Java Code Examples for org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytabAndReturnUGI()

public SMHiveRecordWriter (Configuration conf) throws IOException {
	this.conf = conf;
       String principal = conf.get("hive.server2.authentication.kerberos.principal");
       String keytab = conf.get("hive.server2.authentication.kerberos.keytab");
       if (principal != null && keytab != null) {
           UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
           ugi.doAs(new PrivilegedAction<Void>(){
               public Void run() {
                   init();
                   return null;
               }
           });
       }
       else {
           init();
       }
}
 

@Test(expected = UndeclaredThrowableException.class)
public void testWrongServicePrincipal() throws IOException, InterruptedException {
    // Configure logins
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Client and Create negotiator
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(KerberosSuite.PRINCIPAL_CLIENT, KEYTAB_FILE.getAbsolutePath());
    final SpnegoNegotiator spnegoNegotiator = client.doAs(new PrivilegedExceptionAction<SpnegoNegotiator>() {
        @Override
        public SpnegoNegotiator run() throws Exception {
            return new SpnegoNegotiator(KerberosSuite.PRINCIPAL_CLIENT, "omgWrongServerName");
        }
    });

    client.doAs(new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            return spnegoNegotiator.send();
        }
    });
    fail("Should not be able to find non existent server credentials");
}
 

@Test
public void testMultipleInvocationsBySameUserAreEquivalent() throws Exception {
    final HashSet<ConnectionInfo> connections = new HashSet<>();
    final String princ1 = getUserPrincipal(1);
    final File keytab1 = getUserKeytabFile(1);

    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1, keytab1.getPath());

    PrivilegedExceptionAction<Void> callable = new PrivilegedExceptionAction<Void>() {
        public Void run() throws Exception {
            String url = joinUserAuthentication(BASE_URL, princ1, keytab1);
            connections.add(ConnectionInfo.create(url).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
            return null;
        }
    };

    // Using the same UGI should result in two equivalent ConnectionInfo objects
    ugi.doAs(callable);
    assertEquals(1, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);

    ugi.doAs(callable);
    assertEquals(1, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);
}
 

@Override public void start() throws IgniteException {
    super.start();

    KerberosHadoopFileSystemFactory proxy0 = (KerberosHadoopFileSystemFactory)proxy;

    A.ensure(!F.isEmpty(proxy0.getKeyTab()), "keyTab cannot not be empty.");
    A.ensure(!F.isEmpty(proxy0.getKeyTabPrincipal()), "keyTabPrincipal cannot not be empty.");
    A.ensure(proxy0.getReloginInterval() >= 0, "reloginInterval cannot not be negative.");

    reloginInterval = proxy0.getReloginInterval();

    try {
        UserGroupInformation.setConfiguration(cfg);

        user = UserGroupInformation.loginUserFromKeytabAndReturnUGI(proxy0.getKeyTabPrincipal(),
            proxy0.getKeyTab());
    }
    catch (IOException ioe) {
        throw new IgniteException("Failed login from keytab [keyTab=" + proxy0.getKeyTab() +
            ", keyTabPrincipal=" + proxy0.getKeyTabPrincipal() + ']', ioe);
    }
}
 

@Override
public UserGroupInformation createAndLoginUser(final Map<String, ?> properties) throws IOException {
  final Configuration conf = new SecurityConfiguration();
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
      UserGroupInformation.AuthenticationMethod.KERBEROS.toString());
  UserGroupInformation.setConfiguration(conf);

  final String keytab = (String) properties.get(DrillProperties.KEYTAB);
  final boolean assumeSubject = properties.containsKey(DrillProperties.KERBEROS_FROM_SUBJECT) &&
      Boolean.parseBoolean((String) properties.get(DrillProperties.KERBEROS_FROM_SUBJECT));
  try {
    final UserGroupInformation ugi;
    if (assumeSubject) {
      ugi = UserGroupInformation.getUGIFromSubject(Subject.getSubject(AccessController.getContext()));
      logger.debug("Assuming subject for {}.", ugi.getShortUserName());
    } else {
      if (keytab != null) {
        ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
            (String) properties.get(DrillProperties.USER), keytab);
        logger.debug("Logged in {} using keytab.", ugi.getShortUserName());
      } else {
        // includes Kerberos ticket login
        ugi = UserGroupInformation.getCurrentUser();
        logger.debug("Logged in {} using ticket.", ugi.getShortUserName());
      }
    }
    return ugi;
  } catch (final IOException e) {
    logger.debug("Login failed.", e);
    final Throwable cause = e.getCause();
    if (cause instanceof LoginException) {
      throw new SaslException("Failed to login.", cause);
    }
    throw new SaslException("Unexpected failure trying to login.", cause);
  }
}
 

private void start() throws Exception {
    int regionServerPort = REGION_SERVER_PORT + memberNumber;
    int regionServerInfoPort = REGION_SERVER_WEB_PORT + memberNumber;
    int derbyPort = SQLConfiguration.DEFAULT_NETWORK_BIND_PORT + memberNumber;

    Configuration config = SpliceTestPlatformConfig.create(
            hbaseTargetDirectory,
            0,
            0,
            0, //regionServerPort,
            0, //regionServerInfoPort,
            derbyPort,
            false,
            null,
            secure
    );

    String keytab = hbaseTargetDirectory+"/splice.keytab";
    UserGroupInformation ugi;
    if (secure) {
        ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("hbase/[email protected]", keytab);
        UserGroupInformation.setLoginUser(ugi);
    } else {
        ugi = UserGroupInformation.getCurrentUser();
    }

    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            MiniHBaseCluster miniHBaseCluster = new MiniHBaseCluster(config, 0, 1);
            miniHBaseCluster.startRegionServer();
            return null;
        }

    });
}
 

@Test
public void testMultipleUniqueUGIInstancesAreDisjoint() throws Exception {
    final HashSet<ConnectionInfo> connections = new HashSet<>();
    final String princ1 = getUserPrincipal(1);
    final File keytab1 = getUserKeytabFile(1);

    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1, keytab1.getPath());

    PrivilegedExceptionAction<Void> callable = new PrivilegedExceptionAction<Void>() {
        public Void run() throws Exception {
            String url = joinUserAuthentication(BASE_URL, princ1, keytab1);
            connections.add(ConnectionInfo.create(url).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
            return null;
        }
    };

    ugi.doAs(callable);
    assertEquals(1, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);

    // A second, but equivalent, call from the same "real" user but a different UGI instance
    // is expected functionality (programmer error).
    UserGroupInformation ugiCopy = UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1, keytab1.getPath());
    ugiCopy.doAs(callable);
    assertEquals(2, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);
}
 

@Before
public void createTable() throws Exception {
  tableName = TableName.valueOf(name.getMethodName());

  // Create a table and write a record as the service user (hbase)
  UserGroupInformation serviceUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      "hbase/localhost", KEYTAB_FILE.getAbsolutePath());
  clusterId = serviceUgi.doAs(new PrivilegedExceptionAction<String>() {
    @Override public String run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(CONF);
          Admin admin = conn.getAdmin();) {
        admin.createTable(TableDescriptorBuilder
            .newBuilder(tableName)
            .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1"))
            .build());

        UTIL.waitTableAvailable(tableName);

        try (Table t = conn.getTable(tableName)) {
          Put p = new Put(Bytes.toBytes("r1"));
          p.addColumn(Bytes.toBytes("f1"), Bytes.toBytes("q1"), Bytes.toBytes("1"));
          t.put(p);
        }

        return admin.getClusterMetrics().getClusterId();
      }
    }
  });

  assertNotNull(clusterId);
}
 

@Test(expected = UndeclaredThrowableException.class)
public void testFalseResponseFromServerFails() throws IOException, InterruptedException {
    // Configure logins
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Client and Create negotiator
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(KerberosSuite.PRINCIPAL_CLIENT, KEYTAB_FILE.getAbsolutePath());
    final SpnegoNegotiator spnegoNegotiator = client.doAs(new PrivilegedExceptionAction<SpnegoNegotiator>() {
        @Override
        public SpnegoNegotiator run() throws Exception {
            return new SpnegoNegotiator(KerberosSuite.PRINCIPAL_CLIENT, KerberosSuite.PRINCIPAL_SERVER);
        }
    });

    String baseToken = client.doAs(new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            return spnegoNegotiator.send();
        }
    });
    final byte[] token = Base64.decodeBase64(baseToken);

    spnegoNegotiator.setTokenData(Base64.encodeBase64String(new byte[]{1,2,3,4,5}));
    client.doAs(new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            return spnegoNegotiator.send();
        }
    });
    fail("Defective token given to Negotiator and accepted.");
}
 

@Test
public void testUnauthorizedUser() throws Exception {
  UserGroupInformation nonAdmin = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      USER_NONE_STR, KEYTAB_FILE.getAbsolutePath());
  nonAdmin.doAs(new PrivilegedExceptionAction<Void>() {
    @Override public Void run() throws Exception {
      Pair<Integer,String> pair = getLogLevelPage();
      assertEquals(HttpURLConnection.HTTP_FORBIDDEN, pair.getFirst().intValue());
      return null;
    }
  });
}
 

private void createTable() throws Exception {
  tableName = name.getTableName();

  // Create a table and write a record as the service user (hbase)
  UserGroupInformation serviceUgi = UserGroupInformation
    .loginUserFromKeytabAndReturnUGI("hbase/localhost", KEYTAB_FILE.getAbsolutePath());
  clusterId = serviceUgi.doAs(new PrivilegedExceptionAction<String>() {
    @Override
    public String run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(CONF);
        Admin admin = conn.getAdmin();) {
        admin.createTable(TableDescriptorBuilder.newBuilder(tableName)
          .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1")).build());

        UTIL.waitTableAvailable(tableName);

        try (Table t = conn.getTable(tableName)) {
          Put p = new Put(Bytes.toBytes("r1"));
          p.addColumn(Bytes.toBytes("f1"), Bytes.toBytes("q1"), Bytes.toBytes("1"));
          t.put(p);
        }

        return admin.getClusterMetrics().getClusterId();
      }
    }
  });
  assertNotNull(clusterId);
}
 

private UserGroupInformation loginAndReturnUgi() throws DrillException {

    validateSpnegoConfig();

    UserGroupInformation ugi;
    try {
      // Check if security is not enabled and try to set the security parameter to login the principal.
      // After the login is performed reset the static UGI state.
      if (!UserGroupInformation.isSecurityEnabled()) {
        final Configuration newConfig = new Configuration();
        newConfig.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
            UserGroupInformation.AuthenticationMethod.KERBEROS.toString());

        if (clientNameMapping != null) {
          newConfig.set(CommonConfigurationKeys.HADOOP_SECURITY_AUTH_TO_LOCAL, clientNameMapping);
        }

        UserGroupInformation.setConfiguration(newConfig);
        ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);

        // Reset the original configuration for static UGI
        UserGroupInformation.setConfiguration(new Configuration());
      } else {
        // Let's not overwrite the rules here since it might be possible that CUSTOM security is configured for
        // JDBC/ODBC with default rules. If Kerberos was enabled then the correct rules must already be set
        ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
      }
    } catch (Exception e) {
      throw new DrillException(String.format("Login failed for %s with given keytab", principal), e);
    }
    return ugi;
  }
 

@Test
public void testSuccessfulNegotiateWithRealmName() throws IOException, GSSException, InterruptedException {
    // Mechanisms
    final GSSManager gssManager = GSSManager.getInstance();
    final Oid spnegoOid = new Oid("1.3.6.1.5.5.2");

    // Configure logins
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Server
    UserGroupInformation server = UserGroupInformation.loginUserFromKeytabAndReturnUGI(withRealm(KerberosSuite.PRINCIPAL_SERVER), KEYTAB_FILE.getAbsolutePath());
    final GSSName gssServicePrincipalName = gssManager.createName(withRealm(KerberosSuite.PRINCIPAL_SERVER), GSSName.NT_USER_NAME);
    final GSSCredential gssServiceCredential = server.doAs(new PrivilegedExceptionAction<GSSCredential>() {
        @Override
        public GSSCredential run() throws Exception {
            return gssManager.createCredential(
                    gssServicePrincipalName,
                    GSSCredential.DEFAULT_LIFETIME,
                    spnegoOid,
                    GSSCredential.ACCEPT_ONLY
            );
        }
    });
    final GSSContext serverCtx = gssManager.createContext(gssServiceCredential);

    // Login as Client and Create negotiator
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(withRealm(KerberosSuite.PRINCIPAL_CLIENT), KEYTAB_FILE.getAbsolutePath());
    final SpnegoNegotiator spnegoNegotiator = client.doAs(new PrivilegedExceptionAction<SpnegoNegotiator>() {
        @Override
        public SpnegoNegotiator run() throws Exception {
            return new SpnegoNegotiator(withRealm(KerberosSuite.PRINCIPAL_CLIENT), withRealm(KerberosSuite.PRINCIPAL_SERVER));
        }
    });

    byte[] token = new byte[0];
    boolean authenticated = false;

    for (int idx = 0; idx < 100; idx++) {
        if (!spnegoNegotiator.established()) {
            final byte[] sendToken = token;
            String baseToken = client.doAs(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws Exception {
                    if (sendToken.length > 0) {
                        return spnegoNegotiator.send(Base64.encodeBase64String(sendToken));
                    } else {
                        return spnegoNegotiator.send();
                    }
                }
            });
            token = Base64.decodeBase64(baseToken);
        }

        if (!spnegoNegotiator.established() && serverCtx.isEstablished()) {
            fail("Server is established, but client is not.");
        }

        if (!serverCtx.isEstablished()) {
            final byte[] currentToken = token;
            token = server.doAs(new PrivilegedExceptionAction<byte[]>() {
                @Override
                public byte[] run() throws Exception {
                    return serverCtx.acceptSecContext(currentToken, 0, currentToken.length);
                }
            });
        }

        if (serverCtx.isEstablished() && spnegoNegotiator.established()) {
            authenticated = true;
            break;
        }
    }

    assertThat(authenticated, is(true));
    assertThat(serverCtx.isEstablished(), is(true));
    assertThat(spnegoNegotiator.established(), is(true));

    spnegoNegotiator.close();
    assertThat(spnegoNegotiator.established(), is(false));
}
 

@Test
public void testAuthWithReverseLookupServicePrincipal() throws Exception {
    // Configure logins
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Client and Execute Test
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(KerberosSuite.PRINCIPAL_CLIENT, KEYTAB_FILE.getAbsolutePath());

    client.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            HttpParams params = new HttpClientParams();

            // Order auth schemes
            EsHadoopAuthPolicies.registerAuthSchemes();
            List<String> authPreferences = new ArrayList<String>();
            authPreferences.add(EsHadoopAuthPolicies.NEGOTIATE);
            params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPreferences);

            AuthChallengeProcessor authChallengeProcessor = new AuthChallengeProcessor(params);

            Map<String, String> dnsMappings = new HashMap<String, String>();
            dnsMappings.put("es.build.elastic.co", "127.0.0.1");

            TestMethod method = new TestMethod();
            method.setHeaders(new Header[]{new Header("WWW-Authenticate", "Negotiate")});
            method.setURI(new org.apache.commons.httpclient.URI("http", null, "127.0.0.1", 9200));

            Credentials credentials = new SpnegoCredentials(HadoopUserProvider.create(new TestSettings()), "HTTP/[email protected]");

            // Parse Challenge
            Map challenges = AuthChallengeParser.parseChallenges(method.getResponseHeaders("WWW-Authenticate"));
            assertThat(challenges.isEmpty(), not(true));
            assertThat(challenges.containsKey("negotiate"), is(true));
            assertThat(challenges.get("negotiate"), is("Negotiate"));
            AuthScheme scheme = authChallengeProcessor.processChallenge(method.getHostAuthState(), challenges);

            assertNotNull(scheme);
            assertThat(scheme, instanceOf(SpnegoAuthScheme.class));
            method.getHostAuthState().setAuthAttempted(true);

            // Execute Auth
            Header[] authHeaders = method.getRequestHeaders("Authorization");
            for (Header authHeader : authHeaders) {
                if (authHeader.isAutogenerated()) {
                    method.removeRequestHeader(authHeader);
                }
            }
            AuthState authState = method.getHostAuthState();
            AuthScheme authScheme = authState.getAuthScheme();
            assertNotNull(authScheme);
            assertThat(authScheme.isConnectionBased(), is(not(true)));

            // Replace scheme with test harness scheme
            authScheme = new TestScheme(dnsMappings);
            String authString = authScheme.authenticate(credentials, method);

            assertNotNull(authString);
            assertThat(authString, startsWith("Negotiate "));
            method.addRequestHeader(new Header("Authorization", authString, true));

            return null;
        }
    });
}
 

private UserGroupInformation login(Configuration hadoopConfiguration, Settings repositorySettings) {
    // Validate the authentication method:
    AuthenticationMethod authMethod = SecurityUtil.getAuthenticationMethod(hadoopConfiguration);
    if (authMethod.equals(AuthenticationMethod.SIMPLE) == false
        && authMethod.equals(AuthenticationMethod.KERBEROS) == false) {
        throw new RuntimeException("Unsupported authorization mode [" + authMethod + "]");
    }

    // Check if the user added a principal to use, and that there is a keytab file provided
    String kerberosPrincipal = repositorySettings.get(CONF_SECURITY_PRINCIPAL);

    // Check to see if the authentication method is compatible
    if (kerberosPrincipal != null && authMethod.equals(AuthenticationMethod.SIMPLE)) {
        LOGGER.warn("Hadoop authentication method is set to [SIMPLE], but a Kerberos principal is " +
            "specified. Continuing with [KERBEROS] authentication.");
        SecurityUtil.setAuthenticationMethod(AuthenticationMethod.KERBEROS, hadoopConfiguration);
    } else if (kerberosPrincipal == null && authMethod.equals(AuthenticationMethod.KERBEROS)) {
        throw new RuntimeException("HDFS Repository does not support [KERBEROS] authentication without " +
            "a valid Kerberos principal and keytab. Please specify a principal in the repository settings with [" +
            CONF_SECURITY_PRINCIPAL + "].");
    }

    // Now we can initialize the UGI with the configuration.
    UserGroupInformation.setConfiguration(hadoopConfiguration);

    // Debugging
    LOGGER.debug("Hadoop security enabled: [{}]", UserGroupInformation.isSecurityEnabled());
    LOGGER.debug("Using Hadoop authentication method: [{}]", SecurityUtil.getAuthenticationMethod(hadoopConfiguration));

    // UserGroupInformation (UGI) instance is just a Hadoop specific wrapper around a Java Subject
    try {
        if (UserGroupInformation.isSecurityEnabled()) {
            String principal = preparePrincipal(kerberosPrincipal);
            String keytab = HdfsSecurityContext.locateKeytabFile(environment).toString();
            LOGGER.debug("Using kerberos principal [{}] and keytab located at [{}]", principal, keytab);
            return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
        }
        return UserGroupInformation.getCurrentUser();
    } catch (IOException e) {
        throw new UncheckedIOException("Could not retrieve the current user information", e);
    }
}
 

@Test
public void testPositiveAuthorization() throws Exception {
  // Create a table, write a row to it, grant read perms to the client
  UserGroupInformation superuser = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      SERVICE_PRINCIPAL, serviceKeytab.getAbsolutePath());
  final TableName table = TableName.valueOf("publicTable");
  superuser.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      try (Connection conn = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration())) {
        TableDescriptor desc = TableDescriptorBuilder.newBuilder(table)
            .setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1"))
            .build();
        conn.getAdmin().createTable(desc);
        try (Table t = conn.getTable(table)) {
          Put p = new Put(Bytes.toBytes("a"));
          p.addColumn(Bytes.toBytes("f1"), new byte[0], Bytes.toBytes("1"));
          t.put(p);
        }
        AccessControlClient.grant(conn, CLIENT_PRINCIPAL, Action.READ);
      } catch (Throwable e) {
        if (e instanceof Exception) {
          throw (Exception) e;
        } else {
          throw new Exception(e);
        }
      }
      return null;
    }
  });

  // Read that row as the client
  Pair<CloseableHttpClient,HttpClientContext> pair = getClient();
  CloseableHttpClient client = pair.getFirst();
  HttpClientContext context = pair.getSecond();

  HttpGet get = new HttpGet(new URL("http://localhost:"+ REST_TEST.getServletPort()).toURI()
      + "/" + table + "/a");
  get.addHeader("Accept", "application/json");
  UserGroupInformation user = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      CLIENT_PRINCIPAL, clientKeytab.getAbsolutePath());
  String jsonResponse = user.doAs(new PrivilegedExceptionAction<String>() {
    @Override
    public String run() throws Exception {
      try (CloseableHttpResponse response = client.execute(get, context)) {
        final int statusCode = response.getStatusLine().getStatusCode();
        assertEquals(response.getStatusLine().toString(), HttpURLConnection.HTTP_OK, statusCode);
        HttpEntity entity = response.getEntity();
        return EntityUtils.toString(entity);
      }
    }
  });
  ObjectMapper mapper = new JacksonJaxbJsonProvider()
      .locateMapper(CellSetModel.class, MediaType.APPLICATION_JSON_TYPE);
  CellSetModel model = mapper.readValue(jsonResponse, CellSetModel.class);
  assertEquals(1, model.getRows().size());
  RowModel row = model.getRows().get(0);
  assertEquals("a", Bytes.toString(row.getKey()));
  assertEquals(1, row.getCells().size());
  CellModel cell = row.getCells().get(0);
  assertEquals("1", Bytes.toString(cell.getValue()));
}
 

/**
 * Run both client and server using the given protocol.
 *
 * @param bindProtocol specify either http or https for server
 * @param connectProtocol specify either http or https for client
 * @param isSpnego true if SPNEGO is enabled
 * @throws Exception if client can't accesss server.
 */
private void testDynamicLogLevel(final String bindProtocol, final String connectProtocol,
    final boolean isSpnego, final String newLevel)
    throws Exception {
  if (!LogLevel.isValidProtocol(bindProtocol)) {
    throw new Exception("Invalid server protocol " + bindProtocol);
  }
  if (!LogLevel.isValidProtocol(connectProtocol)) {
    throw new Exception("Invalid client protocol " + connectProtocol);
  }
  Level oldLevel = log.getEffectiveLevel();
  assertNotEquals("Get default Log Level which shouldn't be ERROR.",
      Level.ERROR, oldLevel);

  // configs needed for SPNEGO at server side
  if (isSpnego) {
    serverConf.set(PRINCIPAL, HTTP_PRINCIPAL);
    serverConf.set(KEYTAB, keyTabFile.getAbsolutePath());
    serverConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
    serverConf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
    UserGroupInformation.setConfiguration(serverConf);
  } else {
    serverConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "simple");
    serverConf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false);
    UserGroupInformation.setConfiguration(serverConf);
  }

  final HttpServer server = createServer(bindProtocol, isSpnego);
  // get server port
  final String authority = NetUtils.getHostPortString(server.getConnectorAddress(0));

  String keytabFilePath = keyTabFile.getAbsolutePath();

  UserGroupInformation clientUGI = UserGroupInformation.
      loginUserFromKeytabAndReturnUGI(clientPrincipal, keytabFilePath);
  try {
    clientUGI.doAs((PrivilegedExceptionAction<Void>) () -> {
      // client command line
      getLevel(connectProtocol, authority);
      setLevel(connectProtocol, authority, newLevel);
      return null;
    });
  } finally {
    clientUGI.logoutUserFromKeytab();
    server.stop();
  }

  // restore log level
  GenericTestUtils.setLogLevel(log, oldLevel);
}
 

@Test
public void testAuth() throws Exception {
    // Configure logins
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Client and Execute Test
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(KerberosSuite.PRINCIPAL_CLIENT, KEYTAB_FILE.getAbsolutePath());

    client.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            HttpParams params = new HttpClientParams();

            // Order auth schemes
            EsHadoopAuthPolicies.registerAuthSchemes();
            List<String> authPreferences = new ArrayList<String>();
            authPreferences.add(EsHadoopAuthPolicies.NEGOTIATE);
            params.setParameter(AuthPolicy.AUTH_SCHEME_PRIORITY, authPreferences);

            AuthChallengeProcessor authChallengeProcessor = new AuthChallengeProcessor(params);
            TestMethod method = new TestMethod();
            method.setHeaders(new Header[]{new Header("WWW-Authenticate", "Negotiate")});

            Credentials credentials = new SpnegoCredentials(HadoopUserProvider.create(new TestSettings()), KerberosSuite.PRINCIPAL_SERVER);

            // Parse Challenge
            Map challenges = AuthChallengeParser.parseChallenges(method.getResponseHeaders("WWW-Authenticate"));
            assertThat(challenges.isEmpty(), not(true));
            assertThat(challenges.containsKey("negotiate"), is(true));
            assertThat(challenges.get("negotiate"), is("Negotiate"));
            AuthScheme scheme = authChallengeProcessor.processChallenge(method.getHostAuthState(), challenges);

            assertNotNull(scheme);
            assertThat(scheme, instanceOf(SpnegoAuthScheme.class));
            method.getHostAuthState().setAuthAttempted(true);

            // Execute Auth
            Header[] authHeaders = method.getRequestHeaders("Authorization");
            for (Header authHeader : authHeaders) {
                if (authHeader.isAutogenerated()) {
                    method.removeRequestHeader(authHeader);
                }
            }
            AuthState authState = method.getHostAuthState();
            AuthScheme authScheme = authState.getAuthScheme();
            assertNotNull(authScheme);
            assertThat(authScheme.isConnectionBased(), is(not(true)));
            String authString = authScheme.authenticate(credentials, method);

            assertNotNull(authString);
            assertThat(authString, startsWith("Negotiate "));
            method.addRequestHeader(new Header("Authorization", authString, true));

            return null;
        }
    });
}
 

/**
 * Login via a UGI. Requres UGI to have been set up
 * @param user username
 * @param keytab keytab to list
 * @return the UGI
 * @throws IOException
 */
public static UserGroupInformation loginUGI(String user, File keytab) throws
    IOException {
  LOG.info("Logging in as {} from {}", user, keytab);
  return UserGroupInformation.loginUserFromKeytabAndReturnUGI(user,
      keytab.getAbsolutePath());
}
 

/**
 * Initializes UserGroupInformation with the given Configuration and performs the login for the given principal
 * and keytab. All logins should happen through this class to ensure other threads are not concurrently modifying
 * UserGroupInformation.
 *
 * @param config the configuration instance
 * @param principal the principal to authenticate as
 * @param keyTab the keytab to authenticate with
 *
 * @return the UGI for the given principal
 *
 * @throws IOException if login failed
 */
public static synchronized UserGroupInformation loginKerberos(final Configuration config, final String principal, final String keyTab)
        throws IOException {
    Validate.notNull(config);
    Validate.notNull(principal);
    Validate.notNull(keyTab);

    UserGroupInformation.setConfiguration(config);
    return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal.trim(), keyTab.trim());
}