Beispiel #1
0
        public virtual void TestCreateRemoteUser()
        {
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("user1");

            Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
                         ugi.GetAuthenticationMethod());
            Assert.True(ugi.ToString().Contains("(auth:SIMPLE)"));
            ugi = UserGroupInformation.CreateRemoteUser("user1", SaslRpcServer.AuthMethod.Kerberos
                                                        );
            Assert.Equal(UserGroupInformation.AuthenticationMethod.Kerberos
                         , ugi.GetAuthenticationMethod());
            Assert.True(ugi.ToString().Contains("(auth:KERBEROS)"));
        }
Beispiel #2
0
 private void CheckUgiFromToken(UserGroupInformation ugi)
 {
     if (ugi.GetRealUser() != null)
     {
         NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Proxy,
                                         ugi.GetAuthenticationMethod());
         NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Token,
                                         ugi.GetRealUser().GetAuthenticationMethod());
     }
     else
     {
         NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Token,
                                         ugi.GetAuthenticationMethod());
     }
 }
Beispiel #3
0
        public virtual void TestGetRealAuthenticationMethod()
        {
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("user1");

            ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Simple);
            Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
                         ugi.GetAuthenticationMethod());
            Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
                         ugi.GetRealAuthenticationMethod());
            ugi = UserGroupInformation.CreateProxyUser("user2", ugi);
            Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy,
                         ugi.GetAuthenticationMethod());
            Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
                         ugi.GetRealAuthenticationMethod());
        }
Beispiel #4
0
        /// <exception cref="System.Exception"/>
        public virtual void TestUGIAuthMethodInRealUser()
        {
            UserGroupInformation ugi      = UserGroupInformation.GetCurrentUser();
            UserGroupInformation proxyUgi = UserGroupInformation.CreateProxyUser("proxy", ugi
                                                                                 );

            UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod
                                                           .Kerberos;
            ugi.SetAuthenticationMethod(am);
            Assert.Equal(am, ugi.GetAuthenticationMethod());
            Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy,
                         proxyUgi.GetAuthenticationMethod());
            Assert.Equal(am, UserGroupInformation.GetRealAuthenticationMethod
                             (proxyUgi));
            proxyUgi.DoAs(new _PrivilegedExceptionAction_690(am));
            UserGroupInformation proxyUgi2 = new UserGroupInformation(proxyUgi.GetSubject());

            proxyUgi2.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Proxy
                                              );
            Assert.Equal(proxyUgi, proxyUgi2);
            // Equality should work if authMethod is null
            UserGroupInformation realugi   = UserGroupInformation.GetCurrentUser();
            UserGroupInformation proxyUgi3 = UserGroupInformation.CreateProxyUser("proxyAnother"
                                                                                  , realugi);
            UserGroupInformation proxyUgi4 = new UserGroupInformation(proxyUgi3.GetSubject());

            Assert.Equal(proxyUgi3, proxyUgi4);
        }
Beispiel #5
0
        /// <exception cref="System.IO.IOException"/>
        private void TryLoginAuthenticationMethod(UserGroupInformation.AuthenticationMethod
                                                  method, bool expectSuccess)
        {
            SecurityUtil.SetAuthenticationMethod(method, conf);
            UserGroupInformation.SetConfiguration(conf);
            // pick up changed auth
            UserGroupInformation ugi = null;
            Exception            ex  = null;

            try
            {
                ugi = UserGroupInformation.GetLoginUser();
            }
            catch (Exception e)
            {
                ex = e;
            }
            if (expectSuccess)
            {
                NUnit.Framework.Assert.IsNotNull(ugi);
                Assert.Equal(method, ugi.GetAuthenticationMethod());
            }
            else
            {
                NUnit.Framework.Assert.IsNotNull(ex);
                Assert.Equal(typeof(NotSupportedException), ex.GetType());
                Assert.Equal(method + " login authentication is not supported"
                             , ex.Message);
            }
        }
Beispiel #6
0
        /// <exception cref="System.IO.IOException"/>
        private HttpURLConnection CreateConnection(Uri url, string method)
        {
            HttpURLConnection conn;

            try
            {
                // if current UGI is different from UGI at constructor time, behave as
                // proxyuser
                UserGroupInformation currentUgi = UserGroupInformation.GetCurrentUser();
                string doAsUser = (currentUgi.GetAuthenticationMethod() == UserGroupInformation.AuthenticationMethod
                                   .Proxy) ? currentUgi.GetShortUserName() : null;
                // creating the HTTP connection using the current UGI at constructor time
                conn = actualUgi.DoAs(new _PrivilegedExceptionAction_478(this, url, doAsUser));
            }
            catch (IOException ex)
            {
                throw;
            }
            catch (UndeclaredThrowableException ex)
            {
                throw new IOException(ex.GetUndeclaredThrowable());
            }
            catch (Exception ex)
            {
                throw new IOException(ex);
            }
            conn.SetUseCaches(false);
            conn.SetRequestMethod(method);
            if (method.Equals(HttpPost) || method.Equals(HttpPut))
            {
                conn.SetDoOutput(true);
            }
            conn = ConfigureConnection(conn);
            return(conn);
        }
        public virtual void TestLogin()
        {
            string userPrincipal = Runtime.GetProperty("user.principal");
            string userKeyTab    = Runtime.GetProperty("user.keytab");

            NUnit.Framework.Assert.IsNotNull("User principal was not specified", userPrincipal
                                             );
            NUnit.Framework.Assert.IsNotNull("User keytab was not specified", userKeyTab);
            Configuration conf = new Configuration();

            conf.Set(CommonConfigurationKeys.HadoopSecurityAuthentication, "kerberos");
            UserGroupInformation.SetConfiguration(conf);
            UserGroupInformation ugi = UserGroupInformation.LoginUserFromKeytabAndReturnUGI(userPrincipal
                                                                                            , userKeyTab);

            Assert.Equal(UserGroupInformation.AuthenticationMethod.Kerberos
                         , ugi.GetAuthenticationMethod());
            try
            {
                UserGroupInformation.LoginUserFromKeytabAndReturnUGI("*****@*****.**", userKeyTab
                                                                     );
                NUnit.Framework.Assert.Fail("Login should have failed");
            }
            catch (Exception ex)
            {
                Runtime.PrintStackTrace(ex);
            }
        }
Beispiel #8
0
        public virtual void TestSecureNameNode()
        {
            MiniDFSCluster cluster = null;

            try
            {
                string nnPrincipal       = Runtime.GetProperty("dfs.namenode.kerberos.principal");
                string nnSpnegoPrincipal = Runtime.GetProperty("dfs.namenode.kerberos.internal.spnego.principal"
                                                               );
                string nnKeyTab = Runtime.GetProperty("dfs.namenode.keytab.file");
                NUnit.Framework.Assert.IsNotNull("NameNode principal was not specified", nnPrincipal
                                                 );
                NUnit.Framework.Assert.IsNotNull("NameNode SPNEGO principal was not specified", nnSpnegoPrincipal
                                                 );
                NUnit.Framework.Assert.IsNotNull("NameNode keytab was not specified", nnKeyTab);
                Configuration conf = new HdfsConfiguration();
                conf.Set(CommonConfigurationKeys.HadoopSecurityAuthentication, "kerberos");
                conf.Set(DFSConfigKeys.DfsNamenodeKerberosPrincipalKey, nnPrincipal);
                conf.Set(DFSConfigKeys.DfsNamenodeKerberosInternalSpnegoPrincipalKey, nnSpnegoPrincipal
                         );
                conf.Set(DFSConfigKeys.DfsNamenodeKeytabFileKey, nnKeyTab);
                cluster = new MiniDFSCluster.Builder(conf).NumDataNodes(NumOfDatanodes).Build();
                MiniDFSCluster clusterRef = cluster;
                cluster.WaitActive();
                FileSystem fsForCurrentUser = cluster.GetFileSystem();
                fsForCurrentUser.Mkdirs(new Path("/tmp"));
                fsForCurrentUser.SetPermission(new Path("/tmp"), new FsPermission((short)511));
                // The user specified should not be a superuser
                string userPrincipal = Runtime.GetProperty("user.principal");
                string userKeyTab    = Runtime.GetProperty("user.keytab");
                NUnit.Framework.Assert.IsNotNull("User principal was not specified", userPrincipal
                                                 );
                NUnit.Framework.Assert.IsNotNull("User keytab was not specified", userKeyTab);
                UserGroupInformation ugi = UserGroupInformation.LoginUserFromKeytabAndReturnUGI(userPrincipal
                                                                                                , userKeyTab);
                FileSystem fs = ugi.DoAs(new _PrivilegedExceptionAction_105(clusterRef));
                try
                {
                    Path p = new Path("/users");
                    fs.Mkdirs(p);
                    NUnit.Framework.Assert.Fail("User must not be allowed to write in /");
                }
                catch (IOException)
                {
                }
                Path p_1 = new Path("/tmp/alpha");
                fs.Mkdirs(p_1);
                NUnit.Framework.Assert.IsNotNull(fs.ListStatus(p_1));
                NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Kerberos
                                                , ugi.GetAuthenticationMethod());
            }
            finally
            {
                if (cluster != null)
                {
                    cluster.Shutdown();
                }
            }
        }
Beispiel #9
0
        /// <exception cref="System.Exception"/>
        public virtual void TestUGIAuthMethod()
        {
            UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();

            UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod
                                                           .Kerberos;
            ugi.SetAuthenticationMethod(am);
            Assert.Equal(am, ugi.GetAuthenticationMethod());
            ugi.DoAs(new _PrivilegedExceptionAction_668(am));
        }
        public virtual void TestGetUserWithOwner()
        {
            TestDelegationToken.TestDelegationTokenIdentifier ident = new TestDelegationToken.TestDelegationTokenIdentifier
                                                                          (new Text("owner"), null, null);
            UserGroupInformation ugi = ident.GetUser();

            NUnit.Framework.Assert.IsNull(ugi.GetRealUser());
            Assert.Equal("owner", ugi.GetUserName());
            Assert.Equal(UserGroupInformation.AuthenticationMethod.Token,
                         ugi.GetAuthenticationMethod());
        }
Beispiel #11
0
        /// <exception cref="System.Exception"/>
        public virtual void TestTestAuthMethod()
        {
            UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();

            // verify the reverse mappings works
            foreach (UserGroupInformation.AuthenticationMethod am in UserGroupInformation.AuthenticationMethod
                     .Values())
            {
                if (am.GetAuthMethod() != null)
                {
                    ugi.SetAuthenticationMethod(am.GetAuthMethod());
                    Assert.Equal(am, ugi.GetAuthenticationMethod());
                }
            }
        }
Beispiel #12
0
        /// <exception cref="System.IO.IOException"/>
        public virtual Org.Apache.Hadoop.Security.Token.Token <object>[] AddDelegationTokens
            (string renewer, Credentials credentials)
        {
            Org.Apache.Hadoop.Security.Token.Token <object>[] tokens = null;
            Text dtService = GetDelegationTokenService();

            Org.Apache.Hadoop.Security.Token.Token <object> token = credentials.GetToken(dtService
                                                                                         );
            if (token == null)
            {
                Uri url = CreateURL(null, null, null, null);
                DelegationTokenAuthenticatedURL authUrl = new DelegationTokenAuthenticatedURL(configurator
                                                                                              );
                try
                {
                    // 'actualUGI' is the UGI of the user creating the client
                    // It is possible that the creator of the KMSClientProvier
                    // calls this method on behalf of a proxyUser (the doAsUser).
                    // In which case this call has to be made as the proxy user.
                    UserGroupInformation currentUgi = UserGroupInformation.GetCurrentUser();
                    string doAsUser = (currentUgi.GetAuthenticationMethod() == UserGroupInformation.AuthenticationMethod
                                       .Proxy) ? currentUgi.GetShortUserName() : null;
                    token = actualUgi.DoAs(new _PrivilegedExceptionAction_870(authUrl, url, renewer,
                                                                              doAsUser));
                    // Not using the cached token here.. Creating a new token here
                    // everytime.
                    if (token != null)
                    {
                        credentials.AddToken(token.GetService(), token);
                        tokens = new Org.Apache.Hadoop.Security.Token.Token <object>[] { token };
                    }
                    else
                    {
                        throw new IOException("Got NULL as delegation token");
                    }
                }
                catch (Exception)
                {
                    Thread.CurrentThread().Interrupt();
                }
                catch (Exception e)
                {
                    throw new IOException(e);
                }
            }
            return(tokens);
        }
        public virtual void TestGetUserGroupInformation()
        {
            string userName    = "******";
            string currentUser = "******";
            UserGroupInformation currentUserUgi = UserGroupInformation.CreateUserForTesting(currentUser
                                                                                            , new string[0]);
            NfsConfiguration conf = new NfsConfiguration();

            conf.Set(FileSystem.FsDefaultNameKey, "hdfs://localhost");
            DFSClientCache       cache     = new DFSClientCache(conf);
            UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi
                                                                           );

            Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName));
            Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi));
            Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod
                                                                         .Proxy));
        }
        public virtual void TestGetUserGroupInformationSecure()
        {
            string               userName       = "******";
            string               currentUser    = "******";
            NfsConfiguration     conf           = new NfsConfiguration();
            UserGroupInformation currentUserUgi = UserGroupInformation.CreateRemoteUser(currentUser
                                                                                        );

            currentUserUgi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.
                                                   Kerberos);
            UserGroupInformation.SetLoginUser(currentUserUgi);
            DFSClientCache       cache     = new DFSClientCache(conf);
            UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi
                                                                           );

            Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName));
            Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi));
            Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod
                                                                         .Proxy));
        }
Beispiel #15
0
            /// <exception cref="Javax.Servlet.ServletException"/>
            /// <exception cref="System.IO.IOException"/>
            protected override void DoGet(HttpServletRequest req, HttpServletResponse resp)
            {
                UserGroupInformation ugi = HttpUserGroupInformation.Get();

                if (ugi != null)
                {
                    string ret = "remoteuser="******":ugi=" + ugi.GetShortUserName
                                     ();
                    if (ugi.GetAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.Proxy)
                    {
                        ret = "realugi=" + ugi.GetRealUser().GetShortUserName() + ":" + ret;
                    }
                    resp.SetStatus(HttpServletResponse.ScOk);
                    resp.GetWriter().Write(ret);
                }
                else
                {
                    resp.SetStatus(HttpServletResponse.ScInternalServerError);
                }
            }