Ejemplo n.º 1
0
 public static void Setup()
 {
     try
     {
         testMiniKDC = new MiniKdc(MiniKdc.CreateConf(), testRootDir);
         testMiniKDC.Start();
         testMiniKDC.CreatePrincipal(httpSpnegoKeytabFile, HttpUser + "/localhost");
     }
     catch (Exception)
     {
         NUnit.Framework.Assert.IsTrue("Couldn't setup MiniKDC", false);
     }
     try
     {
         testTimelineServer = new ApplicationHistoryServer();
         conf = new Configuration(false);
         conf.SetStrings(TimelineAuthenticationFilterInitializer.Prefix + "type", "kerberos"
                         );
         conf.Set(TimelineAuthenticationFilterInitializer.Prefix + KerberosAuthenticationHandler
                  .Principal, httpSpnegoPrincipal);
         conf.Set(TimelineAuthenticationFilterInitializer.Prefix + KerberosAuthenticationHandler
                  .Keytab, httpSpnegoKeytabFile.GetAbsolutePath());
         conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
         conf.Set(YarnConfiguration.TimelineServicePrincipal, httpSpnegoPrincipal);
         conf.Set(YarnConfiguration.TimelineServiceKeytab, httpSpnegoKeytabFile.GetAbsolutePath
                      ());
         conf.SetBoolean(YarnConfiguration.TimelineServiceEnabled, true);
         conf.SetClass(YarnConfiguration.TimelineServiceStore, typeof(MemoryTimelineStore)
                       , typeof(TimelineStore));
         conf.Set(YarnConfiguration.TimelineServiceAddress, "localhost:10200");
         conf.Set(YarnConfiguration.TimelineServiceWebappAddress, "localhost:8188");
         conf.Set(YarnConfiguration.TimelineServiceWebappHttpsAddress, "localhost:8190");
         conf.Set("hadoop.proxyuser.HTTP.hosts", "*");
         conf.Set("hadoop.proxyuser.HTTP.users", FooUser);
         conf.SetInt(YarnConfiguration.TimelineServiceClientMaxRetries, 1);
         if (withSsl)
         {
             conf.Set(YarnConfiguration.YarnHttpPolicyKey, HttpConfig.Policy.HttpsOnly.ToString
                          ());
             FilePath @base = new FilePath(Basedir);
             FileUtil.FullyDelete(@base);
             @base.Mkdirs();
             keystoresDir = new FilePath(Basedir).GetAbsolutePath();
             sslConfDir   = KeyStoreTestUtil.GetClasspathDir(typeof(Org.Apache.Hadoop.Yarn.Server.Timeline.Security.TestTimelineAuthenticationFilter
                                                                    ));
             KeyStoreTestUtil.SetupSSLConfig(keystoresDir, sslConfDir, conf, false);
         }
         UserGroupInformation.SetConfiguration(conf);
         testTimelineServer.Init(conf);
         testTimelineServer.Start();
     }
     catch (Exception)
     {
         NUnit.Framework.Assert.IsTrue("Couldn't setup TimelineServer", false);
     }
 }
Ejemplo n.º 2
0
        /// <summary>
        /// Create the keytabl for the given principal, includes
        /// raw principal and $principal/localhost
        /// </summary>
        /// <param name="principal">principal short name</param>
        /// <param name="filename">filename of keytab</param>
        /// <returns>file of keytab</returns>
        /// <exception cref="System.Exception"/>
        public static FilePath CreateKeytab(string principal, string filename)
        {
            AssertNotEmpty("empty principal", principal);
            AssertNotEmpty("empty host", filename);
            NUnit.Framework.Assert.IsNotNull("Null KDC", kdc);
            FilePath keytab = new FilePath(kdcWorkDir, filename);

            kdc.CreatePrincipal(keytab, principal, principal + "/localhost", principal + "/127.0.0.1"
                                );
            return(keytab);
        }
Ejemplo n.º 3
0
        /// <exception cref="System.Exception"/>
        private void TestKerberosDelegationTokenAuthenticator(bool doAs)
        {
            string doAsUser = doAs ? OkUser : null;
            // setting hadoop security to kerberos
            Configuration conf = new Configuration();

            conf.Set("hadoop.security.authentication", "kerberos");
            UserGroupInformation.SetConfiguration(conf);
            FilePath testDir = new FilePath("target/" + UUID.RandomUUID().ToString());

            Assert.True(testDir.Mkdirs());
            MiniKdc kdc = new MiniKdc(MiniKdc.CreateConf(), testDir);

            Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
            Context context = new Context();

            context.SetContextPath("/foo");
            jetty.SetHandler(context);
            context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.KDTAFilter)), "/*"
                              , 0);
            context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UserServlet)),
                               "/bar");
            try
            {
                kdc.Start();
                FilePath keytabFile = new FilePath(testDir, "test.keytab");
                kdc.CreatePrincipal(keytabFile, "client", "HTTP/localhost");
                TestWebDelegationToken.KDTAFilter.keytabFile = keytabFile.GetAbsolutePath();
                jetty.Start();
                DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
                                                                  ();
                DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
                Uri url = new Uri(GetJettyURL() + "/foo/bar");
                try
                {
                    aUrl.GetDelegationToken(url, token, FooUser, doAsUser);
                    NUnit.Framework.Assert.Fail();
                }
                catch (AuthenticationException ex)
                {
                    Assert.True(ex.Message.Contains("GSSException"));
                }
                DoAsKerberosUser("client", keytabFile.GetAbsolutePath(), new _Callable_778(aUrl,
                                                                                           url, token, doAs, doAsUser));
            }
            finally
            {
                // Make sure the token belongs to the right owner
                jetty.Stop();
                kdc.Stop();
            }
        }
Ejemplo n.º 4
0
        public static void Init()
        {
            baseDir = new FilePath(Runtime.GetProperty("test.build.dir", "target/test-dir"),
                                   typeof(TestSecureNNWithQJM).Name);
            FileUtil.FullyDelete(baseDir);
            NUnit.Framework.Assert.IsTrue(baseDir.Mkdirs());
            Properties kdcConf = MiniKdc.CreateConf();

            kdc = new MiniKdc(kdcConf, baseDir);
            kdc.Start();
            baseConf = new HdfsConfiguration();
            SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
                                                 , baseConf);
            UserGroupInformation.SetConfiguration(baseConf);
            NUnit.Framework.Assert.IsTrue("Expected configuration to enable security", UserGroupInformation
                                          .IsSecurityEnabled());
            string   userName   = UserGroupInformation.GetLoginUser().GetShortUserName();
            FilePath keytabFile = new FilePath(baseDir, userName + ".keytab");
            string   keytab     = keytabFile.GetAbsolutePath();
            // Windows will not reverse name lookup "127.0.0.1" to "localhost".
            string krbInstance = Path.Windows ? "127.0.0.1" : "localhost";

            kdc.CreatePrincipal(keytabFile, userName + "/" + krbInstance, "HTTP/" + krbInstance
                                );
            string hdfsPrincipal   = userName + "/" + krbInstance + "@" + kdc.GetRealm();
            string spnegoPrincipal = "HTTP/" + krbInstance + "@" + kdc.GetRealm();

            baseConf.Set(DFSConfigKeys.DfsNamenodeKerberosPrincipalKey, hdfsPrincipal);
            baseConf.Set(DFSConfigKeys.DfsNamenodeKeytabFileKey, keytab);
            baseConf.Set(DFSConfigKeys.DfsDatanodeKerberosPrincipalKey, hdfsPrincipal);
            baseConf.Set(DFSConfigKeys.DfsDatanodeKeytabFileKey, keytab);
            baseConf.Set(DFSConfigKeys.DfsWebAuthenticationKerberosPrincipalKey, spnegoPrincipal
                         );
            baseConf.Set(DFSConfigKeys.DfsJournalnodeKeytabFileKey, keytab);
            baseConf.Set(DFSConfigKeys.DfsJournalnodeKerberosPrincipalKey, hdfsPrincipal);
            baseConf.Set(DFSConfigKeys.DfsJournalnodeKerberosInternalSpnegoPrincipalKey, spnegoPrincipal
                         );
            baseConf.SetBoolean(DFSConfigKeys.DfsBlockAccessTokenEnableKey, true);
            baseConf.Set(DFSConfigKeys.DfsDataTransferProtectionKey, "authentication");
            baseConf.Set(DFSConfigKeys.DfsHttpPolicyKey, HttpConfig.Policy.HttpsOnly.ToString
                             ());
            baseConf.Set(DFSConfigKeys.DfsNamenodeHttpsAddressKey, "localhost:0");
            baseConf.Set(DFSConfigKeys.DfsDatanodeHttpsAddressKey, "localhost:0");
            baseConf.Set(DFSConfigKeys.DfsJournalnodeHttpsAddressKey, "localhost:0");
            baseConf.SetInt(CommonConfigurationKeys.IpcClientConnectMaxRetriesOnSaslKey, 10);
            string keystoresDir = baseDir.GetAbsolutePath();
            string sslConfDir   = KeyStoreTestUtil.GetClasspathDir(typeof(TestSecureNNWithQJM));

            KeyStoreTestUtil.SetupSSLConfig(keystoresDir, sslConfDir, baseConf, false);
        }
Ejemplo n.º 5
0
        public static void InitKdc()
        {
            baseDir = new FilePath(Runtime.GetProperty("test.build.dir", "target/test-dir"),
                                   typeof(SaslDataTransferTestCase).Name);
            FileUtil.FullyDelete(baseDir);
            NUnit.Framework.Assert.IsTrue(baseDir.Mkdirs());
            Properties kdcConf = MiniKdc.CreateConf();

            kdc = new MiniKdc(kdcConf, baseDir);
            kdc.Start();
            string   userName   = UserGroupInformation.GetLoginUser().GetShortUserName();
            FilePath keytabFile = new FilePath(baseDir, userName + ".keytab");

            keytab = keytabFile.GetAbsolutePath();
            kdc.CreatePrincipal(keytabFile, userName + "/localhost", "HTTP/localhost");
            hdfsPrincipal   = userName + "/localhost@" + kdc.GetRealm();
            spnegoPrincipal = "HTTP/localhost@" + kdc.GetRealm();
        }
Ejemplo n.º 6
0
        public virtual void TestUGILoginFromKeytab()
        {
            UserGroupInformation.SetShouldRenewImmediatelyForTests(true);
            string   principal = "foo";
            FilePath keytab    = new FilePath(workDir, "foo.keytab");

            kdc.CreatePrincipal(keytab, principal);
            UserGroupInformation.LoginUserFromKeytab(principal, keytab.GetPath());
            UserGroupInformation ugi = UserGroupInformation.GetLoginUser();

            Assert.True("UGI should be configured to login from keytab", ugi
                        .IsFromKeytab());
            // Verify relogin from keytab.
            User user       = ugi.GetSubject().GetPrincipals <User>().GetEnumerator().Next();
            long firstLogin = user.GetLastLogin();

            ugi.ReloginFromKeytab();
            long secondLogin = user.GetLastLogin();

            Assert.True("User should have been able to relogin from keytab"
                        , secondLogin > firstLogin);
        }
Ejemplo n.º 7
0
 /// <exception cref="System.Exception"/>
 private static void SetupKDC()
 {
     testMiniKDC.Start();
     testMiniKDC.CreatePrincipal(spnegoKeytabFile, "HTTP/localhost", "client", UserGroupInformation
                                 .GetLoginUser().GetShortUserName(), "client2");
 }