Java Code Examples for org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod#KERBEROS

The following examples show how to use org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod#KERBEROS.
Example 1
Source File: OzoneManager.java    From hadoop-ozone with Apache License 2.0
/**
 * Reports whether the caller's connection may perform delegation token
 * operations.
 *
 * <p>When security is enabled, only connections authenticated with KERBEROS,
 * KERBEROS_SSL or CERTIFICATE are accepted; any other method is refused.
 * When security is disabled the operation is always allowed.
 *
 * @return true if delegation token operation is allowed
 * @throws IOException declared by the signature; presumably raised by
 *     getConnectionAuthenticationMethod() - confirm against its definition
 */
private boolean isAllowedDelegationTokenOp() throws IOException {
  // Looked up before the security check, so a lookup failure still surfaces
  // when security is switched off.
  final AuthenticationMethod connectionAuth = getConnectionAuthenticationMethod();
  if (!UserGroupInformation.isSecurityEnabled()) {
    return true;
  }
  // Allow-list rather than deny-list: a method that is not named here is
  // refused, including null. Presumably this keeps a token-authenticated
  // connection from obtaining or renewing further tokens - confirm intent.
  return connectionAuth == AuthenticationMethod.KERBEROS
      || connectionAuth == AuthenticationMethod.KERBEROS_SSL
      || connectionAuth == AuthenticationMethod.CERTIFICATE;
}
 
Example 2
Source File: DataNode.java    From hadoop with Apache License 2.0
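/**
 * Ensures the current caller authenticated with Kerberos.
 *
 * <p>The check is skipped entirely when security is disabled. Only the
 * authentication method of the current user is inspected.
 *
 * @param msg text placed after "Error in" in the exception message;
 *     presumably the name of the guarded operation
 * @throws AccessControlException if security is enabled and the current user's
 *     authentication method is not KERBEROS
 * @throws IOException if the current user cannot be obtained
 */
private void checkKerberosAuthMethod(String msg) throws IOException {
  // NOTE(review): the earlier comment here said the caller must be the same
  // as the datanode user, but this method compares no identities. Presumably
  // that is enforced elsewhere - confirm before relying on it.
  if (!UserGroupInformation.isSecurityEnabled()) {
    // With security off this guard is a no-op by design.
    return;
  }
  if (UserGroupInformation.getCurrentUser().getAuthenticationMethod()
      != AuthenticationMethod.KERBEROS) {
    // Separator added: msg previously ran straight into "Only ...",
    // which made the denial hard to read in logs.
    throw new AccessControlException("Error in " + msg
        + ": Only kerberos based authentication is allowed.");
  }
}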
 
Example 3
Source File: TestUserGroupInformation.java    From hadoop with Apache License 2.0
/**
 * Checks that an authentication method set on the current user's UGI is
 * reported both directly and from inside a doAs() block.
 */
@Test (timeout = 30000)
public void testUGIAuthMethod() throws Exception {
  final AuthenticationMethod expected = AuthenticationMethod.KERBEROS;
  final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();

  // These lines only label the UGI as KERBEROS; no Kerberos login is
  // performed anywhere in this test.
  currentUser.setAuthenticationMethod(expected);
  Assert.assertEquals(expected, currentUser.getAuthenticationMethod());

  // Typed as PrivilegedExceptionAction so the matching doAs overload is chosen.
  final PrivilegedExceptionAction<Object> insideDoAs =
      new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws IOException {
          AuthenticationMethod seen =
              UserGroupInformation.getCurrentUser().getAuthenticationMethod();
          Assert.assertEquals(expected, seen);
          return null;
        }
      };
  currentUser.doAs(insideDoAs);
}
 
Example 4
Source File: TestUserGroupInformation.java    From hadoop with Apache License 2.0
/**
 * Checks how authentication methods are reported for a proxy user: the proxy
 * UGI itself reports PROXY, while the real user behind it keeps the method
 * that was set on it. Also checks UGI equality for copies built from the
 * same Subject.
 */
@Test (timeout = 30000)
public void testUGIAuthMethodInRealUser() throws Exception {
  final UserGroupInformation realUser = UserGroupInformation.getCurrentUser();
  final UserGroupInformation proxy =
      UserGroupInformation.createProxyUser("proxy", realUser);
  final AuthenticationMethod realMethod = AuthenticationMethod.KERBEROS;
  // Set after the proxy was created; the assertions below show that the proxy
  // still sees it through its real user.
  realUser.setAuthenticationMethod(realMethod);

  Assert.assertEquals(realMethod, realUser.getAuthenticationMethod());
  Assert.assertEquals(AuthenticationMethod.PROXY,
      proxy.getAuthenticationMethod());
  // An authorization decision that must reflect how the caller really
  // authenticated has to look at the real user, not at the PROXY label.
  Assert.assertEquals(realMethod,
      UserGroupInformation.getRealAuthenticationMethod(proxy));

  final PrivilegedExceptionAction<Object> asProxy =
      new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws IOException {
          Assert.assertEquals(AuthenticationMethod.PROXY,
              UserGroupInformation.getCurrentUser().getAuthenticationMethod());
          Assert.assertEquals(realMethod,
              UserGroupInformation.getCurrentUser().getRealUser()
                  .getAuthenticationMethod());
          return null;
        }
      };
  proxy.doAs(asProxy);

  // A second UGI wrapping the same Subject, explicitly labelled PROXY,
  // must compare equal to the first.
  UserGroupInformation proxyCopy =
      new UserGroupInformation(proxy.getSubject());
  proxyCopy.setAuthenticationMethod(AuthenticationMethod.PROXY);
  Assert.assertEquals(proxy, proxyCopy);

  // Equality should work if authMethod is null
  UserGroupInformation currentAgain = UserGroupInformation.getCurrentUser();
  UserGroupInformation otherProxy =
      UserGroupInformation.createProxyUser("proxyAnother", currentAgain);
  UserGroupInformation otherProxyCopy =
      new UserGroupInformation(otherProxy.getSubject());
  Assert.assertEquals(otherProxy, otherProxyCopy);
}
 
Example 5
Source File: DataNode.java    From big-c with Apache License 2.0
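/**
 * Ensures the current caller authenticated with Kerberos.
 *
 * <p>The check is skipped entirely when security is disabled. Only the
 * authentication method of the current user is inspected.
 *
 * @param msg text placed after "Error in" in the exception message;
 *     presumably the name of the guarded operation
 * @throws AccessControlException if security is enabled and the current user's
 *     authentication method is not KERBEROS
 * @throws IOException if the current user cannot be obtained
 */
private void checkKerberosAuthMethod(String msg) throws IOException {
  // NOTE(review): the earlier comment here said the caller must be the same
  // as the datanode user, but this method compares no identities. Presumably
  // that is enforced elsewhere - confirm before relying on it.
  if (!UserGroupInformation.isSecurityEnabled()) {
    // With security off this guard is a no-op by design.
    return;
  }
  if (UserGroupInformation.getCurrentUser().getAuthenticationMethod()
      != AuthenticationMethod.KERBEROS) {
    // Separator added: msg previously ran straight into "Only ...",
    // which made the denial hard to read in logs.
    throw new AccessControlException("Error in " + msg
        + ": Only kerberos based authentication is allowed.");
  }
}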
 
Example 6
Source File: TestUserGroupInformation.java    From big-c with Apache License 2.0
/**
 * Checks that an authentication method set on the current user's UGI is
 * reported both directly and from inside a doAs() block.
 */
@Test (timeout = 30000)
public void testUGIAuthMethod() throws Exception {
  final AuthenticationMethod expected = AuthenticationMethod.KERBEROS;
  final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();

  // These lines only label the UGI as KERBEROS; no Kerberos login is
  // performed anywhere in this test.
  currentUser.setAuthenticationMethod(expected);
  Assert.assertEquals(expected, currentUser.getAuthenticationMethod());

  // Typed as PrivilegedExceptionAction so the matching doAs overload is chosen.
  final PrivilegedExceptionAction<Object> insideDoAs =
      new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws IOException {
          AuthenticationMethod seen =
              UserGroupInformation.getCurrentUser().getAuthenticationMethod();
          Assert.assertEquals(expected, seen);
          return null;
        }
      };
  currentUser.doAs(insideDoAs);
}
 
Example 7
Source File: TestUserGroupInformation.java    From big-c with Apache License 2.0
/**
 * Checks how authentication methods are reported for a proxy user: the proxy
 * UGI itself reports PROXY, while the real user behind it keeps the method
 * that was set on it. Also checks UGI equality for copies built from the
 * same Subject.
 */
@Test (timeout = 30000)
public void testUGIAuthMethodInRealUser() throws Exception {
  final UserGroupInformation realUser = UserGroupInformation.getCurrentUser();
  final UserGroupInformation proxy =
      UserGroupInformation.createProxyUser("proxy", realUser);
  final AuthenticationMethod realMethod = AuthenticationMethod.KERBEROS;
  // Set after the proxy was created; the assertions below show that the proxy
  // still sees it through its real user.
  realUser.setAuthenticationMethod(realMethod);

  Assert.assertEquals(realMethod, realUser.getAuthenticationMethod());
  Assert.assertEquals(AuthenticationMethod.PROXY,
      proxy.getAuthenticationMethod());
  // An authorization decision that must reflect how the caller really
  // authenticated has to look at the real user, not at the PROXY label.
  Assert.assertEquals(realMethod,
      UserGroupInformation.getRealAuthenticationMethod(proxy));

  final PrivilegedExceptionAction<Object> asProxy =
      new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws IOException {
          Assert.assertEquals(AuthenticationMethod.PROXY,
              UserGroupInformation.getCurrentUser().getAuthenticationMethod());
          Assert.assertEquals(realMethod,
              UserGroupInformation.getCurrentUser().getRealUser()
                  .getAuthenticationMethod());
          return null;
        }
      };
  proxy.doAs(asProxy);

  // A second UGI wrapping the same Subject, explicitly labelled PROXY,
  // must compare equal to the first.
  UserGroupInformation proxyCopy =
      new UserGroupInformation(proxy.getSubject());
  proxyCopy.setAuthenticationMethod(AuthenticationMethod.PROXY);
  Assert.assertEquals(proxy, proxyCopy);

  // Equality should work if authMethod is null
  UserGroupInformation currentAgain = UserGroupInformation.getCurrentUser();
  UserGroupInformation otherProxy =
      UserGroupInformation.createProxyUser("proxyAnother", currentAgain);
  UserGroupInformation otherProxyCopy =
      new UserGroupInformation(otherProxy.getSubject());
  Assert.assertEquals(otherProxy, otherProxyCopy);
}
 
Example 8
Source File: TokenProvider.java    From hbase with Apache License 2.0
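/**
 * Decides whether the given caller may perform delegation token operations.
 *
 * <p>Only callers authenticated with KERBEROS, KERBEROS_SSL or CERTIFICATE
 * are allowed. For a PROXY caller the decision is made on the real user's
 * authentication method. A PROXY caller without a real user is refused.
 *
 * @param ugi the caller's user group information; must not be null
 * @return true if delegation token operation is allowed
 * @throws IOException kept from the original signature for callers
 */
private boolean isAllowedDelegationTokenOp(UserGroupInformation ugi) throws IOException {
  AuthenticationMethod authMethod = ugi.getAuthenticationMethod();
  if (authMethod == AuthenticationMethod.PROXY) {
    // The PROXY label says nothing about how the caller authenticated, so the
    // real user's method is the one that counts.
    UserGroupInformation realUser = ugi.getRealUser();
    if (realUser == null) {
      // Fail closed: a PROXY-labelled UGI with no real user used to end in a
      // NullPointerException here; it is now refused.
      return false;
    }
    authMethod = realUser.getAuthenticationMethod();
  }
  // Allow-list: a method that is not named here, including null, is refused.
  return authMethod == AuthenticationMethod.KERBEROS
      || authMethod == AuthenticationMethod.KERBEROS_SSL
      || authMethod == AuthenticationMethod.CERTIFICATE;
}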
 
Example 9
Source File: TestRMAppTransitions.java    From hadoop with Apache License 2.0
/**
 * Builds the fixture before each test: selects the authentication method,
 * assembles an RMContextImpl from mocks and secret managers, wraps it in a
 * spy, and starts a DrainDispatcher with the test event dispatchers
 * registered.
 */
@Before
public void setUp() throws Exception {
  conf = new YarnConfiguration();
  // SIMPLE by default; KERBEROS only when the isSecurityEnabled field is set.
  AuthenticationMethod authMethod = AuthenticationMethod.SIMPLE;
  if (isSecurityEnabled) {
    authMethod = AuthenticationMethod.KERBEROS;
  }
  // The method is written into conf, and conf is then handed to
  // UserGroupInformation through a static call.
  // NOTE(review): presumably this affects the whole JVM - confirm that other
  // tests sharing the JVM do not depend on the previous setting.
  SecurityUtil.setAuthenticationMethod(authMethod, conf);
  UserGroupInformation.setConfiguration(conf);

  rmDispatcher = new DrainDispatcher();
  // Collaborators the tests do not exercise directly are Mockito mocks.
  ContainerAllocationExpirer containerAllocationExpirer = 
      mock(ContainerAllocationExpirer.class);
  AMLivelinessMonitor amLivelinessMonitor = mock(AMLivelinessMonitor.class);
  AMLivelinessMonitor amFinishingMonitor = mock(AMLivelinessMonitor.class);
  store = mock(RMStateStore.class);
  writer = mock(RMApplicationHistoryWriter.class);
  DelegationTokenRenewer renewer = mock(DelegationTokenRenewer.class);
  // NOTE(review): this.rmContext is passed to AMRMTokenSecretManager before
  // this method assigns it (see the spy assignment below), so the secret
  // manager receives whatever the field held on entry - presumably null on a
  // fresh test instance. Confirm that is intended.
  RMContext realRMContext = 
      new RMContextImpl(rmDispatcher,
        containerAllocationExpirer, amLivelinessMonitor, amFinishingMonitor,
        renewer, new AMRMTokenSecretManager(conf, this.rmContext),
        new RMContainerTokenSecretManager(conf),
        new NMTokenSecretManagerInRM(conf),
        new ClientToAMTokenSecretManagerInRM(),
        writer);
  ((RMContextImpl)realRMContext).setStateStore(store);
  publisher = mock(SystemMetricsPublisher.class);
  ((RMContextImpl)realRMContext).setSystemMetricsPublisher(publisher);

  // The spy lets getScheduler() be stubbed below while the remaining calls
  // go to the real context.
  this.rmContext = spy(realRMContext);

  ResourceScheduler resourceScheduler = mock(ResourceScheduler.class);
  // The scheduler mock reports no usage (null) for any attempt id.
  doReturn(null).when(resourceScheduler)
            .getAppResourceUsageReport((ApplicationAttemptId)Matchers.any());
  doReturn(resourceScheduler).when(rmContext).getScheduler();

  // One test dispatcher per event type, all registered before init/start.
  rmDispatcher.register(RMAppAttemptEventType.class,
      new TestApplicationAttemptEventDispatcher(this.rmContext));

  rmDispatcher.register(RMAppEventType.class,
      new TestApplicationEventDispatcher(rmContext));
  
  rmDispatcher.register(RMAppManagerEventType.class,
      new TestApplicationManagerEventDispatcher());
  
  // Kept in a field, unlike the other dispatchers registered here.
  schedulerDispatcher = new TestSchedulerEventDispatcher();
  rmDispatcher.register(SchedulerEventType.class,
      schedulerDispatcher);
  
  rmDispatcher.init(conf);
  rmDispatcher.start();
}
 
Example 10
Source File: TestRMAppAttemptTransitions.java    From hadoop with Apache License 2.0
/**
 * Builds the fixture before each test: selects the authentication method,
 * assembles an RMContextImpl from mocks and token managers, starts an
 * InlineDispatcher with the test event dispatchers registered, creates the
 * RMAppAttemptImpl under test, and finishes by calling
 * testAppAttemptNewState().
 */
@SuppressWarnings("deprecation")
@Before
public void setUp() throws Exception {
  // SIMPLE by default; KERBEROS only when the isSecurityEnabled field is set.
  AuthenticationMethod authMethod = AuthenticationMethod.SIMPLE;
  if (isSecurityEnabled) {
    authMethod = AuthenticationMethod.KERBEROS;
  }
  // The method is written into conf, and conf is then handed to
  // UserGroupInformation through a static call.
  // NOTE(review): presumably this affects the whole JVM - confirm that other
  // tests sharing the JVM do not depend on the previous setting.
  SecurityUtil.setAuthenticationMethod(authMethod, conf);
  UserGroupInformation.setConfiguration(conf);
  InlineDispatcher rmDispatcher = new InlineDispatcher();

  ContainerAllocationExpirer containerAllocationExpirer =
      mock(ContainerAllocationExpirer.class);
  amLivelinessMonitor = mock(AMLivelinessMonitor.class);
  amFinishingMonitor = mock(AMLivelinessMonitor.class);
  writer = mock(RMApplicationHistoryWriter.class);
  // getMasterKey() is stubbed on the amRMTokenManager field, so that field is
  // presumably a mock or spy created outside this method - confirm.
  MasterKeyData masterKeyData = amRMTokenManager.createNewMasterKey();
  when(amRMTokenManager.getMasterKey()).thenReturn(masterKeyData);
  // The fifth constructor argument is passed as null here.
  rmContext =
      new RMContextImpl(rmDispatcher,
        containerAllocationExpirer, amLivelinessMonitor, amFinishingMonitor,
        null, amRMTokenManager,
        new RMContainerTokenSecretManager(conf),
        nmTokenManager,
        clientToAMTokenManager,
        writer);
  
  store = mock(RMStateStore.class);
  ((RMContextImpl) rmContext).setStateStore(store);
  publisher = mock(SystemMetricsPublisher.class);
  ((RMContextImpl) rmContext).setSystemMetricsPublisher(publisher);
  
  scheduler = mock(YarnScheduler.class);
  masterService = mock(ApplicationMasterService.class);
  applicationMasterLauncher = mock(ApplicationMasterLauncher.class);
  
  // One test dispatcher per event type, all registered before init/start.
  rmDispatcher.register(RMAppAttemptEventType.class,
      new TestApplicationAttemptEventDispatcher());

  rmDispatcher.register(RMAppEventType.class,
      new TestApplicationEventDispatcher());
  
  rmDispatcher.register(SchedulerEventType.class, 
      new TestSchedulerEventDispatcher());
  
  rmDispatcher.register(AMLauncherEventType.class, 
      new TestAMLauncherEventDispatcher());

  // Node events go to a mock rather than to a test dispatcher class.
  rmnodeEventHandler = mock(RMNodeImpl.class);
  rmDispatcher.register(RMNodeEventType.class, rmnodeEventHandler);

  rmDispatcher.init(conf);
  rmDispatcher.start();
  

  // appId is a field incremented on every setUp call.
  ApplicationId applicationId = MockApps.newAppID(appId++);
  ApplicationAttemptId applicationAttemptId =
      ApplicationAttemptId.newInstance(applicationId, 0);

  resourceScheduler = mock(ResourceScheduler.class);

  // The usage report mock returns zero for every counter stubbed below.
  ApplicationResourceUsageReport appResUsgRpt =
      mock(ApplicationResourceUsageReport.class);
  when(appResUsgRpt.getMemorySeconds()).thenReturn(0L);
  when(appResUsgRpt.getVcoreSeconds()).thenReturn(0L);
  when(appResUsgRpt.getGcoreSeconds()).thenReturn(0L);
  when(resourceScheduler
      .getAppResourceUsageReport((ApplicationAttemptId)Matchers.any()))
   .thenReturn(appResUsgRpt);
  // The spy lets getScheduler() be stubbed while the remaining calls go to
  // the real context.
  spyRMContext = spy(rmContext);
  Mockito.doReturn(resourceScheduler).when(spyRMContext).getScheduler();


  // 'user' is not read again in this method.
  final String user = MockApps.newUserName();
  final String queue = MockApps.newQueue();
  submissionContext = mock(ApplicationSubmissionContext.class);
  when(submissionContext.getQueue()).thenReturn(queue);
  Resource resource = BuilderUtils.newResource(1536, 1, 1);
  // Every argument of the launch context is null.
  ContainerLaunchContext amContainerSpec =
      BuilderUtils.newContainerLaunchContext(null, null,
          null, null, null, null);
  when(submissionContext.getAMContainerSpec()).thenReturn(amContainerSpec);
  when(submissionContext.getResource()).thenReturn(resource);

  unmanagedAM = false;
  
  application = mock(RMAppImpl.class);
  // The attempt under test is a real RMAppAttemptImpl wired to the spied
  // context and the mocks above.
  applicationAttempt =
      new RMAppAttemptImpl(applicationAttemptId, spyRMContext, scheduler,
          masterService, submissionContext, new Configuration(), false,
          BuilderUtils.newResourceRequest(
              RMAppAttemptImpl.AM_CONTAINER_PRIORITY, ResourceRequest.ANY,
              submissionContext.getResource(), 1));

  when(application.getCurrentAppAttempt()).thenReturn(applicationAttempt);
  when(application.getApplicationId()).thenReturn(applicationId);
  spyRMContext.getRMApps().put(application.getApplicationId(), application);

  // Setup ends by running this check, so a failure in it fails every test.
  testAppAttemptNewState();
}
 
Example 11
Source File: TestRMAppTransitions.java    From big-c with Apache License 2.0
/**
 * Builds the fixture before each test: selects the authentication method,
 * assembles an RMContextImpl from mocks and secret managers, wraps it in a
 * spy, and starts a DrainDispatcher with the test event dispatchers
 * registered.
 */
@Before
public void setUp() throws Exception {
  conf = new YarnConfiguration();
  // SIMPLE by default; KERBEROS only when the isSecurityEnabled field is set.
  AuthenticationMethod authMethod = AuthenticationMethod.SIMPLE;
  if (isSecurityEnabled) {
    authMethod = AuthenticationMethod.KERBEROS;
  }
  // The method is written into conf, and conf is then handed to
  // UserGroupInformation through a static call.
  // NOTE(review): presumably this affects the whole JVM - confirm that other
  // tests sharing the JVM do not depend on the previous setting.
  SecurityUtil.setAuthenticationMethod(authMethod, conf);
  UserGroupInformation.setConfiguration(conf);

  rmDispatcher = new DrainDispatcher();
  // Collaborators the tests do not exercise directly are Mockito mocks.
  ContainerAllocationExpirer containerAllocationExpirer = 
      mock(ContainerAllocationExpirer.class);
  AMLivelinessMonitor amLivelinessMonitor = mock(AMLivelinessMonitor.class);
  AMLivelinessMonitor amFinishingMonitor = mock(AMLivelinessMonitor.class);
  store = mock(RMStateStore.class);
  writer = mock(RMApplicationHistoryWriter.class);
  DelegationTokenRenewer renewer = mock(DelegationTokenRenewer.class);
  // NOTE(review): this.rmContext is passed to AMRMTokenSecretManager before
  // this method assigns it (see the spy assignment below), so the secret
  // manager receives whatever the field held on entry - presumably null on a
  // fresh test instance. Confirm that is intended.
  RMContext realRMContext = 
      new RMContextImpl(rmDispatcher,
        containerAllocationExpirer, amLivelinessMonitor, amFinishingMonitor,
        renewer, new AMRMTokenSecretManager(conf, this.rmContext),
        new RMContainerTokenSecretManager(conf),
        new NMTokenSecretManagerInRM(conf),
        new ClientToAMTokenSecretManagerInRM(),
        writer);
  ((RMContextImpl)realRMContext).setStateStore(store);
  publisher = mock(SystemMetricsPublisher.class);
  ((RMContextImpl)realRMContext).setSystemMetricsPublisher(publisher);

  // The spy lets getScheduler() be stubbed below while the remaining calls
  // go to the real context.
  this.rmContext = spy(realRMContext);

  ResourceScheduler resourceScheduler = mock(ResourceScheduler.class);
  // The scheduler mock reports no usage (null) for any attempt id.
  doReturn(null).when(resourceScheduler)
            .getAppResourceUsageReport((ApplicationAttemptId)Matchers.any());
  doReturn(resourceScheduler).when(rmContext).getScheduler();

  // One test dispatcher per event type, all registered before init/start.
  rmDispatcher.register(RMAppAttemptEventType.class,
      new TestApplicationAttemptEventDispatcher(this.rmContext));

  rmDispatcher.register(RMAppEventType.class,
      new TestApplicationEventDispatcher(rmContext));
  
  rmDispatcher.register(RMAppManagerEventType.class,
      new TestApplicationManagerEventDispatcher());
  
  // Kept in a field, unlike the other dispatchers registered here.
  schedulerDispatcher = new TestSchedulerEventDispatcher();
  rmDispatcher.register(SchedulerEventType.class,
      schedulerDispatcher);
  
  rmDispatcher.init(conf);
  rmDispatcher.start();
}
 
Example 12
Source File: TestRMAppAttemptTransitions.java    From big-c with Apache License 2.0
/**
 * Builds the fixture before each test: selects the authentication method,
 * assembles an RMContextImpl from mocks and token managers, starts an
 * InlineDispatcher with the test event dispatchers registered, creates the
 * RMAppAttemptImpl under test, and finishes by calling
 * testAppAttemptNewState().
 */
@SuppressWarnings("deprecation")
@Before
public void setUp() throws Exception {
  // SIMPLE by default; KERBEROS only when the isSecurityEnabled field is set.
  AuthenticationMethod authMethod = AuthenticationMethod.SIMPLE;
  if (isSecurityEnabled) {
    authMethod = AuthenticationMethod.KERBEROS;
  }
  // The method is written into conf, and conf is then handed to
  // UserGroupInformation through a static call.
  // NOTE(review): presumably this affects the whole JVM - confirm that other
  // tests sharing the JVM do not depend on the previous setting.
  SecurityUtil.setAuthenticationMethod(authMethod, conf);
  UserGroupInformation.setConfiguration(conf);
  InlineDispatcher rmDispatcher = new InlineDispatcher();

  ContainerAllocationExpirer containerAllocationExpirer =
      mock(ContainerAllocationExpirer.class);
  amLivelinessMonitor = mock(AMLivelinessMonitor.class);
  amFinishingMonitor = mock(AMLivelinessMonitor.class);
  writer = mock(RMApplicationHistoryWriter.class);
  // getMasterKey() is stubbed on the amRMTokenManager field, so that field is
  // presumably a mock or spy created outside this method - confirm.
  MasterKeyData masterKeyData = amRMTokenManager.createNewMasterKey();
  when(amRMTokenManager.getMasterKey()).thenReturn(masterKeyData);
  // The fifth constructor argument is passed as null here.
  rmContext =
      new RMContextImpl(rmDispatcher,
        containerAllocationExpirer, amLivelinessMonitor, amFinishingMonitor,
        null, amRMTokenManager,
        new RMContainerTokenSecretManager(conf),
        nmTokenManager,
        clientToAMTokenManager,
        writer);
  
  store = mock(RMStateStore.class);
  ((RMContextImpl) rmContext).setStateStore(store);
  publisher = mock(SystemMetricsPublisher.class);
  ((RMContextImpl) rmContext).setSystemMetricsPublisher(publisher);
  
  scheduler = mock(YarnScheduler.class);
  masterService = mock(ApplicationMasterService.class);
  applicationMasterLauncher = mock(ApplicationMasterLauncher.class);
  
  // One test dispatcher per event type, all registered before init/start.
  rmDispatcher.register(RMAppAttemptEventType.class,
      new TestApplicationAttemptEventDispatcher());

  rmDispatcher.register(RMAppEventType.class,
      new TestApplicationEventDispatcher());
  
  rmDispatcher.register(SchedulerEventType.class, 
      new TestSchedulerEventDispatcher());
  
  rmDispatcher.register(AMLauncherEventType.class, 
      new TestAMLauncherEventDispatcher());

  // Node events go to a mock rather than to a test dispatcher class.
  rmnodeEventHandler = mock(RMNodeImpl.class);
  rmDispatcher.register(RMNodeEventType.class, rmnodeEventHandler);

  rmDispatcher.init(conf);
  rmDispatcher.start();
  

  // appId is a field incremented on every setUp call.
  ApplicationId applicationId = MockApps.newAppID(appId++);
  ApplicationAttemptId applicationAttemptId =
      ApplicationAttemptId.newInstance(applicationId, 0);

  resourceScheduler = mock(ResourceScheduler.class);

  // The usage report mock returns zero for every counter stubbed below.
  ApplicationResourceUsageReport appResUsgRpt =
      mock(ApplicationResourceUsageReport.class);
  when(appResUsgRpt.getMemorySeconds()).thenReturn(0L);
  when(appResUsgRpt.getVcoreSeconds()).thenReturn(0L);
  when(resourceScheduler
      .getAppResourceUsageReport((ApplicationAttemptId)Matchers.any()))
   .thenReturn(appResUsgRpt);
  // The spy lets getScheduler() be stubbed while the remaining calls go to
  // the real context.
  spyRMContext = spy(rmContext);
  Mockito.doReturn(resourceScheduler).when(spyRMContext).getScheduler();


  // 'user' is not read again in this method.
  final String user = MockApps.newUserName();
  final String queue = MockApps.newQueue();
  submissionContext = mock(ApplicationSubmissionContext.class);
  when(submissionContext.getQueue()).thenReturn(queue);
  Resource resource = BuilderUtils.newResource(1536, 1);
  // Every argument of the launch context is null.
  ContainerLaunchContext amContainerSpec =
      BuilderUtils.newContainerLaunchContext(null, null,
          null, null, null, null);
  when(submissionContext.getAMContainerSpec()).thenReturn(amContainerSpec);
  when(submissionContext.getResource()).thenReturn(resource);

  unmanagedAM = false;
  
  application = mock(RMAppImpl.class);
  // The attempt under test is a real RMAppAttemptImpl wired to the spied
  // context and the mocks above.
  applicationAttempt =
      new RMAppAttemptImpl(applicationAttemptId, spyRMContext, scheduler,
          masterService, submissionContext, new Configuration(), false,
          BuilderUtils.newResourceRequest(
              RMAppAttemptImpl.AM_CONTAINER_PRIORITY, ResourceRequest.ANY,
              submissionContext.getResource(), 1));

  when(application.getCurrentAppAttempt()).thenReturn(applicationAttempt);
  when(application.getApplicationId()).thenReturn(applicationId);
  spyRMContext.getRMApps().put(application.getApplicationId(), application);

  // Setup ends by running this check, so a failure in it fails every test.
  testAppAttemptNewState();
}