Ejemplos de UserGroupInformation.CreateRemoteUser en C# (CSharp)

Ejemplo n.º 1

        /// <exception cref="System.Exception"/>
        public virtual void TestFstat()
        {
            FileOutputStream fos = new FileOutputStream(new FilePath(TestDir, "testfstat"));

            NativeIO.POSIX.Stat stat = NativeIO.POSIX.GetFstat(fos.GetFD());
            fos.Close();
            Log.Info("Stat: " + stat.ToString());
            string owner         = stat.GetOwner();
            string expectedOwner = Runtime.GetProperty("user.name");

            if (Path.Windows)
            {
                UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(expectedOwner);
                string adminsGroupString = "Administrators";
                if (Arrays.AsList(ugi.GetGroupNames()).Contains(adminsGroupString))
                {
                    expectedOwner = adminsGroupString;
                }
            }
            Assert.Equal(expectedOwner, owner);
            NUnit.Framework.Assert.IsNotNull(stat.GetGroup());
            Assert.True(!stat.GetGroup().IsEmpty());
            Assert.Equal("Stat mode field should indicate a regular file",
                         NativeIO.POSIX.Stat.SIfreg, stat.GetMode() & NativeIO.POSIX.Stat.SIfmt);
        }

Ejemplo n.º 2

Archivo: TestApplicationACLsManager.cs Proyecto: orf53975/hadoop.net

        public virtual void TestCheckAccessWithNullACLS()
        {
            Configuration conf = new Configuration();

            conf.SetBoolean(YarnConfiguration.YarnAclEnable, true);
            conf.Set(YarnConfiguration.YarnAdminAcl, AdminUser);
            ApplicationACLsManager aclManager = new ApplicationACLsManager(conf);
            UserGroupInformation   appOwner   = UserGroupInformation.CreateRemoteUser(AppOwner);
            ApplicationId          appId      = ApplicationId.NewInstance(1, 1);

            //Application ACL is not added
            //Application Owner should have all access even if Application ACL is not added
            NUnit.Framework.Assert.IsTrue(aclManager.CheckAccess(appOwner, ApplicationAccessType
                                                                 .ModifyApp, AppOwner, appId));
            NUnit.Framework.Assert.IsTrue(aclManager.CheckAccess(appOwner, ApplicationAccessType
                                                                 .ViewApp, AppOwner, appId));
            //Admin should have all access
            UserGroupInformation adminUser = UserGroupInformation.CreateRemoteUser(AdminUser);

            NUnit.Framework.Assert.IsTrue(aclManager.CheckAccess(adminUser, ApplicationAccessType
                                                                 .ViewApp, AppOwner, appId));
            NUnit.Framework.Assert.IsTrue(aclManager.CheckAccess(adminUser, ApplicationAccessType
                                                                 .ModifyApp, AppOwner, appId));
            // A regular user should Not have access
            UserGroupInformation testUser1 = UserGroupInformation.CreateRemoteUser(Testuser1);

            NUnit.Framework.Assert.IsFalse(aclManager.CheckAccess(testUser1, ApplicationAccessType
                                                                  .ViewApp, AppOwner, appId));
            NUnit.Framework.Assert.IsFalse(aclManager.CheckAccess(testUser1, ApplicationAccessType
                                                                  .ModifyApp, AppOwner, appId));
        }

Ejemplo n.º 3

 /// <exception cref="System.Exception"/>
 public virtual void TestFsCache()
 {
     {
         long          now   = Runtime.CurrentTimeMillis();
         string[]      users = new string[] { "foo", "bar" };
         Configuration conf  = new Configuration();
         FileSystem[]  fs    = new FileSystem[users.Length];
         for (int i = 0; i < users.Length; i++)
         {
             UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(users[i]);
             fs[i] = ugi.DoAs(new _PrivilegedExceptionAction_500(conf));
             for (int j = 0; j < i; j++)
             {
                 NUnit.Framework.Assert.IsFalse(fs[j] == fs[i]);
             }
         }
         FileSystem.CloseAll();
     }
     {
         try
         {
             RunTestCache(NameNode.DefaultPort);
         }
         catch (BindException be)
         {
             Log.Warn("Cannot test NameNode.DEFAULT_PORT (=" + NameNode.DefaultPort + ")", be);
         }
         RunTestCache(0);
     }
 }

Ejemplo n.º 4

        /// <summary>
        /// Validate the netgroups, both group membership and ACL
        /// functionality
        /// Note: assumes a specific acl setup done by testNetgroups
        /// </summary>
        /// <param name="groups">group to user mapping service</param>
        /// <param name="acl">ACL set up in a specific way, see testNetgroups</param>
        /// <exception cref="System.Exception"/>
        private void ValidateNetgroups(Groups groups, AccessControlList acl)
        {
            // check that the netgroups are working
            IList <string> elvisGroups = groups.GetGroups("elvis");

            Assert.True(elvisGroups.Contains("@lasVegas"));
            Assert.True(elvisGroups.Contains("@memphis"));
            IList <string> jerryLeeLewisGroups = groups.GetGroups("jerryLeeLewis");

            Assert.True(jerryLeeLewisGroups.Contains("@memphis"));
            // allowed becuase his netgroup is in ACL
            UserGroupInformation elvis = UserGroupInformation.CreateRemoteUser("elvis");

            AssertUserAllowed(elvis, acl);
            // allowed because he's in ACL
            UserGroupInformation carlPerkins = UserGroupInformation.CreateRemoteUser("carlPerkins"
                                                                                     );

            AssertUserAllowed(carlPerkins, acl);
            // not allowed because he's not in ACL and has no netgroups
            UserGroupInformation littleRichard = UserGroupInformation.CreateRemoteUser("littleRichard"
                                                                                       );

            AssertUserNotAllowed(littleRichard, acl);
        }

Ejemplo n.º 5

        public virtual void TestHttpUGI()
        {
            Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
            Context context = new Context();

            context.SetContextPath("/foo");
            jetty.SetHandler(context);
            context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.PseudoDTAFilter)
                                               ), "/*", 0);
            context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UGIServlet)),
                               "/bar");
            try
            {
                jetty.Start();
                Uri url = new Uri(GetJettyURL() + "/foo/bar");
                UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(FooUser);
                ugi.DoAs(new _PrivilegedExceptionAction_938(url));
            }
            finally
            {
                // user foo
                // user ok-user via proxyuser foo
                jetty.Stop();
            }
        }

Ejemplo n.º 6

        /// <exception cref="System.Exception"/>
        public virtual RegisterApplicationMasterResponse RegisterAppAttempt(bool wait)
        {
            if (wait)
            {
                WaitForState(RMAppAttemptState.Launched);
            }
            responseId = 0;
            RegisterApplicationMasterRequest req = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
                                                   <RegisterApplicationMasterRequest>();

            req.SetHost(string.Empty);
            req.SetRpcPort(1);
            req.SetTrackingUrl(string.Empty);
            if (ugi == null)
            {
                ugi = UserGroupInformation.CreateRemoteUser(attemptId.ToString());
                Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> token = context.GetRMApps
                                                                                         ()[attemptId.GetApplicationId()].GetRMAppAttempt(attemptId).GetAMRMToken();
                ugi.AddTokenIdentifier(token.DecodeIdentifier());
            }
            try
            {
                return(ugi.DoAs(new _PrivilegedExceptionAction_117(this, req)));
            }
            catch (UndeclaredThrowableException e)
            {
                throw (Exception)e.InnerException;
            }
        }

Ejemplo n.º 7

        /// <exception cref="System.IO.IOException"/>
        internal static ClientDatanodeProtocolPB CreateClientDatanodeProtocolProxy(DatanodeID
                                                                                   datanodeid, Configuration conf, int socketTimeout, bool connectToDnViaHostname,
                                                                                   LocatedBlock locatedBlock)
        {
            string     dnAddr = datanodeid.GetIpcAddr(connectToDnViaHostname);
            IPEndPoint addr   = NetUtils.CreateSocketAddr(dnAddr);

            if (Log.IsDebugEnabled())
            {
                Log.Debug("Connecting to datanode " + dnAddr + " addr=" + addr);
            }
            // Since we're creating a new UserGroupInformation here, we know that no
            // future RPC proxies will be able to re-use the same connection. And
            // usages of this proxy tend to be one-off calls.
            //
            // This is a temporary fix: callers should really achieve this by using
            // RPC.stopProxy() on the resulting object, but this is currently not
            // working in trunk. See the discussion on HDFS-1965.
            Configuration confWithNoIpcIdle = new Configuration(conf);

            confWithNoIpcIdle.SetInt(CommonConfigurationKeysPublic.IpcClientConnectionMaxidletimeKey
                                     , 0);
            UserGroupInformation ticket = UserGroupInformation.CreateRemoteUser(locatedBlock.
                                                                                GetBlock().GetLocalBlock().ToString());

            ticket.AddToken(locatedBlock.GetBlockToken());
            return(CreateClientDatanodeProtocolProxy(addr, ticket, confWithNoIpcIdle, NetUtils
                                                     .GetDefaultSocketFactory(conf), socketTimeout));
        }

Ejemplo n.º 8

Archivo: TestApplicationACLs.cs Proyecto: orf53975/hadoop.net

        public static void Setup()
        {
            RMStateStore store = RMStateStoreFactory.GetStore(conf);

            conf.SetBoolean(YarnConfiguration.YarnAclEnable, true);
            AccessControlList adminACL = new AccessControlList(string.Empty);

            adminACL.AddGroup(SuperGroup);
            conf.Set(YarnConfiguration.YarnAdminAcl, adminACL.GetAclString());
            resourceManager = new _MockRM_105(conf);
            new _Thread_127().Start();
            int waitCount = 0;

            while (resourceManager.GetServiceState() == Service.STATE.Inited && waitCount++ <
                   60)
            {
                Log.Info("Waiting for RM to start...");
                Sharpen.Thread.Sleep(1500);
            }
            if (resourceManager.GetServiceState() != Service.STATE.Started)
            {
                // RM could have failed.
                throw new IOException("ResourceManager failed to start. Final state is " + resourceManager
                                      .GetServiceState());
            }
            UserGroupInformation owner = UserGroupInformation.CreateRemoteUser(AppOwner);

            rmClient = owner.DoAs(new _PrivilegedExceptionAction_152());
        }

Ejemplo n.º 9

Archivo: TestKeyAuthorizationKeyProvider.cs Proyecto: orf53975/hadoop.net

        /// <exception cref="System.Exception"/>
        public virtual void TestDecryptWithKeyVersionNameKeyMismatch()
        {
            Configuration conf = new Configuration();
            KeyProvider   kp   = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf
                                                                           );

            KeyAuthorizationKeyProvider.KeyACLs mock = Org.Mockito.Mockito.Mock <KeyAuthorizationKeyProvider.KeyACLs
                                                                                 >();
            Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
                                                       .Management)).ThenReturn(true);
            Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
                                                       .GenerateEek)).ThenReturn(true);
            Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
                                                       .DecryptEek)).ThenReturn(true);
            Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
                                                       .All)).ThenReturn(true);
            UserGroupInformation u1   = UserGroupInformation.CreateRemoteUser("u1");
            UserGroupInformation u2   = UserGroupInformation.CreateRemoteUser("u2");
            UserGroupInformation u3   = UserGroupInformation.CreateRemoteUser("u3");
            UserGroupInformation sudo = UserGroupInformation.CreateRemoteUser("sudo");

            Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u1, KeyAuthorizationKeyProvider.KeyOpType
                                                         .Management)).ThenReturn(true);
            Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u2, KeyAuthorizationKeyProvider.KeyOpType
                                                         .GenerateEek)).ThenReturn(true);
            Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u3, KeyAuthorizationKeyProvider.KeyOpType
                                                         .DecryptEek)).ThenReturn(true);
            Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", sudo, KeyAuthorizationKeyProvider.KeyOpType
                                                         .All)).ThenReturn(true);
            KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension
                                                                               .CreateKeyProviderCryptoExtension(kp), mock);

            sudo.DoAs(new _PrivilegedExceptionAction_247(conf, kpExt));
        }

Ejemplo n.º 10

        public static void LoadTest(string ipString, int testRange)
        {
            Configuration conf = new Configuration();

            conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
                         (RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames)));
            conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
                         (RealUserName), ipString);
            ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
            // First try proxying a group that's allowed
            UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
                                                                                     );
            UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
                                                    (ProxyUserName, realUserUgi, GroupNames);
            long         startTime = Runtime.NanoTime();
            SecureRandom sr        = new SecureRandom();

            for (int i = 1; i < 1000000; i++)
            {
                try
                {
                    ProxyUsers.Authorize(proxyUserUgi, "1.2.3." + sr.Next(testRange));
                }
                catch (AuthorizationException)
                {
                }
            }
            long stopTime    = Runtime.NanoTime();
            long elapsedTime = stopTime - startTime;

            System.Console.Out.WriteLine(elapsedTime / 1000000 + " ms");
        }

Ejemplo n.º 11

        /// <exception cref="System.IO.IOException"/>
        private static void CheckStat(FilePath f, string owner, string group, string expectedOwner
                                      , string expectedGroup)
        {
            bool success = true;

            if (expectedOwner != null && !expectedOwner.Equals(owner))
            {
                if (Path.Windows)
                {
                    UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(expectedOwner);
                    string adminsGroupString = "Administrators";
                    success = owner.Equals(adminsGroupString) && Arrays.AsList(ugi.GetGroupNames()).Contains
                                  (adminsGroupString);
                }
                else
                {
                    success = false;
                }
            }
            if (!success)
            {
                throw new IOException("Owner '" + owner + "' for path " + f + " did not match " +
                                      "expected owner '" + expectedOwner + "'");
            }
        }

Ejemplo n.º 12

        public virtual void TestProxyUsersWithCustomPrefix()
        {
            Configuration conf = new Configuration(false);

            conf.Set("x." + RealUserName + ".users", StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName
                                                                                         )));
            conf.Set("x." + RealUserName + ".hosts", ProxyIp);
            ProxyUsers.RefreshSuperUserGroupsConfiguration(conf, "x");
            // First try proxying a user that's allowed
            UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
                                                                                     );
            UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
                                                    (AuthorizedProxyUserName, realUserUgi, GroupNames);

            // From good IP
            AssertAuthorized(proxyUserUgi, "1.2.3.4");
            // From bad IP
            AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
            // Now try proxying a user that's not allowed
            realUserUgi  = UserGroupInformation.CreateRemoteUser(RealUserName);
            proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
                                                                          , GroupNames);
            // From good IP
            AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
            // From bad IP
            AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
        }

Ejemplo n.º 13

        public virtual void TestWildcardIP()
        {
            Configuration conf = new Configuration();

            conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
                         (RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames)));
            conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
                         (RealUserName), "*");
            ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
            // First try proxying a group that's allowed
            UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
                                                                                     );
            UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
                                                    (ProxyUserName, realUserUgi, GroupNames);

            // From either IP should be fine
            AssertAuthorized(proxyUserUgi, "1.2.3.4");
            AssertAuthorized(proxyUserUgi, "1.2.3.5");
            // Now set up an unallowed group
            realUserUgi  = UserGroupInformation.CreateRemoteUser(RealUserName);
            proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
                                                                          , OtherGroupNames);
            // Neither IP should be OK
            AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
            AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
        }

Ejemplo n.º 14

        public virtual void TestWildcardUser()
        {
            Configuration conf = new Configuration();

            conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserUserConfKey
                         (RealUserName), "*");
            conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
                         (RealUserName), ProxyIp);
            ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
            // First try proxying a user that's allowed
            UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
                                                                                     );
            UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
                                                    (AuthorizedProxyUserName, realUserUgi, GroupNames);

            // From good IP
            AssertAuthorized(proxyUserUgi, "1.2.3.4");
            // From bad IP
            AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
            // Now try proxying a different user (just to make sure we aren't getting spill over
            // from the other test case!)
            realUserUgi  = UserGroupInformation.CreateRemoteUser(RealUserName);
            proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
                                                                          , OtherGroupNames);
            // From good IP
            AssertAuthorized(proxyUserUgi, "1.2.3.4");
            // From bad IP
            AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
        }

Ejemplo n.º 15

        public virtual void TestProxyUsersWithUserConf()
        {
            Configuration conf = new Configuration();

            conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserUserConfKey
                         (RealUserName), StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName)));
            conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
                         (RealUserName), ProxyIp);
            ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
            // First try proxying a user that's allowed
            UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
                                                                                     );
            UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
                                                    (AuthorizedProxyUserName, realUserUgi, GroupNames);

            // From good IP
            AssertAuthorized(proxyUserUgi, "1.2.3.4");
            // From bad IP
            AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
            // Now try proxying a user that's not allowed
            realUserUgi  = UserGroupInformation.CreateRemoteUser(RealUserName);
            proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
                                                                          , GroupNames);
            // From good IP
            AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
            // From bad IP
            AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
        }

Ejemplo n.º 16

        /// <exception cref="System.Exception"/>
        /// <exception cref="System.IO.IOException"/>
        private static DistributedFileSystem GetFileSystem(string user, URI uri, Configuration
                                                           conf)
        {
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(user);

            return(ugi.DoAs(new _PrivilegedExceptionAction_343(uri, conf)));
        }

Ejemplo n.º 17

        public virtual void TestRealUserGroupNotSpecified()
        {
            Configuration conf = new Configuration();

            ConfigureSuperUserIPAddresses(conf, RealUserShortName);
            Server server = new RPC.Builder(conf).SetProtocol(typeof(TestDoAsEffectiveUser.TestProtocol
                                                                     )).SetInstance(new TestDoAsEffectiveUser.TestImpl(this)).SetBindAddress(Address)
                            .SetPort(0).SetNumHandlers(2).SetVerbose(false).Build();

            try
            {
                server.Start();
                IPEndPoint           addr        = NetUtils.GetConnectAddress(server);
                UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
                                                                                         );
                UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
                                                        (ProxyUserName, realUserUgi, GroupNames);
                string retVal = proxyUserUgi.DoAs(new _PrivilegedExceptionAction_359(this, addr,
                                                                                     conf));
                NUnit.Framework.Assert.Fail("The RPC must have failed " + retVal);
            }
            catch (Exception e)
            {
                Runtime.PrintStackTrace(e);
            }
            finally
            {
                server.Stop();
                if (proxy != null)
                {
                    RPC.StopProxy(proxy);
                }
            }
        }

Ejemplo n.º 18

        /// <summary>
        /// Get
        /// <see cref="Org.Apache.Hadoop.Security.UserGroupInformation"/>
        /// and possibly the delegation token out of
        /// the request.
        /// </summary>
        /// <param name="context">the ServletContext that is serving this request.</param>
        /// <param name="request">the http request</param>
        /// <param name="conf">configuration</param>
        /// <param name="secureAuthMethod">the AuthenticationMethod used in secure mode.</param>
        /// <param name="tryUgiParameter">Should it try the ugi parameter?</param>
        /// <returns>a new user from the request</returns>
        /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the request has no token
        ///     </exception>
        /// <exception cref="System.IO.IOException"/>
        public static UserGroupInformation GetUGI(ServletContext context, HttpServletRequest
                                                  request, Configuration conf, UserGroupInformation.AuthenticationMethod secureAuthMethod
                                                  , bool tryUgiParameter)
        {
            UserGroupInformation ugi = null;
            string usernameFromQuery = GetUsernameFromQuery(request, tryUgiParameter);
            string doAsUserFromQuery = request.GetParameter(DoAsParam.Name);
            string remoteUser;

            if (UserGroupInformation.IsSecurityEnabled())
            {
                remoteUser = request.GetRemoteUser();
                string tokenString = request.GetParameter(DelegationParameterName);
                if (tokenString != null)
                {
                    // Token-based connections need only verify the effective user, and
                    // disallow proxying to different user.  Proxy authorization checks
                    // are not required since the checks apply to issuing a token.
                    ugi = GetTokenUGI(context, request, tokenString, conf);
                    CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
                    CheckUsername(ugi.GetShortUserName(), doAsUserFromQuery);
                }
                else
                {
                    if (remoteUser == null)
                    {
                        throw new IOException("Security enabled but user not authenticated by filter");
                    }
                }
            }
            else
            {
                // Security's not on, pull from url or use default web user
                remoteUser = (usernameFromQuery == null) ? GetDefaultWebUserName(conf) : usernameFromQuery;
            }
            // not specified in request
            if (ugi == null)
            {
                // security is off, or there's no token
                ugi = UserGroupInformation.CreateRemoteUser(remoteUser);
                CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
                if (UserGroupInformation.IsSecurityEnabled())
                {
                    // This is not necessarily true, could have been auth'ed by user-facing
                    // filter
                    ugi.SetAuthenticationMethod(secureAuthMethod);
                }
                if (doAsUserFromQuery != null)
                {
                    // create and attempt to authorize a proxy user
                    ugi = UserGroupInformation.CreateProxyUser(doAsUserFromQuery, ugi);
                    ProxyUsers.Authorize(ugi, GetRemoteAddr(request));
                }
            }
            if (Log.IsDebugEnabled())
            {
                Log.Debug("getUGI is returning: " + ugi.GetShortUserName());
            }
            return(ugi);
        }

Ejemplo n.º 19

        /// <exception cref="System.IO.IOException"/>
        public virtual void TestSetLoginUser()
        {
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user");

            UserGroupInformation.SetLoginUser(ugi);
            Assert.Equal(ugi, UserGroupInformation.GetLoginUser());
        }

Ejemplo n.º 20

Archivo: TestFileSystemCaching.cs Proyecto: orf53975/hadoop.net

        public virtual void TestCacheForUgi <T>()
            where T : TokenIdentifier
        {
            Configuration conf = new Configuration();

            conf.Set("fs.cachedfile.impl", FileSystem.GetFileSystemClass("file", null).FullName
                     );
            UserGroupInformation ugiA = UserGroupInformation.CreateRemoteUser("foo");
            UserGroupInformation ugiB = UserGroupInformation.CreateRemoteUser("bar");
            FileSystem           fsA  = ugiA.DoAs(new _PrivilegedExceptionAction_171(conf));
            FileSystem           fsA1 = ugiA.DoAs(new _PrivilegedExceptionAction_177(conf));

            //Since the UGIs are the same, we should have the same filesystem for both
            NUnit.Framework.Assert.AreSame(fsA, fsA1);
            FileSystem fsB = ugiB.DoAs(new _PrivilegedExceptionAction_186(conf));

            //Since the UGIs are different, we should end up with different filesystems
            //corresponding to the two UGIs
            NUnit.Framework.Assert.AreNotSame(fsA, fsB);
            Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            UserGroupInformation ugiA2 = UserGroupInformation.CreateRemoteUser("foo");

            fsA = ugiA2.DoAs(new _PrivilegedExceptionAction_199(conf));
            // Although the users in the UGI are same, they have different subjects
            // and so are different.
            NUnit.Framework.Assert.AreNotSame(fsA, fsA1);
            ugiA.AddToken(t1);
            fsA = ugiA.DoAs(new _PrivilegedExceptionAction_211(conf));
            // Make sure that different UGI's with the same subject lead to the same
            // file system.
            NUnit.Framework.Assert.AreSame(fsA, fsA1);
        }

Ejemplo n.º 21

        /// <exception cref="System.Exception"/>
        public virtual void TestAddCreds <T>()
            where T : TokenIdentifier
        {
            // from Mockito mocks
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("someone");
            Text service             = new Text("service");

            Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(service);
            Org.Apache.Hadoop.Security.Token.Token <T> t2 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Mockito.Mockito.When(t2.GetService()).ThenReturn(new Text("service2"));
            byte[] secret    = new byte[] {  };
            Text   secretKey = new Text("sshhh");
            // fill credentials
            Credentials creds = new Credentials();

            creds.AddToken(t1.GetService(), t1);
            creds.AddToken(t2.GetService(), t2);
            creds.AddSecretKey(secretKey, secret);
            // add creds to ugi, and check ugi
            ugi.AddCredentials(creds);
            CheckTokens(ugi, t1, t2);
            NUnit.Framework.Assert.AreSame(secret, ugi.GetCredentials().GetSecretKey(secretKey
                                                                                     ));
        }

Ejemplo n.º 22

        /// <exception cref="System.Exception"/>
        public virtual void TestGetCreds <T>()
            where T : TokenIdentifier
        {
            // from Mockito mocks
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("someone");
            Text service             = new Text("service");

            Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(service);
            Org.Apache.Hadoop.Security.Token.Token <T> t2 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Mockito.Mockito.When(t2.GetService()).ThenReturn(new Text("service2"));
            Org.Apache.Hadoop.Security.Token.Token <T> t3 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Mockito.Mockito.When(t3.GetService()).ThenReturn(service);
            // add token to ugi
            ugi.AddToken(t1);
            ugi.AddToken(t2);
            CheckTokens(ugi, t1, t2);
            Credentials creds = ugi.GetCredentials();

            creds.AddToken(t3.GetService(), t3);
            NUnit.Framework.Assert.AreSame(t3, creds.GetToken(service));
            // check that ugi wasn't modified
            CheckTokens(ugi, t1, t2);
        }

Ejemplo n.º 23

        /// <exception cref="System.Exception"/>
        public virtual void TestAddToken <T>()
            where T : TokenIdentifier
        {
            // from Mockito mocks
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("someone");

            Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Apache.Hadoop.Security.Token.Token <T> t2 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            Org.Apache.Hadoop.Security.Token.Token <T> t3 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
                                                                                      >();
            // add token to ugi
            ugi.AddToken(t1);
            CheckTokens(ugi, t1);
            // replace token t1 with t2 - with same key (null)
            ugi.AddToken(t2);
            CheckTokens(ugi, t2);
            // change t1 service and add token
            Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(new Text("t1"));
            ugi.AddToken(t1);
            CheckTokens(ugi, t1, t2);
            // overwrite t1 token with t3 - same key (!null)
            Org.Mockito.Mockito.When(t3.GetService()).ThenReturn(new Text("t1"));
            ugi.AddToken(t3);
            CheckTokens(ugi, t2, t3);
            // just try to re-add with new name
            Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(new Text("t1.1"));
            ugi.AddToken(t1);
            CheckTokens(ugi, t1, t2, t3);
            // just try to re-add with new name again
            ugi.AddToken(t1);
            CheckTokens(ugi, t1, t2, t3);
        }

Ejemplo n.º 24

Archivo: FileContextPermissionBase.cs Proyecto: orf53975/hadoop.net

        public virtual void TestUgi()
        {
            UserGroupInformation otherUser = UserGroupInformation.CreateRemoteUser("otherUser"
                                                                                   );
            FileContext newFc = otherUser.DoAs(new _PrivilegedExceptionAction_194());

            Assert.Equal("otherUser", newFc.GetUgi().GetUserName());
        }

Ejemplo n.º 25

Archivo: GetGroupsTestBase.cs Proyecto: orf53975/hadoop.net

        public virtual void TestNonExistentUser()
        {
            string actualOutput = RunTool(conf, new string[] { "does-not-exist" }, true);

            Assert.Equal("Show the output for only the user given, with no groups"
                         , GetExpectedOutput(UserGroupInformation.CreateRemoteUser("does-not-exist")), actualOutput
                         );
        }

Ejemplo n.º 26

Archivo: QueueACLsTestBase.cs Proyecto: orf53975/hadoop.net

        /// <exception cref="System.IO.IOException"/>
        /// <exception cref="System.Exception"/>
        private ApplicationClientProtocol GetRMClientForUser(string user)
        {
            UserGroupInformation      userUGI    = UserGroupInformation.CreateRemoteUser(user);
            ApplicationClientProtocol userClient = userUGI.DoAs(new _PrivilegedExceptionAction_257
                                                                    (this));

            return(userClient);
        }

Ejemplo n.º 27

Archivo: JobTokenIdentifier.cs Proyecto: orf53975/hadoop.net

 /// <summary>
 /// <inheritDoc/>
 ///
 /// </summary>
 public override UserGroupInformation GetUser()
 {
     if (jobid == null || string.Empty.Equals(jobid.ToString()))
     {
         return(null);
     }
     return(UserGroupInformation.CreateRemoteUser(jobid.ToString()));
 }

Ejemplo n.º 28

        /// <exception cref="System.IO.IOException"/>
        /// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
        public static void StartContainer(NodeManager nm, ContainerId cId, FileContext localFS
                                          , FilePath scriptFileDir, FilePath processStartFile)
        {
            FilePath scriptFile = CreateUnhaltingScriptFile(cId, scriptFileDir, processStartFile
                                                            );
            ContainerLaunchContext containerLaunchContext = recordFactory.NewRecordInstance <ContainerLaunchContext
                                                                                             >();
            NodeId nodeId = BuilderUtils.NewNodeId(Sharpen.Extensions.GetAddressByName("localhost"
                                                                                       ).ToString(), 12345);
            URL localResourceUri = ConverterUtils.GetYarnUrlFromPath(localFS.MakeQualified(new
                                                                                           Path(scriptFile.GetAbsolutePath())));
            LocalResource localResource = recordFactory.NewRecordInstance <LocalResource>();

            localResource.SetResource(localResourceUri);
            localResource.SetSize(-1);
            localResource.SetVisibility(LocalResourceVisibility.Application);
            localResource.SetType(LocalResourceType.File);
            localResource.SetTimestamp(scriptFile.LastModified());
            string destinationFile = "dest_file";
            IDictionary <string, LocalResource> localResources = new Dictionary <string, LocalResource
                                                                                 >();

            localResources[destinationFile] = localResource;
            containerLaunchContext.SetLocalResources(localResources);
            IList <string> commands = Arrays.AsList(Shell.GetRunScriptCommand(scriptFile));

            containerLaunchContext.SetCommands(commands);
            IPEndPoint containerManagerBindAddress = NetUtils.CreateSocketAddrForHost("127.0.0.1"
                                                                                      , 12345);
            UserGroupInformation currentUser = UserGroupInformation.CreateRemoteUser(cId.ToString
                                                                                         ());

            Org.Apache.Hadoop.Security.Token.Token <NMTokenIdentifier> nmToken = ConverterUtils
                                                                                 .ConvertFromYarn(nm.GetNMContext().GetNMTokenSecretManager().CreateNMToken(cId.GetApplicationAttemptId
                                                                                                                                                                (), nodeId, user), containerManagerBindAddress);
            currentUser.AddToken(nmToken);
            ContainerManagementProtocol containerManager = currentUser.DoAs(new _PrivilegedAction_229
                                                                                ());
            StartContainerRequest scRequest = StartContainerRequest.NewInstance(containerLaunchContext
                                                                                , TestContainerManager.CreateContainerToken(cId, 0, nodeId, user, nm.GetNMContext
                                                                                                                                ().GetContainerTokenSecretManager()));
            IList <StartContainerRequest> list = new AList <StartContainerRequest>();

            list.AddItem(scRequest);
            StartContainersRequest allRequests = StartContainersRequest.NewInstance(list);

            containerManager.StartContainers(allRequests);
            IList <ContainerId> containerIds = new AList <ContainerId>();

            containerIds.AddItem(cId);
            GetContainerStatusesRequest request = GetContainerStatusesRequest.NewInstance(containerIds
                                                                                          );
            ContainerStatus containerStatus = containerManager.GetContainerStatuses(request).
                                              GetContainerStatuses()[0];

            NUnit.Framework.Assert.AreEqual(ContainerState.Running, containerStatus.GetState(
                                                ));
        }

Ejemplo n.º 29

Archivo: TestSafeMode.cs Proyecto: orf53975/hadoop.net

        public virtual void TestOperationsWhileInSafeMode()
        {
            Path file1 = new Path("/file1");

            NUnit.Framework.Assert.IsFalse(dfs.SetSafeMode(HdfsConstants.SafeModeAction.SafemodeGet
                                                           ));
            DFSTestUtil.CreateFile(fs, file1, 1024, (short)1, 0);
            NUnit.Framework.Assert.IsTrue("Could not enter SM", dfs.SetSafeMode(HdfsConstants.SafeModeAction
                                                                                .SafemodeEnter));
            RunFsFun("Set quota while in SM", new _FSRun_319(file1));
            RunFsFun("Set perm while in SM", new _FSRun_325(file1));
            RunFsFun("Set owner while in SM", new _FSRun_331(file1));
            RunFsFun("Set repl while in SM", new _FSRun_337(file1));
            RunFsFun("Append file while in SM", new _FSRun_343(file1));
            RunFsFun("Truncate file while in SM", new _FSRun_349(file1));
            RunFsFun("Delete file while in SM", new _FSRun_355(file1));
            RunFsFun("Rename file while in SM", new _FSRun_361(file1));
            RunFsFun("Set time while in SM", new _FSRun_367(file1));
            RunFsFun("modifyAclEntries while in SM", new _FSRun_373(file1));
            RunFsFun("removeAclEntries while in SM", new _FSRun_379(file1));
            RunFsFun("removeDefaultAcl while in SM", new _FSRun_385(file1));
            RunFsFun("removeAcl while in SM", new _FSRun_391(file1));
            RunFsFun("setAcl while in SM", new _FSRun_397(file1));
            RunFsFun("setXAttr while in SM", new _FSRun_403(file1));
            RunFsFun("removeXAttr while in SM", new _FSRun_409(file1));
            try
            {
                DFSTestUtil.ReadFile(fs, file1);
            }
            catch (IOException)
            {
                NUnit.Framework.Assert.Fail("Set times failed while in SM");
            }
            try
            {
                fs.GetAclStatus(file1);
            }
            catch (IOException)
            {
                NUnit.Framework.Assert.Fail("getAclStatus failed while in SM");
            }
            // Test access
            UserGroupInformation ugiX = UserGroupInformation.CreateRemoteUser("userX");
            FileSystem           myfs = ugiX.DoAs(new _PrivilegedExceptionAction_429(this));

            myfs.Access(file1, FsAction.Read);
            try
            {
                myfs.Access(file1, FsAction.Write);
                NUnit.Framework.Assert.Fail("The access call should have failed.");
            }
            catch (AccessControlException)
            {
            }
            // expected
            NUnit.Framework.Assert.IsFalse("Could not leave SM", dfs.SetSafeMode(HdfsConstants.SafeModeAction
                                                                                 .SafemodeLeave));
        }

Ejemplo n.º 30

        /// <exception cref="System.IO.IOException"/>
        public virtual void TestSecureProxyAuthParamsInUrl()
        {
            Configuration conf = new Configuration();

            // fake turning on security so api thinks it should use tokens
            SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
                                                 , conf);
            UserGroupInformation.SetConfiguration(conf);
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user");

            ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos);
            ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi);
            UserGroupInformation.SetLoginUser(ugi);
            WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf);
            Path   fsPath             = new Path("/");
            string tokenString        = webhdfs.GetDelegationToken().EncodeToUrlString();
            // send real+effective
            Uri getTokenUrl = webhdfs.ToUrl(GetOpParam.OP.Getdelegationtoken, fsPath);

            CheckQueryParams(new string[] { GetOpParam.OP.Getdelegationtoken.ToQueryString(),
                                            new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi
                                                                                                                          .GetShortUserName()).ToString() }, getTokenUrl);
            // send real+effective
            Uri renewTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Renewdelegationtoken, fsPath, new
                                              TokenArgumentParam(tokenString));

            CheckQueryParams(new string[] { PutOpParam.OP.Renewdelegationtoken.ToQueryString(
                                                ), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
                                                (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
                                                () }, renewTokenUrl);
            // send token
            Uri cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new
                                               TokenArgumentParam(tokenString));

            CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
                                                (), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
                                                (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
                                                () }, cancelTokenUrl);
            // send token
            Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);

            CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
                                            DelegationParam(tokenString).ToString() }, fileStatusUrl);
            // wipe out internal token to simulate auth always required
            webhdfs.SetDelegationToken(null);
            // send real+effective
            cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam
                                               (tokenString));
            CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
                                                (), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
                                                (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
                                                () }, cancelTokenUrl);
            // send real+effective
            fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
            CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
                                            UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName
                                                                                                                          ()).ToString() }, fileStatusUrl);
        }