/// <exception cref="System.Exception"/> public virtual void TestFstat() { FileOutputStream fos = new FileOutputStream(new FilePath(TestDir, "testfstat")); NativeIO.POSIX.Stat stat = NativeIO.POSIX.GetFstat(fos.GetFD()); fos.Close(); Log.Info("Stat: " + stat.ToString()); string owner = stat.GetOwner(); string expectedOwner = Runtime.GetProperty("user.name"); if (Path.Windows) { UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(expectedOwner); string adminsGroupString = "Administrators"; if (Arrays.AsList(ugi.GetGroupNames()).Contains(adminsGroupString)) { expectedOwner = adminsGroupString; } } Assert.Equal(expectedOwner, owner); NUnit.Framework.Assert.IsNotNull(stat.GetGroup()); Assert.True(!stat.GetGroup().IsEmpty()); Assert.Equal("Stat mode field should indicate a regular file", NativeIO.POSIX.Stat.SIfreg, stat.GetMode() & NativeIO.POSIX.Stat.SIfmt); }
public virtual void TestCheckAccessWithNullACLS() { Configuration conf = new Configuration(); conf.SetBoolean(YarnConfiguration.YarnAclEnable, true); conf.Set(YarnConfiguration.YarnAdminAcl, AdminUser); ApplicationACLsManager aclManager = new ApplicationACLsManager(conf); UserGroupInformation appOwner = UserGroupInformation.CreateRemoteUser(AppOwner); ApplicationId appId = ApplicationId.NewInstance(1, 1); //Application ACL is not added //Application Owner should have all access even if Application ACL is not added NUnit.Framework.Assert.IsTrue(aclManager.CheckAccess(appOwner, ApplicationAccessType .ModifyApp, AppOwner, appId)); NUnit.Framework.Assert.IsTrue(aclManager.CheckAccess(appOwner, ApplicationAccessType .ViewApp, AppOwner, appId)); //Admin should have all access UserGroupInformation adminUser = UserGroupInformation.CreateRemoteUser(AdminUser); NUnit.Framework.Assert.IsTrue(aclManager.CheckAccess(adminUser, ApplicationAccessType .ViewApp, AppOwner, appId)); NUnit.Framework.Assert.IsTrue(aclManager.CheckAccess(adminUser, ApplicationAccessType .ModifyApp, AppOwner, appId)); // A regular user should Not have access UserGroupInformation testUser1 = UserGroupInformation.CreateRemoteUser(Testuser1); NUnit.Framework.Assert.IsFalse(aclManager.CheckAccess(testUser1, ApplicationAccessType .ViewApp, AppOwner, appId)); NUnit.Framework.Assert.IsFalse(aclManager.CheckAccess(testUser1, ApplicationAccessType .ModifyApp, AppOwner, appId)); }
/// <exception cref="System.Exception"/> public virtual void TestFsCache() { { long now = Runtime.CurrentTimeMillis(); string[] users = new string[] { "foo", "bar" }; Configuration conf = new Configuration(); FileSystem[] fs = new FileSystem[users.Length]; for (int i = 0; i < users.Length; i++) { UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(users[i]); fs[i] = ugi.DoAs(new _PrivilegedExceptionAction_500(conf)); for (int j = 0; j < i; j++) { NUnit.Framework.Assert.IsFalse(fs[j] == fs[i]); } } FileSystem.CloseAll(); } { try { RunTestCache(NameNode.DefaultPort); } catch (BindException be) { Log.Warn("Cannot test NameNode.DEFAULT_PORT (=" + NameNode.DefaultPort + ")", be); } RunTestCache(0); } }
/// <summary> /// Validate the netgroups, both group membership and ACL /// functionality /// Note: assumes a specific acl setup done by testNetgroups /// </summary> /// <param name="groups">group to user mapping service</param> /// <param name="acl">ACL set up in a specific way, see testNetgroups</param> /// <exception cref="System.Exception"/> private void ValidateNetgroups(Groups groups, AccessControlList acl) { // check that the netgroups are working IList <string> elvisGroups = groups.GetGroups("elvis"); Assert.True(elvisGroups.Contains("@lasVegas")); Assert.True(elvisGroups.Contains("@memphis")); IList <string> jerryLeeLewisGroups = groups.GetGroups("jerryLeeLewis"); Assert.True(jerryLeeLewisGroups.Contains("@memphis")); // allowed becuase his netgroup is in ACL UserGroupInformation elvis = UserGroupInformation.CreateRemoteUser("elvis"); AssertUserAllowed(elvis, acl); // allowed because he's in ACL UserGroupInformation carlPerkins = UserGroupInformation.CreateRemoteUser("carlPerkins" ); AssertUserAllowed(carlPerkins, acl); // not allowed because he's not in ACL and has no netgroups UserGroupInformation littleRichard = UserGroupInformation.CreateRemoteUser("littleRichard" ); AssertUserNotAllowed(littleRichard, acl); }
public virtual void TestHttpUGI() { Org.Mortbay.Jetty.Server jetty = CreateJettyServer(); Context context = new Context(); context.SetContextPath("/foo"); jetty.SetHandler(context); context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.PseudoDTAFilter) ), "/*", 0); context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UGIServlet)), "/bar"); try { jetty.Start(); Uri url = new Uri(GetJettyURL() + "/foo/bar"); UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(FooUser); ugi.DoAs(new _PrivilegedExceptionAction_938(url)); } finally { // user foo // user ok-user via proxyuser foo jetty.Stop(); } }
/// <exception cref="System.Exception"/> public virtual RegisterApplicationMasterResponse RegisterAppAttempt(bool wait) { if (wait) { WaitForState(RMAppAttemptState.Launched); } responseId = 0; RegisterApplicationMasterRequest req = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord <RegisterApplicationMasterRequest>(); req.SetHost(string.Empty); req.SetRpcPort(1); req.SetTrackingUrl(string.Empty); if (ugi == null) { ugi = UserGroupInformation.CreateRemoteUser(attemptId.ToString()); Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> token = context.GetRMApps ()[attemptId.GetApplicationId()].GetRMAppAttempt(attemptId).GetAMRMToken(); ugi.AddTokenIdentifier(token.DecodeIdentifier()); } try { return(ugi.DoAs(new _PrivilegedExceptionAction_117(this, req))); } catch (UndeclaredThrowableException e) { throw (Exception)e.InnerException; } }
/// <exception cref="System.IO.IOException"/> internal static ClientDatanodeProtocolPB CreateClientDatanodeProtocolProxy(DatanodeID datanodeid, Configuration conf, int socketTimeout, bool connectToDnViaHostname, LocatedBlock locatedBlock) { string dnAddr = datanodeid.GetIpcAddr(connectToDnViaHostname); IPEndPoint addr = NetUtils.CreateSocketAddr(dnAddr); if (Log.IsDebugEnabled()) { Log.Debug("Connecting to datanode " + dnAddr + " addr=" + addr); } // Since we're creating a new UserGroupInformation here, we know that no // future RPC proxies will be able to re-use the same connection. And // usages of this proxy tend to be one-off calls. // // This is a temporary fix: callers should really achieve this by using // RPC.stopProxy() on the resulting object, but this is currently not // working in trunk. See the discussion on HDFS-1965. Configuration confWithNoIpcIdle = new Configuration(conf); confWithNoIpcIdle.SetInt(CommonConfigurationKeysPublic.IpcClientConnectionMaxidletimeKey , 0); UserGroupInformation ticket = UserGroupInformation.CreateRemoteUser(locatedBlock. GetBlock().GetLocalBlock().ToString()); ticket.AddToken(locatedBlock.GetBlockToken()); return(CreateClientDatanodeProtocolProxy(addr, ticket, confWithNoIpcIdle, NetUtils .GetDefaultSocketFactory(conf), socketTimeout)); }
public static void Setup() { RMStateStore store = RMStateStoreFactory.GetStore(conf); conf.SetBoolean(YarnConfiguration.YarnAclEnable, true); AccessControlList adminACL = new AccessControlList(string.Empty); adminACL.AddGroup(SuperGroup); conf.Set(YarnConfiguration.YarnAdminAcl, adminACL.GetAclString()); resourceManager = new _MockRM_105(conf); new _Thread_127().Start(); int waitCount = 0; while (resourceManager.GetServiceState() == Service.STATE.Inited && waitCount++ < 60) { Log.Info("Waiting for RM to start..."); Sharpen.Thread.Sleep(1500); } if (resourceManager.GetServiceState() != Service.STATE.Started) { // RM could have failed. throw new IOException("ResourceManager failed to start. Final state is " + resourceManager .GetServiceState()); } UserGroupInformation owner = UserGroupInformation.CreateRemoteUser(AppOwner); rmClient = owner.DoAs(new _PrivilegedExceptionAction_152()); }
/// <exception cref="System.Exception"/> public virtual void TestDecryptWithKeyVersionNameKeyMismatch() { Configuration conf = new Configuration(); KeyProvider kp = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf ); KeyAuthorizationKeyProvider.KeyACLs mock = Org.Mockito.Mockito.Mock <KeyAuthorizationKeyProvider.KeyACLs >(); Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType .Management)).ThenReturn(true); Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType .GenerateEek)).ThenReturn(true); Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType .DecryptEek)).ThenReturn(true); Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType .All)).ThenReturn(true); UserGroupInformation u1 = UserGroupInformation.CreateRemoteUser("u1"); UserGroupInformation u2 = UserGroupInformation.CreateRemoteUser("u2"); UserGroupInformation u3 = UserGroupInformation.CreateRemoteUser("u3"); UserGroupInformation sudo = UserGroupInformation.CreateRemoteUser("sudo"); Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u1, KeyAuthorizationKeyProvider.KeyOpType .Management)).ThenReturn(true); Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u2, KeyAuthorizationKeyProvider.KeyOpType .GenerateEek)).ThenReturn(true); Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u3, KeyAuthorizationKeyProvider.KeyOpType .DecryptEek)).ThenReturn(true); Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", sudo, KeyAuthorizationKeyProvider.KeyOpType .All)).ThenReturn(true); KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension .CreateKeyProviderCryptoExtension(kp), mock); sudo.DoAs(new _PrivilegedExceptionAction_247(conf, kpExt)); }
public static void LoadTest(string ipString, int testRange) { Configuration conf = new Configuration(); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey (RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames))); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey (RealUserName), ipString); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (ProxyUserName, realUserUgi, GroupNames); long startTime = Runtime.NanoTime(); SecureRandom sr = new SecureRandom(); for (int i = 1; i < 1000000; i++) { try { ProxyUsers.Authorize(proxyUserUgi, "1.2.3." + sr.Next(testRange)); } catch (AuthorizationException) { } } long stopTime = Runtime.NanoTime(); long elapsedTime = stopTime - startTime; System.Console.Out.WriteLine(elapsedTime / 1000000 + " ms"); }
/// <exception cref="System.IO.IOException"/> private static void CheckStat(FilePath f, string owner, string group, string expectedOwner , string expectedGroup) { bool success = true; if (expectedOwner != null && !expectedOwner.Equals(owner)) { if (Path.Windows) { UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(expectedOwner); string adminsGroupString = "Administrators"; success = owner.Equals(adminsGroupString) && Arrays.AsList(ugi.GetGroupNames()).Contains (adminsGroupString); } else { success = false; } } if (!success) { throw new IOException("Owner '" + owner + "' for path " + f + " did not match " + "expected owner '" + expectedOwner + "'"); } }
public virtual void TestProxyUsersWithCustomPrefix() { Configuration conf = new Configuration(false); conf.Set("x." + RealUserName + ".users", StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName ))); conf.Set("x." + RealUserName + ".hosts", ProxyIp); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf, "x"); // First try proxying a user that's allowed UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (AuthorizedProxyUserName, realUserUgi, GroupNames); // From good IP AssertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a user that's not allowed realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName); proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi , GroupNames); // From good IP AssertNotAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
public virtual void TestWildcardIP() { Configuration conf = new Configuration(); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey (RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames))); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey (RealUserName), "*"); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (ProxyUserName, realUserUgi, GroupNames); // From either IP should be fine AssertAuthorized(proxyUserUgi, "1.2.3.4"); AssertAuthorized(proxyUserUgi, "1.2.3.5"); // Now set up an unallowed group realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName); proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi , OtherGroupNames); // Neither IP should be OK AssertNotAuthorized(proxyUserUgi, "1.2.3.4"); AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
public virtual void TestWildcardUser() { Configuration conf = new Configuration(); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserUserConfKey (RealUserName), "*"); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey (RealUserName), ProxyIp); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf); // First try proxying a user that's allowed UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (AuthorizedProxyUserName, realUserUgi, GroupNames); // From good IP AssertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a different user (just to make sure we aren't getting spill over // from the other test case!) realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName); proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi , OtherGroupNames); // From good IP AssertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
public virtual void TestProxyUsersWithUserConf() { Configuration conf = new Configuration(); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserUserConfKey (RealUserName), StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName))); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey (RealUserName), ProxyIp); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf); // First try proxying a user that's allowed UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (AuthorizedProxyUserName, realUserUgi, GroupNames); // From good IP AssertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a user that's not allowed realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName); proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi , GroupNames); // From good IP AssertNotAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
/// <exception cref="System.Exception"/> /// <exception cref="System.IO.IOException"/> private static DistributedFileSystem GetFileSystem(string user, URI uri, Configuration conf) { UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(user); return(ugi.DoAs(new _PrivilegedExceptionAction_343(uri, conf))); }
public virtual void TestRealUserGroupNotSpecified() { Configuration conf = new Configuration(); ConfigureSuperUserIPAddresses(conf, RealUserShortName); Server server = new RPC.Builder(conf).SetProtocol(typeof(TestDoAsEffectiveUser.TestProtocol )).SetInstance(new TestDoAsEffectiveUser.TestImpl(this)).SetBindAddress(Address) .SetPort(0).SetNumHandlers(2).SetVerbose(false).Build(); try { server.Start(); IPEndPoint addr = NetUtils.GetConnectAddress(server); UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (ProxyUserName, realUserUgi, GroupNames); string retVal = proxyUserUgi.DoAs(new _PrivilegedExceptionAction_359(this, addr, conf)); NUnit.Framework.Assert.Fail("The RPC must have failed " + retVal); } catch (Exception e) { Runtime.PrintStackTrace(e); } finally { server.Stop(); if (proxy != null) { RPC.StopProxy(proxy); } } }
/// <summary> /// Get /// <see cref="Org.Apache.Hadoop.Security.UserGroupInformation"/> /// and possibly the delegation token out of /// the request. /// </summary> /// <param name="context">the ServletContext that is serving this request.</param> /// <param name="request">the http request</param> /// <param name="conf">configuration</param> /// <param name="secureAuthMethod">the AuthenticationMethod used in secure mode.</param> /// <param name="tryUgiParameter">Should it try the ugi parameter?</param> /// <returns>a new user from the request</returns> /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the request has no token /// </exception> /// <exception cref="System.IO.IOException"/> public static UserGroupInformation GetUGI(ServletContext context, HttpServletRequest request, Configuration conf, UserGroupInformation.AuthenticationMethod secureAuthMethod , bool tryUgiParameter) { UserGroupInformation ugi = null; string usernameFromQuery = GetUsernameFromQuery(request, tryUgiParameter); string doAsUserFromQuery = request.GetParameter(DoAsParam.Name); string remoteUser; if (UserGroupInformation.IsSecurityEnabled()) { remoteUser = request.GetRemoteUser(); string tokenString = request.GetParameter(DelegationParameterName); if (tokenString != null) { // Token-based connections need only verify the effective user, and // disallow proxying to different user. Proxy authorization checks // are not required since the checks apply to issuing a token. ugi = GetTokenUGI(context, request, tokenString, conf); CheckUsername(ugi.GetShortUserName(), usernameFromQuery); CheckUsername(ugi.GetShortUserName(), doAsUserFromQuery); } else { if (remoteUser == null) { throw new IOException("Security enabled but user not authenticated by filter"); } } } else { // Security's not on, pull from url or use default web user remoteUser = (usernameFromQuery == null) ? GetDefaultWebUserName(conf) : usernameFromQuery; } // not specified in request if (ugi == null) { // security is off, or there's no token ugi = UserGroupInformation.CreateRemoteUser(remoteUser); CheckUsername(ugi.GetShortUserName(), usernameFromQuery); if (UserGroupInformation.IsSecurityEnabled()) { // This is not necessarily true, could have been auth'ed by user-facing // filter ugi.SetAuthenticationMethod(secureAuthMethod); } if (doAsUserFromQuery != null) { // create and attempt to authorize a proxy user ugi = UserGroupInformation.CreateProxyUser(doAsUserFromQuery, ugi); ProxyUsers.Authorize(ugi, GetRemoteAddr(request)); } } if (Log.IsDebugEnabled()) { Log.Debug("getUGI is returning: " + ugi.GetShortUserName()); } return(ugi); }
/// <exception cref="System.IO.IOException"/> public virtual void TestSetLoginUser() { UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user"); UserGroupInformation.SetLoginUser(ugi); Assert.Equal(ugi, UserGroupInformation.GetLoginUser()); }
public virtual void TestCacheForUgi <T>() where T : TokenIdentifier { Configuration conf = new Configuration(); conf.Set("fs.cachedfile.impl", FileSystem.GetFileSystemClass("file", null).FullName ); UserGroupInformation ugiA = UserGroupInformation.CreateRemoteUser("foo"); UserGroupInformation ugiB = UserGroupInformation.CreateRemoteUser("bar"); FileSystem fsA = ugiA.DoAs(new _PrivilegedExceptionAction_171(conf)); FileSystem fsA1 = ugiA.DoAs(new _PrivilegedExceptionAction_177(conf)); //Since the UGIs are the same, we should have the same filesystem for both NUnit.Framework.Assert.AreSame(fsA, fsA1); FileSystem fsB = ugiB.DoAs(new _PrivilegedExceptionAction_186(conf)); //Since the UGIs are different, we should end up with different filesystems //corresponding to the two UGIs NUnit.Framework.Assert.AreNotSame(fsA, fsB); Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token >(); UserGroupInformation ugiA2 = UserGroupInformation.CreateRemoteUser("foo"); fsA = ugiA2.DoAs(new _PrivilegedExceptionAction_199(conf)); // Although the users in the UGI are same, they have different subjects // and so are different. NUnit.Framework.Assert.AreNotSame(fsA, fsA1); ugiA.AddToken(t1); fsA = ugiA.DoAs(new _PrivilegedExceptionAction_211(conf)); // Make sure that different UGI's with the same subject lead to the same // file system. NUnit.Framework.Assert.AreSame(fsA, fsA1); }
/// <exception cref="System.Exception"/> public virtual void TestAddCreds <T>() where T : TokenIdentifier { // from Mockito mocks UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("someone"); Text service = new Text("service"); Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token >(); Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(service); Org.Apache.Hadoop.Security.Token.Token <T> t2 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token >(); Org.Mockito.Mockito.When(t2.GetService()).ThenReturn(new Text("service2")); byte[] secret = new byte[] { }; Text secretKey = new Text("sshhh"); // fill credentials Credentials creds = new Credentials(); creds.AddToken(t1.GetService(), t1); creds.AddToken(t2.GetService(), t2); creds.AddSecretKey(secretKey, secret); // add creds to ugi, and check ugi ugi.AddCredentials(creds); CheckTokens(ugi, t1, t2); NUnit.Framework.Assert.AreSame(secret, ugi.GetCredentials().GetSecretKey(secretKey )); }
/// <exception cref="System.Exception"/> public virtual void TestGetCreds <T>() where T : TokenIdentifier { // from Mockito mocks UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("someone"); Text service = new Text("service"); Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token >(); Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(service); Org.Apache.Hadoop.Security.Token.Token <T> t2 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token >(); Org.Mockito.Mockito.When(t2.GetService()).ThenReturn(new Text("service2")); Org.Apache.Hadoop.Security.Token.Token <T> t3 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token >(); Org.Mockito.Mockito.When(t3.GetService()).ThenReturn(service); // add token to ugi ugi.AddToken(t1); ugi.AddToken(t2); CheckTokens(ugi, t1, t2); Credentials creds = ugi.GetCredentials(); creds.AddToken(t3.GetService(), t3); NUnit.Framework.Assert.AreSame(t3, creds.GetToken(service)); // check that ugi wasn't modified CheckTokens(ugi, t1, t2); }
/// <exception cref="System.Exception"/> public virtual void TestAddToken <T>() where T : TokenIdentifier { // from Mockito mocks UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("someone"); Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token >(); Org.Apache.Hadoop.Security.Token.Token <T> t2 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token >(); Org.Apache.Hadoop.Security.Token.Token <T> t3 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token >(); // add token to ugi ugi.AddToken(t1); CheckTokens(ugi, t1); // replace token t1 with t2 - with same key (null) ugi.AddToken(t2); CheckTokens(ugi, t2); // change t1 service and add token Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(new Text("t1")); ugi.AddToken(t1); CheckTokens(ugi, t1, t2); // overwrite t1 token with t3 - same key (!null) Org.Mockito.Mockito.When(t3.GetService()).ThenReturn(new Text("t1")); ugi.AddToken(t3); CheckTokens(ugi, t2, t3); // just try to re-add with new name Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(new Text("t1.1")); ugi.AddToken(t1); CheckTokens(ugi, t1, t2, t3); // just try to re-add with new name again ugi.AddToken(t1); CheckTokens(ugi, t1, t2, t3); }
public virtual void TestUgi() { UserGroupInformation otherUser = UserGroupInformation.CreateRemoteUser("otherUser" ); FileContext newFc = otherUser.DoAs(new _PrivilegedExceptionAction_194()); Assert.Equal("otherUser", newFc.GetUgi().GetUserName()); }
public virtual void TestNonExistentUser() { string actualOutput = RunTool(conf, new string[] { "does-not-exist" }, true); Assert.Equal("Show the output for only the user given, with no groups" , GetExpectedOutput(UserGroupInformation.CreateRemoteUser("does-not-exist")), actualOutput ); }
/// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> private ApplicationClientProtocol GetRMClientForUser(string user) { UserGroupInformation userUGI = UserGroupInformation.CreateRemoteUser(user); ApplicationClientProtocol userClient = userUGI.DoAs(new _PrivilegedExceptionAction_257 (this)); return(userClient); }
/// <summary> /// <inheritDoc/> /// /// </summary> public override UserGroupInformation GetUser() { if (jobid == null || string.Empty.Equals(jobid.ToString())) { return(null); } return(UserGroupInformation.CreateRemoteUser(jobid.ToString())); }
/// <exception cref="System.IO.IOException"/> /// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/> public static void StartContainer(NodeManager nm, ContainerId cId, FileContext localFS , FilePath scriptFileDir, FilePath processStartFile) { FilePath scriptFile = CreateUnhaltingScriptFile(cId, scriptFileDir, processStartFile ); ContainerLaunchContext containerLaunchContext = recordFactory.NewRecordInstance <ContainerLaunchContext >(); NodeId nodeId = BuilderUtils.NewNodeId(Sharpen.Extensions.GetAddressByName("localhost" ).ToString(), 12345); URL localResourceUri = ConverterUtils.GetYarnUrlFromPath(localFS.MakeQualified(new Path(scriptFile.GetAbsolutePath()))); LocalResource localResource = recordFactory.NewRecordInstance <LocalResource>(); localResource.SetResource(localResourceUri); localResource.SetSize(-1); localResource.SetVisibility(LocalResourceVisibility.Application); localResource.SetType(LocalResourceType.File); localResource.SetTimestamp(scriptFile.LastModified()); string destinationFile = "dest_file"; IDictionary <string, LocalResource> localResources = new Dictionary <string, LocalResource >(); localResources[destinationFile] = localResource; containerLaunchContext.SetLocalResources(localResources); IList <string> commands = Arrays.AsList(Shell.GetRunScriptCommand(scriptFile)); containerLaunchContext.SetCommands(commands); IPEndPoint containerManagerBindAddress = NetUtils.CreateSocketAddrForHost("127.0.0.1" , 12345); UserGroupInformation currentUser = UserGroupInformation.CreateRemoteUser(cId.ToString ()); Org.Apache.Hadoop.Security.Token.Token <NMTokenIdentifier> nmToken = ConverterUtils .ConvertFromYarn(nm.GetNMContext().GetNMTokenSecretManager().CreateNMToken(cId.GetApplicationAttemptId (), nodeId, user), containerManagerBindAddress); currentUser.AddToken(nmToken); ContainerManagementProtocol containerManager = currentUser.DoAs(new _PrivilegedAction_229 ()); StartContainerRequest scRequest = StartContainerRequest.NewInstance(containerLaunchContext , TestContainerManager.CreateContainerToken(cId, 0, nodeId, user, nm.GetNMContext ().GetContainerTokenSecretManager())); IList <StartContainerRequest> list = new AList <StartContainerRequest>(); list.AddItem(scRequest); StartContainersRequest allRequests = StartContainersRequest.NewInstance(list); containerManager.StartContainers(allRequests); IList <ContainerId> containerIds = new AList <ContainerId>(); containerIds.AddItem(cId); GetContainerStatusesRequest request = GetContainerStatusesRequest.NewInstance(containerIds ); ContainerStatus containerStatus = containerManager.GetContainerStatuses(request). GetContainerStatuses()[0]; NUnit.Framework.Assert.AreEqual(ContainerState.Running, containerStatus.GetState( )); }
public virtual void TestOperationsWhileInSafeMode() { Path file1 = new Path("/file1"); NUnit.Framework.Assert.IsFalse(dfs.SetSafeMode(HdfsConstants.SafeModeAction.SafemodeGet )); DFSTestUtil.CreateFile(fs, file1, 1024, (short)1, 0); NUnit.Framework.Assert.IsTrue("Could not enter SM", dfs.SetSafeMode(HdfsConstants.SafeModeAction .SafemodeEnter)); RunFsFun("Set quota while in SM", new _FSRun_319(file1)); RunFsFun("Set perm while in SM", new _FSRun_325(file1)); RunFsFun("Set owner while in SM", new _FSRun_331(file1)); RunFsFun("Set repl while in SM", new _FSRun_337(file1)); RunFsFun("Append file while in SM", new _FSRun_343(file1)); RunFsFun("Truncate file while in SM", new _FSRun_349(file1)); RunFsFun("Delete file while in SM", new _FSRun_355(file1)); RunFsFun("Rename file while in SM", new _FSRun_361(file1)); RunFsFun("Set time while in SM", new _FSRun_367(file1)); RunFsFun("modifyAclEntries while in SM", new _FSRun_373(file1)); RunFsFun("removeAclEntries while in SM", new _FSRun_379(file1)); RunFsFun("removeDefaultAcl while in SM", new _FSRun_385(file1)); RunFsFun("removeAcl while in SM", new _FSRun_391(file1)); RunFsFun("setAcl while in SM", new _FSRun_397(file1)); RunFsFun("setXAttr while in SM", new _FSRun_403(file1)); RunFsFun("removeXAttr while in SM", new _FSRun_409(file1)); try { DFSTestUtil.ReadFile(fs, file1); } catch (IOException) { NUnit.Framework.Assert.Fail("Set times failed while in SM"); } try { fs.GetAclStatus(file1); } catch (IOException) { NUnit.Framework.Assert.Fail("getAclStatus failed while in SM"); } // Test access UserGroupInformation ugiX = UserGroupInformation.CreateRemoteUser("userX"); FileSystem myfs = ugiX.DoAs(new _PrivilegedExceptionAction_429(this)); myfs.Access(file1, FsAction.Read); try { myfs.Access(file1, FsAction.Write); NUnit.Framework.Assert.Fail("The access call should have failed."); } catch (AccessControlException) { } // expected NUnit.Framework.Assert.IsFalse("Could not leave SM", dfs.SetSafeMode(HdfsConstants.SafeModeAction .SafemodeLeave)); }
/// <exception cref="System.IO.IOException"/> public virtual void TestSecureProxyAuthParamsInUrl() { Configuration conf = new Configuration(); // fake turning on security so api thinks it should use tokens SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos , conf); UserGroupInformation.SetConfiguration(conf); UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user"); ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos); ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi); UserGroupInformation.SetLoginUser(ugi); WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf); Path fsPath = new Path("/"); string tokenString = webhdfs.GetDelegationToken().EncodeToUrlString(); // send real+effective Uri getTokenUrl = webhdfs.ToUrl(GetOpParam.OP.Getdelegationtoken, fsPath); CheckQueryParams(new string[] { GetOpParam.OP.Getdelegationtoken.ToQueryString(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi .GetShortUserName()).ToString() }, getTokenUrl); // send real+effective Uri renewTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Renewdelegationtoken, fsPath, new TokenArgumentParam(tokenString)); CheckQueryParams(new string[] { PutOpParam.OP.Renewdelegationtoken.ToQueryString( ), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString () }, renewTokenUrl); // send token Uri cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam(tokenString)); CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString (), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString () }, cancelTokenUrl); // send token Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath); CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new DelegationParam(tokenString).ToString() }, fileStatusUrl); // wipe out internal token to simulate auth always required webhdfs.SetDelegationToken(null); // send real+effective cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam (tokenString)); CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString (), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString () }, cancelTokenUrl); // send real+effective fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath); CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName ()).ToString() }, fileStatusUrl); }