Java Code Examples for org.apache.hadoop.security.Groups#getUserToGroupsMappingService()

The following examples show how to use org.apache.hadoop.security.Groups#getUserToGroupsMappingService() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: TestHsWebServicesAcls.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the fixture: a job configuration with MapReduce ACLs switched on and
 * {@code NullGroupsProvider} named as the group-mapping class, a history
 * context, and an {@code HsWebServices} instance wired to mocks. The ids of
 * the first job, task and task attempt found in the context are kept as
 * strings.
 *
 * @throws IOException declared by the fixture; the call that raises it is not
 *     visible in this excerpt
 */
@Before
public void setup() throws IOException {
  conf = new JobConf();
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      NullGroupsProvider.class.getName());
  // NOTE(review): Hadoop's Groups accessor hands back a process-wide instance
  // that is built on first use; if another test created it earlier, the
  // mapping class set above may not take effect. Confirm for the Hadoop
  // version in use.
  Groups.getUserToGroupsMappingService(conf);

  ctx = buildHistoryContext(conf);
  WebApp mockedWebApp = mock(HsWebApp.class);
  when(mockedWebApp.name()).thenReturn("hsmockwebapp");
  hsWebServices = new HsWebServices(ctx, conf, mockedWebApp);
  hsWebServices.setResponse(mock(HttpServletResponse.class));

  // Take whichever job, task and attempt the iterators yield first.
  Job firstJob = ctx.getAllJobs().values().iterator().next();
  jobIdStr = firstJob.getID().toString();
  Task firstTask = firstJob.getTasks().values().iterator().next();
  taskIdStr = firstTask.getID().toString();
  taskAttemptIdStr =
      firstTask.getAttempts().keySet().iterator().next().toString();
}
 
Example 2
Source File: TestHsWebServicesAcls.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the fixture: a job configuration with MapReduce ACLs switched on and
 * {@code NullGroupsProvider} named as the group-mapping class, a history
 * context, and an {@code HsWebServices} instance wired to mocks. The ids of
 * the first job, task and task attempt found in the context are kept as
 * strings.
 *
 * @throws IOException declared by the fixture; the call that raises it is not
 *     visible in this excerpt
 */
@Before
public void setup() throws IOException {
  conf = new JobConf();
  conf.setBoolean(MRConfig.MR_ACLS_ENABLED, true);
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      NullGroupsProvider.class.getName());
  // NOTE(review): Hadoop's Groups accessor hands back a process-wide instance
  // that is built on first use; if another test created it earlier, the
  // mapping class set above may not take effect. Confirm for the Hadoop
  // version in use.
  Groups.getUserToGroupsMappingService(conf);

  ctx = buildHistoryContext(conf);
  WebApp mockedWebApp = mock(HsWebApp.class);
  when(mockedWebApp.name()).thenReturn("hsmockwebapp");
  hsWebServices = new HsWebServices(ctx, conf, mockedWebApp);
  hsWebServices.setResponse(mock(HttpServletResponse.class));

  // Take whichever job, task and attempt the iterators yield first.
  Job firstJob = ctx.getAllJobs().values().iterator().next();
  jobIdStr = firstJob.getID().toString();
  Task firstTask = firstJob.getTasks().values().iterator().next();
  taskIdStr = firstTask.getID().toString();
  taskAttemptIdStr =
      firstTask.getAttempts().keySet().iterator().next().toString();
}
 
Example 3
Source File: TestHSAdminServer.java    From big-c with Apache License 2.0 5 votes vote down vote up
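/**
 * Checks that a user's groups are served from the cache until the
 * {@code -refreshUserToGroupsMappings} admin command is run, and that the
 * lookup after the refresh returns different groups.
 *
 * <p>The cached answer is what authorization decisions see, so a membership
 * change in the backing provider is not visible until the cache is cleared or
 * expires; this test pins the explicit-refresh path.
 *
 * @throws Exception if the group lookup or the admin command fails
 */
@Test
public void testRefreshUserToGroupsMappings() throws Exception {

  String[] args = new String[] { "-refreshUserToGroupsMappings" };
  Groups groups = Groups.getUserToGroupsMappingService(conf);
  String user = UserGroupInformation.getCurrentUser().getUserName();
  System.out.println("first attempt:");
  List<String> g1 = groups.getGroups(user);
  // Print from a fresh array each time: one shared array sized for g1 would
  // show stale or null-padded entries if a later lookup had another size.
  System.out.println(Arrays.toString(g1.toArray(new String[0])));

  // The groups of this user have changed by now, but getGroups answers from
  // the cache, so the same groups as before are expected.
  System.out.println("second attempt, should be same:");
  List<String> g2 = groups.getGroups(user);
  System.out.println(Arrays.toString(g2.toArray(new String[0])));
  // Compare sizes first so a shorter or longer cached answer fails clearly
  // instead of passing silently or throwing IndexOutOfBoundsException.
  assertEquals("Should be same number of groups ", g1.size(), g2.size());
  for (int i = 0; i < g2.size(); i++) {
    assertEquals("Should be same group ", g1.get(i), g2.get(i));
  }
  // Run the command, which clears the cache.
  hsAdminClient.run(args);
  System.out
      .println("third attempt(after refresh command), should be different:");
  // getGroups should now return the new groups.
  List<String> g3 = groups.getGroups(user);
  System.out.println(Arrays.toString(g3.toArray(new String[0])));
  // Only positions present in both lists can be compared element-wise.
  int comparable = Math.min(g1.size(), g3.size());
  for (int i = 0; i < comparable; i++) {
    assertFalse(
        "Should be different group: " + g1.get(i) + " and " + g3.get(i), g1
            .get(i).equals(g3.get(i)));
  }
}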
 
Example 4
Source File: HadoopGroupResourceAuthorizationProvider.java    From incubator-sentry with Apache License 2.0 5 votes vote down vote up
/**
 * Chooses the {@code Groups} instance to resolve group membership with.
 *
 * <p>When {@code USE_NEW_GROUPS} is set in {@code conf} a new {@code Groups}
 * is constructed from that configuration; otherwise (the default) the
 * instance returned by {@code Groups.getUserToGroupsMappingService} is used.
 *
 * <p>NOTE(review): the two paths presumably differ in caching and refresh
 * behaviour (a privately constructed instance would not share state with the
 * service instance); confirm which one admin-triggered group refreshes reach
 * before relying on either for authorization.
 *
 * @param conf configuration read for the flag and handed to {@code Groups}
 * @return the {@code Groups} instance selected by the flag
 */
private static Groups getGroups(Configuration conf) {
  boolean buildPrivateInstance = conf.getBoolean(USE_NEW_GROUPS, false);
  return buildPrivateInstance
      ? new Groups(conf)
      : Groups.getUserToGroupsMappingService(conf);
}
 
Example 5
Source File: TestHttpServer.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Verify the administrator access for /logs, /stacks, /conf, /logLevel and
 * /metrics servlets.
 */
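@Test
@Ignore
public void testAuthorizationOfDefaultServlets() throws Exception {
  Configuration conf = new Configuration();
  // Enable authorization and, judging by the key name, admin-only access to
  // the instrumentation servlets probed by the assertions below.
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
      true);
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN,
      true);
  conf.set(HttpServer.FILTER_INITIALIZERS_PROPERTY,
      DummyFilterInitializer.class.getName());

  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MyGroupsProvider.class.getName());
  // NOTE(review): Hadoop's Groups accessor hands back a process-wide instance
  // that is built on first use; if another test created it earlier, the
  // mapping class set above may not take effect. Confirm for the Hadoop
  // version in use.
  Groups.getUserToGroupsMappingService(conf);
  // Each test user is placed in exactly one group with the matching letter.
  MyGroupsProvider.clearMapping();
  MyGroupsProvider.mapping.put("userA", Collections.singletonList("groupA"));
  MyGroupsProvider.mapping.put("userB", Collections.singletonList("groupB"));
  MyGroupsProvider.mapping.put("userC", Collections.singletonList("groupC"));
  MyGroupsProvider.mapping.put("userD", Collections.singletonList("groupD"));
  MyGroupsProvider.mapping.put("userE", Collections.singletonList("groupE"));

  // Admin ACL: userA and userB by name, userC and userD through groupC and
  // groupD. userE (groupE only) appears in neither list.
  HttpServer myServer = new HttpServer.Builder().setName("test")
      .addEndpoint(new URI("http://localhost:0")).setFindPort(true).setConf(conf)
      .setACL(new AccessControlList("userA,userB groupC,groupD")).build();
  myServer.setAttribute(HttpServer.CONF_CONTEXT_ATTRIBUTE, conf);
  myServer.start();

  // Stop the server even when an assertion fails, so a failing run does not
  // leave the listener behind for later tests.
  try {
    String serverURL = "http://"
        + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
    for (String servlet : new String[] { "conf", "logs", "stacks", "logLevel", "metrics" }) {
      for (String user : new String[] { "userA", "userB", "userC", "userD" }) {
        assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
            + servlet, user));
      }
      // The user outside the ACL must be refused on every servlet.
      assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, getHttpStatusCode(
          serverURL + servlet, "userE"));
    }
  } finally {
    myServer.stop();
  }
}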
 
Example 6
Source File: TestHttpServer.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Verify the access for /logs, /stacks, /conf, /logLevel and /metrics
 * servlets, when authentication filters are set, but authorization is not
 * enabled.
 */
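@Test
@Ignore
public void testDisabledAuthorizationOfDefaultServlets() throws Exception {
  Configuration conf = new Configuration();

  // Authorization is disabled by default, so only the filter initializer and
  // the group mapping are configured here.
  conf.set(HttpServer.FILTER_INITIALIZERS_PROPERTY,
      DummyFilterInitializer.class.getName());
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MyGroupsProvider.class.getName());
  // NOTE(review): Hadoop's Groups accessor hands back a process-wide instance
  // that is built on first use; if another test created it earlier, the
  // mapping class set above may not take effect. Confirm for the Hadoop
  // version in use.
  Groups.getUserToGroupsMappingService(conf);
  MyGroupsProvider.clearMapping();
  MyGroupsProvider.mapping.put("userA", Collections.singletonList("groupA"));
  MyGroupsProvider.mapping.put("userB", Collections.singletonList("groupB"));

  // The builder gets neither setConf nor setACL in this test; conf is only
  // attached afterwards as a context attribute.
  HttpServer myServer = new HttpServer.Builder().setName("test")
      .addEndpoint(new URI("http://localhost:0")).setFindPort(true).build();
  myServer.setAttribute(HttpServer.CONF_CONTEXT_ATTRIBUTE, conf);
  myServer.start();

  // Stop the server even when an assertion fails, so a failing run does not
  // leave the listener behind for later tests.
  try {
    String serverURL = "http://" + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
    for (String servlet : new String[] { "conf", "logs", "stacks", "logLevel", "metrics" }) {
      // With authorization off, every user is expected to be served.
      for (String user : new String[] { "userA", "userB" }) {
        assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
            + servlet, user));
      }
    }
  } finally {
    myServer.stop();
  }
}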
 
Example 7
Source File: AccessChecker.java    From hbase with Apache License 2.0 5 votes vote down vote up
/**
 * Sets {@code groupService} on first use and leaves it untouched afterwards.
 *
 * <p>When {@code User.TestingGroups.TEST_CONF} is true in {@code conf}, the
 * groups held by {@code UserProvider} are wrapped in
 * {@code User.TestingGroups}, installed back into {@code UserProvider}, and
 * used as the group service. Otherwise the instance from
 * {@code Groups.getUserToGroupsMappingService} is used.
 *
 * <p>NOTE(review): the testing branch replaces the groups object held by
 * {@code UserProvider}, not just this field; presumably the flag is meant for
 * tests only. Confirm it cannot be set through a production configuration,
 * since the group service feeds access checks. No synchronization is visible
 * here either; confirm callers serialize initialization.
 *
 * @param conf configuration read for the testing flag and passed to Hadoop
 */
private void initGroupService(Configuration conf) {
  if (groupService != null) {
    return;
  }
  boolean useTestingGroups = conf.getBoolean(User.TestingGroups.TEST_CONF, false);
  if (!useTestingGroups) {
    groupService = Groups.getUserToGroupsMappingService(conf);
    return;
  }
  UserProvider.setGroups(new User.TestingGroups(UserProvider.getGroups()));
  groupService = UserProvider.getGroups();
}
 
Example 8
Source File: TestHttpServer.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Verify the administrator access for /logs, /stacks, /conf, /logLevel and
 * /metrics servlets.
 * 
 * @throws Exception
 */
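@Test
public void testAuthorizationOfDefaultServlets() throws Exception {
  Configuration conf = new Configuration();
  // Enable authorization and, judging by the key name, admin-only access to
  // the instrumentation servlets probed by the assertions below.
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
      true);
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN,
      true);
  conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY,
      DummyFilterInitializer.class.getName());

  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MyGroupsProvider.class.getName());
  // NOTE(review): Hadoop's Groups accessor hands back a process-wide instance
  // that is built on first use; if another test created it earlier, the
  // mapping class set above may not take effect. Confirm for the Hadoop
  // version in use.
  Groups.getUserToGroupsMappingService(conf);
  // Each test user is placed in exactly one group with the matching letter.
  MyGroupsProvider.clearMapping();
  MyGroupsProvider.mapping.put("userA", Arrays.asList("groupA"));
  MyGroupsProvider.mapping.put("userB", Arrays.asList("groupB"));
  MyGroupsProvider.mapping.put("userC", Arrays.asList("groupC"));
  MyGroupsProvider.mapping.put("userD", Arrays.asList("groupD"));
  MyGroupsProvider.mapping.put("userE", Arrays.asList("groupE"));

  // Admin ACL: userA and userB by name, userC and userD through groupC and
  // groupD. userE (groupE only) appears in neither list.
  HttpServer2 myServer = new HttpServer2.Builder().setName("test")
      .addEndpoint(new URI("http://localhost:0")).setFindPort(true).setConf(conf)
      .setACL(new AccessControlList("userA,userB groupC,groupD")).build();
  myServer.setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE, conf);
  myServer.start();

  // Stop the server even when an assertion fails, so a failing run does not
  // leave the listener behind for later tests.
  try {
    String serverURL = "http://"
        + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
    for (String servlet : new String[] { "conf", "logs", "stacks",
        "logLevel", "metrics" }) {
      for (String user : new String[] { "userA", "userB", "userC", "userD" }) {
        assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
            + servlet, user));
      }
      // The user outside the ACL must be refused on every servlet.
      assertEquals(HttpURLConnection.HTTP_FORBIDDEN, getHttpStatusCode(
          serverURL + servlet, "userE"));
    }
  } finally {
    myServer.stop();
  }
}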
 
Example 9
Source File: TestHttpServer.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Verify the access for /logs, /stacks, /conf, /logLevel and /metrics
 * servlets, when authentication filters are set, but authorization is not
 * enabled.
 * @throws Exception 
 */
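@Test
public void testDisabledAuthorizationOfDefaultServlets() throws Exception {

  Configuration conf = new Configuration();

  // Authorization is disabled by default, so only the filter initializer and
  // the group mapping are configured here.
  conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY,
      DummyFilterInitializer.class.getName());
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MyGroupsProvider.class.getName());
  // NOTE(review): Hadoop's Groups accessor hands back a process-wide instance
  // that is built on first use; if another test created it earlier, the
  // mapping class set above may not take effect. Confirm for the Hadoop
  // version in use.
  Groups.getUserToGroupsMappingService(conf);
  MyGroupsProvider.clearMapping();
  MyGroupsProvider.mapping.put("userA", Arrays.asList("groupA"));
  MyGroupsProvider.mapping.put("userB", Arrays.asList("groupB"));

  // The builder gets neither setConf nor setACL in this test; conf is only
  // attached afterwards as a context attribute.
  HttpServer2 myServer = new HttpServer2.Builder().setName("test")
      .addEndpoint(new URI("http://localhost:0")).setFindPort(true).build();
  myServer.setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE, conf);
  myServer.start();

  // Stop the server even when an assertion fails, so a failing run does not
  // leave the listener behind for later tests.
  try {
    String serverURL = "http://" + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
    for (String servlet : new String[] { "conf", "logs", "stacks",
        "logLevel", "metrics" }) {
      // With authorization off, every user is expected to be served.
      for (String user : new String[] { "userA", "userB" }) {
        assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
            + servlet, user));
      }
    }
  } finally {
    myServer.stop();
  }
}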
 
Example 10
Source File: TestHSAdminServer.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Starts an {@code HSAdminServer} backed by mocks and creates the admin
 * client that talks to it.
 *
 * <p>The configuration names {@code MockUnixGroupsMapping} as the group
 * mapping, sets the groups cache lifetime from {@code groupRefreshTimeoutSec}
 * and the authorization switch from {@code securityEnabled}. After the server
 * has started, the admin address in the configuration is overwritten with the
 * server's actual listener address so the client connects to it.
 *
 * @throws HadoopIllegalArgumentException declared by the fixture
 * @throws IOException declared by the fixture
 */
@Before
public void init() throws HadoopIllegalArgumentException, IOException {
  // Collaborators of the server are mocks; only the admin RPC path is real.
  alds = mock(AggregatedLogDeletionService.class);
  jobHistoryService = mock(JobHistory.class);

  conf = new JobConf();
  conf.setBoolean(
      CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION,
      securityEnabled);
  conf.setLong("hadoop.security.groups.cache.secs", groupRefreshTimeoutSec);
  conf.setClass("hadoop.security.group.mapping", MockUnixGroupsMapping.class,
      GroupMappingServiceProvider.class);
  // NOTE(review): "0.0.0.0:0" asks for a wildcard bind on an ephemeral port;
  // a loopback address would keep the test listener off external interfaces.
  // Confirm the client still resolves the listener address before changing.
  conf.set(JHAdminConfig.JHS_ADMIN_ADDRESS, "0.0.0.0:0");
  // NOTE(review): Hadoop's Groups accessor hands back a process-wide instance
  // that is built on first use; if it already exists, the mapping class and
  // cache lifetime set above may not take effect. Confirm.
  Groups.getUserToGroupsMappingService(conf);

  // Make the server use this test's configuration instead of creating one.
  hsAdminServer = new HSAdminServer(alds, jobHistoryService) {
    @Override
    protected Configuration createConf() {
      return conf;
    }
  };
  hsAdminServer.init(conf);
  hsAdminServer.start();

  // Point the client at the port the server actually bound.
  conf.setSocketAddr(JHAdminConfig.JHS_ADMIN_ADDRESS,
      hsAdminServer.clientRpcServer.getListenerAddress());
  hsAdminClient = new HSAdmin(conf);
}
 
Example 11
Source File: TestHttpServer.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Verify the administrator access for /logs, /stacks, /conf, /logLevel and
 * /metrics servlets.
 * 
 * @throws Exception
 */
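@Test
public void testAuthorizationOfDefaultServlets() throws Exception {
  Configuration conf = new Configuration();
  // Enable authorization and, judging by the key name, admin-only access to
  // the instrumentation servlets probed by the assertions below.
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION,
      true);
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN,
      true);
  conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY,
      DummyFilterInitializer.class.getName());

  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MyGroupsProvider.class.getName());
  // NOTE(review): Hadoop's Groups accessor hands back a process-wide instance
  // that is built on first use; if another test created it earlier, the
  // mapping class set above may not take effect. Confirm for the Hadoop
  // version in use.
  Groups.getUserToGroupsMappingService(conf);
  // Each test user is placed in exactly one group with the matching letter.
  MyGroupsProvider.clearMapping();
  MyGroupsProvider.mapping.put("userA", Arrays.asList("groupA"));
  MyGroupsProvider.mapping.put("userB", Arrays.asList("groupB"));
  MyGroupsProvider.mapping.put("userC", Arrays.asList("groupC"));
  MyGroupsProvider.mapping.put("userD", Arrays.asList("groupD"));
  MyGroupsProvider.mapping.put("userE", Arrays.asList("groupE"));

  // Admin ACL: userA and userB by name, userC and userD through groupC and
  // groupD. userE (groupE only) appears in neither list.
  HttpServer2 myServer = new HttpServer2.Builder().setName("test")
      .addEndpoint(new URI("http://localhost:0")).setFindPort(true).setConf(conf)
      .setACL(new AccessControlList("userA,userB groupC,groupD")).build();
  myServer.setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE, conf);
  myServer.start();

  // Stop the server even when an assertion fails, so a failing run does not
  // leave the listener behind for later tests.
  try {
    String serverURL = "http://"
        + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
    for (String servlet : new String[] { "conf", "logs", "stacks",
        "logLevel", "metrics" }) {
      for (String user : new String[] { "userA", "userB", "userC", "userD" }) {
        assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
            + servlet, user));
      }
      // The user outside the ACL must be refused on every servlet.
      assertEquals(HttpURLConnection.HTTP_FORBIDDEN, getHttpStatusCode(
          serverURL + servlet, "userE"));
    }
  } finally {
    myServer.stop();
  }
}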
 
Example 12
Source File: TestHttpServer.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Verify the access for /logs, /stacks, /conf, /logLevel and /metrics
 * servlets, when authentication filters are set, but authorization is not
 * enabled.
 * @throws Exception 
 */
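@Test
public void testDisabledAuthorizationOfDefaultServlets() throws Exception {

  Configuration conf = new Configuration();

  // Authorization is disabled by default, so only the filter initializer and
  // the group mapping are configured here.
  conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY,
      DummyFilterInitializer.class.getName());
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
      MyGroupsProvider.class.getName());
  // NOTE(review): Hadoop's Groups accessor hands back a process-wide instance
  // that is built on first use; if another test created it earlier, the
  // mapping class set above may not take effect. Confirm for the Hadoop
  // version in use.
  Groups.getUserToGroupsMappingService(conf);
  MyGroupsProvider.clearMapping();
  MyGroupsProvider.mapping.put("userA", Arrays.asList("groupA"));
  MyGroupsProvider.mapping.put("userB", Arrays.asList("groupB"));

  // The builder gets neither setConf nor setACL in this test; conf is only
  // attached afterwards as a context attribute.
  HttpServer2 myServer = new HttpServer2.Builder().setName("test")
      .addEndpoint(new URI("http://localhost:0")).setFindPort(true).build();
  myServer.setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE, conf);
  myServer.start();

  // Stop the server even when an assertion fails, so a failing run does not
  // leave the listener behind for later tests.
  try {
    String serverURL = "http://" + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
    for (String servlet : new String[] { "conf", "logs", "stacks",
        "logLevel", "metrics" }) {
      // With authorization off, every user is expected to be served.
      for (String user : new String[] { "userA", "userB" }) {
        assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL
            + servlet, user));
      }
    }
  } finally {
    myServer.stop();
  }
}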
 
Example 13
Source File: TestHSAdminServer.java    From hadoop with Apache License 2.0 5 votes vote down vote up
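/**
 * Checks that a user's groups are served from the cache until the
 * {@code -refreshUserToGroupsMappings} admin command is run, and that the
 * lookup after the refresh returns different groups.
 *
 * <p>The cached answer is what authorization decisions see, so a membership
 * change in the backing provider is not visible until the cache is cleared or
 * expires; this test pins the explicit-refresh path.
 *
 * @throws Exception if the group lookup or the admin command fails
 */
@Test
public void testRefreshUserToGroupsMappings() throws Exception {

  String[] args = new String[] { "-refreshUserToGroupsMappings" };
  Groups groups = Groups.getUserToGroupsMappingService(conf);
  String user = UserGroupInformation.getCurrentUser().getUserName();
  System.out.println("first attempt:");
  List<String> g1 = groups.getGroups(user);
  // Print from a fresh array each time: one shared array sized for g1 would
  // show stale or null-padded entries if a later lookup had another size.
  System.out.println(Arrays.toString(g1.toArray(new String[0])));

  // The groups of this user have changed by now, but getGroups answers from
  // the cache, so the same groups as before are expected.
  System.out.println("second attempt, should be same:");
  List<String> g2 = groups.getGroups(user);
  System.out.println(Arrays.toString(g2.toArray(new String[0])));
  // Compare sizes first so a shorter or longer cached answer fails clearly
  // instead of passing silently or throwing IndexOutOfBoundsException.
  assertEquals("Should be same number of groups ", g1.size(), g2.size());
  for (int i = 0; i < g2.size(); i++) {
    assertEquals("Should be same group ", g1.get(i), g2.get(i));
  }
  // Run the command, which clears the cache.
  hsAdminClient.run(args);
  System.out
      .println("third attempt(after refresh command), should be different:");
  // getGroups should now return the new groups.
  List<String> g3 = groups.getGroups(user);
  System.out.println(Arrays.toString(g3.toArray(new String[0])));
  // Only positions present in both lists can be compared element-wise.
  int comparable = Math.min(g1.size(), g3.size());
  for (int i = 0; i < comparable; i++) {
    assertFalse(
        "Should be different group: " + g1.get(i) + " and " + g3.get(i), g1
            .get(i).equals(g3.get(i)));
  }
}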
 
Example 14
Source File: TestHSAdminServer.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Starts an {@code HSAdminServer} backed by mocks and creates the admin
 * client that talks to it.
 *
 * <p>The configuration names {@code MockUnixGroupsMapping} as the group
 * mapping, sets the groups cache lifetime from {@code groupRefreshTimeoutSec}
 * and the authorization switch from {@code securityEnabled}. After the server
 * has started, the admin address in the configuration is overwritten with the
 * server's actual listener address so the client connects to it.
 *
 * @throws HadoopIllegalArgumentException declared by the fixture
 * @throws IOException declared by the fixture
 */
@Before
public void init() throws HadoopIllegalArgumentException, IOException {
  // Collaborators of the server are mocks; only the admin RPC path is real.
  alds = mock(AggregatedLogDeletionService.class);
  jobHistoryService = mock(JobHistory.class);

  conf = new JobConf();
  conf.setBoolean(
      CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION,
      securityEnabled);
  conf.setLong("hadoop.security.groups.cache.secs", groupRefreshTimeoutSec);
  conf.setClass("hadoop.security.group.mapping", MockUnixGroupsMapping.class,
      GroupMappingServiceProvider.class);
  // NOTE(review): "0.0.0.0:0" asks for a wildcard bind on an ephemeral port;
  // a loopback address would keep the test listener off external interfaces.
  // Confirm the client still resolves the listener address before changing.
  conf.set(JHAdminConfig.JHS_ADMIN_ADDRESS, "0.0.0.0:0");
  // NOTE(review): Hadoop's Groups accessor hands back a process-wide instance
  // that is built on first use; if it already exists, the mapping class and
  // cache lifetime set above may not take effect. Confirm.
  Groups.getUserToGroupsMappingService(conf);

  // Make the server use this test's configuration instead of creating one.
  hsAdminServer = new HSAdminServer(alds, jobHistoryService) {
    @Override
    protected Configuration createConf() {
      return conf;
    }
  };
  hsAdminServer.init(conf);
  hsAdminServer.start();

  // Point the client at the port the server actually bound.
  conf.setSocketAddr(JHAdminConfig.JHS_ADMIN_ADDRESS,
      hsAdminServer.clientRpcServer.getListenerAddress());
  hsAdminClient = new HSAdmin(conf);
}
 
Example 15
Source File: TestAccessControlList.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Test the netgroups (groups in ACL rules that start with @)
 *
 * This is a  manual test because it requires:
 *   - host setup
 *   - native code compiled
 *   - specify the group mapping class
 *
 * Host setup:
 *
 * /etc/nsswitch.conf should have a line like this:
 * netgroup: files
 *
 * /etc/netgroup should be (the whole file):
 * lasVegas (,elvis,)
 * memphis (,elvis,) (,jerryLeeLewis,)
 *
 * To run this test:
 *
 * export JAVA_HOME='path/to/java'
 * ant \
 *   -Dtestcase=TestAccessControlList \
 *   -Dtest.output=yes \
 *   -DTestAccessControlListGroupMapping=$className \
 *   compile-native test
 *
 * where $className is one of the classes that provide group
 * mapping services, i.e. classes that implement
 * GroupMappingServiceProvider interface, at this time:
 *   - org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping
 *   - org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping
 *
 */
@Test
public void testNetgroups() throws Exception {

  // Guard 1: the netgroup providers need the native library.
  if (!NativeCodeLoader.isNativeCodeLoaded()) {
    LOG.info("Not testing netgroups, this test only runs when native code is compiled");
    return;
  }

  // Guard 2: the provider class is chosen by the person running the test.
  // NOTE(review): the name is handed to the configuration unchecked and is
  // presumably instantiated by Hadoop; only the provider classes listed in
  // the Javadoc are expected here.
  String mappingClassName =
      System.getProperty("TestAccessControlListGroupMapping");
  if (mappingClassName == null) {
    LOG.info("Not testing netgroups, no group mapping class specified, " +
        "use -DTestAccessControlListGroupMapping=$className to specify " +
        "group mapping class (must implement GroupMappingServiceProvider " +
        "interface and support netgroups)");
    return;
  }

  LOG.info("Testing netgroups using: " + mappingClassName);

  Configuration conf = new Configuration();
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_GROUP_MAPPING,
      mappingClassName);
  Groups groups = Groups.getUserToGroupsMappingService(conf);

  // These ACLs are built only to populate the groups cache; the instances
  // themselves are not used afterwards.
  new AccessControlList("ja my"); // plain
  new AccessControlList("sinatra ratpack,@lasVegas"); // netgroup
  new AccessControlList(" somegroup,@someNetgroup"); // no user

  // This is the ACL the assertions run against.
  AccessControlList acl = new AccessControlList("carlPerkins ratpack,@lasVegas");
  acl.addGroup("@memphis");

  // Validate the netgroups before and after a refresh to make sure the
  // refresh keeps them resolvable.
  validateNetgroups(groups, acl);
  groups.refresh();
  validateNetgroups(groups, acl);
}
 
Example 16
Source File: TestProxyUsers.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Test the netgroups (groups in ACL rules that start with @)
 *
 * This is a  manual test because it requires:
 *   - host setup
 *   - native code compiled
 *   - specify the group mapping class
 *
 * Host setup:
 *
 * /etc/nsswitch.conf should have a line like this:
 * netgroup: files
 *
 * /etc/netgroup should be (the whole file):
 * foo_group (,proxied_user,)
 *
 * To run this test:
 *
 * export JAVA_HOME='path/to/java'
 * mvn test \
 *   -Dtest=TestProxyUsers \
 *   -DTestProxyUsersGroupMapping=$className \
 *   
 * where $className is one of the classes that provide group
 * mapping services, i.e. classes that implement
 * GroupMappingServiceProvider interface, at this time:
 *   - org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping
 *   - org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping
 *
 */

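@Test
public void testNetgroups() throws IOException {

  // The netgroup providers need the native library; skip quietly without it.
  if(!NativeCodeLoader.isNativeCodeLoaded()) {
    LOG.info("Not testing netgroups, " +
      "this test only runs when native code is compiled");
    return;
  }

  // The provider class is chosen by the person running the test.
  String groupMappingClassName =
    System.getProperty("TestProxyUsersGroupMapping");

  if(groupMappingClassName == null) {
    LOG.info("Not testing netgroups, no group mapping class specified, " +
      "use -DTestProxyUsersGroupMapping=$className to specify " +
      "group mapping class (must implement GroupMappingServiceProvider " +
      "interface and support netgroups)");
    return;
  }

  LOG.info("Testing netgroups using: " + groupMappingClassName);

  Configuration conf = new Configuration();
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_GROUP_MAPPING,
    groupMappingClassName);

  // Impersonation by REAL_USER_NAME is limited twice: to members of the
  // listed netgroups and to requests coming from PROXY_IP.
  conf.set(
      DefaultImpersonationProvider.getTestProvider().
          getProxySuperuserGroupConfKey(REAL_USER_NAME),
      StringUtils.join(",", Arrays.asList(NETGROUP_NAMES)));
  conf.set(
      DefaultImpersonationProvider.getTestProvider().
          getProxySuperuserIpConfKey(REAL_USER_NAME),
      PROXY_IP);

  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
  Groups groups = Groups.getUserToGroupsMappingService(conf);

  // try proxying a group that's allowed
  UserGroupInformation realUserUgi = UserGroupInformation
      .createRemoteUser(REAL_USER_NAME);

  // Resolve the groups once. Sizing the array from a second lookup could
  // leave trailing null entries if the two answers differed in length.
  String[] proxyUserGroups =
      groups.getGroups(PROXY_USER_NAME).toArray(new String[0]);
  UserGroupInformation proxyUserUgi =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, realUserUgi, proxyUserGroups);

  // Only the permitted combination is checked in this method; a denied
  // group or address is not exercised here.
  assertAuthorized(proxyUserUgi, PROXY_IP);
}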
 
Example 17
Source File: TestProxyUsers.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Test the netgroups (groups in ACL rules that start with @)
 *
 * This is a  manual test because it requires:
 *   - host setup
 *   - native code compiled
 *   - specify the group mapping class
 *
 * Host setup:
 *
 * /etc/nsswitch.conf should have a line like this:
 * netgroup: files
 *
 * /etc/netgroup should be (the whole file):
 * foo_group (,proxied_user,)
 *
 * To run this test:
 *
 * export JAVA_HOME='path/to/java'
 * mvn test \
 *   -Dtest=TestProxyUsers \
 *   -DTestProxyUsersGroupMapping=$className \
 *   
 * where $className is one of the classes that provide group
 * mapping services, i.e. classes that implement
 * GroupMappingServiceProvider interface, at this time:
 *   - org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping
 *   - org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping
 *
 */

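@Test
public void testNetgroups() throws IOException {

  // The netgroup providers need the native library; skip quietly without it.
  if(!NativeCodeLoader.isNativeCodeLoaded()) {
    LOG.info("Not testing netgroups, " +
      "this test only runs when native code is compiled");
    return;
  }

  // The provider class is chosen by the person running the test.
  String groupMappingClassName =
    System.getProperty("TestProxyUsersGroupMapping");

  if(groupMappingClassName == null) {
    LOG.info("Not testing netgroups, no group mapping class specified, " +
      "use -DTestProxyUsersGroupMapping=$className to specify " +
      "group mapping class (must implement GroupMappingServiceProvider " +
      "interface and support netgroups)");
    return;
  }

  LOG.info("Testing netgroups using: " + groupMappingClassName);

  Configuration conf = new Configuration();
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_GROUP_MAPPING,
    groupMappingClassName);

  // Impersonation by REAL_USER_NAME is limited twice: to members of the
  // listed netgroups and to requests coming from PROXY_IP.
  conf.set(
      DefaultImpersonationProvider.getTestProvider().
          getProxySuperuserGroupConfKey(REAL_USER_NAME),
      StringUtils.join(",", Arrays.asList(NETGROUP_NAMES)));
  conf.set(
      DefaultImpersonationProvider.getTestProvider().
          getProxySuperuserIpConfKey(REAL_USER_NAME),
      PROXY_IP);

  ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
  Groups groups = Groups.getUserToGroupsMappingService(conf);

  // try proxying a group that's allowed
  UserGroupInformation realUserUgi = UserGroupInformation
      .createRemoteUser(REAL_USER_NAME);

  // Resolve the groups once. Sizing the array from a second lookup could
  // leave trailing null entries if the two answers differed in length.
  String[] proxyUserGroups =
      groups.getGroups(PROXY_USER_NAME).toArray(new String[0]);
  UserGroupInformation proxyUserUgi =
      UserGroupInformation.createProxyUserForTesting(
          PROXY_USER_NAME, realUserUgi, proxyUserGroups);

  // Only the permitted combination is checked in this method; a denied
  // group or address is not exercised here.
  assertAuthorized(proxyUserUgi, PROXY_IP);
}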
 
Example 18
Source File: TestAccessControlList.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Test the netgroups (groups in ACL rules that start with @)
 *
 * This is a  manual test because it requires:
 *   - host setup
 *   - native code compiled
 *   - specify the group mapping class
 *
 * Host setup:
 *
 * /etc/nsswitch.conf should have a line like this:
 * netgroup: files
 *
 * /etc/netgroup should be (the whole file):
 * lasVegas (,elvis,)
 * memphis (,elvis,) (,jerryLeeLewis,)
 *
 * To run this test:
 *
 * export JAVA_HOME='path/to/java'
 * ant \
 *   -Dtestcase=TestAccessControlList \
 *   -Dtest.output=yes \
 *   -DTestAccessControlListGroupMapping=$className \
 *   compile-native test
 *
 * where $className is one of the classes that provide group
 * mapping services, i.e. classes that implement
 * GroupMappingServiceProvider interface, at this time:
 *   - org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping
 *   - org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping
 *
 */
@Test
public void testNetgroups() throws Exception {

  // Guard 1: the netgroup providers need the native library.
  if (!NativeCodeLoader.isNativeCodeLoaded()) {
    LOG.info("Not testing netgroups, this test only runs when native code is compiled");
    return;
  }

  // Guard 2: the provider class is chosen by the person running the test.
  // NOTE(review): the name is handed to the configuration unchecked and is
  // presumably instantiated by Hadoop; only the provider classes listed in
  // the Javadoc are expected here.
  String mappingClassName =
      System.getProperty("TestAccessControlListGroupMapping");
  if (mappingClassName == null) {
    LOG.info("Not testing netgroups, no group mapping class specified, " +
        "use -DTestAccessControlListGroupMapping=$className to specify " +
        "group mapping class (must implement GroupMappingServiceProvider " +
        "interface and support netgroups)");
    return;
  }

  LOG.info("Testing netgroups using: " + mappingClassName);

  Configuration conf = new Configuration();
  conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_GROUP_MAPPING,
      mappingClassName);
  Groups groups = Groups.getUserToGroupsMappingService(conf);

  // These ACLs are built only to populate the groups cache; the instances
  // themselves are not used afterwards.
  new AccessControlList("ja my"); // plain
  new AccessControlList("sinatra ratpack,@lasVegas"); // netgroup
  new AccessControlList(" somegroup,@someNetgroup"); // no user

  // This is the ACL the assertions run against.
  AccessControlList acl = new AccessControlList("carlPerkins ratpack,@lasVegas");
  acl.addGroup("@memphis");

  // Validate the netgroups before and after a refresh to make sure the
  // refresh keeps them resolvable.
  validateNetgroups(groups, acl);
  groups.refresh();
  validateNetgroups(groups, acl);
}