/// <exception cref="System.Exception"/>
public virtual void TestFstat()
{
FileOutputStream fos = new FileOutputStream(new FilePath(TestDir, "testfstat"));
NativeIO.POSIX.Stat stat = NativeIO.POSIX.GetFstat(fos.GetFD());
fos.Close();
Log.Info("Stat: " + stat.ToString());
string owner = stat.GetOwner();
string expectedOwner = Runtime.GetProperty("user.name");
if (Path.Windows)
{
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(expectedOwner);
string adminsGroupString = "Administrators";
if (Arrays.AsList(ugi.GetGroupNames()).Contains(adminsGroupString))
{
expectedOwner = adminsGroupString;
}
}
Assert.Equal(expectedOwner, owner);
NUnit.Framework.Assert.IsNotNull(stat.GetGroup());
Assert.True(!stat.GetGroup().IsEmpty());
Assert.Equal("Stat mode field should indicate a regular file",
NativeIO.POSIX.Stat.SIfreg, stat.GetMode() & NativeIO.POSIX.Stat.SIfmt);
}
public virtual void TestCheckAccessWithNullACLS()
{
Configuration conf = new Configuration();
conf.SetBoolean(YarnConfiguration.YarnAclEnable, true);
conf.Set(YarnConfiguration.YarnAdminAcl, AdminUser);
ApplicationACLsManager aclManager = new ApplicationACLsManager(conf);
UserGroupInformation appOwner = UserGroupInformation.CreateRemoteUser(AppOwner);
ApplicationId appId = ApplicationId.NewInstance(1, 1);
//Application ACL is not added
//Application Owner should have all access even if Application ACL is not added
NUnit.Framework.Assert.IsTrue(aclManager.CheckAccess(appOwner, ApplicationAccessType
.ModifyApp, AppOwner, appId));
NUnit.Framework.Assert.IsTrue(aclManager.CheckAccess(appOwner, ApplicationAccessType
.ViewApp, AppOwner, appId));
//Admin should have all access
UserGroupInformation adminUser = UserGroupInformation.CreateRemoteUser(AdminUser);
NUnit.Framework.Assert.IsTrue(aclManager.CheckAccess(adminUser, ApplicationAccessType
.ViewApp, AppOwner, appId));
NUnit.Framework.Assert.IsTrue(aclManager.CheckAccess(adminUser, ApplicationAccessType
.ModifyApp, AppOwner, appId));
// A regular user should Not have access
UserGroupInformation testUser1 = UserGroupInformation.CreateRemoteUser(Testuser1);
NUnit.Framework.Assert.IsFalse(aclManager.CheckAccess(testUser1, ApplicationAccessType
.ViewApp, AppOwner, appId));
NUnit.Framework.Assert.IsFalse(aclManager.CheckAccess(testUser1, ApplicationAccessType
.ModifyApp, AppOwner, appId));
}
/// <exception cref="System.Exception"/>
public virtual void TestFsCache()
{
{
long now = Runtime.CurrentTimeMillis();
string[] users = new string[] { "foo", "bar" };
Configuration conf = new Configuration();
FileSystem[] fs = new FileSystem[users.Length];
for (int i = 0; i < users.Length; i++)
{
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(users[i]);
fs[i] = ugi.DoAs(new _PrivilegedExceptionAction_500(conf));
for (int j = 0; j < i; j++)
{
NUnit.Framework.Assert.IsFalse(fs[j] == fs[i]);
}
}
FileSystem.CloseAll();
}
{
try
{
RunTestCache(NameNode.DefaultPort);
}
catch (BindException be)
{
Log.Warn("Cannot test NameNode.DEFAULT_PORT (=" + NameNode.DefaultPort + ")", be);
}
RunTestCache(0);
}
}
/// <summary>
/// Validate the netgroups, both group membership and ACL
/// functionality
/// Note: assumes a specific acl setup done by testNetgroups
/// </summary>
/// <param name="groups">group to user mapping service</param>
/// <param name="acl">ACL set up in a specific way, see testNetgroups</param>
/// <exception cref="System.Exception"/>
private void ValidateNetgroups(Groups groups, AccessControlList acl)
{
// check that the netgroups are working
IList <string> elvisGroups = groups.GetGroups("elvis");
Assert.True(elvisGroups.Contains("@lasVegas"));
Assert.True(elvisGroups.Contains("@memphis"));
IList <string> jerryLeeLewisGroups = groups.GetGroups("jerryLeeLewis");
Assert.True(jerryLeeLewisGroups.Contains("@memphis"));
// allowed becuase his netgroup is in ACL
UserGroupInformation elvis = UserGroupInformation.CreateRemoteUser("elvis");
AssertUserAllowed(elvis, acl);
// allowed because he's in ACL
UserGroupInformation carlPerkins = UserGroupInformation.CreateRemoteUser("carlPerkins"
);
AssertUserAllowed(carlPerkins, acl);
// not allowed because he's not in ACL and has no netgroups
UserGroupInformation littleRichard = UserGroupInformation.CreateRemoteUser("littleRichard"
);
AssertUserNotAllowed(littleRichard, acl);
}
public virtual void TestHttpUGI()
{
Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
Context context = new Context();
context.SetContextPath("/foo");
jetty.SetHandler(context);
context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.PseudoDTAFilter)
), "/*", 0);
context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UGIServlet)),
"/bar");
try
{
jetty.Start();
Uri url = new Uri(GetJettyURL() + "/foo/bar");
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(FooUser);
ugi.DoAs(new _PrivilegedExceptionAction_938(url));
}
finally
{
// user foo
// user ok-user via proxyuser foo
jetty.Stop();
}
}
/// <exception cref="System.Exception"/>
public virtual RegisterApplicationMasterResponse RegisterAppAttempt(bool wait)
{
if (wait)
{
WaitForState(RMAppAttemptState.Launched);
}
responseId = 0;
RegisterApplicationMasterRequest req = Org.Apache.Hadoop.Yarn.Util.Records.NewRecord
<RegisterApplicationMasterRequest>();
req.SetHost(string.Empty);
req.SetRpcPort(1);
req.SetTrackingUrl(string.Empty);
if (ugi == null)
{
ugi = UserGroupInformation.CreateRemoteUser(attemptId.ToString());
Org.Apache.Hadoop.Security.Token.Token <AMRMTokenIdentifier> token = context.GetRMApps
()[attemptId.GetApplicationId()].GetRMAppAttempt(attemptId).GetAMRMToken();
ugi.AddTokenIdentifier(token.DecodeIdentifier());
}
try
{
return(ugi.DoAs(new _PrivilegedExceptionAction_117(this, req)));
}
catch (UndeclaredThrowableException e)
{
throw (Exception)e.InnerException;
}
}
/// <exception cref="System.IO.IOException"/>
internal static ClientDatanodeProtocolPB CreateClientDatanodeProtocolProxy(DatanodeID
datanodeid, Configuration conf, int socketTimeout, bool connectToDnViaHostname,
LocatedBlock locatedBlock)
{
string dnAddr = datanodeid.GetIpcAddr(connectToDnViaHostname);
IPEndPoint addr = NetUtils.CreateSocketAddr(dnAddr);
if (Log.IsDebugEnabled())
{
Log.Debug("Connecting to datanode " + dnAddr + " addr=" + addr);
}
// Since we're creating a new UserGroupInformation here, we know that no
// future RPC proxies will be able to re-use the same connection. And
// usages of this proxy tend to be one-off calls.
//
// This is a temporary fix: callers should really achieve this by using
// RPC.stopProxy() on the resulting object, but this is currently not
// working in trunk. See the discussion on HDFS-1965.
Configuration confWithNoIpcIdle = new Configuration(conf);
confWithNoIpcIdle.SetInt(CommonConfigurationKeysPublic.IpcClientConnectionMaxidletimeKey
, 0);
UserGroupInformation ticket = UserGroupInformation.CreateRemoteUser(locatedBlock.
GetBlock().GetLocalBlock().ToString());
ticket.AddToken(locatedBlock.GetBlockToken());
return(CreateClientDatanodeProtocolProxy(addr, ticket, confWithNoIpcIdle, NetUtils
.GetDefaultSocketFactory(conf), socketTimeout));
}
public static void Setup()
{
RMStateStore store = RMStateStoreFactory.GetStore(conf);
conf.SetBoolean(YarnConfiguration.YarnAclEnable, true);
AccessControlList adminACL = new AccessControlList(string.Empty);
adminACL.AddGroup(SuperGroup);
conf.Set(YarnConfiguration.YarnAdminAcl, adminACL.GetAclString());
resourceManager = new _MockRM_105(conf);
new _Thread_127().Start();
int waitCount = 0;
while (resourceManager.GetServiceState() == Service.STATE.Inited && waitCount++ <
60)
{
Log.Info("Waiting for RM to start...");
Sharpen.Thread.Sleep(1500);
}
if (resourceManager.GetServiceState() != Service.STATE.Started)
{
// RM could have failed.
throw new IOException("ResourceManager failed to start. Final state is " + resourceManager
.GetServiceState());
}
UserGroupInformation owner = UserGroupInformation.CreateRemoteUser(AppOwner);
rmClient = owner.DoAs(new _PrivilegedExceptionAction_152());
}
/// <exception cref="System.Exception"/>
public virtual void TestDecryptWithKeyVersionNameKeyMismatch()
{
Configuration conf = new Configuration();
KeyProvider kp = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf
);
KeyAuthorizationKeyProvider.KeyACLs mock = Org.Mockito.Mockito.Mock <KeyAuthorizationKeyProvider.KeyACLs
>();
Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
.Management)).ThenReturn(true);
Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
.GenerateEek)).ThenReturn(true);
Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
.DecryptEek)).ThenReturn(true);
Org.Mockito.Mockito.When(mock.IsACLPresent("testKey", KeyAuthorizationKeyProvider.KeyOpType
.All)).ThenReturn(true);
UserGroupInformation u1 = UserGroupInformation.CreateRemoteUser("u1");
UserGroupInformation u2 = UserGroupInformation.CreateRemoteUser("u2");
UserGroupInformation u3 = UserGroupInformation.CreateRemoteUser("u3");
UserGroupInformation sudo = UserGroupInformation.CreateRemoteUser("sudo");
Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u1, KeyAuthorizationKeyProvider.KeyOpType
.Management)).ThenReturn(true);
Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u2, KeyAuthorizationKeyProvider.KeyOpType
.GenerateEek)).ThenReturn(true);
Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", u3, KeyAuthorizationKeyProvider.KeyOpType
.DecryptEek)).ThenReturn(true);
Org.Mockito.Mockito.When(mock.HasAccessToKey("testKey", sudo, KeyAuthorizationKeyProvider.KeyOpType
.All)).ThenReturn(true);
KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension
.CreateKeyProviderCryptoExtension(kp), mock);
sudo.DoAs(new _PrivilegedExceptionAction_247(conf, kpExt));
}
public static void LoadTest(string ipString, int testRange)
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames)));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ipString);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a group that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
long startTime = Runtime.NanoTime();
SecureRandom sr = new SecureRandom();
for (int i = 1; i < 1000000; i++)
{
try
{
ProxyUsers.Authorize(proxyUserUgi, "1.2.3." + sr.Next(testRange));
}
catch (AuthorizationException)
{
}
}
long stopTime = Runtime.NanoTime();
long elapsedTime = stopTime - startTime;
System.Console.Out.WriteLine(elapsedTime / 1000000 + " ms");
}
/// <exception cref="System.IO.IOException"/>
private static void CheckStat(FilePath f, string owner, string group, string expectedOwner
, string expectedGroup)
{
bool success = true;
if (expectedOwner != null && !expectedOwner.Equals(owner))
{
if (Path.Windows)
{
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(expectedOwner);
string adminsGroupString = "Administrators";
success = owner.Equals(adminsGroupString) && Arrays.AsList(ugi.GetGroupNames()).Contains
(adminsGroupString);
}
else
{
success = false;
}
}
if (!success)
{
throw new IOException("Owner '" + owner + "' for path " + f + " did not match " +
"expected owner '" + expectedOwner + "'");
}
}
public virtual void TestProxyUsersWithCustomPrefix()
{
Configuration conf = new Configuration(false);
conf.Set("x." + RealUserName + ".users", StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName
)));
conf.Set("x." + RealUserName + ".hosts", ProxyIp);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf, "x");
// First try proxying a user that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(AuthorizedProxyUserName, realUserUgi, GroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Now try proxying a user that's not allowed
realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, GroupNames);
// From good IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
public virtual void TestWildcardIP()
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames)));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), "*");
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a group that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
// From either IP should be fine
AssertAuthorized(proxyUserUgi, "1.2.3.4");
AssertAuthorized(proxyUserUgi, "1.2.3.5");
// Now set up an unallowed group
realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, OtherGroupNames);
// Neither IP should be OK
AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
public virtual void TestWildcardUser()
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserUserConfKey
(RealUserName), "*");
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ProxyIp);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a user that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(AuthorizedProxyUserName, realUserUgi, GroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Now try proxying a different user (just to make sure we aren't getting spill over
// from the other test case!)
realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, OtherGroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
public virtual void TestProxyUsersWithUserConf()
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserUserConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName)));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ProxyIp);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a user that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(AuthorizedProxyUserName, realUserUgi, GroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Now try proxying a user that's not allowed
realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, GroupNames);
// From good IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
/// <exception cref="System.Exception"/>
/// <exception cref="System.IO.IOException"/>
private static DistributedFileSystem GetFileSystem(string user, URI uri, Configuration
conf)
{
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser(user);
return(ugi.DoAs(new _PrivilegedExceptionAction_343(uri, conf)));
}
public virtual void TestRealUserGroupNotSpecified()
{
Configuration conf = new Configuration();
ConfigureSuperUserIPAddresses(conf, RealUserShortName);
Server server = new RPC.Builder(conf).SetProtocol(typeof(TestDoAsEffectiveUser.TestProtocol
)).SetInstance(new TestDoAsEffectiveUser.TestImpl(this)).SetBindAddress(Address)
.SetPort(0).SetNumHandlers(2).SetVerbose(false).Build();
try
{
server.Start();
IPEndPoint addr = NetUtils.GetConnectAddress(server);
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
string retVal = proxyUserUgi.DoAs(new _PrivilegedExceptionAction_359(this, addr,
conf));
NUnit.Framework.Assert.Fail("The RPC must have failed " + retVal);
}
catch (Exception e)
{
Runtime.PrintStackTrace(e);
}
finally
{
server.Stop();
if (proxy != null)
{
RPC.StopProxy(proxy);
}
}
}
/// <summary>
/// Get
/// <see cref="Org.Apache.Hadoop.Security.UserGroupInformation"/>
/// and possibly the delegation token out of
/// the request.
/// </summary>
/// <param name="context">the ServletContext that is serving this request.</param>
/// <param name="request">the http request</param>
/// <param name="conf">configuration</param>
/// <param name="secureAuthMethod">the AuthenticationMethod used in secure mode.</param>
/// <param name="tryUgiParameter">Should it try the ugi parameter?</param>
/// <returns>a new user from the request</returns>
/// <exception cref="Org.Apache.Hadoop.Security.AccessControlException">if the request has no token
/// </exception>
/// <exception cref="System.IO.IOException"/>
public static UserGroupInformation GetUGI(ServletContext context, HttpServletRequest
request, Configuration conf, UserGroupInformation.AuthenticationMethod secureAuthMethod
, bool tryUgiParameter)
{
UserGroupInformation ugi = null;
string usernameFromQuery = GetUsernameFromQuery(request, tryUgiParameter);
string doAsUserFromQuery = request.GetParameter(DoAsParam.Name);
string remoteUser;
if (UserGroupInformation.IsSecurityEnabled())
{
remoteUser = request.GetRemoteUser();
string tokenString = request.GetParameter(DelegationParameterName);
if (tokenString != null)
{
// Token-based connections need only verify the effective user, and
// disallow proxying to different user. Proxy authorization checks
// are not required since the checks apply to issuing a token.
ugi = GetTokenUGI(context, request, tokenString, conf);
CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
CheckUsername(ugi.GetShortUserName(), doAsUserFromQuery);
}
else
{
if (remoteUser == null)
{
throw new IOException("Security enabled but user not authenticated by filter");
}
}
}
else
{
// Security's not on, pull from url or use default web user
remoteUser = (usernameFromQuery == null) ? GetDefaultWebUserName(conf) : usernameFromQuery;
}
// not specified in request
if (ugi == null)
{
// security is off, or there's no token
ugi = UserGroupInformation.CreateRemoteUser(remoteUser);
CheckUsername(ugi.GetShortUserName(), usernameFromQuery);
if (UserGroupInformation.IsSecurityEnabled())
{
// This is not necessarily true, could have been auth'ed by user-facing
// filter
ugi.SetAuthenticationMethod(secureAuthMethod);
}
if (doAsUserFromQuery != null)
{
// create and attempt to authorize a proxy user
ugi = UserGroupInformation.CreateProxyUser(doAsUserFromQuery, ugi);
ProxyUsers.Authorize(ugi, GetRemoteAddr(request));
}
}
if (Log.IsDebugEnabled())
{
Log.Debug("getUGI is returning: " + ugi.GetShortUserName());
}
return(ugi);
}
/// <exception cref="System.IO.IOException"/>
public virtual void TestSetLoginUser()
{
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user");
UserGroupInformation.SetLoginUser(ugi);
Assert.Equal(ugi, UserGroupInformation.GetLoginUser());
}
public virtual void TestCacheForUgi <T>()
where T : TokenIdentifier
{
Configuration conf = new Configuration();
conf.Set("fs.cachedfile.impl", FileSystem.GetFileSystemClass("file", null).FullName
);
UserGroupInformation ugiA = UserGroupInformation.CreateRemoteUser("foo");
UserGroupInformation ugiB = UserGroupInformation.CreateRemoteUser("bar");
FileSystem fsA = ugiA.DoAs(new _PrivilegedExceptionAction_171(conf));
FileSystem fsA1 = ugiA.DoAs(new _PrivilegedExceptionAction_177(conf));
//Since the UGIs are the same, we should have the same filesystem for both
NUnit.Framework.Assert.AreSame(fsA, fsA1);
FileSystem fsB = ugiB.DoAs(new _PrivilegedExceptionAction_186(conf));
//Since the UGIs are different, we should end up with different filesystems
//corresponding to the two UGIs
NUnit.Framework.Assert.AreNotSame(fsA, fsB);
Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
>();
UserGroupInformation ugiA2 = UserGroupInformation.CreateRemoteUser("foo");
fsA = ugiA2.DoAs(new _PrivilegedExceptionAction_199(conf));
// Although the users in the UGI are same, they have different subjects
// and so are different.
NUnit.Framework.Assert.AreNotSame(fsA, fsA1);
ugiA.AddToken(t1);
fsA = ugiA.DoAs(new _PrivilegedExceptionAction_211(conf));
// Make sure that different UGI's with the same subject lead to the same
// file system.
NUnit.Framework.Assert.AreSame(fsA, fsA1);
}
/// <exception cref="System.Exception"/>
public virtual void TestAddCreds <T>()
where T : TokenIdentifier
{
// from Mockito mocks
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("someone");
Text service = new Text("service");
Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
>();
Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(service);
Org.Apache.Hadoop.Security.Token.Token <T> t2 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
>();
Org.Mockito.Mockito.When(t2.GetService()).ThenReturn(new Text("service2"));
byte[] secret = new byte[] { };
Text secretKey = new Text("sshhh");
// fill credentials
Credentials creds = new Credentials();
creds.AddToken(t1.GetService(), t1);
creds.AddToken(t2.GetService(), t2);
creds.AddSecretKey(secretKey, secret);
// add creds to ugi, and check ugi
ugi.AddCredentials(creds);
CheckTokens(ugi, t1, t2);
NUnit.Framework.Assert.AreSame(secret, ugi.GetCredentials().GetSecretKey(secretKey
));
}
/// <exception cref="System.Exception"/>
public virtual void TestGetCreds <T>()
where T : TokenIdentifier
{
// from Mockito mocks
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("someone");
Text service = new Text("service");
Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
>();
Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(service);
Org.Apache.Hadoop.Security.Token.Token <T> t2 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
>();
Org.Mockito.Mockito.When(t2.GetService()).ThenReturn(new Text("service2"));
Org.Apache.Hadoop.Security.Token.Token <T> t3 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
>();
Org.Mockito.Mockito.When(t3.GetService()).ThenReturn(service);
// add token to ugi
ugi.AddToken(t1);
ugi.AddToken(t2);
CheckTokens(ugi, t1, t2);
Credentials creds = ugi.GetCredentials();
creds.AddToken(t3.GetService(), t3);
NUnit.Framework.Assert.AreSame(t3, creds.GetToken(service));
// check that ugi wasn't modified
CheckTokens(ugi, t1, t2);
}
/// <exception cref="System.Exception"/>
public virtual void TestAddToken <T>()
where T : TokenIdentifier
{
// from Mockito mocks
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("someone");
Org.Apache.Hadoop.Security.Token.Token <T> t1 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
>();
Org.Apache.Hadoop.Security.Token.Token <T> t2 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
>();
Org.Apache.Hadoop.Security.Token.Token <T> t3 = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token
>();
// add token to ugi
ugi.AddToken(t1);
CheckTokens(ugi, t1);
// replace token t1 with t2 - with same key (null)
ugi.AddToken(t2);
CheckTokens(ugi, t2);
// change t1 service and add token
Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(new Text("t1"));
ugi.AddToken(t1);
CheckTokens(ugi, t1, t2);
// overwrite t1 token with t3 - same key (!null)
Org.Mockito.Mockito.When(t3.GetService()).ThenReturn(new Text("t1"));
ugi.AddToken(t3);
CheckTokens(ugi, t2, t3);
// just try to re-add with new name
Org.Mockito.Mockito.When(t1.GetService()).ThenReturn(new Text("t1.1"));
ugi.AddToken(t1);
CheckTokens(ugi, t1, t2, t3);
// just try to re-add with new name again
ugi.AddToken(t1);
CheckTokens(ugi, t1, t2, t3);
}
public virtual void TestUgi()
{
UserGroupInformation otherUser = UserGroupInformation.CreateRemoteUser("otherUser"
);
FileContext newFc = otherUser.DoAs(new _PrivilegedExceptionAction_194());
Assert.Equal("otherUser", newFc.GetUgi().GetUserName());
}
public virtual void TestNonExistentUser()
{
string actualOutput = RunTool(conf, new string[] { "does-not-exist" }, true);
Assert.Equal("Show the output for only the user given, with no groups"
, GetExpectedOutput(UserGroupInformation.CreateRemoteUser("does-not-exist")), actualOutput
);
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
private ApplicationClientProtocol GetRMClientForUser(string user)
{
UserGroupInformation userUGI = UserGroupInformation.CreateRemoteUser(user);
ApplicationClientProtocol userClient = userUGI.DoAs(new _PrivilegedExceptionAction_257
(this));
return(userClient);
}
/// <summary>
/// <inheritDoc/>
///
/// </summary>
public override UserGroupInformation GetUser()
{
if (jobid == null || string.Empty.Equals(jobid.ToString()))
{
return(null);
}
return(UserGroupInformation.CreateRemoteUser(jobid.ToString()));
}
/// <exception cref="System.IO.IOException"/>
/// <exception cref="Org.Apache.Hadoop.Yarn.Exceptions.YarnException"/>
public static void StartContainer(NodeManager nm, ContainerId cId, FileContext localFS
, FilePath scriptFileDir, FilePath processStartFile)
{
FilePath scriptFile = CreateUnhaltingScriptFile(cId, scriptFileDir, processStartFile
);
ContainerLaunchContext containerLaunchContext = recordFactory.NewRecordInstance <ContainerLaunchContext
>();
NodeId nodeId = BuilderUtils.NewNodeId(Sharpen.Extensions.GetAddressByName("localhost"
).ToString(), 12345);
URL localResourceUri = ConverterUtils.GetYarnUrlFromPath(localFS.MakeQualified(new
Path(scriptFile.GetAbsolutePath())));
LocalResource localResource = recordFactory.NewRecordInstance <LocalResource>();
localResource.SetResource(localResourceUri);
localResource.SetSize(-1);
localResource.SetVisibility(LocalResourceVisibility.Application);
localResource.SetType(LocalResourceType.File);
localResource.SetTimestamp(scriptFile.LastModified());
string destinationFile = "dest_file";
IDictionary <string, LocalResource> localResources = new Dictionary <string, LocalResource
>();
localResources[destinationFile] = localResource;
containerLaunchContext.SetLocalResources(localResources);
IList <string> commands = Arrays.AsList(Shell.GetRunScriptCommand(scriptFile));
containerLaunchContext.SetCommands(commands);
IPEndPoint containerManagerBindAddress = NetUtils.CreateSocketAddrForHost("127.0.0.1"
, 12345);
UserGroupInformation currentUser = UserGroupInformation.CreateRemoteUser(cId.ToString
());
Org.Apache.Hadoop.Security.Token.Token <NMTokenIdentifier> nmToken = ConverterUtils
.ConvertFromYarn(nm.GetNMContext().GetNMTokenSecretManager().CreateNMToken(cId.GetApplicationAttemptId
(), nodeId, user), containerManagerBindAddress);
currentUser.AddToken(nmToken);
ContainerManagementProtocol containerManager = currentUser.DoAs(new _PrivilegedAction_229
());
StartContainerRequest scRequest = StartContainerRequest.NewInstance(containerLaunchContext
, TestContainerManager.CreateContainerToken(cId, 0, nodeId, user, nm.GetNMContext
().GetContainerTokenSecretManager()));
IList <StartContainerRequest> list = new AList <StartContainerRequest>();
list.AddItem(scRequest);
StartContainersRequest allRequests = StartContainersRequest.NewInstance(list);
containerManager.StartContainers(allRequests);
IList <ContainerId> containerIds = new AList <ContainerId>();
containerIds.AddItem(cId);
GetContainerStatusesRequest request = GetContainerStatusesRequest.NewInstance(containerIds
);
ContainerStatus containerStatus = containerManager.GetContainerStatuses(request).
GetContainerStatuses()[0];
NUnit.Framework.Assert.AreEqual(ContainerState.Running, containerStatus.GetState(
));
}
public virtual void TestOperationsWhileInSafeMode()
{
Path file1 = new Path("/file1");
NUnit.Framework.Assert.IsFalse(dfs.SetSafeMode(HdfsConstants.SafeModeAction.SafemodeGet
));
DFSTestUtil.CreateFile(fs, file1, 1024, (short)1, 0);
NUnit.Framework.Assert.IsTrue("Could not enter SM", dfs.SetSafeMode(HdfsConstants.SafeModeAction
.SafemodeEnter));
RunFsFun("Set quota while in SM", new _FSRun_319(file1));
RunFsFun("Set perm while in SM", new _FSRun_325(file1));
RunFsFun("Set owner while in SM", new _FSRun_331(file1));
RunFsFun("Set repl while in SM", new _FSRun_337(file1));
RunFsFun("Append file while in SM", new _FSRun_343(file1));
RunFsFun("Truncate file while in SM", new _FSRun_349(file1));
RunFsFun("Delete file while in SM", new _FSRun_355(file1));
RunFsFun("Rename file while in SM", new _FSRun_361(file1));
RunFsFun("Set time while in SM", new _FSRun_367(file1));
RunFsFun("modifyAclEntries while in SM", new _FSRun_373(file1));
RunFsFun("removeAclEntries while in SM", new _FSRun_379(file1));
RunFsFun("removeDefaultAcl while in SM", new _FSRun_385(file1));
RunFsFun("removeAcl while in SM", new _FSRun_391(file1));
RunFsFun("setAcl while in SM", new _FSRun_397(file1));
RunFsFun("setXAttr while in SM", new _FSRun_403(file1));
RunFsFun("removeXAttr while in SM", new _FSRun_409(file1));
try
{
DFSTestUtil.ReadFile(fs, file1);
}
catch (IOException)
{
NUnit.Framework.Assert.Fail("Set times failed while in SM");
}
try
{
fs.GetAclStatus(file1);
}
catch (IOException)
{
NUnit.Framework.Assert.Fail("getAclStatus failed while in SM");
}
// Test access
UserGroupInformation ugiX = UserGroupInformation.CreateRemoteUser("userX");
FileSystem myfs = ugiX.DoAs(new _PrivilegedExceptionAction_429(this));
myfs.Access(file1, FsAction.Read);
try
{
myfs.Access(file1, FsAction.Write);
NUnit.Framework.Assert.Fail("The access call should have failed.");
}
catch (AccessControlException)
{
}
// expected
NUnit.Framework.Assert.IsFalse("Could not leave SM", dfs.SetSafeMode(HdfsConstants.SafeModeAction
.SafemodeLeave));
}
/// <exception cref="System.IO.IOException"/>
public virtual void TestSecureProxyAuthParamsInUrl()
{
Configuration conf = new Configuration();
// fake turning on security so api thinks it should use tokens
SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
, conf);
UserGroupInformation.SetConfiguration(conf);
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user");
ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos);
ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi);
UserGroupInformation.SetLoginUser(ugi);
WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf);
Path fsPath = new Path("/");
string tokenString = webhdfs.GetDelegationToken().EncodeToUrlString();
// send real+effective
Uri getTokenUrl = webhdfs.ToUrl(GetOpParam.OP.Getdelegationtoken, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getdelegationtoken.ToQueryString(),
new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi
.GetShortUserName()).ToString() }, getTokenUrl);
// send real+effective
Uri renewTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Renewdelegationtoken, fsPath, new
TokenArgumentParam(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Renewdelegationtoken.ToQueryString(
), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, renewTokenUrl);
// send token
Uri cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new
TokenArgumentParam(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, cancelTokenUrl);
// send token
Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
DelegationParam(tokenString).ToString() }, fileStatusUrl);
// wipe out internal token to simulate auth always required
webhdfs.SetDelegationToken(null);
// send real+effective
cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam
(tokenString));
CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
(), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
(ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
() }, cancelTokenUrl);
// send real+effective
fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName
()).ToString() }, fileStatusUrl);
}