/// <exception cref="Javax.Servlet.ServletException"/>
public override void Init(FilterConfig filterConfig)
{
base.Init(filterConfig);
AuthenticationHandler handler = GetAuthenticationHandler();
AbstractDelegationTokenSecretManager dtSecretManager = (AbstractDelegationTokenSecretManager
)filterConfig.GetServletContext().GetAttribute(DelegationTokenSecretManagerAttr);
if (dtSecretManager != null && handler is DelegationTokenAuthenticationHandler)
{
DelegationTokenAuthenticationHandler dtHandler = (DelegationTokenAuthenticationHandler
)GetAuthenticationHandler();
dtHandler.SetExternalDelegationTokenSecretManager(dtSecretManager);
}
if (handler is PseudoAuthenticationHandler || handler is PseudoDelegationTokenAuthenticationHandler)
{
SetHandlerAuthMethod(SaslRpcServer.AuthMethod.Simple);
}
if (handler is KerberosAuthenticationHandler || handler is KerberosDelegationTokenAuthenticationHandler)
{
SetHandlerAuthMethod(SaslRpcServer.AuthMethod.Kerberos);
}
// proxyuser configuration
Configuration conf = GetProxyuserConfiguration(filterConfig);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf, ProxyuserPrefix);
}
public virtual void TestProxyUserConfiguration()
{
MockRM rm = null;
try
{
rm = new MockRM(conf);
rm.Start();
// wait for web server starting
Sharpen.Thread.Sleep(10000);
UserGroupInformation proxyUser = UserGroupInformation.CreateProxyUser(BarUser.GetShortUserName
(), FooUser);
try
{
ProxyUsers.GetDefaultImpersonationProvider().Authorize(proxyUser, ipAddress);
}
catch (AuthorizationException)
{
// Exception is not expected
NUnit.Framework.Assert.Fail();
}
}
finally
{
if (rm != null)
{
rm.Stop();
rm.Close();
}
}
}
public virtual void TestRefreshSuperUserGroups()
{
UserGroupInformation ugi = Org.Mockito.Mockito.Mock <UserGroupInformation>();
UserGroupInformation superUser = Org.Mockito.Mockito.Mock <UserGroupInformation>();
Org.Mockito.Mockito.When(ugi.GetRealUser()).ThenReturn(superUser);
Org.Mockito.Mockito.When(superUser.GetShortUserName()).ThenReturn("superuser");
Org.Mockito.Mockito.When(superUser.GetUserName()).ThenReturn("superuser");
Org.Mockito.Mockito.When(ugi.GetGroupNames()).ThenReturn(new string[] { "group3" }
);
Org.Mockito.Mockito.When(ugi.GetUserName()).ThenReturn("regularUser");
// Set super user groups not to include groups of regularUser
conf.Set("hadoop.proxyuser.superuser.groups", "group1,group2");
conf.Set("hadoop.proxyuser.superuser.hosts", "127.0.0.1");
string[] args = new string[1];
args[0] = "-refreshSuperUserGroupsConfiguration";
hsAdminClient.Run(args);
Exception th = null;
try
{
ProxyUsers.Authorize(ugi, "127.0.0.1");
}
catch (Exception e)
{
th = e;
}
// Exception should be thrown
NUnit.Framework.Assert.IsTrue(th is AuthorizationException);
// Now add regularUser group to superuser group but not execute
// refreshSuperUserGroupMapping
conf.Set("hadoop.proxyuser.superuser.groups", "group1,group2,group3");
// Again,lets run ProxyUsers.authorize and see if regularUser can be
// impersonated
// resetting th
th = null;
try
{
ProxyUsers.Authorize(ugi, "127.0.0.1");
}
catch (Exception e)
{
th = e;
}
// Exception should be thrown again since we didn't refresh the configs
NUnit.Framework.Assert.IsTrue(th is AuthorizationException);
// Lets refresh the config by running refreshSuperUserGroupsConfiguration
hsAdminClient.Run(args);
th = null;
try
{
ProxyUsers.Authorize(ugi, "127.0.0.1");
}
catch (Exception e)
{
th = e;
}
// No exception thrown since regularUser can be impersonated.
NUnit.Framework.Assert.IsNull("Unexpected exception thrown: " + th, th);
}
/// <summary>
/// Get
/// <see cref="Org.Apache.Hadoop.Security.UserGroupInformation"/>
/// and possibly the delegation token out of
/// the request.
/// </summary>
/// <param name="context">the ServletContext that is serving this request.</param>
/// <param name="request">the http request</param>
/// <param name="conf">configuration</param>
/// <param name="secureAuthMethod">the AuthenticationMethod used in secure mode.</param>
/// <param name="tryUgiParameter">Should it try the ugi parameter?</param>
/// <returns>a new user from the request</returns>
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the request has no token
/// </exception>
/// <exception cref="System.IO.IOException"/>
public static UserGroupInformation GetUGI(ServletContext context, HttpServletRequest
request, Configuration conf, UserGroupInformation.AuthenticationMethod secureAuthMethod
, bool tryUgiParameter)
{
UserGroupInformation ugi = null;
string usernameFromQuery = GetUsernameFromQuery(request, tryUgiParameter);
string doAsUserFromQuery = request.GetParameter(DoAsParam.Name);
string remoteUser;
if (UserGroupInformation.IsSecurityEnabled())
{
remoteUser = request.GetRemoteUser();
string tokenString = request.GetParameter(DelegationParameterName);
if (tokenString != null)
{
// Token-based connections need only verify the effective user, and
// disallow proxying to different user. Proxy authorization checks
// are not required since the checks apply to issuing a token.
ugi = GetTokenUGI(context, request, tokenString, conf);
CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
CheckUsername(ugi.GetShortUserName(), doAsUserFromQuery);
}
else
{
if (remoteUser == null)
{
throw new IOException("Security enabled but user not authenticated by filter");
}
}
}
else
{
// Security's not on, pull from url or use default web user
remoteUser = (usernameFromQuery == null) ? GetDefaultWebUserName(conf) : usernameFromQuery;
}
// not specified in request
if (ugi == null)
{
// security is off, or there's no token
ugi = UserGroupInformation.CreateRemoteUser(remoteUser);
CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
if (UserGroupInformation.IsSecurityEnabled())
{
// This is not necessarily true, could have been auth'ed by user-facing
// filter
ugi.SetAuthenticationMethod(secureAuthMethod);
}
if (doAsUserFromQuery != null)
{
// create and attempt to authorize a proxy user
ugi = UserGroupInformation.CreateProxyUser(doAsUserFromQuery, ugi);
ProxyUsers.Authorize(ugi, GetRemoteAddr(request));
}
}
if (Log.IsDebugEnabled())
{
Log.Debug("getUGI is returning: " + ugi.GetShortUserName());
}
return(ugi);
}
public static void Setup()
{
string currentUser = Runtime.GetProperty("user.name");
config.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(currentUser), "*");
config.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(currentUser), "*");
ProxyUsers.RefreshSuperUserGroupsConfiguration(config);
cluster = new MiniDFSCluster.Builder(config).NumDataNodes(1).Build();
cluster.WaitActive();
hdfs = cluster.GetFileSystem();
nn = cluster.GetNameNode();
// Use emphral port in case tests are running in parallel
config.SetInt("nfs3.mountd.port", 0);
config.SetInt("nfs3.server.port", 0);
// Start nfs
Org.Apache.Hadoop.Hdfs.Nfs.Nfs3.Nfs3 nfs3 = new Org.Apache.Hadoop.Hdfs.Nfs.Nfs3.Nfs3
(config);
nfs3.StartServiceInternal(false);
nfsd = (RpcProgramNfs3)nfs3.GetRpcProgram();
securityHandler = Org.Mockito.Mockito.Mock <SecurityHandler>();
Org.Mockito.Mockito.When(securityHandler.GetUser()).ThenReturn(Runtime.GetProperty
("user.name"));
}
/// <exception cref="System.IO.IOException"/>
public virtual void RefreshSuperUserGroupsConfiguration()
{
UserGroupInformation user = CheckAcls("refreshSuperUserGroupsConfiguration");
ProxyUsers.RefreshSuperUserGroupsConfiguration(CreateConf());
HSAuditLogger.LogSuccess(user.GetShortUserName(), "refreshSuperUserGroupsConfiguration"
, HistoryAdminServer);
}
public virtual void Setup()
{
TestAuditLogger.DummyAuditLogger.initialized = false;
TestAuditLogger.DummyAuditLogger.logCount = 0;
TestAuditLogger.DummyAuditLogger.remoteAddr = null;
Configuration conf = new HdfsConfiguration();
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
}
public virtual void TestWebHdfsAuditLogger()
{
Configuration conf = new HdfsConfiguration();
conf.Set(DFSConfigKeys.DfsNamenodeAuditLoggersKey, typeof(TestAuditLogger.DummyAuditLogger
).FullName);
MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).Build();
GetOpParam.OP op = GetOpParam.OP.Getfilestatus;
try
{
cluster.WaitClusterUp();
NUnit.Framework.Assert.IsTrue(TestAuditLogger.DummyAuditLogger.initialized);
URI uri = new URI("http", NetUtils.GetHostPortString(cluster.GetNameNode().GetHttpAddress
()), "/webhdfs/v1/", op.ToQueryString(), null);
// non-proxy request
HttpURLConnection conn = (HttpURLConnection)uri.ToURL().OpenConnection();
conn.SetRequestMethod(op.GetType().ToString());
conn.Connect();
NUnit.Framework.Assert.AreEqual(200, conn.GetResponseCode());
conn.Disconnect();
NUnit.Framework.Assert.AreEqual(1, TestAuditLogger.DummyAuditLogger.logCount);
NUnit.Framework.Assert.AreEqual("127.0.0.1", TestAuditLogger.DummyAuditLogger.remoteAddr
);
// non-trusted proxied request
conn = (HttpURLConnection)uri.ToURL().OpenConnection();
conn.SetRequestMethod(op.GetType().ToString());
conn.SetRequestProperty("X-Forwarded-For", "1.1.1.1");
conn.Connect();
NUnit.Framework.Assert.AreEqual(200, conn.GetResponseCode());
conn.Disconnect();
NUnit.Framework.Assert.AreEqual(2, TestAuditLogger.DummyAuditLogger.logCount);
NUnit.Framework.Assert.AreEqual("127.0.0.1", TestAuditLogger.DummyAuditLogger.remoteAddr
);
// trusted proxied request
conf.Set(ProxyServers.ConfHadoopProxyservers, "127.0.0.1");
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
conn = (HttpURLConnection)uri.ToURL().OpenConnection();
conn.SetRequestMethod(op.GetType().ToString());
conn.SetRequestProperty("X-Forwarded-For", "1.1.1.1");
conn.Connect();
NUnit.Framework.Assert.AreEqual(200, conn.GetResponseCode());
conn.Disconnect();
NUnit.Framework.Assert.AreEqual(3, TestAuditLogger.DummyAuditLogger.logCount);
NUnit.Framework.Assert.AreEqual("1.1.1.1", TestAuditLogger.DummyAuditLogger.remoteAddr
);
}
finally
{
cluster.Shutdown();
}
}
public virtual void TestRefreshSuperUserGroupsWithFileSystemBasedConfigurationProvider
()
{
configuration.Set(YarnConfiguration.RmConfigurationProviderClass, "org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider"
);
//upload default configurations
UploadDefaultConfiguration();
try
{
rm = new MockRM(configuration);
rm.Init(configuration);
rm.Start();
}
catch (Exception)
{
NUnit.Framework.Assert.Fail("Should not get any exceptions");
}
Configuration coreConf = new Configuration(false);
coreConf.Set("hadoop.proxyuser.test.groups", "test_groups");
coreConf.Set("hadoop.proxyuser.test.hosts", "test_hosts");
UploadConfiguration(coreConf, "core-site.xml");
rm.adminService.RefreshSuperUserGroupsConfiguration(RefreshSuperUserGroupsConfigurationRequest
.NewInstance());
NUnit.Framework.Assert.IsTrue(ProxyUsers.GetDefaultImpersonationProvider().GetProxyGroups
()["hadoop.proxyuser.test.groups"].Count == 1);
NUnit.Framework.Assert.IsTrue(ProxyUsers.GetDefaultImpersonationProvider().GetProxyGroups
()["hadoop.proxyuser.test.groups"].Contains("test_groups"));
NUnit.Framework.Assert.IsTrue(ProxyUsers.GetDefaultImpersonationProvider().GetProxyHosts
()["hadoop.proxyuser.test.hosts"].Count == 1);
NUnit.Framework.Assert.IsTrue(ProxyUsers.GetDefaultImpersonationProvider().GetProxyHosts
()["hadoop.proxyuser.test.hosts"].Contains("test_hosts"));
Configuration yarnConf = new Configuration(false);
yarnConf.Set("yarn.resourcemanager.proxyuser.test.groups", "test_groups_1");
yarnConf.Set("yarn.resourcemanager.proxyuser.test.hosts", "test_hosts_1");
UploadConfiguration(yarnConf, "yarn-site.xml");
// RM specific configs will overwrite the common ones
rm.adminService.RefreshSuperUserGroupsConfiguration(RefreshSuperUserGroupsConfigurationRequest
.NewInstance());
NUnit.Framework.Assert.IsTrue(ProxyUsers.GetDefaultImpersonationProvider().GetProxyGroups
()["hadoop.proxyuser.test.groups"].Count == 1);
NUnit.Framework.Assert.IsTrue(ProxyUsers.GetDefaultImpersonationProvider().GetProxyGroups
()["hadoop.proxyuser.test.groups"].Contains("test_groups_1"));
NUnit.Framework.Assert.IsTrue(ProxyUsers.GetDefaultImpersonationProvider().GetProxyHosts
()["hadoop.proxyuser.test.hosts"].Count == 1);
NUnit.Framework.Assert.IsTrue(ProxyUsers.GetDefaultImpersonationProvider().GetProxyHosts
()["hadoop.proxyuser.test.hosts"].Contains("test_hosts_1"));
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Javax.Servlet.ServletException"/>
protected override void DoFilter(FilterChain filterChain, HttpServletRequest request
, HttpServletResponse response)
{
bool requestCompleted = false;
UserGroupInformation ugi = null;
AuthenticationToken authToken = (AuthenticationToken)request.GetUserPrincipal();
if (authToken != null && authToken != AuthenticationToken.Anonymous)
{
// if the request was authenticated because of a delegation token,
// then we ignore proxyuser (this is the same as the RPC behavior).
ugi = (UserGroupInformation)request.GetAttribute(DelegationTokenAuthenticationHandler
.DelegationTokenUgiAttribute);
if (ugi == null)
{
string realUser = request.GetUserPrincipal().GetName();
ugi = UserGroupInformation.CreateRemoteUser(realUser, handlerAuthMethod);
string doAsUser = GetDoAs(request);
if (doAsUser != null)
{
ugi = UserGroupInformation.CreateProxyUser(doAsUser, ugi);
try
{
ProxyUsers.Authorize(ugi, request.GetRemoteHost());
}
catch (AuthorizationException ex)
{
HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
, ex);
requestCompleted = true;
}
}
}
UgiTl.Set(ugi);
}
if (!requestCompleted)
{
UserGroupInformation ugiF = ugi;
try
{
request = new _HttpServletRequestWrapper_269(this, ugiF, request);
base.DoFilter(filterChain, request, response);
}
finally
{
UgiTl.Remove();
}
}
}
/// <exception cref="System.Exception"/>
protected override void SetUp()
{
base.SetUp();
if (Runtime.GetProperty("hadoop.log.dir") == null)
{
Runtime.SetProperty("hadoop.log.dir", "/tmp");
}
int taskTrackers = 2;
int dataNodes = 2;
string proxyUser = Runtime.GetProperty("user.name");
string proxyGroup = "g";
StringBuilder sb = new StringBuilder();
sb.Append("127.0.0.1,localhost");
foreach (IPAddress i in IPAddress.GetAllByName(Sharpen.Runtime.GetLocalHost().GetHostName
()))
{
sb.Append(",").Append(i.ToString());
}
JobConf conf = new JobConf();
conf.Set("dfs.block.access.token.enable", "false");
conf.Set("dfs.permissions", "true");
conf.Set("hadoop.security.authentication", "simple");
conf.Set("hadoop.proxyuser." + proxyUser + ".hosts", sb.ToString());
conf.Set("hadoop.proxyuser." + proxyUser + ".groups", proxyGroup);
string[] userGroups = new string[] { proxyGroup };
UserGroupInformation.CreateUserForTesting(proxyUser, userGroups);
UserGroupInformation.CreateUserForTesting("u1", userGroups);
UserGroupInformation.CreateUserForTesting("u2", new string[] { "gg" });
dfsCluster = new MiniDFSCluster.Builder(conf).NumDataNodes(dataNodes).Build();
FileSystem fileSystem = dfsCluster.GetFileSystem();
fileSystem.Mkdirs(new Path("/tmp"));
fileSystem.Mkdirs(new Path("/user"));
fileSystem.Mkdirs(new Path("/hadoop/mapred/system"));
fileSystem.SetPermission(new Path("/tmp"), FsPermission.ValueOf("-rwxrwxrwx"));
fileSystem.SetPermission(new Path("/user"), FsPermission.ValueOf("-rwxrwxrwx"));
fileSystem.SetPermission(new Path("/hadoop/mapred/system"), FsPermission.ValueOf(
"-rwx------"));
string nnURI = fileSystem.GetUri().ToString();
int numDirs = 1;
string[] racks = null;
string[] hosts = null;
mrCluster = new MiniMRCluster(0, 0, taskTrackers, nnURI, numDirs, racks, hosts, null
, conf);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
}
public static void SetUp()
{
config = new HdfsConfiguration();
config.SetBoolean(DFSConfigKeys.DfsWebhdfsEnabledKey, true);
config.SetLong(DFSConfigKeys.DfsNamenodeDelegationTokenMaxLifetimeKey, 10000);
config.SetLong(DFSConfigKeys.DfsNamenodeDelegationTokenRenewIntervalKey, 5000);
config.SetStrings(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUser), "group1");
config.SetBoolean(DFSConfigKeys.DfsNamenodeDelegationTokenAlwaysUseKey, true);
ConfigureSuperUserIPAddresses(config, RealUser);
FileSystem.SetDefaultUri(config, "hdfs://localhost:" + "0");
cluster = new MiniDFSCluster.Builder(config).Build();
cluster.WaitActive();
ProxyUsers.RefreshSuperUserGroupsConfiguration(config);
ugi = UserGroupInformation.CreateRemoteUser(RealUser);
proxyUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUser, ugi, GroupNames
);
}
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
/// <exception cref="System.IO.IOException"/>
public virtual RefreshSuperUserGroupsConfigurationResponse RefreshSuperUserGroupsConfiguration
(RefreshSuperUserGroupsConfigurationRequest request)
{
string argName = "refreshSuperUserGroupsConfiguration";
UserGroupInformation user = CheckAcls(argName);
CheckRMStatus(user.GetShortUserName(), argName, "refresh super-user-groups.");
// Accept hadoop common configs in core-site.xml as well as RM specific
// configurations in yarn-site.xml
Configuration conf = GetConfiguration(new Configuration(false), YarnConfiguration
.CoreSiteConfigurationFile, YarnConfiguration.YarnSiteConfigurationFile);
RMServerUtils.ProcessRMProxyUsersConf(conf);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
RMAuditLogger.LogSuccess(user.GetShortUserName(), argName, "AdminService");
return(recordFactory.NewRecordInstance <RefreshSuperUserGroupsConfigurationResponse
>());
}
public static void Setup()
{
string currentUser = Runtime.GetProperty("user.name");
config.Set("fs.permissions.umask-mode", "u=rwx,g=,o=");
config.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(currentUser), "*");
config.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(currentUser), "*");
fsHelper = new FileSystemTestHelper();
// Set up java key store
string testRoot = fsHelper.GetTestRootDir();
testRootDir = new FilePath(testRoot).GetAbsoluteFile();
Path jksPath = new Path(testRootDir.ToString(), "test.jks");
config.Set(DFSConfigKeys.DfsEncryptionKeyProviderUri, JavaKeyStoreProvider.SchemeName
+ "://file" + jksPath.ToUri());
ProxyUsers.RefreshSuperUserGroupsConfiguration(config);
cluster = new MiniDFSCluster.Builder(config).NumDataNodes(1).Build();
cluster.WaitActive();
hdfs = cluster.GetFileSystem();
nn = cluster.GetNameNode();
dfsAdmin = new HdfsAdmin(cluster.GetURI(), config);
// Use ephemeral ports in case tests are running in parallel
config.SetInt("nfs3.mountd.port", 0);
config.SetInt("nfs3.server.port", 0);
// Start NFS with allowed.hosts set to "* rw"
config.Set("dfs.nfs.exports.allowed.hosts", "* rw");
nfs = new Org.Apache.Hadoop.Hdfs.Nfs.Nfs3.Nfs3(config);
nfs.StartServiceInternal(false);
nfsd = (RpcProgramNfs3)nfs.GetRpcProgram();
hdfs.GetClient().SetKeyProvider(nn.GetNamesystem().GetProvider());
DFSTestUtil.CreateKey(TestKey, cluster, config);
// Mock SecurityHandler which returns system user.name
securityHandler = Org.Mockito.Mockito.Mock <SecurityHandler>();
Org.Mockito.Mockito.When(securityHandler.GetUser()).ThenReturn(currentUser);
// Mock SecurityHandler which returns a dummy username "harry"
securityHandlerUnpriviledged = Org.Mockito.Mockito.Mock <SecurityHandler>();
Org.Mockito.Mockito.When(securityHandlerUnpriviledged.GetUser()).ThenReturn("harry"
);
}
private string GetRemoteAddr(string clientAddr, string proxyAddr, bool trusted)
{
HttpServletRequest req = Org.Mockito.Mockito.Mock <HttpServletRequest>();
Org.Mockito.Mockito.When(req.GetRemoteAddr()).ThenReturn("1.2.3.4");
Configuration conf = new Configuration();
if (proxyAddr == null)
{
Org.Mockito.Mockito.When(req.GetRemoteAddr()).ThenReturn(clientAddr);
}
else
{
Org.Mockito.Mockito.When(req.GetRemoteAddr()).ThenReturn(proxyAddr);
Org.Mockito.Mockito.When(req.GetHeader("X-Forwarded-For")).ThenReturn(clientAddr);
if (trusted)
{
conf.Set(ProxyServers.ConfHadoopProxyservers, proxyAddr);
}
}
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
return(JspHelper.GetRemoteAddr(req));
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// "/>
public override bool ManagementOperation(AuthenticationToken token, HttpServletRequest
request, HttpServletResponse response)
{
bool requestContinues = true;
string op = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.OpParam);
op = (op != null) ? StringUtils.ToUpperCase(op) : null;
if (DelegationTokenOps.Contains(op) && !request.GetMethod().Equals("OPTIONS"))
{
DelegationTokenAuthenticator.DelegationTokenOperation dtOp = DelegationTokenAuthenticator.DelegationTokenOperation
.ValueOf(op);
if (dtOp.GetHttpMethod().Equals(request.GetMethod()))
{
bool doManagement;
if (dtOp.RequiresKerberosCredentials() && token == null)
{
token = Authenticate(request, response);
if (token == null)
{
requestContinues = false;
doManagement = false;
}
else
{
doManagement = true;
}
}
else
{
doManagement = true;
}
if (doManagement)
{
UserGroupInformation requestUgi = (token != null) ? UserGroupInformation.CreateRemoteUser
(token.GetUserName()) : null;
// Create the proxy user if doAsUser exists
string doAsUser = DelegationTokenAuthenticationFilter.GetDoAs(request);
if (requestUgi != null && doAsUser != null)
{
requestUgi = UserGroupInformation.CreateProxyUser(doAsUser, requestUgi);
try
{
ProxyUsers.Authorize(requestUgi, request.GetRemoteHost());
}
catch (AuthorizationException ex)
{
HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
, ex);
return(false);
}
}
IDictionary map = null;
switch (dtOp)
{
case DelegationTokenAuthenticator.DelegationTokenOperation.Getdelegationtoken:
{
if (requestUgi == null)
{
throw new InvalidOperationException("request UGI cannot be NULL");
}
string renewer = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.RenewerParam);
try
{
Org.Apache.Hadoop.Security.Token.Token <object> dToken = tokenManager.CreateToken(
requestUgi, renewer);
map = DelegationTokenToJSON(dToken);
}
catch (IOException ex)
{
throw new AuthenticationException(ex.ToString(), ex);
}
break;
}
case DelegationTokenAuthenticator.DelegationTokenOperation.Renewdelegationtoken:
{
if (requestUgi == null)
{
throw new InvalidOperationException("request UGI cannot be NULL");
}
string tokenToRenew = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.TokenParam);
if (tokenToRenew == null)
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
, dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
requestContinues = false;
}
else
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
try
{
dt.DecodeFromUrlString(tokenToRenew);
long expirationTime = tokenManager.RenewToken(dt, requestUgi.GetShortUserName());
map = new Hashtable();
map["long"] = expirationTime;
}
catch (IOException ex)
{
throw new AuthenticationException(ex.ToString(), ex);
}
}
break;
}
case DelegationTokenAuthenticator.DelegationTokenOperation.Canceldelegationtoken:
{
string tokenToCancel = ServletUtils.GetParameter(request, KerberosDelegationTokenAuthenticator
.TokenParam);
if (tokenToCancel == null)
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Operation [{0}] requires the parameter [{1}]"
, dtOp, KerberosDelegationTokenAuthenticator.TokenParam));
requestContinues = false;
}
else
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
try
{
dt.DecodeFromUrlString(tokenToCancel);
tokenManager.CancelToken(dt, (requestUgi != null) ? requestUgi.GetShortUserName()
: null);
}
catch (IOException)
{
response.SendError(HttpServletResponse.ScNotFound, "Invalid delegation token, cannot cancel"
);
requestContinues = false;
}
}
break;
}
}
if (requestContinues)
{
response.SetStatus(HttpServletResponse.ScOk);
if (map != null)
{
response.SetContentType(MediaType.ApplicationJson);
TextWriter writer = response.GetWriter();
ObjectMapper jsonMapper = new ObjectMapper();
jsonMapper.WriteValue(writer, map);
writer.Write(Enter);
writer.Flush();
}
requestContinues = false;
}
}
}
else
{
response.SendError(HttpServletResponse.ScBadRequest, MessageFormat.Format("Wrong HTTP method [{0}] for operation [{1}], it should be "
+ "[{2}]", request.GetMethod(), dtOp, dtOp.GetHttpMethod()));
requestContinues = false;
}
}
return(requestContinues);
}
public virtual void TestWriteStableHow()
{
NfsConfiguration config = new NfsConfiguration();
DFSClient client = null;
MiniDFSCluster cluster = null;
RpcProgramNfs3 nfsd;
SecurityHandler securityHandler = Org.Mockito.Mockito.Mock <SecurityHandler>();
Org.Mockito.Mockito.When(securityHandler.GetUser()).ThenReturn(Runtime.GetProperty
("user.name"));
string currentUser = Runtime.GetProperty("user.name");
config.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(currentUser), "*");
config.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(currentUser), "*");
ProxyUsers.RefreshSuperUserGroupsConfiguration(config);
try
{
cluster = new MiniDFSCluster.Builder(config).NumDataNodes(1).Build();
cluster.WaitActive();
client = new DFSClient(NameNode.GetAddress(config), config);
// Use emphral port in case tests are running in parallel
config.SetInt("nfs3.mountd.port", 0);
config.SetInt("nfs3.server.port", 0);
// Start nfs
Org.Apache.Hadoop.Hdfs.Nfs.Nfs3.Nfs3 nfs3 = new Org.Apache.Hadoop.Hdfs.Nfs.Nfs3.Nfs3
(config);
nfs3.StartServiceInternal(false);
nfsd = (RpcProgramNfs3)nfs3.GetRpcProgram();
HdfsFileStatus status = client.GetFileInfo("/");
FileHandle rootHandle = new FileHandle(status.GetFileId());
// Create file1
CREATE3Request createReq = new CREATE3Request(rootHandle, "file1", Nfs3Constant.CreateUnchecked
, new SetAttr3(), 0);
XDR createXdr = new XDR();
createReq.Serialize(createXdr);
CREATE3Response createRsp = nfsd.Create(createXdr.AsReadOnlyWrap(), securityHandler
, new IPEndPoint("localhost", 1234));
FileHandle handle = createRsp.GetObjHandle();
// Test DATA_SYNC
byte[] buffer = new byte[10];
for (int i = 0; i < 10; i++)
{
buffer[i] = unchecked ((byte)i);
}
WRITE3Request writeReq = new WRITE3Request(handle, 0, 10, Nfs3Constant.WriteStableHow
.DataSync, ByteBuffer.Wrap(buffer));
XDR writeXdr = new XDR();
writeReq.Serialize(writeXdr);
nfsd.Write(writeXdr.AsReadOnlyWrap(), null, 1, securityHandler, new IPEndPoint("localhost"
, 1234));
WaitWrite(nfsd, handle, 60000);
// Readback
READ3Request readReq = new READ3Request(handle, 0, 10);
XDR readXdr = new XDR();
readReq.Serialize(readXdr);
READ3Response readRsp = nfsd.Read(readXdr.AsReadOnlyWrap(), securityHandler, new
IPEndPoint("localhost", 1234));
NUnit.Framework.Assert.IsTrue(Arrays.Equals(buffer, ((byte[])readRsp.GetData().Array
())));
// Test FILE_SYNC
// Create file2
CREATE3Request createReq2 = new CREATE3Request(rootHandle, "file2", Nfs3Constant.
CreateUnchecked, new SetAttr3(), 0);
XDR createXdr2 = new XDR();
createReq2.Serialize(createXdr2);
CREATE3Response createRsp2 = nfsd.Create(createXdr2.AsReadOnlyWrap(), securityHandler
, new IPEndPoint("localhost", 1234));
FileHandle handle2 = createRsp2.GetObjHandle();
WRITE3Request writeReq2 = new WRITE3Request(handle2, 0, 10, Nfs3Constant.WriteStableHow
.FileSync, ByteBuffer.Wrap(buffer));
XDR writeXdr2 = new XDR();
writeReq2.Serialize(writeXdr2);
nfsd.Write(writeXdr2.AsReadOnlyWrap(), null, 1, securityHandler, new IPEndPoint("localhost"
, 1234));
WaitWrite(nfsd, handle2, 60000);
// Readback
READ3Request readReq2 = new READ3Request(handle2, 0, 10);
XDR readXdr2 = new XDR();
readReq2.Serialize(readXdr2);
READ3Response readRsp2 = nfsd.Read(readXdr2.AsReadOnlyWrap(), securityHandler, new
IPEndPoint("localhost", 1234));
NUnit.Framework.Assert.IsTrue(Arrays.Equals(buffer, ((byte[])readRsp2.GetData().Array
())));
// FILE_SYNC should sync the file size
status = client.GetFileInfo("/file2");
NUnit.Framework.Assert.IsTrue(status.GetLen() == 10);
}
finally
{
if (cluster != null)
{
cluster.Shutdown();
}
}
}
public virtual void TestOOOWrites()
{
NfsConfiguration config = new NfsConfiguration();
MiniDFSCluster cluster = null;
RpcProgramNfs3 nfsd;
int bufSize = 32;
int numOOO = 3;
SecurityHandler securityHandler = Org.Mockito.Mockito.Mock <SecurityHandler>();
Org.Mockito.Mockito.When(securityHandler.GetUser()).ThenReturn(Runtime.GetProperty
("user.name"));
string currentUser = Runtime.GetProperty("user.name");
config.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(currentUser), "*");
config.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(currentUser), "*");
ProxyUsers.RefreshSuperUserGroupsConfiguration(config);
// Use emphral port in case tests are running in parallel
config.SetInt("nfs3.mountd.port", 0);
config.SetInt("nfs3.server.port", 0);
try
{
cluster = new MiniDFSCluster.Builder(config).NumDataNodes(1).Build();
cluster.WaitActive();
Org.Apache.Hadoop.Hdfs.Nfs.Nfs3.Nfs3 nfs3 = new Org.Apache.Hadoop.Hdfs.Nfs.Nfs3.Nfs3
(config);
nfs3.StartServiceInternal(false);
nfsd = (RpcProgramNfs3)nfs3.GetRpcProgram();
DFSClient dfsClient = new DFSClient(NameNode.GetAddress(config), config);
HdfsFileStatus status = dfsClient.GetFileInfo("/");
FileHandle rootHandle = new FileHandle(status.GetFileId());
CREATE3Request createReq = new CREATE3Request(rootHandle, "out-of-order-write" +
Runtime.CurrentTimeMillis(), Nfs3Constant.CreateUnchecked, new SetAttr3(), 0);
XDR createXdr = new XDR();
createReq.Serialize(createXdr);
CREATE3Response createRsp = nfsd.Create(createXdr.AsReadOnlyWrap(), securityHandler
, new IPEndPoint("localhost", 1234));
FileHandle handle = createRsp.GetObjHandle();
byte[][] oooBuf = new byte[][] { new byte[bufSize], new byte[bufSize], new byte[bufSize
] };
for (int i = 0; i < numOOO; i++)
{
Arrays.Fill(oooBuf[i], unchecked ((byte)i));
}
for (int i_1 = 0; i_1 < numOOO; i_1++)
{
long offset = (numOOO - 1 - i_1) * bufSize;
WRITE3Request writeReq = new WRITE3Request(handle, offset, bufSize, Nfs3Constant.WriteStableHow
.Unstable, ByteBuffer.Wrap(oooBuf[i_1]));
XDR writeXdr = new XDR();
writeReq.Serialize(writeXdr);
nfsd.Write(writeXdr.AsReadOnlyWrap(), null, 1, securityHandler, new IPEndPoint("localhost"
, 1234));
}
WaitWrite(nfsd, handle, 60000);
READ3Request readReq = new READ3Request(handle, bufSize, bufSize);
XDR readXdr = new XDR();
readReq.Serialize(readXdr);
READ3Response readRsp = nfsd.Read(readXdr.AsReadOnlyWrap(), securityHandler, new
IPEndPoint("localhost", config.GetInt(NfsConfigKeys.DfsNfsServerPortKey, NfsConfigKeys
.DfsNfsServerPortDefault)));
NUnit.Framework.Assert.IsTrue(Arrays.Equals(oooBuf[1], ((byte[])readRsp.GetData()
.Array())));
}
finally
{
if (cluster != null)
{
cluster.Shutdown();
}
}
}
//
/// <exception cref="System.IO.IOException"/>
private void RefreshConf(Configuration conf)
{
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
}
public virtual void TestGetProxyUgi()
{
conf.Set(DFSConfigKeys.FsDefaultNameKey, "hdfs://localhost:4321/");
ServletContext context = Org.Mockito.Mockito.Mock <ServletContext>();
string realUser = "******";
string user = "******";
conf.Set(DFSConfigKeys.HadoopSecurityAuthentication, "kerberos");
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(realUser), "*");
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(realUser), "*");
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
UserGroupInformation.SetConfiguration(conf);
UserGroupInformation ugi;
HttpServletRequest request;
// have to be auth-ed with remote user
request = GetMockRequest(null, null, user);
try
{
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad request allowed");
}
catch (IOException ioe)
{
NUnit.Framework.Assert.AreEqual("Security enabled but user not authenticated by filter"
, ioe.Message);
}
request = GetMockRequest(null, realUser, user);
try
{
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad request allowed");
}
catch (IOException ioe)
{
NUnit.Framework.Assert.AreEqual("Security enabled but user not authenticated by filter"
, ioe.Message);
}
// proxy ugi for user via remote user
request = GetMockRequest(realUser, null, user);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
CheckUgiFromAuth(ugi);
// proxy ugi for user vi a remote user = real user
request = GetMockRequest(realUser, realUser, user);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
CheckUgiFromAuth(ugi);
// proxy ugi for user via remote user != real user
request = GetMockRequest(realUser, user, user);
try
{
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad request allowed");
}
catch (IOException ioe)
{
NUnit.Framework.Assert.AreEqual("Usernames not matched: name=" + user + " != expected="
+ realUser, ioe.Message);
}
// try to get get a proxy user with unauthorized user
try
{
request = GetMockRequest(user, null, realUser);
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad proxy request allowed");
}
catch (AuthorizationException ae)
{
NUnit.Framework.Assert.AreEqual("User: "******" is not allowed to impersonate "
+ realUser, ae.Message);
}
try
{
request = GetMockRequest(user, user, realUser);
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad proxy request allowed");
}
catch (AuthorizationException ae)
{
NUnit.Framework.Assert.AreEqual("User: "******" is not allowed to impersonate "
+ realUser, ae.Message);
}
}
public virtual void TestRefreshSuperUserGroupsConfiguration()
{
string SuperUser = "******";
string[] GroupNames1 = new string[] { "gr1", "gr2" };
string[] GroupNames2 = new string[] { "gr3", "gr4" };
//keys in conf
string userKeyGroups = DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(SuperUser);
string userKeyHosts = DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(SuperUser);
config.Set(userKeyGroups, "gr3,gr4,gr5");
// superuser can proxy for this group
config.Set(userKeyHosts, "127.0.0.1");
ProxyUsers.RefreshSuperUserGroupsConfiguration(config);
UserGroupInformation ugi1 = Org.Mockito.Mockito.Mock <UserGroupInformation>();
UserGroupInformation ugi2 = Org.Mockito.Mockito.Mock <UserGroupInformation>();
UserGroupInformation suUgi = Org.Mockito.Mockito.Mock <UserGroupInformation>();
Org.Mockito.Mockito.When(ugi1.GetRealUser()).ThenReturn(suUgi);
Org.Mockito.Mockito.When(ugi2.GetRealUser()).ThenReturn(suUgi);
Org.Mockito.Mockito.When(suUgi.GetShortUserName()).ThenReturn(SuperUser);
// super user
Org.Mockito.Mockito.When(suUgi.GetUserName()).ThenReturn(SuperUser + "L");
// super user
Org.Mockito.Mockito.When(ugi1.GetShortUserName()).ThenReturn("user1");
Org.Mockito.Mockito.When(ugi2.GetShortUserName()).ThenReturn("user2");
Org.Mockito.Mockito.When(ugi1.GetUserName()).ThenReturn("userL1");
Org.Mockito.Mockito.When(ugi2.GetUserName()).ThenReturn("userL2");
// set groups for users
Org.Mockito.Mockito.When(ugi1.GetGroupNames()).ThenReturn(GroupNames1);
Org.Mockito.Mockito.When(ugi2.GetGroupNames()).ThenReturn(GroupNames2);
// check before
try
{
ProxyUsers.Authorize(ugi1, "127.0.0.1");
NUnit.Framework.Assert.Fail("first auth for " + ugi1.GetShortUserName() + " should've failed "
);
}
catch (AuthorizationException)
{
// expected
System.Console.Error.WriteLine("auth for " + ugi1.GetUserName() + " failed");
}
try
{
ProxyUsers.Authorize(ugi2, "127.0.0.1");
System.Console.Error.WriteLine("auth for " + ugi2.GetUserName() + " succeeded");
}
catch (AuthorizationException e)
{
// expected
NUnit.Framework.Assert.Fail("first auth for " + ugi2.GetShortUserName() + " should've succeeded: "
+ e.GetLocalizedMessage());
}
// refresh will look at configuration on the server side
// add additional resource with the new value
// so the server side will pick it up
string rsrc = "testGroupMappingRefresh_rsrc.xml";
AddNewConfigResource(rsrc, userKeyGroups, "gr2", userKeyHosts, "127.0.0.1");
DFSAdmin admin = new DFSAdmin(config);
string[] args = new string[] { "-refreshSuperUserGroupsConfiguration" };
admin.Run(args);
try
{
ProxyUsers.Authorize(ugi2, "127.0.0.1");
NUnit.Framework.Assert.Fail("second auth for " + ugi2.GetShortUserName() + " should've failed "
);
}
catch (AuthorizationException)
{
// expected
System.Console.Error.WriteLine("auth for " + ugi2.GetUserName() + " failed");
}
try
{
ProxyUsers.Authorize(ugi1, "127.0.0.1");
System.Console.Error.WriteLine("auth for " + ugi1.GetUserName() + " succeeded");
}
catch (AuthorizationException e)
{
// expected
NUnit.Framework.Assert.Fail("second auth for " + ugi1.GetShortUserName() + " should've succeeded: "
+ e.GetLocalizedMessage());
}
}
public virtual void TestRMInitialsWithFileSystemBasedConfigurationProvider()
{
configuration.Set(YarnConfiguration.RmConfigurationProviderClass, "org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider"
);
// upload configurations
FilePath excludeHostsFile = new FilePath(tmpDir.ToString(), "excludeHosts");
if (excludeHostsFile.Exists())
{
excludeHostsFile.Delete();
}
if (!excludeHostsFile.CreateNewFile())
{
NUnit.Framework.Assert.Fail("Can not create " + "excludeHosts");
}
PrintWriter fileWriter = new PrintWriter(excludeHostsFile);
fileWriter.Write("0.0.0.0:123");
fileWriter.Close();
UploadToRemoteFileSystem(new Path(excludeHostsFile.GetAbsolutePath()));
YarnConfiguration yarnConf = new YarnConfiguration();
yarnConf.Set(YarnConfiguration.YarnAdminAcl, "world:anyone:rwcda");
yarnConf.Set(YarnConfiguration.RmNodesExcludeFilePath, this.workingPath + "/excludeHosts"
);
UploadConfiguration(yarnConf, "yarn-site.xml");
CapacitySchedulerConfiguration csConf = new CapacitySchedulerConfiguration();
csConf.Set("yarn.scheduler.capacity.maximum-applications", "5000");
UploadConfiguration(csConf, "capacity-scheduler.xml");
string aclsString = "alice,bob users,wheel";
Configuration newConf = new Configuration();
newConf.Set("security.applicationclient.protocol.acl", aclsString);
UploadConfiguration(newConf, "hadoop-policy.xml");
Configuration conf = new Configuration();
conf.SetBoolean(CommonConfigurationKeysPublic.HadoopSecurityAuthorization, true);
conf.Set("hadoop.proxyuser.test.groups", "test_groups");
conf.Set("hadoop.proxyuser.test.hosts", "test_hosts");
conf.SetClass(CommonConfigurationKeys.HadoopSecurityGroupMapping, typeof(TestRMAdminService.MockUnixGroupsMapping
), typeof(GroupMappingServiceProvider));
UploadConfiguration(conf, "core-site.xml");
// update the groups
TestRMAdminService.MockUnixGroupsMapping.UpdateGroups();
ResourceManager resourceManager = null;
try
{
try
{
resourceManager = new ResourceManager();
resourceManager.Init(configuration);
resourceManager.Start();
}
catch (Exception)
{
NUnit.Framework.Assert.Fail("Should not get any exceptions");
}
// validate values for excludeHosts
ICollection <string> excludeHosts = resourceManager.GetRMContext().GetNodesListManager
().GetHostsReader().GetExcludedHosts();
NUnit.Framework.Assert.IsTrue(excludeHosts.Count == 1);
NUnit.Framework.Assert.IsTrue(excludeHosts.Contains("0.0.0.0:123"));
// validate values for admin-acls
string aclStringAfter = resourceManager.adminService.GetAccessControlList().GetAclString
().Trim();
NUnit.Framework.Assert.AreEqual(aclStringAfter, "world:anyone:rwcda," + UserGroupInformation
.GetCurrentUser().GetShortUserName());
// validate values for queue configuration
CapacityScheduler cs = (CapacityScheduler)resourceManager.GetRMContext().GetScheduler
();
int maxAppsAfter = cs.GetConfiguration().GetMaximumSystemApplications();
NUnit.Framework.Assert.AreEqual(maxAppsAfter, 5000);
// verify service Acls for AdminService
ServiceAuthorizationManager adminServiceServiceManager = resourceManager.adminService
.GetServer().GetServiceAuthorizationManager();
VerifyServiceACLsRefresh(adminServiceServiceManager, typeof(ApplicationClientProtocolPB
), aclsString);
// verify service ACLs for ClientRMService
ServiceAuthorizationManager clientRMServiceServiceManager = resourceManager.GetRMContext
().GetClientRMService().GetServer().GetServiceAuthorizationManager();
VerifyServiceACLsRefresh(clientRMServiceServiceManager, typeof(ApplicationClientProtocolPB
), aclsString);
// verify service ACLs for ApplicationMasterService
ServiceAuthorizationManager appMasterService = resourceManager.GetRMContext().GetApplicationMasterService
().GetServer().GetServiceAuthorizationManager();
VerifyServiceACLsRefresh(appMasterService, typeof(ApplicationClientProtocolPB), aclsString
);
// verify service ACLs for ResourceTrackerService
ServiceAuthorizationManager RTService = resourceManager.GetRMContext().GetResourceTrackerService
().GetServer().GetServiceAuthorizationManager();
VerifyServiceACLsRefresh(RTService, typeof(ApplicationClientProtocolPB), aclsString
);
// verify ProxyUsers and ProxyHosts
ProxyUsers.RefreshSuperUserGroupsConfiguration(configuration);
NUnit.Framework.Assert.IsTrue(ProxyUsers.GetDefaultImpersonationProvider().GetProxyGroups
()["hadoop.proxyuser.test.groups"].Count == 1);
NUnit.Framework.Assert.IsTrue(ProxyUsers.GetDefaultImpersonationProvider().GetProxyGroups
()["hadoop.proxyuser.test.groups"].Contains("test_groups"));
NUnit.Framework.Assert.IsTrue(ProxyUsers.GetDefaultImpersonationProvider().GetProxyHosts
()["hadoop.proxyuser.test.hosts"].Count == 1);
NUnit.Framework.Assert.IsTrue(ProxyUsers.GetDefaultImpersonationProvider().GetProxyHosts
()["hadoop.proxyuser.test.hosts"].Contains("test_hosts"));
// verify UserToGroupsMappings
IList <string> groupAfter = Groups.GetUserToGroupsMappingService(configuration).GetGroups
(UserGroupInformation.GetCurrentUser().GetUserName());
NUnit.Framework.Assert.IsTrue(groupAfter.Contains("test_group_D") && groupAfter.Contains
("test_group_E") && groupAfter.Contains("test_group_F") && groupAfter.Count == 3
);
}
finally
{
if (resourceManager != null)
{
resourceManager.Stop();
}
}
}