public virtual void TestAddRemoveWildCard()
{
AccessControlList acl = new AccessControlList("drwho tardis");
Exception th = null;
try
{
acl.AddUser(" * ");
}
catch (Exception t)
{
th = t;
}
NUnit.Framework.Assert.IsNotNull(th);
Assert.True(th is ArgumentException);
th = null;
try
{
acl.AddGroup(" * ");
}
catch (Exception t)
{
th = t;
}
NUnit.Framework.Assert.IsNotNull(th);
Assert.True(th is ArgumentException);
th = null;
try
{
acl.RemoveUser(" * ");
}
catch (Exception t)
{
th = t;
}
NUnit.Framework.Assert.IsNotNull(th);
Assert.True(th is ArgumentException);
th = null;
try
{
acl.RemoveGroup(" * ");
}
catch (Exception t)
{
th = t;
}
NUnit.Framework.Assert.IsNotNull(th);
Assert.True(th is ArgumentException);
}
public virtual void TestAccessControlList()
{
AccessControlList acl;
ICollection <string> users;
ICollection <string> groups;
acl = new AccessControlList("drwho tardis");
users = acl.GetUsers();
Assert.Equal(users.Count, 1);
Assert.Equal(users.GetEnumerator().Next(), "drwho");
groups = acl.GetGroups();
Assert.Equal(groups.Count, 1);
Assert.Equal(groups.GetEnumerator().Next(), "tardis");
acl = new AccessControlList("drwho");
users = acl.GetUsers();
Assert.Equal(users.Count, 1);
Assert.Equal(users.GetEnumerator().Next(), "drwho");
groups = acl.GetGroups();
Assert.Equal(groups.Count, 0);
acl = new AccessControlList("drwho ");
users = acl.GetUsers();
Assert.Equal(users.Count, 1);
Assert.Equal(users.GetEnumerator().Next(), "drwho");
groups = acl.GetGroups();
Assert.Equal(groups.Count, 0);
acl = new AccessControlList(" tardis");
users = acl.GetUsers();
Assert.Equal(users.Count, 0);
groups = acl.GetGroups();
Assert.Equal(groups.Count, 1);
Assert.Equal(groups.GetEnumerator().Next(), "tardis");
IEnumerator <string> iter;
acl = new AccessControlList("drwho,joe tardis, users");
users = acl.GetUsers();
Assert.Equal(users.Count, 2);
iter = users.GetEnumerator();
Assert.Equal(iter.Next(), "drwho");
Assert.Equal(iter.Next(), "joe");
groups = acl.GetGroups();
Assert.Equal(groups.Count, 2);
iter = groups.GetEnumerator();
Assert.Equal(iter.Next(), "tardis");
Assert.Equal(iter.Next(), "users");
}
public virtual void TestIsUserAllowed()
{
AccessControlList acl;
UserGroupInformation drwho = UserGroupInformation.CreateUserForTesting("*****@*****.**"
, new string[] { "aliens", "humanoids", "timelord" });
UserGroupInformation susan = UserGroupInformation.CreateUserForTesting("*****@*****.**"
, new string[] { "aliens", "humanoids", "timelord" });
UserGroupInformation barbara = UserGroupInformation.CreateUserForTesting("*****@*****.**"
, new string[] { "humans", "teachers" });
UserGroupInformation ian = UserGroupInformation.CreateUserForTesting("*****@*****.**"
, new string[] { "humans", "teachers" });
acl = new AccessControlList("drwho humanoids");
AssertUserAllowed(drwho, acl);
AssertUserAllowed(susan, acl);
AssertUserNotAllowed(barbara, acl);
AssertUserNotAllowed(ian, acl);
acl = new AccessControlList("drwho");
AssertUserAllowed(drwho, acl);
AssertUserNotAllowed(susan, acl);
AssertUserNotAllowed(barbara, acl);
AssertUserNotAllowed(ian, acl);
acl = new AccessControlList("drwho ");
AssertUserAllowed(drwho, acl);
AssertUserNotAllowed(susan, acl);
AssertUserNotAllowed(barbara, acl);
AssertUserNotAllowed(ian, acl);
acl = new AccessControlList(" humanoids");
AssertUserAllowed(drwho, acl);
AssertUserAllowed(susan, acl);
AssertUserNotAllowed(barbara, acl);
AssertUserNotAllowed(ian, acl);
acl = new AccessControlList("drwho,ian aliens,teachers");
AssertUserAllowed(drwho, acl);
AssertUserAllowed(susan, acl);
AssertUserAllowed(barbara, acl);
AssertUserAllowed(ian, acl);
acl = new AccessControlList(string.Empty);
UserGroupInformation spyUser = Org.Mockito.Mockito.Spy(drwho);
acl.IsUserAllowed(spyUser);
Org.Mockito.Mockito.Verify(spyUser, Org.Mockito.Mockito.Never()).GetGroupNames();
}
public virtual void TestNetgroups()
{
if (!NativeCodeLoader.IsNativeCodeLoaded())
{
Log.Info("Not testing netgroups, " + "this test only runs when native code is compiled"
);
return;
}
string groupMappingClassName = Runtime.GetProperty("TestAccessControlListGroupMapping"
);
if (groupMappingClassName == null)
{
Log.Info("Not testing netgroups, no group mapping class specified, " + "use -DTestAccessControlListGroupMapping=$className to specify "
+ "group mapping class (must implement GroupMappingServiceProvider " + "interface and support netgroups)"
);
return;
}
Log.Info("Testing netgroups using: " + groupMappingClassName);
Configuration conf = new Configuration();
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityGroupMapping, groupMappingClassName
);
Groups groups = Groups.GetUserToGroupsMappingService(conf);
AccessControlList acl;
// create these ACLs to populate groups cache
acl = new AccessControlList("ja my");
// plain
acl = new AccessControlList("sinatra ratpack,@lasVegas");
// netgroup
acl = new AccessControlList(" somegroup,@someNetgroup");
// no user
// this ACL will be used for testing ACLs
acl = new AccessControlList("carlPerkins ratpack,@lasVegas");
acl.AddGroup("@memphis");
// validate the netgroups before and after rehresh to make
// sure refresh works correctly
ValidateNetgroups(groups, acl);
groups.Refresh();
ValidateNetgroups(groups, acl);
}
public virtual void RefreshWithLoadedConfiguration(Configuration conf, PolicyProvider
provider)
{
IDictionary <Type, AccessControlList[]> newAcls = new IdentityHashMap <Type, AccessControlList
[]>();
IDictionary <Type, MachineList[]> newMachineLists = new IdentityHashMap <Type, MachineList
[]>();
string defaultAcl = conf.Get(CommonConfigurationKeys.HadoopSecurityServiceAuthorizationDefaultAcl
, AccessControlList.WildcardAclValue);
string defaultBlockedAcl = conf.Get(CommonConfigurationKeys.HadoopSecurityServiceAuthorizationDefaultBlockedAcl
, string.Empty);
string defaultServiceHostsKey = GetHostKey(CommonConfigurationKeys.HadoopSecurityServiceAuthorizationDefaultAcl
);
string defaultMachineList = conf.Get(defaultServiceHostsKey, MachineList.WildcardValue
);
string defaultBlockedMachineList = conf.Get(defaultServiceHostsKey + Blocked, string.Empty
);
// Parse the config file
Service[] services = provider.GetServices();
if (services != null)
{
foreach (Service service in services)
{
AccessControlList acl = new AccessControlList(conf.Get(service.GetServiceKey(), defaultAcl
));
AccessControlList blockedAcl = new AccessControlList(conf.Get(service.GetServiceKey
() + Blocked, defaultBlockedAcl));
newAcls[service.GetProtocol()] = new AccessControlList[] { acl, blockedAcl };
string serviceHostsKey = GetHostKey(service.GetServiceKey());
MachineList machineList = new MachineList(conf.Get(serviceHostsKey, defaultMachineList
));
MachineList blockedMachineList = new MachineList(conf.Get(serviceHostsKey + Blocked
, defaultBlockedMachineList));
newMachineLists[service.GetProtocol()] = new MachineList[] { machineList, blockedMachineList };
}
}
// Flip to the newly parsed permissions
protocolToAcls = newAcls;
protocolToMachineLists = newMachineLists;
}
public virtual void TestAddRemoveToWildCardACL()
{
AccessControlList acl = new AccessControlList(" * ");
Assert.True(acl.IsAllAllowed());
UserGroupInformation drwho = UserGroupInformation.CreateUserForTesting("*****@*****.**"
, new string[] { "aliens" });
UserGroupInformation drwho2 = UserGroupInformation.CreateUserForTesting("*****@*****.**"
, new string[] { "tardis" });
acl.AddUser("drwho");
Assert.True(acl.IsAllAllowed());
NUnit.Framework.Assert.IsFalse(acl.GetAclString().Contains("drwho"));
acl.AddGroup("tardis");
Assert.True(acl.IsAllAllowed());
NUnit.Framework.Assert.IsFalse(acl.GetAclString().Contains("tardis"));
acl.RemoveUser("drwho");
Assert.True(acl.IsAllAllowed());
AssertUserAllowed(drwho, acl);
acl.RemoveGroup("tardis");
Assert.True(acl.IsAllAllowed());
AssertUserAllowed(drwho2, acl);
}
/// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/>
public virtual void Authorize(UserGroupInformation user, string remoteAddress)
{
UserGroupInformation realUser = user.GetRealUser();
if (realUser == null)
{
return;
}
AccessControlList acl = proxyUserAcl[configPrefix + realUser.GetShortUserName()];
if (acl == null || !acl.IsUserAllowed(user))
{
throw new AuthorizationException("User: "******" is not allowed to impersonate "
+ user.GetUserName());
}
MachineList MachineList = proxyHosts[GetProxySuperuserIpConfKey(realUser.GetShortUserName
())];
if (MachineList == null || !MachineList.Includes(remoteAddress))
{
throw new AuthorizationException("Unauthorized connection for super-user: "******" from IP " + remoteAddress);
}
}
private void AssertUserNotAllowed(UserGroupInformation ugi, AccessControlList acl
)
{
NUnit.Framework.Assert.IsFalse("User " + ugi + " is incorrectly granted the access-control!!"
, acl.IsUserAllowed(ugi));
}
private void AssertUserAllowed(UserGroupInformation ugi, AccessControlList acl)
{
Assert.True("User " + ugi + " is not granted the access-control!!"
, acl.IsUserAllowed(ugi));
}
// Validates if getAclString() is working as expected. i.e. if we can build
// a new ACL instance from the value returned by getAclString().
private void ValidateGetAclString(AccessControlList acl)
{
Assert.True(acl.ToString().Equals(new AccessControlList(acl.GetAclString
()).ToString()));
}
