org.apache.hadoop.service.ServiceStateException Java Examples

Example #1
Source File: RegistrySecurity.java    From hadoop with Apache License 2.0 6 votes vote down vote up
/**
 * Initializes the service and picks the registry client access policy named
 * by {@code KEY_REGISTRY_CLIENT_AUTH}.
 *
 * <p>If the key is unset, {@code REGISTRY_CLIENT_AUTH_ANONYMOUS} is used.
 * A value matching none of the known mechanisms aborts initialization, so a
 * mistyped mechanism never falls back to a different policy.
 *
 * @param conf configuration the authentication mechanism is read from
 * @throws ServiceStateException if the configured mechanism is not recognized
 * @throws Exception on any failure raised by the superclass or by
 *     {@code initSecurity()}
 */
@Override
protected void serviceInit(Configuration conf) throws Exception {
  super.serviceInit(conf);
  final String mechanism = conf.getTrimmed(KEY_REGISTRY_CLIENT_AUTH,
      REGISTRY_CLIENT_AUTH_ANONYMOUS);

  // Resolve the policy first; the field is written only for a known value.
  final AccessPolicy policy;
  switch (mechanism) {
  case REGISTRY_CLIENT_AUTH_ANONYMOUS:
    policy = AccessPolicy.anon;
    break;
  case REGISTRY_CLIENT_AUTH_DIGEST:
    policy = AccessPolicy.digest;
    break;
  case REGISTRY_CLIENT_AUTH_KERBEROS:
    policy = AccessPolicy.sasl;
    break;
  default:
    // unknown mechanism: refuse to start, echoing the offending value
    throw new ServiceStateException(E_UNKNOWN_AUTHENTICATION_MECHANISM
        + "\"" + mechanism + "\"");
  }
  access = policy;
  initSecurity();
}
 
Example #2
Source File: RegistrySecurity.java    From big-c with Apache License 2.0 6 votes vote down vote up
/**
 * Service initialization: maps the configured client authentication
 * mechanism onto an {@code AccessPolicy} and then sets up security.
 *
 * <p>The mechanism is read from {@code KEY_REGISTRY_CLIENT_AUTH}, with
 * {@code REGISTRY_CLIENT_AUTH_ANONYMOUS} as the value used when the key is
 * absent. An unrecognized value is rejected rather than replaced by a
 * default.
 *
 * @param conf configuration to read
 * @throws ServiceStateException if the mechanism is not one of the known
 *     values
 * @throws Exception if the superclass or {@code initSecurity()} fails
 */
@Override
protected void serviceInit(Configuration conf) throws Exception {
  super.serviceInit(conf);
  final String configuredAuth = conf.getTrimmed(KEY_REGISTRY_CLIENT_AUTH,
      REGISTRY_CLIENT_AUTH_ANONYMOUS);

  final AccessPolicy chosen;
  switch (configuredAuth) {
  case REGISTRY_CLIENT_AUTH_KERBEROS:
    chosen = AccessPolicy.sasl;
    break;
  case REGISTRY_CLIENT_AUTH_DIGEST:
    chosen = AccessPolicy.digest;
    break;
  case REGISTRY_CLIENT_AUTH_ANONYMOUS:
    chosen = AccessPolicy.anon;
    break;
  default:
    // no silent fallback: an unknown mechanism stops initialization
    throw new ServiceStateException(E_UNKNOWN_AUTHENTICATION_MECHANISM
        + "\"" + configuredAuth + "\"");
  }
  // the field changes only once a known mechanism has been matched
  access = chosen;
  initSecurity();
}
 
Example #3
Source File: TestLeveldbTimelineStore.java    From hadoop with Apache License 2.0 5 votes vote down vote up
@Test
public void testCheckVersion() throws IOException {
  // Exercises the schema-version check of the leveldb timeline store
  // across restarts.
  LeveldbTimelineStore timelineStore = (LeveldbTimelineStore) store;

  // the stored version starts out equal to the current one
  final Version current = timelineStore.getCurrentVersion();
  Assert.assertEquals(current, timelineStore.loadVersion());

  // same major, minor + 2: a compatible version, stored and read back
  final Version newerMinor = Version.newInstance(
      current.getMajorVersion(), current.getMinorVersion() + 2);
  timelineStore.storeVersion(newerMinor);
  Assert.assertEquals(newerMinor, timelineStore.loadVersion());

  // after a restart the compatible version has been overwritten
  restartTimelineStore();
  timelineStore = (LeveldbTimelineStore) store;
  Assert.assertEquals(current, timelineStore.loadVersion());

  // major + 1: an incompatible version, so the restart must be refused
  final Version newerMajor = Version.newInstance(
      current.getMajorVersion() + 1, current.getMinorVersion());
  timelineStore.storeVersion(newerMajor);
  try {
    restartTimelineStore();
    Assert.fail("Incompatible version, should expect fail here.");
  } catch (ServiceStateException expected) {
    Assert.assertTrue("Exception message mismatch",
        expected.getMessage().contains(
            "Incompatible version for timeline store"));
  }
}
 
Example #4
Source File: TestServiceLifecycle.java    From big-c with Apache License 2.0 5 votes vote down vote up
@Test
public void testInitNullConf() throws Throwable {
  // Both outcomes pass: init(null) may succeed (logged as a warning) or be
  // rejected with a ServiceStateException.
  final BreakableService service = new BreakableService(false, false, false);
  try {
    service.init(null);
    LOG.warn("Null Configurations are permitted ");
  } catch (ServiceStateException expected) {
    // rejecting the null configuration is the anticipated outcome
  }
}
 
Example #5
Source File: TestSecureRMRegistryOperations.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Digest authentication configured with an ID but an empty password: the
 * test passes only if a {@link ServiceStateException} is raised.
 */
@Test(expected = ServiceStateException.class)
public void testNoDigestAuthMissingPass2() throws Throwable {
  final String emptyPassword = "";
  zkClientConf.set(KEY_REGISTRY_CLIENT_AUTH, REGISTRY_CLIENT_AUTH_DIGEST);
  zkClientConf.set(KEY_REGISTRY_CLIENT_AUTHENTICATION_ID, "id");
  zkClientConf.set(KEY_REGISTRY_CLIENT_AUTHENTICATION_PASSWORD,
      emptyPassword);
  // presumably the incomplete credentials are rejected while the instance
  // is being created -- confirm against the factory
  RegistryOperationsFactory.createInstance("DigestRegistryOperations",
      zkClientConf);
}
 
Example #6
Source File: TestSecureRMRegistryOperations.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Digest authentication configured with a password but an empty ID: the
 * test passes only if a {@link ServiceStateException} is raised.
 */
@Test(expected = ServiceStateException.class)
public void testNoDigestAuthMissingId2() throws Throwable {
  final String emptyId = "";
  zkClientConf.set(KEY_REGISTRY_CLIENT_AUTH, REGISTRY_CLIENT_AUTH_DIGEST);
  zkClientConf.set(KEY_REGISTRY_CLIENT_AUTHENTICATION_ID, emptyId);
  zkClientConf.set(KEY_REGISTRY_CLIENT_AUTHENTICATION_PASSWORD, "pass");
  // presumably the incomplete credentials are rejected while the instance
  // is being created -- confirm against the factory
  RegistryOperationsFactory.createInstance("DigestRegistryOperations",
      zkClientConf);
}
 
Example #7
Source File: RegistryAdminService.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Checks that a Kerberos realm is known whenever the registry is secure.
 * An insecure registry needs no realm, so nothing is checked for it.
 *
 * @throws ServiceStateException if the registry is secure and the realm is
 *     null or empty
 */
protected void verifyRealmValidity() throws ServiceStateException {
  if (!isSecure()) {
    return;
  }
  final String kerberosRealm = getRegistrySecurity().getKerberosRealm();
  if (StringUtils.isEmpty(kerberosRealm)) {
    // a secure registry without a realm is treated as a hard failure
    throw new ServiceStateException("Cannot determine service realm");
  }
  if (LOG.isDebugEnabled()) {
    LOG.debug("Started Registry operations in realm {}", kerberosRealm);
  }
}
 
Example #8
Source File: CuratorService.java    From big-c with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that this service is in the {@code STARTED} state.
 *
 * @throws ServiceStateException if the service is in any other state; the
 *     message names the service and its current state
 */
private void checkServiceLive() throws ServiceStateException {
  if (isInState(STATE.STARTED)) {
    return;
  }
  final String problem =
      "Service " + getName() + " is in wrong state: " + getServiceState();
  throw new ServiceStateException(problem);
}
 
Example #9
Source File: TestLeveldbTimelineStateStore.java    From big-c with Apache License 2.0 5 votes vote down vote up
@Test
public void testCheckVersion() throws IOException {
  // Walks the timeline state store through current, compatible and
  // incompatible schema versions, restarting the service between steps.
  LeveldbTimelineStateStore svc =
      initAndStartTimelineServiceStateStoreService();

  // the stored version starts out equal to the current one
  final Version current = svc.getCurrentVersion();
  Assert.assertEquals(current, svc.loadVersion());

  // same major, minor + 2: stored and read back unchanged
  final Version newerMinor = Version.newInstance(
      current.getMajorVersion(), current.getMinorVersion() + 2);
  svc.storeVersion(newerMinor);
  Assert.assertEquals(newerMinor, svc.loadVersion());
  svc.stop();

  // a restart over the compatible version resets it to the current one
  svc = initAndStartTimelineServiceStateStoreService();
  Assert.assertEquals(current, svc.loadVersion());

  // major + 1: the next start has to be rejected
  final Version newerMajor = Version.newInstance(
      current.getMajorVersion() + 1, current.getMinorVersion());
  svc.storeVersion(newerMajor);
  svc.stop();

  try {
    initAndStartTimelineServiceStateStoreService();
    Assert.fail("Incompatible version, should expect fail here.");
  } catch (ServiceStateException expected) {
    Assert.assertTrue("Exception message mismatch",
        expected.getMessage().contains(
            "Incompatible version for timeline state store"));
  }
}
 
Example #10
Source File: TestLeveldbTimelineStore.java    From big-c with Apache License 2.0 5 votes vote down vote up
@Test
public void testCheckVersion() throws IOException {
  // Version check of the leveldb timeline store: current, compatible and
  // incompatible versions, with a restart after each stored version.
  LeveldbTimelineStore leveldb = (LeveldbTimelineStore) store;

  // default: stored version equals the current version
  final Version baseline = leveldb.getCurrentVersion();
  Assert.assertEquals(baseline, leveldb.loadVersion());

  // compatible: only the minor number is raised
  final Version minorBump = Version.newInstance(
      baseline.getMajorVersion(), baseline.getMinorVersion() + 2);
  leveldb.storeVersion(minorBump);
  Assert.assertEquals(minorBump, leveldb.loadVersion());

  // the restart overwrites the compatible version with the baseline
  restartTimelineStore();
  leveldb = (LeveldbTimelineStore) store;
  Assert.assertEquals(baseline, leveldb.loadVersion());

  // incompatible: the major number is raised, the restart must fail
  final Version majorBump = Version.newInstance(
      baseline.getMajorVersion() + 1, baseline.getMinorVersion());
  leveldb.storeVersion(majorBump);
  try {
    restartTimelineStore();
    Assert.fail("Incompatible version, should expect fail here.");
  } catch (ServiceStateException rejected) {
    Assert.assertTrue("Exception message mismatch",
        rejected.getMessage().contains(
            "Incompatible version for timeline store"));
  }
}
 
Example #11
Source File: TestNMLeveldbStateStoreService.java    From big-c with Apache License 2.0 5 votes vote down vote up
@Test
public void testCheckVersion() throws IOException {
  // Version check of the NM state store across restarts.

  // default: stored version equals the current version
  final Version current = stateStore.getCurrentVersion();
  Assert.assertEquals(current, stateStore.loadVersion());

  // compatible: same major, minor + 2
  final Version newerMinor = Version.newInstance(
      current.getMajorVersion(), current.getMinorVersion() + 2);
  stateStore.storeVersion(newerMinor);
  Assert.assertEquals(newerMinor, stateStore.loadVersion());

  // the restart overwrites the compatible version with the current one
  restartStateStore();
  Assert.assertEquals(current, stateStore.loadVersion());

  // incompatible: major + 1, so the restart must be refused
  final Version newerMajor = Version.newInstance(
      current.getMajorVersion() + 1, current.getMinorVersion());
  stateStore.storeVersion(newerMajor);
  try {
    restartStateStore();
    Assert.fail("Incompatible version, should expect fail here.");
  } catch (ServiceStateException expected) {
    Assert.assertTrue("Exception message mismatch",
        expected.getMessage().contains("Incompatible version for NM state:"));
  }
}
 
Example #12
Source File: TestServiceLifecycle.java    From hadoop with Apache License 2.0 5 votes vote down vote up
@Test
public void testInitNullConf() throws Throwable {
  // The test tolerates both behaviours: a successful init(null) is only
  // logged, a ServiceStateException is swallowed as the expected case.
  final BreakableService breakable =
      new BreakableService(false, false, false);
  try {
    breakable.init(null);
    LOG.warn("Null Configurations are permitted ");
  } catch (ServiceStateException rejected) {
    // expected: the null configuration was refused
  }
}
 
Example #13
Source File: TestSecureRMRegistryOperations.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Digest mode with an authentication ID and an empty password must end in a
 * {@link ServiceStateException}; any other outcome fails the test.
 */
@Test(expected = ServiceStateException.class)
public void testNoDigestAuthMissingPass2() throws Throwable {
  final String blankPassword = "";
  zkClientConf.set(KEY_REGISTRY_CLIENT_AUTH, REGISTRY_CLIENT_AUTH_DIGEST);
  zkClientConf.set(KEY_REGISTRY_CLIENT_AUTHENTICATION_ID, "id");
  zkClientConf.set(KEY_REGISTRY_CLIENT_AUTHENTICATION_PASSWORD,
      blankPassword);
  // NOTE(review): the exception is presumably raised by createInstance()
  RegistryOperationsFactory.createInstance("DigestRegistryOperations",
      zkClientConf);
}
 
Example #14
Source File: TestSecureRMRegistryOperations.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Digest mode with a password and an empty authentication ID must end in a
 * {@link ServiceStateException}; any other outcome fails the test.
 */
@Test(expected = ServiceStateException.class)
public void testNoDigestAuthMissingId2() throws Throwable {
  final String blankId = "";
  zkClientConf.set(KEY_REGISTRY_CLIENT_AUTH, REGISTRY_CLIENT_AUTH_DIGEST);
  zkClientConf.set(KEY_REGISTRY_CLIENT_AUTHENTICATION_ID, blankId);
  zkClientConf.set(KEY_REGISTRY_CLIENT_AUTHENTICATION_PASSWORD, "pass");
  // NOTE(review): the exception is presumably raised by createInstance()
  RegistryOperationsFactory.createInstance("DigestRegistryOperations",
      zkClientConf);
}
 
Example #15
Source File: RegistryAdminService.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Validates the Kerberos realm.
 * <ul>
 *   <li>Insecure registry: no check is made.</li>
 *   <li>Secure registry: the realm must be non-null and non-empty.</li>
 * </ul>
 *
 * @throws ServiceStateException if the registry is secure and no realm has
 *     been determined
 */
protected void verifyRealmValidity() throws ServiceStateException {
  if (!isSecure()) {
    return;
  }
  final String serviceRealm = getRegistrySecurity().getKerberosRealm();
  final boolean realmMissing = StringUtils.isEmpty(serviceRealm);
  if (realmMissing) {
    // stop here: a secure registry cannot proceed without a realm
    throw new ServiceStateException("Cannot determine service realm");
  }
  if (LOG.isDebugEnabled()) {
    LOG.debug("Started Registry operations in realm {}", serviceRealm);
  }
}
 
Example #16
Source File: CuratorService.java    From hadoop with Apache License 2.0 5 votes vote down vote up
/**
 * Guard used before operations that need a running service.
 *
 * @throws ServiceStateException if the service is not in the
 *     {@code STARTED} state; the message carries the service name and the
 *     state it is actually in
 */
private void checkServiceLive() throws ServiceStateException {
  final boolean started = isInState(STATE.STARTED);
  if (started) {
    return;
  }
  throw new ServiceStateException(
      "Service " + getName() + " is in wrong state: " + getServiceState());
}
 
Example #17
Source File: TestLeveldbTimelineStateStore.java    From hadoop with Apache License 2.0 5 votes vote down vote up
@Test
public void testCheckVersion() throws IOException {
  // Version check of the timeline state store; the service is stopped and
  // started again after each stored version.
  LeveldbTimelineStateStore service =
      initAndStartTimelineServiceStateStoreService();

  // default: stored version equals the current version
  final Version baseline = service.getCurrentVersion();
  Assert.assertEquals(baseline, service.loadVersion());

  // compatible: only the minor number is raised
  final Version minorBump = Version.newInstance(
      baseline.getMajorVersion(), baseline.getMinorVersion() + 2);
  service.storeVersion(minorBump);
  Assert.assertEquals(minorBump, service.loadVersion());
  service.stop();

  // the new instance overwrites the compatible version with the baseline
  service = initAndStartTimelineServiceStateStoreService();
  Assert.assertEquals(baseline, service.loadVersion());

  // incompatible: the major number is raised
  final Version majorBump = Version.newInstance(
      baseline.getMajorVersion() + 1, baseline.getMinorVersion());
  service.storeVersion(majorBump);
  service.stop();

  try {
    initAndStartTimelineServiceStateStoreService();
    Assert.fail("Incompatible version, should expect fail here.");
  } catch (ServiceStateException rejected) {
    Assert.assertTrue("Exception message mismatch",
        rejected.getMessage().contains(
            "Incompatible version for timeline state store"));
  }
}
 
Example #18
Source File: TestNMLeveldbStateStoreService.java    From hadoop with Apache License 2.0 5 votes vote down vote up
@Test
public void testCheckVersion() throws IOException {
  // NM state store: current, compatible and incompatible schema versions.

  // the stored version starts out equal to the current one
  final Version baseline = stateStore.getCurrentVersion();
  Assert.assertEquals(baseline, stateStore.loadVersion());

  // compatible version: minor number raised by two
  final Version minorBump = Version.newInstance(
      baseline.getMajorVersion(), baseline.getMinorVersion() + 2);
  stateStore.storeVersion(minorBump);
  Assert.assertEquals(minorBump, stateStore.loadVersion());

  // restarting overwrites the compatible version
  restartStateStore();
  Assert.assertEquals(baseline, stateStore.loadVersion());

  // incompatible version: major number raised by one
  final Version majorBump = Version.newInstance(
      baseline.getMajorVersion() + 1, baseline.getMinorVersion());
  stateStore.storeVersion(majorBump);
  try {
    restartStateStore();
    Assert.fail("Incompatible version, should expect fail here.");
  } catch (ServiceStateException rejected) {
    Assert.assertTrue("Exception message mismatch",
        rejected.getMessage().contains("Incompatible version for NM state:"));
  }
}
 
Example #19
Source File: TestHistoryServerLeveldbStateStoreService.java    From hadoop with Apache License 2.0 4 votes vote down vote up
@Test
public void testCheckVersion() throws IOException {
  // History server state store: each step closes the service and brings up
  // a new instance over the same configuration.
  HistoryServerLeveldbStateStoreService svc =
      new HistoryServerLeveldbStateStoreService();
  svc.init(conf);
  svc.start();

  // the stored version starts out equal to the current one
  final Version current = svc.getCurrentVersion();
  assertEquals(current, svc.loadVersion());

  // compatible: same major, minor + 2
  final Version newerMinor = Version.newInstance(
      current.getMajorVersion(), current.getMinorVersion() + 2);
  svc.dbStoreVersion(newerMinor);
  assertEquals(newerMinor, svc.loadVersion());
  svc.close();
  svc = new HistoryServerLeveldbStateStoreService();
  svc.init(conf);
  svc.start();

  // the new instance has overwritten the compatible version
  assertEquals(current, svc.loadVersion());

  // incompatible: major + 1, so init/start of the next instance must throw
  final Version newerMajor = Version.newInstance(
      current.getMajorVersion() + 1, current.getMinorVersion());
  svc.dbStoreVersion(newerMajor);
  svc.close();
  svc = new HistoryServerLeveldbStateStoreService();
  try {
    svc.init(conf);
    svc.start();
    fail("Incompatible version, should have thrown before here.");
  } catch (ServiceStateException expected) {
    assertTrue("Exception message mismatch",
        expected.getMessage().contains("Incompatible version for state:"));
  }
  svc.close();
}
 
Example #20
Source File: TestShuffleHandler.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Restarts a {@code ShuffleHandler} over the same recovery path several
 * times and checks two things: a job token registered before a restart is
 * still accepted afterwards, and a stored schema version with a higher major
 * number makes {@code start()} fail with a {@link ServiceStateException}.
 */
@Test
public void testRecoveryFromOtherVersions() throws IOException {
  final String user = "someuser";
  final ApplicationId appId = ApplicationId.newInstance(12345, 1);
  // recovery directory: test.build.data when set, otherwise java.io.tmpdir,
  // with the test class name as the directory name
  final File tmpDir = new File(System.getProperty("test.build.data",
      System.getProperty("java.io.tmpdir")),
      TestShuffleHandler.class.getName());
  Configuration conf = new Configuration();
  // NOTE(review): port 0 presumably requests an ephemeral port -- confirm
  conf.setInt(ShuffleHandler.SHUFFLE_PORT_CONFIG_KEY, 0);
  conf.setInt(ShuffleHandler.MAX_SHUFFLE_CONNECTIONS, 3);
  ShuffleHandler shuffle = new ShuffleHandler();
  // emulate aux services startup with recovery enabled
  shuffle.setRecoveryPath(new Path(tmpDir.toString()));
  // the result of mkdirs() is not checked
  tmpDir.mkdirs();
  try {
    shuffle.init(conf);
    shuffle.start();

    // setup a shuffle token for an application
    // (fixed identifier/password bytes are test fixtures; getBytes() without
    // an argument uses the platform default charset)
    DataOutputBuffer outputBuffer = new DataOutputBuffer();
    outputBuffer.reset();
    Token<JobTokenIdentifier> jt = new Token<JobTokenIdentifier>(
        "identifier".getBytes(), "password".getBytes(), new Text(user),
        new Text("shuffleService"));
    jt.write(outputBuffer);
    shuffle.initializeApplication(new ApplicationInitializationContext(user,
        appId, ByteBuffer.wrap(outputBuffer.getData(), 0,
            outputBuffer.getLength())));

    // verify we are authorized to shuffle
    int rc = getShuffleResponseCode(shuffle, jt);
    Assert.assertEquals(HttpURLConnection.HTTP_OK, rc);

    // emulate shuffle handler restart
    shuffle.close();
    shuffle = new ShuffleHandler();
    shuffle.setRecoveryPath(new Path(tmpDir.toString()));
    shuffle.init(conf);
    shuffle.start();

    // verify we are still authorized to shuffle to the old application
    // (the token was only registered with the previous instance)
    rc = getShuffleResponseCode(shuffle, jt);
    Assert.assertEquals(HttpURLConnection.HTTP_OK, rc);
    Version version = Version.newInstance(1, 0);
    Assert.assertEquals(version, shuffle.getCurrentVersion());
  
    // emulate shuffle handler restart with compatible version
    Version version11 = Version.newInstance(1, 1);
    // update version info before close shuffle
    shuffle.storeVersion(version11);
    Assert.assertEquals(version11, shuffle.loadVersion());
    shuffle.close();
    shuffle = new ShuffleHandler();
    shuffle.setRecoveryPath(new Path(tmpDir.toString()));
    shuffle.init(conf);
    shuffle.start();
    // after a successful restart the stored version has been overwritten
    // with the handler's current version (1.0 here)
    Assert.assertEquals(version, shuffle.loadVersion());
    // verify we are still authorized to shuffle to the old application
    rc = getShuffleResponseCode(shuffle, jt);
    Assert.assertEquals(HttpURLConnection.HTTP_OK, rc);
  
    // emulate shuffle handler restart with incompatible version
    Version version21 = Version.newInstance(2, 1);
    shuffle.storeVersion(version21);
    Assert.assertEquals(version21, shuffle.loadVersion());
    shuffle.close();
    shuffle = new ShuffleHandler();
    shuffle.setRecoveryPath(new Path(tmpDir.toString()));
    shuffle.init(conf);
  
    // init() succeeds; the version mismatch is expected to surface in start()
    try {
      shuffle.start();
      Assert.fail("Incompatible version, should expect fail here.");
    } catch (ServiceStateException e) {
      Assert.assertTrue("Exception message mismatch", 
      e.getMessage().contains("Incompatible version for state DB schema:"));
    } 
  
  } finally {
    // always close the last handler and remove the recovery directory
    if (shuffle != null) {
      shuffle.close();
    }
    FileUtil.fullyDelete(tmpDir);
  }
}
 
Example #21
Source File: RegistrySecurity.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Init security.
 *
 * Reads {@code KEY_REGISTRY_SECURE} and rebuilds {@link #systemACLs}:
 * for a secure registry the list receives the {@code ALL_READ_ACCESS} entry,
 * the ACLs of the system accounts and the user ACLs left in place by the
 * access policy (none for anonymous access); for an insecure registry it
 * receives {@code WorldReadWriteACL}. The access policy is only consulted
 * in the secure case.
 *
 * After this operation, the {@link #systemACLs} list is valid.
 * @throws IOException if the access policy is SASL while Hadoop security is
 * not enabled. NOTE(review): the helpers called here may raise it as well.
 * @throws ServiceStateException in digest mode when no user ACL has been
 * built before the digest entry is added
 */
private void initSecurity() throws IOException {

  secureRegistry =
      getConfig().getBoolean(KEY_REGISTRY_SECURE, DEFAULT_REGISTRY_SECURE);
  // start from an empty list so a repeated call does not accumulate entries
  systemACLs.clear();
  if (secureRegistry) {
    addSystemACL(ALL_READ_ACCESS);

    // determine the kerberos realm from JVM and settings
    kerberosRealm = getConfig().get(KEY_REGISTRY_KERBEROS_REALM,
        getDefaultRealmInJVM());

    // System Accounts
    // NOTE(review): getOrFail() presumably rejects a missing or empty value
    // -- confirm against its definition
    String system = getOrFail(KEY_REGISTRY_SYSTEM_ACCOUNTS,
                              DEFAULT_REGISTRY_SYSTEM_ACCOUNTS);

    // system accounts are granted ZooDefs.Perms.ALL
    systemACLs.addAll(buildACLs(system, kerberosRealm, ZooDefs.Perms.ALL));

    // user accounts (may be empty, but for digest one user ACL must
    // be built up)
    String user = getConfig().get(KEY_REGISTRY_USER_ACCOUNTS,
                            DEFAULT_REGISTRY_USER_ACCOUNTS);
    List<ACL> userACLs = buildACLs(user, kerberosRealm, ZooDefs.Perms.ALL);

    // add self if the current user can be determined
    ACL self;
    if (UserGroupInformation.isSecurityEnabled()) {
      self = createSaslACLFromCurrentUser(ZooDefs.Perms.ALL);
      if (self != null) {
        userACLs.add(self);
      }
    }

    // here check for UGI having secure on or digest + ID
    switch (access) {
      case sasl:
        // secure + SASL => has to be authenticated
        if (!UserGroupInformation.isSecurityEnabled()) {
          throw new IOException("Kerberos required for secure registry access");
        }
        UserGroupInformation currentUser =
            UserGroupInformation.getCurrentUser();
        jaasClientContext = getOrFail(KEY_REGISTRY_CLIENT_JAAS_CONTEXT,
            DEFAULT_REGISTRY_CLIENT_JAAS_CONTEXT);
        // the client identity is the short name of the current user
        jaasClientIdentity = currentUser.getShortUserName();
        if (LOG.isDebugEnabled()) {
          LOG.debug("Auth is SASL user=\"{}\" JAAS context=\"{}\"",
              jaasClientIdentity,
              jaasClientContext);
        }
        break;

      case digest:
        String id = getOrFail(KEY_REGISTRY_CLIENT_AUTHENTICATION_ID, "");
        String pass = getOrFail(KEY_REGISTRY_CLIENT_AUTHENTICATION_PASSWORD, "");
        if (userACLs.isEmpty()) {
          // no user ACL came out of the configured accounts or the current
          // user, so digest mode refuses to continue
          throw new ServiceStateException(E_NO_USER_DETERMINED_FOR_ACLS);
        }
        // return value discarded; NOTE(review): presumably called only to
        // validate the id/password pair -- confirm against digest()
        digest(id, pass);
        ACL acl = new ACL(ZooDefs.Perms.ALL, toDigestId(id, pass));
        userACLs.add(acl);
        // NOTE(review): the clear-text password stays in these fields, and
        // again inside digestAuthData as "id:pass" bytes, for as long as
        // this object lives; keep them out of logs and toString() output
        digestAuthUser = id;
        digestAuthPassword = pass;
        String authPair = id + ":" + pass;
        digestAuthData = authPair.getBytes("UTF-8");
        if (LOG.isDebugEnabled()) {
          // NOTE(review): the logged ACL is derived from id and password via
          // toDigestId(); confirm aclToString() does not print the full
          // digest
          LOG.debug("Auth is Digest ACL: {}", aclToString(acl));
        }
        break;

      case anon:
        // nothing is needed; account is read only.
        if (LOG.isDebugEnabled()) {
          LOG.debug("Auth is anonymous");
        }
        // discards every user ACL built above, the "self" entry included
        userACLs = new ArrayList<ACL>(0);
        break;
    }
    systemACLs.addAll(userACLs);

  } else {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Registry has no security");
    }
    // wide open cluster, adding system acls
    // (the access policy is not consulted on this path)
    systemACLs.addAll(WorldReadWriteACL);
  }
}
 
Example #22
Source File: RegistrySecurity.java    From hadoop with Apache License 2.0 4 votes vote down vote up
/**
 * Init security.
 *
 * Rebuilds {@link #systemACLs} from the configuration. With
 * {@code KEY_REGISTRY_SECURE} enabled the list is made of the
 * {@code ALL_READ_ACCESS} entry, the system-account ACLs and the user ACLs
 * that remain after the {@code access} switch; with it disabled the list is
 * {@code WorldReadWriteACL} and the {@code access} policy plays no part.
 *
 * After this operation, the {@link #systemACLs} list is valid.
 * @throws IOException if SASL access is selected while Hadoop security is
 * disabled. NOTE(review): called helpers may also raise it.
 * @throws ServiceStateException if digest access is selected and the list
 * of user ACLs is empty at that point
 */
private void initSecurity() throws IOException {

  secureRegistry =
      getConfig().getBoolean(KEY_REGISTRY_SECURE, DEFAULT_REGISTRY_SECURE);
  // previous entries are dropped before the list is rebuilt
  systemACLs.clear();
  if (secureRegistry) {
    addSystemACL(ALL_READ_ACCESS);

    // determine the kerberos realm from JVM and settings
    kerberosRealm = getConfig().get(KEY_REGISTRY_KERBEROS_REALM,
        getDefaultRealmInJVM());

    // System Accounts
    // NOTE(review): presumably getOrFail() throws when no usable value is
    // found -- verify
    String system = getOrFail(KEY_REGISTRY_SYSTEM_ACCOUNTS,
                              DEFAULT_REGISTRY_SYSTEM_ACCOUNTS);

    // every system account gets ZooDefs.Perms.ALL
    systemACLs.addAll(buildACLs(system, kerberosRealm, ZooDefs.Perms.ALL));

    // user accounts (may be empty, but for digest one user ACL must
    // be built up)
    String user = getConfig().get(KEY_REGISTRY_USER_ACCOUNTS,
                            DEFAULT_REGISTRY_USER_ACCOUNTS);
    List<ACL> userACLs = buildACLs(user, kerberosRealm, ZooDefs.Perms.ALL);

    // add self if the current user can be determined
    ACL self;
    if (UserGroupInformation.isSecurityEnabled()) {
      self = createSaslACLFromCurrentUser(ZooDefs.Perms.ALL);
      if (self != null) {
        userACLs.add(self);
      }
    }

    // here check for UGI having secure on or digest + ID
    switch (access) {
      case sasl:
        // secure + SASL => has to be authenticated
        if (!UserGroupInformation.isSecurityEnabled()) {
          throw new IOException("Kerberos required for secure registry access");
        }
        UserGroupInformation currentUser =
            UserGroupInformation.getCurrentUser();
        jaasClientContext = getOrFail(KEY_REGISTRY_CLIENT_JAAS_CONTEXT,
            DEFAULT_REGISTRY_CLIENT_JAAS_CONTEXT);
        // identity used for JAAS is the current user's short name
        jaasClientIdentity = currentUser.getShortUserName();
        if (LOG.isDebugEnabled()) {
          LOG.debug("Auth is SASL user=\"{}\" JAAS context=\"{}\"",
              jaasClientIdentity,
              jaasClientContext);
        }
        break;

      case digest:
        String id = getOrFail(KEY_REGISTRY_CLIENT_AUTHENTICATION_ID, "");
        String pass = getOrFail(KEY_REGISTRY_CLIENT_AUTHENTICATION_PASSWORD, "");
        if (userACLs.isEmpty()) {
          // neither the configured user accounts nor the current user
          // produced an ACL: abort instead of continuing
          throw new ServiceStateException(E_NO_USER_DETERMINED_FOR_ACLS);
        }
        // result unused; NOTE(review): looks like a validation-only call --
        // confirm against digest()
        digest(id, pass);
        ACL acl = new ACL(ZooDefs.Perms.ALL, toDigestId(id, pass));
        userACLs.add(acl);
        // NOTE(review): id and clear-text password are retained in fields
        // (and as "id:pass" bytes in digestAuthData); treat the instance as
        // secret-bearing when logging or dumping state
        digestAuthUser = id;
        digestAuthPassword = pass;
        String authPair = id + ":" + pass;
        digestAuthData = authPair.getBytes("UTF-8");
        if (LOG.isDebugEnabled()) {
          // NOTE(review): check what aclToString() prints for a digest ACL
          // before enabling debug logging in production
          LOG.debug("Auth is Digest ACL: {}", aclToString(acl));
        }
        break;

      case anon:
        // nothing is needed; account is read only.
        if (LOG.isDebugEnabled()) {
          LOG.debug("Auth is anonymous");
        }
        // replaces the list built above, so no user ACL is added below
        userACLs = new ArrayList<ACL>(0);
        break;
    }
    systemACLs.addAll(userACLs);

  } else {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Registry has no security");
    }
    // wide open cluster, adding system acls
    // (reached whatever the access policy is)
    systemACLs.addAll(WorldReadWriteACL);
  }
}
 
Example #23
Source File: TestShuffleHandler.java    From big-c with Apache License 2.0 4 votes vote down vote up
/**
 * Recovery test for {@code ShuffleHandler}: the handler is closed and
 * re-created over one recovery path with the stored schema version left
 * unchanged, bumped in the minor number, and bumped in the major number.
 * The first two restarts must keep the previously registered job token
 * usable; the last must fail in {@code start()} with a
 * {@link ServiceStateException}.
 */
@Test
public void testRecoveryFromOtherVersions() throws IOException {
  final String user = "someuser";
  final ApplicationId appId = ApplicationId.newInstance(12345, 1);
  // directory named after the test class, under test.build.data or, if that
  // property is unset, java.io.tmpdir
  final File tmpDir = new File(System.getProperty("test.build.data",
      System.getProperty("java.io.tmpdir")),
      TestShuffleHandler.class.getName());
  Configuration conf = new Configuration();
  // NOTE(review): 0 presumably lets the handler pick a free port -- confirm
  conf.setInt(ShuffleHandler.SHUFFLE_PORT_CONFIG_KEY, 0);
  conf.setInt(ShuffleHandler.MAX_SHUFFLE_CONNECTIONS, 3);
  ShuffleHandler shuffle = new ShuffleHandler();
  // emulate aux services startup with recovery enabled
  shuffle.setRecoveryPath(new Path(tmpDir.toString()));
  // mkdirs() result is ignored
  tmpDir.mkdirs();
  try {
    shuffle.init(conf);
    shuffle.start();

    // setup a shuffle token for an application
    // (hard-coded identifier/password are fixtures for this test only;
    // getBytes() here depends on the platform default charset)
    DataOutputBuffer outputBuffer = new DataOutputBuffer();
    outputBuffer.reset();
    Token<JobTokenIdentifier> jt = new Token<JobTokenIdentifier>(
        "identifier".getBytes(), "password".getBytes(), new Text(user),
        new Text("shuffleService"));
    jt.write(outputBuffer);
    shuffle.initializeApplication(new ApplicationInitializationContext(user,
        appId, ByteBuffer.wrap(outputBuffer.getData(), 0,
            outputBuffer.getLength())));

    // verify we are authorized to shuffle
    int rc = getShuffleResponseCode(shuffle, jt);
    Assert.assertEquals(HttpURLConnection.HTTP_OK, rc);

    // emulate shuffle handler restart
    shuffle.close();
    shuffle = new ShuffleHandler();
    shuffle.setRecoveryPath(new Path(tmpDir.toString()));
    shuffle.init(conf);
    shuffle.start();

    // verify we are still authorized to shuffle to the old application
    // (no initializeApplication() call was made on the new instance)
    rc = getShuffleResponseCode(shuffle, jt);
    Assert.assertEquals(HttpURLConnection.HTTP_OK, rc);
    Version version = Version.newInstance(1, 0);
    Assert.assertEquals(version, shuffle.getCurrentVersion());
  
    // emulate shuffle handler restart with compatible version
    Version version11 = Version.newInstance(1, 1);
    // update version info before close shuffle
    shuffle.storeVersion(version11);
    Assert.assertEquals(version11, shuffle.loadVersion());
    shuffle.close();
    shuffle = new ShuffleHandler();
    shuffle.setRecoveryPath(new Path(tmpDir.toString()));
    shuffle.init(conf);
    shuffle.start();
    // once the restart has succeeded, the stored version reads back as the
    // handler's current version again
    Assert.assertEquals(version, shuffle.loadVersion());
    // verify we are still authorized to shuffle to the old application
    rc = getShuffleResponseCode(shuffle, jt);
    Assert.assertEquals(HttpURLConnection.HTTP_OK, rc);
  
    // emulate shuffle handler restart with incompatible version
    Version version21 = Version.newInstance(2, 1);
    shuffle.storeVersion(version21);
    Assert.assertEquals(version21, shuffle.loadVersion());
    shuffle.close();
    shuffle = new ShuffleHandler();
    shuffle.setRecoveryPath(new Path(tmpDir.toString()));
    shuffle.init(conf);
  
    // only start() is inside the try: init() is expected to succeed
    try {
      shuffle.start();
      Assert.fail("Incompatible version, should expect fail here.");
    } catch (ServiceStateException e) {
      Assert.assertTrue("Exception message mismatch", 
      e.getMessage().contains("Incompatible version for state DB schema:"));
    } 
  
  } finally {
    // close whichever handler is current, then delete the recovery directory
    if (shuffle != null) {
      shuffle.close();
    }
    FileUtil.fullyDelete(tmpDir);
  }
}
 
Example #24
Source File: TestHistoryServerLeveldbStateStoreService.java    From big-c with Apache License 2.0 4 votes vote down vote up
@Test
public void testCheckVersion() throws IOException {
  // Version check of the history server state store; a fresh service
  // instance is initialized and started after every close().
  HistoryServerLeveldbStateStoreService service =
      new HistoryServerLeveldbStateStoreService();
  service.init(conf);
  service.start();

  // default: stored version equals the current version
  final Version baseline = service.getCurrentVersion();
  assertEquals(baseline, service.loadVersion());

  // compatible: only the minor number is raised
  final Version minorBump = Version.newInstance(
      baseline.getMajorVersion(), baseline.getMinorVersion() + 2);
  service.dbStoreVersion(minorBump);
  assertEquals(minorBump, service.loadVersion());
  service.close();
  service = new HistoryServerLeveldbStateStoreService();
  service.init(conf);
  service.start();

  // the compatible version has been overwritten by the new instance
  assertEquals(baseline, service.loadVersion());

  // incompatible: the major number is raised, init/start must throw
  final Version majorBump = Version.newInstance(
      baseline.getMajorVersion() + 1, baseline.getMinorVersion());
  service.dbStoreVersion(majorBump);
  service.close();
  service = new HistoryServerLeveldbStateStoreService();
  try {
    service.init(conf);
    service.start();
    fail("Incompatible version, should have thrown before here.");
  } catch (ServiceStateException rejected) {
    assertTrue("Exception message mismatch",
        rejected.getMessage().contains("Incompatible version for state:"));
  }
  service.close();
}
 
Example #25
Source File: TestShuffleHandler.java    From tez with Apache License 2.0 4 votes vote down vote up
/**
 * Restarts a {@code ShuffleHandler} over the same recovery path and checks
 * that a job token registered earlier is still accepted after restarts with
 * the same or a minor-bumped stored version, while a major-bumped stored
 * version makes {@code start()} throw a {@link ServiceStateException}.
 */
@Test
public void testRecoveryFromOtherVersions() throws IOException {
  final String user = "someuser";
  final ApplicationId appId = ApplicationId.newInstance(12345, 1);
  // recovery directory: test.build.data when set, otherwise java.io.tmpdir,
  // with the test class name as the directory name
  final File tmpDir = new File(System.getProperty("test.build.data",
      System.getProperty("java.io.tmpdir")),
      TestShuffleHandler.class.getName());
  Configuration conf = new Configuration();
  conf.set(HADOOP_TMP_DIR, TEST_DIR.getAbsolutePath());
  // NOTE(review): port 0 presumably requests an ephemeral port -- confirm
  conf.setInt(ShuffleHandler.SHUFFLE_PORT_CONFIG_KEY, 0);
  conf.setInt(ShuffleHandler.MAX_SHUFFLE_CONNECTIONS, 3);
  ShuffleHandler shuffle = new ShuffleHandler();
  // emulate aux services startup with recovery enabled
  shuffle.setRecoveryPath(new Path(tmpDir.toString()));
  // the result of mkdirs() is not checked
  tmpDir.mkdirs();
  try {
    shuffle.init(conf);
    shuffle.start();

    // setup a shuffle token for an application
    // (fixed identifier/password bytes are test fixtures; getBytes() without
    // an argument uses the platform default charset)
    DataOutputBuffer outputBuffer = new DataOutputBuffer();
    outputBuffer.reset();
    Token<JobTokenIdentifier> jt = new Token<JobTokenIdentifier>(
        "identifier".getBytes(), "password".getBytes(), new Text(user),
        new Text("shuffleService"));
    jt.write(outputBuffer);
    shuffle.initializeApplication(new ApplicationInitializationContext(user,
        appId, ByteBuffer.wrap(outputBuffer.getData(), 0,
            outputBuffer.getLength())));

    // verify we are authorized to shuffle
    int rc = getShuffleResponseCode(shuffle, jt);
    Assert.assertEquals(HttpURLConnection.HTTP_OK, rc);

    // emulate shuffle handler restart
    shuffle.close();
    shuffle = new ShuffleHandler();
    shuffle.setRecoveryPath(new Path(tmpDir.toString()));
    shuffle.init(conf);
    shuffle.start();

    // verify we are still authorized to shuffle to the old application
    // (the token was only registered with the previous instance)
    rc = getShuffleResponseCode(shuffle, jt);
    Assert.assertEquals(HttpURLConnection.HTTP_OK, rc);
    Version version = Version.newInstance(1, 0);
    Assert.assertEquals(version, shuffle.getCurrentVersion());

    // emulate shuffle handler restart with compatible version
    Version version11 = Version.newInstance(1, 1);
    // update version info before close shuffle
    shuffle.storeVersion(version11);
    Assert.assertEquals(version11, shuffle.loadVersion());
    shuffle.close();
    shuffle = new ShuffleHandler();
    shuffle.setRecoveryPath(new Path(tmpDir.toString()));
    shuffle.init(conf);
    shuffle.start();
    // after a successful restart the stored version has been overwritten
    // with the handler's current version (1.0 here)
    Assert.assertEquals(version, shuffle.loadVersion());
    // verify we are still authorized to shuffle to the old application
    rc = getShuffleResponseCode(shuffle, jt);
    Assert.assertEquals(HttpURLConnection.HTTP_OK, rc);

    // emulate shuffle handler restart with incompatible version
    Version version21 = Version.newInstance(2, 1);
    shuffle.storeVersion(version21);
    Assert.assertEquals(version21, shuffle.loadVersion());
    shuffle.close();
    shuffle = new ShuffleHandler();
    shuffle.setRecoveryPath(new Path(tmpDir.toString()));
    shuffle.init(conf);
  
    // init() succeeds; the version mismatch is expected to surface in start()
    try {
      shuffle.start();
      Assert.fail("Incompatible version, should expect fail here.");
    } catch (ServiceStateException e) {
      Assert.assertTrue("Exception message mismatch",
      e.getMessage().contains("Incompatible version for state DB schema:"));
    }

  } finally {
    // always close the last handler and remove the recovery directory
    if (shuffle != null) {
      shuffle.close();
    }
    FileUtil.fullyDelete(tmpDir);
  }
}