Java Code Examples for org.apache.hadoop.minikdc.MiniKdc#createPrincipal()

Example 1
Source File: SaslDataTransferTestCase.java — from hadoop (Apache License 2.0)
@BeforeClass
public static void initKdc() throws Exception {
  // Per-class scratch directory under test.build.dir; wiped first so stale KDC
  // state or keytabs from an earlier run cannot leak into this one.
  String buildDir = System.getProperty("test.build.dir", "target/test-dir");
  baseDir = new File(buildDir, SaslDataTransferTestCase.class.getSimpleName());
  FileUtil.fullyDelete(baseDir);
  assertTrue(baseDir.mkdirs());

  // In-process KDC with MiniKdc's default settings, rooted in the scratch dir.
  kdc = new MiniKdc(MiniKdc.createConf(), baseDir);
  kdc.start();

  // One keytab holds the login user's service principal and the SPNEGO (HTTP)
  // principal; it contains their long-term keys, so it stays inside baseDir.
  String shortUser = UserGroupInformation.getLoginUser().getShortUserName();
  File keytabFile = new File(baseDir, shortUser + ".keytab");
  keytab = keytabFile.getAbsolutePath();
  kdc.createPrincipal(keytabFile, shortUser + "/localhost", "HTTP/localhost");

  // Fully qualified names (with realm) are what the HDFS configuration expects.
  String realm = kdc.getRealm();
  hdfsPrincipal = shortUser + "/localhost@" + realm;
  spnegoPrincipal = "HTTP/localhost@" + realm;
}
 
Example 2
Source File: CustomSaslAuthenticationProviderTestBase.java — from hbase (Apache License 2.0)
private static void createBaseCluster(HBaseTestingUtility util, File keytabFile, MiniKdc kdc)
  throws Exception {
  // Only the service principal is keyed into keytabFile.
  // NOTE(review): spnegoPrincipal is passed to setSecuredConfiguration below but never added to
  // the keytab here — confirm no SPNEGO-protected HTTP endpoint is started by the callers.
  final String servicePrincipal = "hbase/localhost";
  final String spnegoPrincipal = "HTTP/localhost";
  kdc.createPrincipal(keytabFile, servicePrincipal);
  util.startMiniZKCluster();

  // Realm-qualified names go into the secured configuration, plus SSL settings.
  final String realm = kdc.getRealm();
  HBaseKerberosUtils.setSecuredConfiguration(util.getConfiguration(),
    servicePrincipal + "@" + realm, spnegoPrincipal + "@" + realm);
  HBaseKerberosUtils.setSSLConfiguration(util, SecureTestCluster.class);

  // TokenProvider is loaded as a region coprocessor before the DFS cluster comes up.
  util.getConfiguration().setStrings(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY,
    TokenProvider.class.getName());
  util.startMiniDFSCluster(1);
  Path hbaseRoot = util.getDataTestDirOnTestFS("TestCustomSaslAuthenticationProvider");
  CommonFSUtils.setRootDir(util.getConfiguration(), hbaseRoot);
}
 
Example 3
Source File: TestKMS.java — from hadoop (Apache License 2.0)
@BeforeClass
public static void setUpMiniKdc() throws Exception {
  File kdcDir = getTestDir();
  kdc = new MiniKdc(MiniKdc.createConf(), kdcDir);
  kdc.start();
  // A single shared keytab receives the keys of every test principal below.
  keytab = new File(kdcDir, "keytab");

  // Fixed principals first, then one per KMS ACL type, then the two material
  // ACL names; insertion order is kept as in the original list.
  String[] fixedNames = {
    "HTTP/localhost", "client", "hdfs", "otheradmin", "client/host", "client1"
  };
  List<String> names = new ArrayList<String>();
  for (String name : fixedNames) {
    names.add(name);
  }
  for (KMSACLs.Type aclType : KMSACLs.Type.values()) {
    names.add(aclType.toString());
  }
  names.add("CREATE_MATERIAL");
  names.add("ROLLOVER_MATERIAL");
  kdc.createPrincipal(keytab, names.toArray(new String[0]));
}
 
Example 4
Source File: SaslDataTransferTestCase.java — from big-c (Apache License 2.0)
@BeforeClass
public static void initKdc() throws Exception {
  // Per-class scratch directory under test.build.dir; wiped first so stale KDC
  // state or keytabs from an earlier run cannot leak into this one.
  String buildDir = System.getProperty("test.build.dir", "target/test-dir");
  baseDir = new File(buildDir, SaslDataTransferTestCase.class.getSimpleName());
  FileUtil.fullyDelete(baseDir);
  assertTrue(baseDir.mkdirs());

  // In-process KDC with MiniKdc's default settings, rooted in the scratch dir.
  kdc = new MiniKdc(MiniKdc.createConf(), baseDir);
  kdc.start();

  // One keytab holds the login user's service principal and the SPNEGO (HTTP)
  // principal; it contains their long-term keys, so it stays inside baseDir.
  String shortUser = UserGroupInformation.getLoginUser().getShortUserName();
  File keytabFile = new File(baseDir, shortUser + ".keytab");
  keytab = keytabFile.getAbsolutePath();
  kdc.createPrincipal(keytabFile, shortUser + "/localhost", "HTTP/localhost");

  // Fully qualified names (with realm) are what the HDFS configuration expects.
  String realm = kdc.getRealm();
  hdfsPrincipal = shortUser + "/localhost@" + realm;
  spnegoPrincipal = "HTTP/localhost@" + realm;
}
 
Example 5
Source File: TestKMS.java — from big-c (Apache License 2.0)
@BeforeClass
public static void setUpMiniKdc() throws Exception {
  File kdcDir = getTestDir();
  kdc = new MiniKdc(MiniKdc.createConf(), kdcDir);
  kdc.start();
  // A single shared keytab receives the keys of every test principal below.
  keytab = new File(kdcDir, "keytab");

  // Fixed principals first, then one per KMS ACL type, then the two material
  // ACL names; insertion order is kept as in the original list.
  String[] fixedNames = {
    "HTTP/localhost", "client", "hdfs", "otheradmin", "client/host", "client1"
  };
  List<String> names = new ArrayList<String>();
  for (String name : fixedNames) {
    names.add(name);
  }
  for (KMSACLs.Type aclType : KMSACLs.Type.values()) {
    names.add(aclType.toString());
  }
  names.add("CREATE_MATERIAL");
  names.add("ROLLOVER_MATERIAL");
  kdc.createPrincipal(keytab, names.toArray(new String[0]));
}
 
Example 6
Source File: TestShadeSaslAuthenticationProvider.java — from hbase (Apache License 2.0)
static LocalHBaseCluster createCluster(HBaseTestingUtility util, File keytabFile,
    MiniKdc kdc, Map<String,char[]> userDatabase) throws Exception {
  // Only the service principal is keyed into keytabFile.
  // NOTE(review): spnegoPrincipal is handed to setSecuredConfiguration but never added to the
  // keytab here — confirm no SPNEGO-protected HTTP endpoint is started by the callers.
  final String servicePrincipal = "hbase/localhost";
  final String spnegoPrincipal = "HTTP/localhost";
  kdc.createPrincipal(keytabFile, servicePrincipal);
  util.startMiniZKCluster();

  final String realm = kdc.getRealm();
  HBaseKerberosUtils.setSecuredConfiguration(util.getConfiguration(),
      servicePrincipal + "@" + realm, spnegoPrincipal + "@" + realm);
  HBaseKerberosUtils.setSSLConfiguration(util, TestShadeSaslAuthenticationProvider.class);

  // TokenProvider is loaded as a region coprocessor before the DFS cluster comes up.
  util.getConfiguration().setStrings(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY,
      TokenProvider.class.getName());
  util.startMiniDFSCluster(1);
  Path testDir = util.getDataTestDirOnTestFS("TestShadeSaslAuthenticationProvider");

  // The user database (test users and their passwords, as given in userDatabase) is written
  // to the test FS and its location published to the Shade SASL server provider via CONF.
  USER_DATABASE_FILE = new Path(testDir, "user-db.txt");
  createUserDBFile(USER_DATABASE_FILE.getFileSystem(CONF), USER_DATABASE_FILE, userDatabase);
  CONF.set(ShadeSaslServerAuthenticationProvider.PASSWORD_FILE_KEY, USER_DATABASE_FILE.toString());

  CommonFSUtils.setRootDir(CONF, new Path(testDir, "hbase-root"));
  return new LocalHBaseCluster(CONF, 1);
}
 
Example 7
Source File: TestRMWebServicesDelegationTokens.java — from hadoop (Apache License 2.0)
@BeforeClass
public static void setupKDC() throws Exception {
  // KDC working directory under target/, named after this test class.
  testRootDir = new File("target",
    TestRMWebServicesDelegationTokens.class.getName() + "-root");
  testMiniKDC = new MiniKdc(MiniKdc.createConf(), testRootDir);
  testMiniKDC.start();
  // The SPNEGO service principal and three client principals all share
  // httpSpnegoKeytabFile (a static declared elsewhere in this class).
  String[] principals = {"HTTP/localhost", "client", "client2", "client3"};
  testMiniKDC.createPrincipal(httpSpnegoKeytabFile, principals);
}
 
Example 8
Source File: TestRMWebServicesDelegationTokens.java — from big-c (Apache License 2.0)
@BeforeClass
public static void setupKDC() throws Exception {
  // KDC working directory under target/, named after this test class.
  testRootDir = new File("target",
    TestRMWebServicesDelegationTokens.class.getName() + "-root");
  testMiniKDC = new MiniKdc(MiniKdc.createConf(), testRootDir);
  testMiniKDC.start();
  // The SPNEGO service principal and three client principals all share
  // httpSpnegoKeytabFile (a static declared elsewhere in this class).
  String[] principals = {"HTTP/localhost", "client", "client2", "client3"};
  testMiniKDC.createPrincipal(httpSpnegoKeytabFile, principals);
}
 
Example 9
Source File: SaslGssApiIntegrationTest.java — from qpid-jms (Apache License 2.0)
@BeforeClass
public static void setUpKerberos() throws Exception {
    servicePrincipal = prepareServiceName();
    LOG.info("Using service principal: " + servicePrincipal);

    // Unique scratch directory under target/ so repeated runs never share KDC state.
    Path targetDir = FileSystems.getDefault().getPath("target");
    File root = Files.createTempDirectory(targetDir, "junit.SaslGssApiIntegrationTest.").toFile();

    kdc = new MiniKdc(MiniKdc.createConf(), new File(root, "kdc"));
    kdc.start();

    // The keytab location is fixed: it must match default_keytab_name in the
    // minikdc-krb5.conf template. All client principals and the service share it.
    File userKeyTab = new File(KRB5_KEYTAB);
    kdc.createPrincipal(userKeyTab,
            CLIENT_PRINCIPAL_LOGIN_CONFIG,
            CLIENT_PRINCIPAL_FACTORY_USERNAME,
            CLIENT_PRINCIPAL_URI_USERNAME,
            CLIENT_PRINCIPAL_DEFAULT_CONFIG_SCOPE,
            servicePrincipal);

    if (!DEBUG) {
        return;
    }

    // Debug aid: log each keytab entry's principal name and key type (not the key itself) ...
    Keytab kt = Keytab.read(userKeyTab);
    for (KeytabEntry entry : kt.getEntries()) {
        LOG.info("KeyTab Entry: PrincipalName:" + entry.getPrincipalName() + " ; KeyInfo:"+ entry.getKey().getKeyType());
    }

    // ... and raise javax.security.sasl JUL logging to FINEST on a fresh console handler.
    java.util.logging.Logger saslLogger = java.util.logging.Logger.getLogger("javax.security.sasl");
    saslLogger.setLevel(java.util.logging.Level.FINEST);
    saslLogger.addHandler(new java.util.logging.ConsoleHandler());
    for (java.util.logging.Handler handler : saslLogger.getHandlers()) {
        handler.setLevel(java.util.logging.Level.FINEST);
    }
}
 
Example 10
Source File: TestSecurityContext.java — from datacollector (Apache License 2.0)
@BeforeClass
public static void startKdc() throws Exception {
  // Random per-run scratch directory so leftover KDC state is never reused.
  testDir = new File("target", UUID.randomUUID().toString()).getAbsoluteFile();
  Assert.assertTrue(testDir.mkdirs());
  // NOTE(review): the "kdc" subdirectory is created but the KDC itself is rooted at
  // testDir; presumably another fixture relies on it — confirm before removing.
  Assert.assertTrue(new File(testDir, "kdc").mkdirs());

  keytabFile = new File(testDir, "test.keytab");
  miniKdc = new MiniKdc(MiniKdc.createConf(), testDir);
  miniKdc.start();
  // A plain user principal and a host-qualified one, both keyed into test.keytab.
  miniKdc.createPrincipal(keytabFile, "foo", "bar/localhost");
}
 
Example 11
Source File: TestSecureNNWithQJM.java — from big-c (Apache License 2.0)
@BeforeClass
public static void init() throws Exception {
  // Fresh per-class scratch directory for the KDC, the keytab and the keystores.
  String buildDir = System.getProperty("test.build.dir", "target/test-dir");
  baseDir = new File(buildDir, TestSecureNNWithQJM.class.getSimpleName());
  FileUtil.fullyDelete(baseDir);
  assertTrue(baseDir.mkdirs());

  kdc = new MiniKdc(MiniKdc.createConf(), baseDir);
  kdc.start();

  // Put UGI into Kerberos mode before any login happens; fail fast if it did not take.
  baseConf = new HdfsConfiguration();
  SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, baseConf);
  UserGroupInformation.setConfiguration(baseConf);
  assertTrue("Expected configuration to enable security",
    UserGroupInformation.isSecurityEnabled());

  // Windows will not reverse name lookup "127.0.0.1" to "localhost", so the
  // service instance has to be the literal address there.
  final String host = Path.WINDOWS ? "127.0.0.1" : "localhost";
  final String shortUser = UserGroupInformation.getLoginUser().getShortUserName();
  final File keytabFile = new File(baseDir, shortUser + ".keytab");
  final String keytabPath = keytabFile.getAbsolutePath();
  // One keytab: the service principal shared by NN, DN and JN plus the SPNEGO principal.
  kdc.createPrincipal(keytabFile, shortUser + "/" + host, "HTTP/" + host);
  final String realm = kdc.getRealm();
  final String hdfsPrincipal = shortUser + "/" + host + "@" + realm;
  final String spnegoPrincipal = "HTTP/" + host + "@" + realm;

  // Every daemon of this single-JVM cluster runs under the same principal and keytab.
  baseConf.set(DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  baseConf.set(DFS_NAMENODE_KEYTAB_FILE_KEY, keytabPath);
  baseConf.set(DFS_DATANODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  baseConf.set(DFS_DATANODE_KEYTAB_FILE_KEY, keytabPath);
  baseConf.set(DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, spnegoPrincipal);
  baseConf.set(DFS_JOURNALNODE_KEYTAB_FILE_KEY, keytabPath);
  baseConf.set(DFS_JOURNALNODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  baseConf.set(DFS_JOURNALNODE_KERBEROS_INTERNAL_SPNEGO_PRINCIPAL_KEY, spnegoPrincipal);
  baseConf.setBoolean(DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true);
  // SASL on the data-transfer path at QOP "authentication": peers are authenticated,
  // but blocks are neither integrity- nor privacy-protected on the wire.
  baseConf.set(DFS_DATA_TRANSFER_PROTECTION_KEY, "authentication");
  // HTTPS only; port 0 lets the OS pick free ports.
  baseConf.set(DFS_HTTP_POLICY_KEY, HttpConfig.Policy.HTTPS_ONLY.name());
  baseConf.set(DFS_NAMENODE_HTTPS_ADDRESS_KEY, "localhost:0");
  baseConf.set(DFS_DATANODE_HTTPS_ADDRESS_KEY, "localhost:0");
  baseConf.set(DFS_JOURNALNODE_HTTPS_ADDRESS_KEY, "localhost:0");
  baseConf.setInt(IPC_CLIENT_CONNECT_MAX_RETRIES_ON_SASL_KEY, 10);

  // Test keystores and the SSL config that points at them go into baseDir.
  // NOTE(review): the meaning of the trailing 'false' is not visible here — check KeyStoreTestUtil.
  final String keystoresDir = baseDir.getAbsolutePath();
  final String sslConfDir = KeyStoreTestUtil.getClasspathDir(TestSecureNNWithQJM.class);
  KeyStoreTestUtil.setupSSLConfig(keystoresDir, sslConfDir, baseConf, false);
}
 
Example 12
Source File: SecureClusterTest.java — from knox (Apache License 2.0)
private static void initKdc() throws Exception {
  kdc = new MiniKdc(MiniKdc.createConf(), baseDir);
  kdc.start();

  // Put UGI into Kerberos mode before any login happens; fail fast if it did not take.
  configuration = new HdfsConfiguration();
  SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
  UserGroupInformation.setConfiguration(configuration);
  assertTrue("Expected configuration to enable security", UserGroupInformation.isSecurityEnabled());

  // Test identity "guest" (group "users"); its name becomes the primary of the service principal.
  userName = UserGroupInformation.createUserForTesting("guest", new String[]{"users"}).getUserName();
  // Windows will not reverse name lookup "127.0.0.1" to "localhost".
  final String host = Path.WINDOWS ? "127.0.0.1" : "localhost";
  final File keytabFile = new File(baseDir, userName + ".keytab");
  final String keytabPath = keytabFile.getAbsolutePath();
  // One keytab: the service principal shared by NN, DN and JN plus the SPNEGO principal.
  kdc.createPrincipal(keytabFile, userName + "/" + host, "HTTP/" + host);
  final String realm = kdc.getRealm();
  final String hdfsPrincipal = userName + "/" + host + "@" + realm;
  final String spnegoPrincipal = "HTTP/" + host + "@" + realm;

  configuration.set(DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  configuration.set(DFS_NAMENODE_KEYTAB_FILE_KEY, keytabPath);
  configuration.set(DFS_DATANODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  configuration.set(DFS_DATANODE_KEYTAB_FILE_KEY, keytabPath);
  configuration.set(DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, spnegoPrincipal);
  configuration.set(DFS_JOURNALNODE_KEYTAB_FILE_KEY, keytabPath);
  configuration.set(DFS_JOURNALNODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  configuration.set(DFS_JOURNALNODE_KERBEROS_INTERNAL_SPNEGO_PRINCIPAL_KEY, spnegoPrincipal);
  configuration.setBoolean(DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true);
  // NOTE(review): "authentication" is a SASL QOP level (the kind of value
  // dfs.data.transfer.protection takes), not a data-transfer cipher name. This line looks
  // like it was meant for DFS_DATA_TRANSFER_PROTECTION_KEY, as the Hadoop TestSecureNNWithQJM
  // setup does; confirm which key this cluster actually needs before changing it.
  configuration.set(DFS_DATA_ENCRYPTION_ALGORITHM_KEY, "authentication");
  // Both HTTP and HTTPS are served; port 0 lets the OS pick free ports.
  configuration.set(DFS_HTTP_POLICY_KEY, HttpConfig.Policy.HTTP_AND_HTTPS.name());
  configuration.set(DFS_NAMENODE_HTTPS_ADDRESS_KEY, "localhost:0");
  configuration.set(DFS_DATANODE_HTTPS_ADDRESS_KEY, "localhost:0");
  configuration.set(DFS_JOURNALNODE_HTTPS_ADDRESS_KEY, "localhost:0");
  configuration.setInt(IPC_CLIENT_CONNECT_MAX_RETRIES_KEY, 10);
  // Wildcard impersonation rules for the test user; acceptable only because the
  // whole cluster lives in this JVM.
  configuration.set("hadoop.proxyuser." + userName + ".hosts", "*");
  configuration.set("hadoop.proxyuser." + userName + ".groups", "*");
  configuration.setBoolean("dfs.permissions", true);

  // Keystores and the ssl-client.xml / ssl-server.xml describing them are generated into
  // baseDir; only the file names are configured, presumably because they are resolved as
  // resources. NOTE(review): the meaning of the trailing 'false' is not visible here — check
  // KeyStoreTestUtil.
  final String keystoresDir = baseDir.getAbsolutePath();
  KeyStoreTestUtil.setupSSLConfig(keystoresDir, keystoresDir, configuration, false);
  configuration.set(DFS_CLIENT_HTTPS_KEYSTORE_RESOURCE_KEY,
      new File(keystoresDir + "/ssl-client.xml").getName());
  configuration.set(DFS_SERVER_HTTPS_KEYSTORE_RESOURCE_KEY,
      new File(keystoresDir + "/ssl-server.xml").getName());

  setupKnox(keytabPath, hdfsPrincipal);
}
 
Example 13
Source File: SecureTestEnvironment.java — from flink (Apache License 2.0)
public static void prepare(TemporaryFolder tempFolder) {
	try {
		File baseDirForSecureRun = tempFolder.newFolder();
		LOG.info("Base Directory for Secure Environment: {}", baseDirForSecureRun);

		// KDC bound to localhost; MiniKdc's own debug output follows this class's log level.
		String hostName = "localhost";
		Properties kdcConf = MiniKdc.createConf();
		if (LOG.isDebugEnabled()) {
			kdcConf.setProperty(MiniKdc.DEBUG, "true");
		}
		kdcConf.setProperty(MiniKdc.KDC_BIND_ADDRESS, hostName);
		kdc = new MiniKdc(kdcConf, baseDirForSecureRun);
		kdc.start();
		LOG.info("Started Mini KDC");

		// One keytab for all five test principals. The statics hold realm-less names
		// while the principals are being created and are realm-qualified right after.
		File keytabFile = new File(baseDirForSecureRun, "test-users.keytab");
		testKeytab = keytabFile.getAbsolutePath();
		testZkServerPrincipal = "zookeeper/" + hostName;
		testZkClientPrincipal = "zk-client/" + hostName;
		testKafkaServerPrincipal = "kafka/" + hostName;
		hadoopServicePrincipal = "hadoop/" + hostName;
		testPrincipal = "client/" + hostName;

		kdc.createPrincipal(keytabFile,
				testPrincipal,
				testZkServerPrincipal,
				hadoopServicePrincipal,
				testZkClientPrincipal,
				testKafkaServerPrincipal);

		String realmSuffix = "@" + kdc.getRealm();
		testPrincipal += realmSuffix;
		testZkServerPrincipal += realmSuffix;
		testZkClientPrincipal += realmSuffix;
		testKafkaServerPrincipal += realmSuffix;
		hadoopServicePrincipal += realmSuffix;

		LOG.info("-------------------------------------------------------------------");
		LOG.info("Test Principal: {}", testPrincipal);
		LOG.info("Test ZK Server Principal: {}", testZkServerPrincipal);
		LOG.info("Test ZK Client Principal: {}", testZkClientPrincipal);
		LOG.info("Test Kafka Server Principal: {}", testKafkaServerPrincipal);
		LOG.info("Test Hadoop Service Principal: {}", hadoopServicePrincipal);
		LOG.info("Test Keytab: {}", testKeytab);
		LOG.info("-------------------------------------------------------------------");

		// Install a keytab-based (no ticket cache) Kerberos security context so that
		// non-Hadoop components needing JAAS-based SASL/Kerberos (the Client and
		// KafkaClient login contexts) work. Hadoop-specific applications can reinitialise
		// it with a Hadoop configuration via ctx.setHadoopConfiguration() so the UGI
		// implementation behaves; see the Yarn test module for an example.
		Configuration flinkConfig = GlobalConfiguration.loadConfiguration();
		flinkConfig.setBoolean(SecurityOptions.ZOOKEEPER_SASL_DISABLE, false);
		flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, testKeytab);
		flinkConfig.setBoolean(SecurityOptions.KERBEROS_LOGIN_USETICKETCACHE, false);
		flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, testPrincipal);
		flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_CONTEXTS, "Client,KafkaClient");
		SecurityConfiguration ctx = new SecurityConfiguration(flinkConfig);
		TestingSecurityContext.install(ctx, getClientSecurityConfigurationMap());

		populateJavaPropertyVariables();
	} catch (Exception e) {
		// Checked exceptions from the setup are wrapped; the cause is preserved.
		throw new RuntimeException("Exception occured while preparing secure environment.", e);
	}
}
 
Example 14
Source File: JAASKerberosTest.java — from blazingcache (Apache License 2.0)
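@Before
public void startMiniKdc() throws Exception {

    createMiniKdcConf();
    kdc = new MiniKdc(conf, kdcDir.getRoot());
    kdc.start();

    // MiniKdc creates realm-less principals; the realm-qualified forms go into jaas.conf.
    String localhostName = "localhost";
    String realm = kdc.getRealm();
    String principalServerNoRealm = "blazingcache/" + localhostName;
    String principalServer = principalServerNoRealm + "@" + realm;
    String principalClientNoRealm = "blazingcacheclient/" + localhostName;
    String principalClient = principalClientNoRealm + "@" + realm;

    System.out.println("adding principal: " + principalServerNoRealm);
    System.out.println("adding principal: " + principalClientNoRealm);

    // Separate keytabs so the client side never holds the server's long-term key.
    File keytabClient = new File(kerberosWorkDir.getRoot(), "blazingcacheclient.keytab");
    kdc.createPrincipal(keytabClient, principalClientNoRealm);

    File keytabServer = new File(kerberosWorkDir.getRoot(), "blazingcacheserver.keytab");
    kdc.createPrincipal(keytabServer, principalServerNoRealm);

    // jaas.conf: both login entries authenticate from their keytab only (no ticket cache)
    // and keep the key in the Subject (storeKey=true) so it can act as an acceptor.
    // Fix: the keyTab value is now a properly closed quoted string. The previous form
    // (`keyTab="<path>` with no closing quote) only worked because the JAAS tokenizer
    // terminates an unclosed quote at end of line. Paths are escaped because the tokenizer
    // also interprets backslashes inside quoted values (Windows paths).
    File jaas_file = new File(kerberosWorkDir.getRoot(), "jaas.conf");
    try (FileWriter writer = new FileWriter(jaas_file)) {
        writer.write("\n"
            + "BlazingCacheServer {\n"
            + "  com.sun.security.auth.module.Krb5LoginModule required debug=true\n"
            + "  useKeyTab=true\n"
            + "  keyTab=\"" + jaasQuotedValue(keytabServer.getAbsolutePath()) + "\"\n"
            + "  storeKey=true\n"
            + "  useTicketCache=false\n"
            + "  principal=\"" + principalServer + "\";\n"
            + "};\n"
            + "\n"
            + "\n"
            + "\n"
            + "BlazingCacheClient {\n"
            + "  com.sun.security.auth.module.Krb5LoginModule required debug=true\n"
            + "  useKeyTab=true\n"
            + "  keyTab=\"" + jaasQuotedValue(keytabClient.getAbsolutePath()) + "\"\n"
            + "  storeKey=true\n"
            + "  useTicketCache=false\n"
            + "  principal=\"" + principalClient + "\";\n"
            + "};\n"
        );
    }

    // Minimal krb5.conf pointing at the in-process KDC.
    File krb5file = new File(kerberosWorkDir.getRoot(), "krb5.conf");
    try (FileWriter writer = new FileWriter(krb5file)) {
        writer.write("[libdefaults]\n"
            + " default_realm = " + realm + "\n"
            // disable UDP as Kerby will listen only on TCP by default
            + " udp_preference_limit=1\n"
            + "\n"
            + "\n"
            + "[realms]\n"
            + " " + realm + "  = {\n"
            + "  kdc = " + kdc.getHost() + ":" + kdc.getPort() + "\n"
            + " }"
        );
    }

    // Point the JVM's JAAS and Kerberos machinery at the generated files and reload the
    // login configuration so entries written above are visible to this test.
    System.setProperty("java.security.auth.login.config", jaas_file.getAbsolutePath());
    System.setProperty("java.security.krb5.conf", krb5file.getAbsolutePath());
    System.setProperty("sun.security.krb5.debug", "true");
    javax.security.auth.login.Configuration.getConfiguration().refresh();

}

/**
 * Escapes a string for use inside a double-quoted JAAS configuration value: backslashes
 * and double quotes are backslash-escaped, as the JAAS config tokenizer expects.
 */
private static String jaasQuotedValue(String value) {
    return value.replace("\\", "\\\\").replace("\"", "\\\"");
}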
 
Example 15
Source File: BaseSecurityTest.java — from incubator-atlas (Apache License 2.0)
protected File createKeytab(MiniKdc kdc, File kdcWorkDir, String principal, String filename) throws Exception {
    // The bare principal plus its "localhost" and "127.0.0.1" instances are keyed into one
    // keytab, so the service can be addressed by either name from the same test.
    File keytab = new File(kdcWorkDir, filename);
    String[] names = {principal, principal + "/localhost", principal + "/127.0.0.1"};
    kdc.createPrincipal(keytab, names);
    return keytab;
}
 
Example 16
Source File: SecureTestEnvironment.java — from Flink-CEPplus (Apache License 2.0)
public static void prepare(TemporaryFolder tempFolder) {
	try {
		File baseDirForSecureRun = tempFolder.newFolder();
		LOG.info("Base Directory for Secure Environment: {}", baseDirForSecureRun);

		// KDC bound to localhost; MiniKdc's own debug output follows this class's log level.
		String hostName = "localhost";
		Properties kdcConf = MiniKdc.createConf();
		if (LOG.isDebugEnabled()) {
			kdcConf.setProperty(MiniKdc.DEBUG, "true");
		}
		kdcConf.setProperty(MiniKdc.KDC_BIND_ADDRESS, hostName);
		kdc = new MiniKdc(kdcConf, baseDirForSecureRun);
		kdc.start();
		LOG.info("Started Mini KDC");

		// One keytab for all five test principals. The statics hold realm-less names
		// while the principals are being created and are realm-qualified right after.
		// The ZooKeeper principals use the literal loopback address as their instance.
		File keytabFile = new File(baseDirForSecureRun, "test-users.keytab");
		testKeytab = keytabFile.getAbsolutePath();
		testZkServerPrincipal = "zookeeper/127.0.0.1";
		testZkClientPrincipal = "zk-client/127.0.0.1";
		testKafkaServerPrincipal = "kafka/" + hostName;
		hadoopServicePrincipal = "hadoop/" + hostName;
		testPrincipal = "client/" + hostName;

		kdc.createPrincipal(keytabFile,
				testPrincipal,
				testZkServerPrincipal,
				hadoopServicePrincipal,
				testZkClientPrincipal,
				testKafkaServerPrincipal);

		String realmSuffix = "@" + kdc.getRealm();
		testPrincipal += realmSuffix;
		testZkServerPrincipal += realmSuffix;
		testZkClientPrincipal += realmSuffix;
		testKafkaServerPrincipal += realmSuffix;
		hadoopServicePrincipal += realmSuffix;

		LOG.info("-------------------------------------------------------------------");
		LOG.info("Test Principal: {}", testPrincipal);
		LOG.info("Test ZK Server Principal: {}", testZkServerPrincipal);
		LOG.info("Test ZK Client Principal: {}", testZkClientPrincipal);
		LOG.info("Test Kafka Server Principal: {}", testKafkaServerPrincipal);
		LOG.info("Test Hadoop Service Principal: {}", hadoopServicePrincipal);
		LOG.info("Test Keytab: {}", testKeytab);
		LOG.info("-------------------------------------------------------------------");

		// Install a keytab-based (no ticket cache) Kerberos security context so that
		// non-Hadoop components needing JAAS-based SASL/Kerberos (the Client and
		// KafkaClient login contexts) work. Hadoop-specific applications can reinitialise
		// it with a Hadoop configuration via ctx.setHadoopConfiguration() so the UGI
		// implementation behaves; see the Yarn test module for an example.
		Configuration flinkConfig = GlobalConfiguration.loadConfiguration();
		flinkConfig.setBoolean(SecurityOptions.ZOOKEEPER_SASL_DISABLE, false);
		flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, testKeytab);
		flinkConfig.setBoolean(SecurityOptions.KERBEROS_LOGIN_USETICKETCACHE, false);
		flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, testPrincipal);
		flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_CONTEXTS, "Client,KafkaClient");
		SecurityConfiguration ctx = new SecurityConfiguration(flinkConfig);
		TestingSecurityContext.install(ctx, getClientSecurityConfigurationMap());

		populateJavaPropertyVariables();
	} catch (Exception e) {
		// Checked exceptions from the setup are wrapped; the cause is preserved.
		throw new RuntimeException("Exception occured while preparing secure environment.", e);
	}
}
 
Example 17
Source File: JAASKerberosTest.java — from herddb (Apache License 2.0)
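@Before
public void startMiniKdc() throws Exception {

    conf = MiniKdc.createConf();
    kdc = new MiniKdc(conf, kdcDir.getRoot());
    kdc.start();

    // MiniKdc creates realm-less principals; the realm-qualified forms go into jaas.conf.
    String localhostName = "localhost";
    String realm = kdc.getRealm();
    String principalServerNoRealm = "herddb/" + localhostName;
    String principalServer = principalServerNoRealm + "@" + realm;
    String principalClientNoRealm = "herddbclient/" + localhostName;
    String principalClient = principalClientNoRealm + "@" + realm;

    System.out.println("adding principal: " + principalServerNoRealm);
    System.out.println("adding principal: " + principalClientNoRealm);

    // Separate keytabs so the client side never holds the server's long-term key.
    File keytabClient = new File(workDir.getRoot(), "herddbclient.keytab");
    kdc.createPrincipal(keytabClient, principalClientNoRealm);

    File keytabServer = new File(workDir.getRoot(), "herddbserver.keytab");
    kdc.createPrincipal(keytabServer, principalServerNoRealm);

    // jaas.conf: both login entries authenticate from their keytab only (no ticket cache)
    // and keep the key in the Subject (storeKey=true) so it can act as an acceptor.
    // Fix: the keyTab value is now a properly closed quoted string. The previous form
    // (`keyTab="<path>` with no closing quote) only worked because the JAAS tokenizer
    // terminates an unclosed quote at end of line. Paths are escaped because the tokenizer
    // also interprets backslashes inside quoted values (Windows paths).
    File jaas_file = new File(workDir.getRoot(), "jaas.conf");
    try (FileWriter writer = new FileWriter(jaas_file)) {
        writer.write("\n"
                + "HerdDBServer {\n"
                + "  com.sun.security.auth.module.Krb5LoginModule required debug=true\n"
                + "  useKeyTab=true\n"
                + "  keyTab=\"" + jaasQuotedValue(keytabServer.getAbsolutePath()) + "\"\n"
                + "  storeKey=true\n"
                + "  useTicketCache=false\n"
                + "  principal=\"" + principalServer + "\";\n"
                + "};\n"
                + "\n"
                + "\n"
                + "\n"
                + "HerdDBClient {\n"
                + "  com.sun.security.auth.module.Krb5LoginModule required debug=true\n"
                + "  useKeyTab=true\n"
                + "  keyTab=\"" + jaasQuotedValue(keytabClient.getAbsolutePath()) + "\"\n"
                + "  storeKey=true\n"
                + "  useTicketCache=false\n"
                + "  principal=\"" + principalClient + "\";\n"
                + "};\n"
        );
    }

    // Minimal krb5.conf pointing at the in-process KDC.
    File krb5file = new File(workDir.getRoot(), "krb5.conf");
    try (FileWriter writer = new FileWriter(krb5file)) {
        writer.write("[libdefaults]\n"
                + " default_realm = " + realm + "\n"
                // disable UDP as Kerby will listen only on TCP by default
                + " udp_preference_limit=1\n"
                + "\n"
                + "[realms]\n"
                + " " + realm + "  = {\n"
                + "  kdc = " + kdc.getHost() + ":" + kdc.getPort() + "\n"
                + " }"
        );
    }

    // Point the JVM's JAAS and Kerberos machinery at the generated files.
    // NOTE(review): unlike the blazingcache variant of this fixture, the login
    // Configuration is not refreshed here — confirm it is not already cached by the
    // time this runs.
    System.setProperty("java.security.auth.login.config", jaas_file.getAbsolutePath());
    System.setProperty("java.security.krb5.conf", krb5file.getAbsolutePath());

}

/**
 * Escapes a string for use inside a double-quoted JAAS configuration value: backslashes
 * and double quotes are backslash-escaped, as the JAAS config tokenizer expects.
 */
private static String jaasQuotedValue(String value) {
    return value.replace("\\", "\\\\").replace("\"", "\\\"");
}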
 
Example 18
Source File: TestSecureNNWithQJM.java — from hadoop (Apache License 2.0)
@BeforeClass
public static void init() throws Exception {
  // Fresh per-class scratch directory for the KDC, the keytab and the keystores.
  String buildDir = System.getProperty("test.build.dir", "target/test-dir");
  baseDir = new File(buildDir, TestSecureNNWithQJM.class.getSimpleName());
  FileUtil.fullyDelete(baseDir);
  assertTrue(baseDir.mkdirs());

  kdc = new MiniKdc(MiniKdc.createConf(), baseDir);
  kdc.start();

  // Put UGI into Kerberos mode before any login happens; fail fast if it did not take.
  baseConf = new HdfsConfiguration();
  SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, baseConf);
  UserGroupInformation.setConfiguration(baseConf);
  assertTrue("Expected configuration to enable security",
    UserGroupInformation.isSecurityEnabled());

  // Windows will not reverse name lookup "127.0.0.1" to "localhost", so the
  // service instance has to be the literal address there.
  final String host = Path.WINDOWS ? "127.0.0.1" : "localhost";
  final String shortUser = UserGroupInformation.getLoginUser().getShortUserName();
  final File keytabFile = new File(baseDir, shortUser + ".keytab");
  final String keytabPath = keytabFile.getAbsolutePath();
  // One keytab: the service principal shared by NN, DN and JN plus the SPNEGO principal.
  kdc.createPrincipal(keytabFile, shortUser + "/" + host, "HTTP/" + host);
  final String realm = kdc.getRealm();
  final String hdfsPrincipal = shortUser + "/" + host + "@" + realm;
  final String spnegoPrincipal = "HTTP/" + host + "@" + realm;

  // Every daemon of this single-JVM cluster runs under the same principal and keytab.
  baseConf.set(DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  baseConf.set(DFS_NAMENODE_KEYTAB_FILE_KEY, keytabPath);
  baseConf.set(DFS_DATANODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  baseConf.set(DFS_DATANODE_KEYTAB_FILE_KEY, keytabPath);
  baseConf.set(DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, spnegoPrincipal);
  baseConf.set(DFS_JOURNALNODE_KEYTAB_FILE_KEY, keytabPath);
  baseConf.set(DFS_JOURNALNODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  baseConf.set(DFS_JOURNALNODE_KERBEROS_INTERNAL_SPNEGO_PRINCIPAL_KEY, spnegoPrincipal);
  baseConf.setBoolean(DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true);
  // SASL on the data-transfer path at QOP "authentication": peers are authenticated,
  // but blocks are neither integrity- nor privacy-protected on the wire.
  baseConf.set(DFS_DATA_TRANSFER_PROTECTION_KEY, "authentication");
  // HTTPS only; port 0 lets the OS pick free ports.
  baseConf.set(DFS_HTTP_POLICY_KEY, HttpConfig.Policy.HTTPS_ONLY.name());
  baseConf.set(DFS_NAMENODE_HTTPS_ADDRESS_KEY, "localhost:0");
  baseConf.set(DFS_DATANODE_HTTPS_ADDRESS_KEY, "localhost:0");
  baseConf.set(DFS_JOURNALNODE_HTTPS_ADDRESS_KEY, "localhost:0");
  baseConf.setInt(IPC_CLIENT_CONNECT_MAX_RETRIES_ON_SASL_KEY, 10);

  // Test keystores and the SSL config that points at them go into baseDir.
  // NOTE(review): the meaning of the trailing 'false' is not visible here — check KeyStoreTestUtil.
  final String keystoresDir = baseDir.getAbsolutePath();
  final String sslConfDir = KeyStoreTestUtil.getClasspathDir(TestSecureNNWithQJM.class);
  KeyStoreTestUtil.setupSSLConfig(keystoresDir, sslConfDir, baseConf, false);
}
 
Example 19
Source File: BaseSecurityTest.java — from atlas (Apache License 2.0)
protected File createKeytab(MiniKdc kdc, File kdcWorkDir, String principal, String filename) throws Exception {
    // The bare principal plus its "localhost" and "127.0.0.1" instances are keyed into one
    // keytab, so the service can be addressed by either name from the same test.
    File keytab = new File(kdcWorkDir, filename);
    String[] names = {principal, principal + "/localhost", principal + "/127.0.0.1"};
    kdc.createPrincipal(keytab, names);
    return keytab;
}
 
Example 20
Source File: SecureKnoxShellTest.java — from knox (Apache License 2.0)
private static void initKdc() throws Exception {
  kdc = new MiniKdc(MiniKdc.createConf(), baseDir);
  kdc.start();

  // Test identity "guest" (group "users"); its name becomes the primary of the service principal.
  userName = UserGroupInformation
      .createUserForTesting("guest", new String[] { "users" }).getUserName();
  // Windows will not reverse name lookup "127.0.0.1" to "localhost".
  final String host = Path.WINDOWS ? "127.0.0.1" : "localhost";
  final File keytabFile = new File(baseDir, userName + ".keytab");
  keytab = keytabFile.getAbsolutePath();
  // One keytab: the service principal shared by NN, DN and JN plus the SPNEGO principal.
  kdc.createPrincipal(keytabFile, userName + "/" + host, "HTTP/" + host);

  final String realm = kdc.getRealm();
  hdfsPrincipal = userName + "/" + host + "@" + realm;
  spnegoPrincipal = "HTTP/" + host + "@" + realm;

  // `configuration` is a static that must already exist when this runs; it is not created here.
  configuration.set(DFS_NAMENODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  configuration.set(DFS_NAMENODE_KEYTAB_FILE_KEY, keytab);
  configuration.set(DFS_DATANODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  configuration.set(DFS_DATANODE_KEYTAB_FILE_KEY, keytab);
  configuration.set(DFS_WEB_AUTHENTICATION_KERBEROS_PRINCIPAL_KEY, spnegoPrincipal);
  configuration.set(DFS_JOURNALNODE_KEYTAB_FILE_KEY, keytab);
  configuration.set(DFS_JOURNALNODE_KERBEROS_PRINCIPAL_KEY, hdfsPrincipal);
  configuration.set(DFS_JOURNALNODE_KERBEROS_INTERNAL_SPNEGO_PRINCIPAL_KEY, spnegoPrincipal);
  configuration.setBoolean(DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true);
  // NOTE(review): "authentication" is a SASL QOP level (the kind of value
  // dfs.data.transfer.protection takes), not a data-transfer cipher name. This line looks
  // like it was meant for DFS_DATA_TRANSFER_PROTECTION_KEY, as the Hadoop TestSecureNNWithQJM
  // setup does; confirm which key this cluster actually needs before changing it.
  configuration.set(DFS_DATA_ENCRYPTION_ALGORITHM_KEY, "authentication");
  // Both HTTP and HTTPS are served; port 0 lets the OS pick free ports.
  configuration.set(DFS_HTTP_POLICY_KEY, HttpConfig.Policy.HTTP_AND_HTTPS.name());
  configuration.set(DFS_NAMENODE_HTTPS_ADDRESS_KEY, "localhost:0");
  configuration.set(DFS_DATANODE_HTTPS_ADDRESS_KEY, "localhost:0");
  configuration.set(DFS_JOURNALNODE_HTTPS_ADDRESS_KEY, "localhost:0");
  configuration.setInt(IPC_CLIENT_CONNECT_MAX_RETRIES_KEY, 10);
  // Wildcard impersonation rules for the test user; acceptable only because the
  // whole cluster lives in this JVM.
  configuration.set("hadoop.proxyuser." + userName + ".hosts", "*");
  configuration.set("hadoop.proxyuser." + userName + ".groups", "*");
  configuration.setBoolean("dfs.permissions", true);

  // Keystores and the ssl-client.xml / ssl-server.xml describing them are generated into
  // baseDir; only the file names are configured, presumably because they are resolved as
  // resources. NOTE(review): the meaning of the trailing 'false' is not visible here — check
  // KeyStoreTestUtil.
  final String keystoresDir = baseDir.getAbsolutePath();
  KeyStoreTestUtil.setupSSLConfig(keystoresDir, keystoresDir, configuration, false);
  configuration.set(DFS_CLIENT_HTTPS_KEYSTORE_RESOURCE_KEY,
      new File(keystoresDir + "/ssl-client.xml").getName());
  configuration.set(DFS_SERVER_HTTPS_KEYSTORE_RESOURCE_KEY,
      new File(keystoresDir + "/ssl-server.xml").getName());

  // Published so the Knox side can point the JVM at the same KDC.
  krb5conf = kdc.getKrb5conf().getAbsolutePath();
}