Java Code Examples for org.apache.hadoop.security.UserGroupInformation#createProxyUserForTesting()
The following examples show how to use
org.apache.hadoop.security.UserGroupInformation#createProxyUserForTesting() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: TestDelegationTokenForProxyUser.java From big-c with Apache License 2.0 | 6 votes |
@BeforeClass public static void setUp() throws Exception { config = new HdfsConfiguration(); config.setBoolean(DFSConfigKeys.DFS_WEBHDFS_ENABLED_KEY, true); config.setLong( DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY, 10000); config.setLong( DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY, 5000); config.setStrings(DefaultImpersonationProvider.getTestProvider(). getProxySuperuserGroupConfKey(REAL_USER), "group1"); config.setBoolean( DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_ALWAYS_USE_KEY, true); configureSuperUserIPAddresses(config, REAL_USER); FileSystem.setDefaultUri(config, "hdfs://localhost:" + "0"); cluster = new MiniDFSCluster.Builder(config).build(); cluster.waitActive(); ProxyUsers.refreshSuperUserGroupsConfiguration(config); ugi = UserGroupInformation.createRemoteUser(REAL_USER); proxyUgi = UserGroupInformation.createProxyUserForTesting(PROXY_USER, ugi, GROUP_NAMES); }
Example 2
Source File: TestProxyUsers.java From hadoop with Apache License 2.0 | 6 votes |
@Test public void testIPRange() { Configuration conf = new Configuration(); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserGroupConfKey(REAL_USER_NAME), "*"); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserIpConfKey(REAL_USER_NAME), PROXY_IP_RANGE); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertAuthorized(proxyUserUgi, "10.222.0.0"); // From bad IP assertNotAuthorized(proxyUserUgi, "10.221.0.0"); }
Example 3
Source File: TestProxyUsers.java From big-c with Apache License 2.0 | 6 votes |
@Test public void testIPRange() { Configuration conf = new Configuration(); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserGroupConfKey(REAL_USER_NAME), "*"); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserIpConfKey(REAL_USER_NAME), PROXY_IP_RANGE); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertAuthorized(proxyUserUgi, "10.222.0.0"); // From bad IP assertNotAuthorized(proxyUserUgi, "10.221.0.0"); }
Example 4
Source File: TestDelegationTokenForProxyUser.java From hadoop with Apache License 2.0 | 6 votes |
@BeforeClass public static void setUp() throws Exception { config = new HdfsConfiguration(); config.setBoolean(DFSConfigKeys.DFS_WEBHDFS_ENABLED_KEY, true); config.setLong( DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_MAX_LIFETIME_KEY, 10000); config.setLong( DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_RENEW_INTERVAL_KEY, 5000); config.setStrings(DefaultImpersonationProvider.getTestProvider(). getProxySuperuserGroupConfKey(REAL_USER), "group1"); config.setBoolean( DFSConfigKeys.DFS_NAMENODE_DELEGATION_TOKEN_ALWAYS_USE_KEY, true); configureSuperUserIPAddresses(config, REAL_USER); FileSystem.setDefaultUri(config, "hdfs://localhost:" + "0"); cluster = new MiniDFSCluster.Builder(config).build(); cluster.waitActive(); ProxyUsers.refreshSuperUserGroupsConfiguration(config); ugi = UserGroupInformation.createRemoteUser(REAL_USER); proxyUgi = UserGroupInformation.createProxyUserForTesting(PROXY_USER, ugi, GROUP_NAMES); }
Example 5
Source File: TestProxyUsers.java From hadoop with Apache License 2.0 | 5 votes |
@Test public void testNoHostsForUsers() throws Exception { Configuration conf = new Configuration(false); conf.set("y." + REAL_USER_NAME + ".users", StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME))); ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "y"); UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( AUTHORIZED_PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // IP doesn't matter assertNotAuthorized(proxyUserUgi, "1.2.3.4"); }
Example 6
Source File: TestProxyUsers.java From big-c with Apache License 2.0 | 5 votes |
public static void loadTest(String ipString, int testRange) { Configuration conf = new Configuration(); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserGroupConfKey(REAL_USER_NAME), StringUtils.join(",", Arrays.asList(GROUP_NAMES))); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserIpConfKey(REAL_USER_NAME), ipString ); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); long startTime = System.nanoTime(); SecureRandom sr = new SecureRandom(); for (int i=1; i < 1000000; i++){ try { ProxyUsers.authorize(proxyUserUgi, "1.2.3."+ sr.nextInt(testRange)); } catch (AuthorizationException e) { } } long stopTime = System.nanoTime(); long elapsedTime = stopTime - startTime; System.out.println(elapsedTime/1000000 + " ms"); }
Example 7
Source File: TestProxyUsers.java From big-c with Apache License 2.0 | 5 votes |
@Test public void testWildcardUser() { Configuration conf = new Configuration(); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserUserConfKey(REAL_USER_NAME), "*"); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserIpConfKey(REAL_USER_NAME), PROXY_IP); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); // First try proxying a user that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( AUTHORIZED_PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertNotAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a different user (just to make sure we aren't getting spill over // from the other test case!) realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME); proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES); // From good IP assertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
Example 8
Source File: TestProxyUsers.java From big-c with Apache License 2.0 | 5 votes |
@Test public void testNoHostsForUsers() throws Exception { Configuration conf = new Configuration(false); conf.set("y." + REAL_USER_NAME + ".users", StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME))); ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "y"); UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( AUTHORIZED_PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // IP doesn't matter assertNotAuthorized(proxyUserUgi, "1.2.3.4"); }
Example 9
Source File: TestProxyUsers.java From big-c with Apache License 2.0 | 5 votes |
@Test public void testProxyUsersWithUserConf() throws Exception { Configuration conf = new Configuration(); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserUserConfKey(REAL_USER_NAME), StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME))); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserIpConfKey(REAL_USER_NAME), PROXY_IP); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); // First try proxying a user that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( AUTHORIZED_PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertNotAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a user that's not allowed realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME); proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertNotAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
Example 10
Source File: TestProxyUsers.java From big-c with Apache License 2.0 | 5 votes |
@Test public void testProxyUsers() throws Exception { Configuration conf = new Configuration(); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserGroupConfKey(REAL_USER_NAME), StringUtils.join(",", Arrays.asList(GROUP_NAMES))); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserIpConfKey(REAL_USER_NAME), PROXY_IP); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertNotAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a group that's not allowed realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME); proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES); // From good IP assertNotAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
Example 11
Source File: MiniRPCBenchmark.java From hadoop with Apache License 2.0 | 5 votes |
void connectToServerAndGetDelegationToken( final Configuration conf, final InetSocketAddress addr) throws IOException { MiniProtocol client = null; try { UserGroupInformation current = UserGroupInformation.getCurrentUser(); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( MINI_USER, current, GROUP_NAMES); try { client = proxyUserUgi.doAs(new PrivilegedExceptionAction<MiniProtocol>() { @Override public MiniProtocol run() throws IOException { MiniProtocol p = RPC.getProxy(MiniProtocol.class, MiniProtocol.versionID, addr, conf); Token<TestDelegationTokenIdentifier> token; token = p.getDelegationToken(new Text(RENEWER)); currentUgi = UserGroupInformation.createUserForTesting(MINI_USER, GROUP_NAMES); SecurityUtil.setTokenService(token, addr); currentUgi.addToken(token); return p; } }); } catch (InterruptedException e) { Assert.fail(Arrays.toString(e.getStackTrace())); } } finally { RPC.stopProxy(client); } }
Example 12
Source File: TestProxyUsers.java From hadoop with Apache License 2.0 | 5 votes |
public static void loadTest(String ipString, int testRange) { Configuration conf = new Configuration(); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserGroupConfKey(REAL_USER_NAME), StringUtils.join(",", Arrays.asList(GROUP_NAMES))); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserIpConfKey(REAL_USER_NAME), ipString ); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); long startTime = System.nanoTime(); SecureRandom sr = new SecureRandom(); for (int i=1; i < 1000000; i++){ try { ProxyUsers.authorize(proxyUserUgi, "1.2.3."+ sr.nextInt(testRange)); } catch (AuthorizationException e) { } } long stopTime = System.nanoTime(); long elapsedTime = stopTime - startTime; System.out.println(elapsedTime/1000000 + " ms"); }
Example 13
Source File: TestProxyUsers.java From hadoop with Apache License 2.0 | 5 votes |
@Test public void testProxyUsersWithProviderOverride() throws Exception { Configuration conf = new Configuration(); conf.set( CommonConfigurationKeysPublic.HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS, "org.apache.hadoop.security.authorize.TestProxyUsers$TestDummyImpersonationProvider"); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createUserForTesting(REAL_USER_NAME, SUDO_GROUP_NAMES); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a group that's not allowed realUserUgi = UserGroupInformation .createUserForTesting(REAL_USER_NAME, GROUP_NAMES); proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertNotAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
Example 14
Source File: TestProxyUsers.java From hadoop with Apache License 2.0 | 5 votes |
@Test public void testWildcardIP() { Configuration conf = new Configuration(); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserGroupConfKey(REAL_USER_NAME), StringUtils.join(",", Arrays.asList(GROUP_NAMES))); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserIpConfKey(REAL_USER_NAME), "*"); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From either IP should be fine assertAuthorized(proxyUserUgi, "1.2.3.4"); assertAuthorized(proxyUserUgi, "1.2.3.5"); // Now set up an unallowed group realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME); proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, OTHER_GROUP_NAMES); // Neither IP should be OK assertNotAuthorized(proxyUserUgi, "1.2.3.4"); assertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
Example 15
Source File: TestProxyUsers.java From big-c with Apache License 2.0 | 5 votes |
@Test public void testProxyUsersWithCustomPrefix() throws Exception { Configuration conf = new Configuration(false); conf.set("x." + REAL_USER_NAME + ".users", StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME))); conf.set("x." + REAL_USER_NAME+ ".hosts", PROXY_IP); ProxyUsers.refreshSuperUserGroupsConfiguration(conf, "x"); // First try proxying a user that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( AUTHORIZED_PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertNotAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a user that's not allowed realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME); proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertNotAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
Example 16
Source File: TestProxyUsers.java From big-c with Apache License 2.0 | 5 votes |
@Test public void testProxyUsersWithProviderOverride() throws Exception { Configuration conf = new Configuration(); conf.set( CommonConfigurationKeysPublic.HADOOP_SECURITY_IMPERSONATION_PROVIDER_CLASS, "org.apache.hadoop.security.authorize.TestProxyUsers$TestDummyImpersonationProvider"); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createUserForTesting(REAL_USER_NAME, SUDO_GROUP_NAMES); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a group that's not allowed realUserUgi = UserGroupInformation .createUserForTesting(REAL_USER_NAME, GROUP_NAMES); proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertNotAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
Example 17
Source File: TestProxyUsers.java From hadoop with Apache License 2.0 | 5 votes |
@Test public void testProxyUsersWithUserConf() throws Exception { Configuration conf = new Configuration(); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserUserConfKey(REAL_USER_NAME), StringUtils.join(",", Arrays.asList(AUTHORIZED_PROXY_USER_NAME))); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserIpConfKey(REAL_USER_NAME), PROXY_IP); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); // First try proxying a user that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( AUTHORIZED_PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertNotAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a user that's not allowed realUserUgi = UserGroupInformation.createRemoteUser(REAL_USER_NAME); proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, GROUP_NAMES); // From good IP assertNotAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP assertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
Example 18
Source File: MiniRPCBenchmark.java From big-c with Apache License 2.0 | 5 votes |
void connectToServerAndGetDelegationToken( final Configuration conf, final InetSocketAddress addr) throws IOException { MiniProtocol client = null; try { UserGroupInformation current = UserGroupInformation.getCurrentUser(); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( MINI_USER, current, GROUP_NAMES); try { client = proxyUserUgi.doAs(new PrivilegedExceptionAction<MiniProtocol>() { @Override public MiniProtocol run() throws IOException { MiniProtocol p = RPC.getProxy(MiniProtocol.class, MiniProtocol.versionID, addr, conf); Token<TestDelegationTokenIdentifier> token; token = p.getDelegationToken(new Text(RENEWER)); currentUgi = UserGroupInformation.createUserForTesting(MINI_USER, GROUP_NAMES); SecurityUtil.setTokenService(token, addr); currentUgi.addToken(token); return p; } }); } catch (InterruptedException e) { Assert.fail(Arrays.toString(e.getStackTrace())); } } finally { RPC.stopProxy(client); } }
Example 19
Source File: TestProxyUsers.java From big-c with Apache License 2.0 | 4 votes |
/** * Test the netgroups (groups in ACL rules that start with @) * * This is a manual test because it requires: * - host setup * - native code compiled * - specify the group mapping class * * Host setup: * * /etc/nsswitch.conf should have a line like this: * netgroup: files * * /etc/netgroup should be (the whole file): * foo_group (,proxied_user,) * * To run this test: * * export JAVA_HOME='path/to/java' * mvn test \ * -Dtest=TestProxyUsers \ * -DTestProxyUsersGroupMapping=$className \ * * where $className is one of the classes that provide group * mapping services, i.e. classes that implement * GroupMappingServiceProvider interface, at this time: * - org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping * - org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping * */ @Test public void testNetgroups () throws IOException{ if(!NativeCodeLoader.isNativeCodeLoaded()) { LOG.info("Not testing netgroups, " + "this test only runs when native code is compiled"); return; } String groupMappingClassName = System.getProperty("TestProxyUsersGroupMapping"); if(groupMappingClassName == null) { LOG.info("Not testing netgroups, no group mapping class specified, " + "use -DTestProxyUsersGroupMapping=$className to specify " + "group mapping class (must implement GroupMappingServiceProvider " + "interface and support netgroups)"); return; } LOG.info("Testing netgroups using: " + groupMappingClassName); Configuration conf = new Configuration(); conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_GROUP_MAPPING, groupMappingClassName); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserGroupConfKey(REAL_USER_NAME), StringUtils.join(",", Arrays.asList(NETGROUP_NAMES))); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserIpConfKey(REAL_USER_NAME), PROXY_IP); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); Groups groups = Groups.getUserToGroupsMappingService(conf); // try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, groups.getGroups(PROXY_USER_NAME).toArray( new String[groups.getGroups(PROXY_USER_NAME).size()])); assertAuthorized(proxyUserUgi, PROXY_IP); }
Example 20
Source File: TestProxyUsers.java From hadoop with Apache License 2.0 | 4 votes |
/** * Test the netgroups (groups in ACL rules that start with @) * * This is a manual test because it requires: * - host setup * - native code compiled * - specify the group mapping class * * Host setup: * * /etc/nsswitch.conf should have a line like this: * netgroup: files * * /etc/netgroup should be (the whole file): * foo_group (,proxied_user,) * * To run this test: * * export JAVA_HOME='path/to/java' * mvn test \ * -Dtest=TestProxyUsers \ * -DTestProxyUsersGroupMapping=$className \ * * where $className is one of the classes that provide group * mapping services, i.e. classes that implement * GroupMappingServiceProvider interface, at this time: * - org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping * - org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping * */ @Test public void testNetgroups () throws IOException{ if(!NativeCodeLoader.isNativeCodeLoaded()) { LOG.info("Not testing netgroups, " + "this test only runs when native code is compiled"); return; } String groupMappingClassName = System.getProperty("TestProxyUsersGroupMapping"); if(groupMappingClassName == null) { LOG.info("Not testing netgroups, no group mapping class specified, " + "use -DTestProxyUsersGroupMapping=$className to specify " + "group mapping class (must implement GroupMappingServiceProvider " + "interface and support netgroups)"); return; } LOG.info("Testing netgroups using: " + groupMappingClassName); Configuration conf = new Configuration(); conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_GROUP_MAPPING, groupMappingClassName); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserGroupConfKey(REAL_USER_NAME), StringUtils.join(",", Arrays.asList(NETGROUP_NAMES))); conf.set( DefaultImpersonationProvider.getTestProvider(). getProxySuperuserIpConfKey(REAL_USER_NAME), PROXY_IP); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); Groups groups = Groups.getUserToGroupsMappingService(conf); // try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation .createRemoteUser(REAL_USER_NAME); UserGroupInformation proxyUserUgi = UserGroupInformation.createProxyUserForTesting( PROXY_USER_NAME, realUserUgi, groups.getGroups(PROXY_USER_NAME).toArray( new String[groups.getGroups(PROXY_USER_NAME).size()])); assertAuthorized(proxyUserUgi, PROXY_IP); }