate"), is(true));
            assertThat(challenges.get("negotiate"), is("Negotiate"));
            AuthScheme scheme = authChallengeProcessor.processChallenge(method.getHostAuthState(), challenges);

            assertNotNull(scheme);
            assertThat(scheme, instanceOf(SpnegoAuthScheme.class));
            method.getHostAuthState().setAuthAttempted(true);

            // Execute Auth
            Header[] authHeaders = method.getRequestHeaders("Authorization");
            for (Header authHeader : authHeaders) {
                if (authHeader.isAutogenerated()) {
                    method.removeRequestHeader(authHeader);
                }
            }
            AuthState authState = method.getHostAuthState();
            AuthScheme authScheme = authState.getAuthScheme();
            assertNotNull(authScheme);
            assertThat(authScheme.isConnectionBased(), is(not(true)));
            String authString = authScheme.authenticate(credentials, method);

            assertNotNull(authString);
            assertThat(authString, startsWith("Negotiate "));
            method.addRequestHeader(new Header("Authorization", authString, true));

            return null;
        }
    });
}
 
Example 14
Source Project: crate   File: HdfsRepository.java    License: Apache License 2.0 4 votes vote down vote up
private UserGroupInformation login(Configuration hadoopConfiguration, Settings repositorySettings) {
    // Validate the authentication method:
    AuthenticationMethod authMethod = SecurityUtil.getAuthenticationMethod(hadoopConfiguration);
    if (authMethod.equals(AuthenticationMethod.SIMPLE) == false
        && authMethod.equals(AuthenticationMethod.KERBEROS) == false) {
        throw new RuntimeException("Unsupported authorization mode [" + authMethod + "]");
    }

    // Check if the user added a principal to use, and that there is a keytab file provided
    String kerberosPrincipal = repositorySettings.get(CONF_SECURITY_PRINCIPAL);

    // Check to see if the authentication method is compatible
    if (kerberosPrincipal != null && authMethod.equals(AuthenticationMethod.SIMPLE)) {
        LOGGER.warn("Hadoop authentication method is set to [SIMPLE], but a Kerberos principal is " +
            "specified. Continuing with [KERBEROS] authentication.");
        SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, hadoopConfiguration);
    } else if (kerberosPrincipal == null && authMethod.equals(AuthenticationMethod.KERBEROS)) {
        throw new RuntimeException("HDFS Repository does not support [KERBEROS] authentication without " +
            "a valid Kerberos principal and keytab. Please specify a principal in the repository settings with [" +
            CONF_SECURITY_PRINCIPAL + "].");
    }

    // Now we can initialize the UGI with the configuration.
    UserGroupInformation.setConfiguration(hadoopConfiguration);

    // Debugging
    LOGGER.debug("Hadoop security enabled: [{}]", UserGroupInformation.isSecurityEnabled());
    LOGGER.debug("Using Hadoop authentication method: [{}]", SecurityUtil.getAuthenticationMethod(hadoopConfiguration));

    // UserGroupInformation (UGI) instance is just a Hadoop specific wrapper around a Java Subject
    try {
        if (UserGroupInformation.isSecurityEnabled()) {
            String principal = preparePrincipal(kerberosPrincipal);
            String keytab = HdfsSecurityContext.locateKeytabFile(environment).toString();
            LOGGER.debug("Using kerberos principal [{}] and keytab located at [{}]", principal, keytab);
            return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
        }
        return UserGroupInformation.getCurrentUser();
    } catch (IOException e) {
        throw new UncheckedIOException("Could not retrieve the current user information", e);
    }
}
 
Example 15
@Test
public void testSuccessfulNegotiateWithRealmName() throws IOException, GSSException, InterruptedException {
    // Mechanisms
    final GSSManager gssManager = GSSManager.getInstance();
    final Oid spnegoOid = new Oid("1.3.6.1.5.5.2");

    // Configure logins
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Server
    UserGroupInformation server = UserGroupInformation.loginUserFromKeytabAndReturnUGI(withRealm(KerberosSuite.PRINCIPAL_SERVER), KEYTAB_FILE.getAbsolutePath());
    final GSSName gssServicePrincipalName = gssManager.createName(withRealm(KerberosSuite.PRINCIPAL_SERVER), GSSName.NT_USER_NAME);
    final GSSCredential gssServiceCredential = server.doAs(new PrivilegedExceptionAction<GSSCredential>() {
        @Override
        public GSSCredential run() throws Exception {
            return gssManager.createCredential(
                    gssServicePrincipalName,
                    GSSCredential.DEFAULT_LIFETIME,
                    spnegoOid,
                    GSSCredential.ACCEPT_ONLY
            );
        }
    });
    final GSSContext serverCtx = gssManager.createContext(gssServiceCredential);

    // Login as Client and Create negotiator
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(withRealm(KerberosSuite.PRINCIPAL_CLIENT), KEYTAB_FILE.getAbsolutePath());
    final SpnegoNegotiator spnegoNegotiator = client.doAs(new PrivilegedExceptionAction<SpnegoNegotiator>() {
        @Override
        public SpnegoNegotiator run() throws Exception {
            return new SpnegoNegotiator(withRealm(KerberosSuite.PRINCIPAL_CLIENT), withRealm(KerberosSuite.PRINCIPAL_SERVER));
        }
    });

    byte[] token = new byte[0];
    boolean authenticated = false;

    for (int idx = 0; idx < 100; idx++) {
        if (!spnegoNegotiator.established()) {
            final byte[] sendToken = token;
            String baseToken = client.doAs(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws Exception {
                    if (sendToken.length > 0) {
                        return spnegoNegotiator.send(Base64.encodeBase64String(sendToken));
                    } else {
                        return spnegoNegotiator.send();
                    }
                }
            });
            token = Base64.decodeBase64(baseToken);
        }

        if (!spnegoNegotiator.established() && serverCtx.isEstablished()) {
            fail("Server is established, but client is not.");
        }

        if (!serverCtx.isEstablished()) {
            final byte[] currentToken = token;
            token = server.doAs(new PrivilegedExceptionAction<byte[]>() {
                @Override
                public byte[] run() throws Exception {
                    return serverCtx.acceptSecContext(currentToken, 0, currentToken.length);
                }
            });
        }

        if (serverCtx.isEstablished() && spnegoNegotiator.established()) {
            authenticated = true;
            break;
        }
    }

    assertThat(authenticated, is(true));
    assertThat(serverCtx.isEstablished(), is(true));
    assertThat(spnegoNegotiator.established(), is(true));

    spnegoNegotiator.close();
    assertThat(spnegoNegotiator.established(), is(false));
}
 
Example 16
@Test
public void testAuthWithReverseLookupServicePrincipal() throws Exception {
    // Configure logins
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Client and Execute Test
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(KerberosSuite.PRINCIPAL_CLIENT, KEYTAB_FILE.getAbsolutePath());

    client.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            HttpParams params = new HttpClientParams();

            // Order auth schemes
            EsHadoopAuthPolicies.registerAuthSchemes();
            List<String> authPreferences = new ArrayList<String>();
            authPreferences.add(EsHadoopAuthPolicies.NEGOTIATE);
            params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPreferences);

            AuthChallengeProcessor authChallengeProcessor = new AuthChallengeProcessor(params);

            Map<String, String> dnsMappings = new HashMap<String, String>();
            dnsMappings.put("es.build.elastic.co", "127.0.0.1");

            TestMethod method = new TestMethod();
            method.setHeaders(new Header[]{new Header("WWW-Authenticate", "Negotiate")});
            method.setURI(new org.apache.commons.httpclient.URI("http", null, "127.0.0.1", 9200));

            Credentials credentials = new SpnegoCredentials(HadoopUserProvider.create(new TestSettings()), "HTTP/[email protected]");

            // Parse Challenge
            Map challenges = AuthChallengeParser.parseChallenges(method.getResponseHeaders("WWW-Authenticate"));
            assertThat(challenges.isEmpty(), not(true));
            assertThat(challenges.containsKey("negotiate"), is(true));
            assertThat(challenges.get("negotiate"), is("Negotiate"));
            AuthScheme scheme = authChallengeProcessor.processChallenge(method.getHostAuthState(), challenges);

            assertNotNull(scheme);
            assertThat(scheme, instanceOf(SpnegoAuthScheme.class));
            method.getHostAuthState().setAuthAttempted(true);

            // Execute Auth
            Header[] authHeaders = method.getRequestHeaders("Authorization");
            for (Header authHeader : authHeaders) {
                if (authHeader.isAutogenerated()) {
                    method.removeRequestHeader(authHeader);
                }
            }
            AuthState authState = method.getHostAuthState();
            AuthScheme authScheme = authState.getAuthScheme();
            assertNotNull(authScheme);
            assertThat(authScheme.isConnectionBased(), is(not(true)));

            // Replace scheme with test harness scheme
            authScheme = new TestScheme(dnsMappings);
            String authString = authScheme.authenticate(credentials, method);

            assertNotNull(authString);
            assertThat(authString, startsWith("Negotiate "));
            method.addRequestHeader(new Header("Authorization", authString, true));

            return null;
        }
    });
}
 
Example 17
Source Project: hbase   File: TestSecureRESTServer.java    License: Apache License 2.0 4 votes vote down vote up
@Test
public void testPositiveAuthorization() throws Exception {
  // Create a table, write a row to it, grant read perms to the client
  UserGroupInformation superuser = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      SERVICE_PRINCIPAL, serviceKeytab.getAbsolutePath());
  final TableName table = TableName.valueOf("publicTable");
  superuser.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
        TableDescriptor desc = TableDescriptorBuilder.newBuilder(table)
            .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1"))
            .build();
        conn.getAdmin().createTable(desc);
        try (Table t = conn.getTable(table)) {
          Put p = new Put(Bytes.toBytes("a"));
          p.addColumn(Bytes.toBytes("f1"), new byte[0], Bytes.toBytes("1"));
          t.put(p);
        }
        AccessControlClient.grant(conn, CLIENT_PRINCIPAL, Action.READ);
      } catch (Throwable e) {
        if (e instanceof Exception) {
          throw (Exception) e;
        } else {
          throw new Exception(e);
        }
      }
      return null;
    }
  });

  // Read that row as the client
  Pair<CloseableHttpClient,HttpClientContext> pair = getClient();
  CloseableHttpClient client = pair.getFirst();
  HttpClientContext context = pair.getSecond();

  HttpGet get = new HttpGet(new URL("http://localhost:"+ REST_TEST.getServletPort()).toURI()
      + "/" + table + "/a");
  get.addHeader("Accept", "application/json");
  UserGroupInformation user = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      CLIENT_PRINCIPAL, clientKeytab.getAbsolutePath());
  String jsonResponse = user.doAs(new PrivilegedExceptionAction<String>() {
    @Override
    public String run() throws Exception {
      try (CloseableHttpResponse response = client.execute(get, context)) {
        final int statusCode = response.getStatusLine().getStatusCode();
        assertEquals(response.getStatusLine().toString(), HttpURLConnection.HTTP_OK, statusCode);
        HttpEntity entity = response.getEntity();
        return EntityUtils.toString(entity);
      }
    }
  });
  ObjectMapper mapper = new JacksonJaxbJsonProvider()
      .locateMapper(CellSetModel.class, MediaType.APPLICATION_JSON_TYPE);
  CellSetModel model = mapper.readValue(jsonResponse, CellSetModel.class);
  assertEquals(1, model.getRows().size());
  RowModel row = model.getRows().get(0);
  assertEquals("a", Bytes.toString(row.getKey()));
  assertEquals(1, row.getCells().size());
  CellModel cell = row.getCells().get(0);
  assertEquals("1", Bytes.toString(cell.getValue()));
}
 
Example 18
Source Project: hbase   File: TestLogLevel.java    License: Apache License 2.0 4 votes vote down vote up
/**
 * Run both client and server using the given protocol.
 *
 * @param bindProtocol specify either http or https for server
 * @param connectProtocol specify either http or https for client
 * @param isSpnego true if SPNEGO is enabled
 * @throws Exception if client can't accesss server.
 */
private void testDynamicLogLevel(final String bindProtocol, final String connectProtocol,
    final boolean isSpnego, final String newLevel)
    throws Exception {
  if (!LogLevel.isValidProtocol(bindProtocol)) {
    throw new Exception("Invalid server protocol " + bindProtocol);
  }
  if (!LogLevel.isValidProtocol(connectProtocol)) {
    throw new Exception("Invalid client protocol " + connectProtocol);
  }
  Level oldLevel = log.getEffectiveLevel();
  assertNotEquals("Get default Log Level which shouldn't be ERROR.",
      Level.ERROR, oldLevel);

  // configs needed for SPNEGO at server side
  if (isSpnego) {
    serverConf.set(PRINCIPAL, HTTP_PRINCIPAL);
    serverConf.set(KEYTAB, keyTabFile.getAbsolutePath());
    serverConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
    serverConf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
    UserGroupInformation.setConfiguration(serverConf);
  } else {
    serverConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "simple");
    serverConf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false);
    UserGroupInformation.setConfiguration(serverConf);
  }

  final HttpServer server = createServer(bindProtocol, isSpnego);
  // get server port
  final String authority = NetUtils.getHostPortString(server.getConnectorAddress(0));

  String keytabFilePath = keyTabFile.getAbsolutePath();

  UserGroupInformation clientUGI = UserGroupInformation.
      loginUserFromKeytabAndReturnUGI(clientPrincipal, keytabFilePath);
  try {
    clientUGI.doAs((PrivilegedExceptionAction<Void>) () -> {
      // client command line
      getLevel(connectProtocol, authority);
      setLevel(connectProtocol, authority, newLevel);
      return null;
    });
  } finally {
    clientUGI.logoutUserFromKeytab();
    server.stop();
  }

  // restore log level
  GenericTestUtils.setLogLevel(log, oldLevel);
}
 
Example 19
Source Project: localization_nifi   File: SecurityUtil.java    License: Apache License 2.0 3 votes vote down vote up
/**
 * Initializes UserGroupInformation with the given Configuration and performs the login for the given principal
 * and keytab. All logins should happen through this class to ensure other threads are not concurrently modifying
 * UserGroupInformation.
 *
 * @param config the configuration instance
 * @param principal the principal to authenticate as
 * @param keyTab the keytab to authenticate with
 *
 * @return the UGI for the given principal
 *
 * @throws IOException if login failed
 */
public static synchronized UserGroupInformation loginKerberos(final Configuration config, final String principal, final String keyTab)
        throws IOException {
    Validate.notNull(config);
    Validate.notNull(principal);
    Validate.notNull(keyTab);

    UserGroupInformation.setConfiguration(config);
    return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal.trim(), keyTab.trim());
}
 
Example 20
Source Project: big-c   File: RegistryTestHelper.java    License: Apache License 2.0 3 votes vote down vote up
/**
 * Login via a UGI. Requres UGI to have been set up
 * @param user username
 * @param keytab keytab to list
 * @return the UGI
 * @throws IOException
 */
public static UserGroupInformation loginUGI(String user, File keytab) throws
    IOException {
  LOG.info("Logging in as {} from {}", user, keytab);
  return UserGroupInformation.loginUserFromKeytabAndReturnUGI(user,
      keytab.getAbsolutePath());
}