Example #1
0
            /// <exception cref="System.IO.IOException"/>
            public virtual GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest
                                                                         request)
            {
                UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();

                // Verify that the connection is kerberos authenticated
                if (!this.IsAllowedDelegationTokenOp())
                {
                    throw new IOException("Delegation Token can be issued only with kerberos authentication"
                                          );
                }
                GetDelegationTokenResponse response = this.recordFactory.NewRecordInstance <GetDelegationTokenResponse
                                                                                            >();
                string user     = ugi.GetUserName();
                Text   owner    = new Text(user);
                Text   realUser = null;

                if (ugi.GetRealUser() != null)
                {
                    realUser = new Text(ugi.GetRealUser().GetUserName());
                }
                MRDelegationTokenIdentifier tokenIdentifier = new MRDelegationTokenIdentifier(owner
                                                                                              , new Text(request.GetRenewer()), realUser);

                Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> realJHSToken =
                    new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdentifier
                                                                                             , this._enclosing.jhsDTSecretManager);
                Org.Apache.Hadoop.Yarn.Api.Records.Token mrDToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
                                                                    .NewInstance(realJHSToken.GetIdentifier(), realJHSToken.GetKind().ToString(), realJHSToken
                                                                                 .GetPassword(), realJHSToken.GetService().ToString());
                response.SetDelegationToken(mrDToken);
                return(response);
            }
Example #2
0
        /// <exception cref="System.IO.IOException"/>
        public virtual void TestSecureProxyAuthParamsInUrl()
        {
            Configuration conf = new Configuration();

            // fake turning on security so api thinks it should use tokens
            SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
                                                 , conf);
            UserGroupInformation.SetConfiguration(conf);
            UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user");

            ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos);
            ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi);
            UserGroupInformation.SetLoginUser(ugi);
            WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf);
            Path   fsPath             = new Path("/");
            string tokenString        = webhdfs.GetDelegationToken().EncodeToUrlString();
            // send real+effective
            Uri getTokenUrl = webhdfs.ToUrl(GetOpParam.OP.Getdelegationtoken, fsPath);

            CheckQueryParams(new string[] { GetOpParam.OP.Getdelegationtoken.ToQueryString(),
                                            new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi
                                                                                                                          .GetShortUserName()).ToString() }, getTokenUrl);
            // send real+effective
            Uri renewTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Renewdelegationtoken, fsPath, new
                                              TokenArgumentParam(tokenString));

            CheckQueryParams(new string[] { PutOpParam.OP.Renewdelegationtoken.ToQueryString(
                                                ), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
                                                (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
                                                () }, renewTokenUrl);
            // send token
            Uri cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new
                                               TokenArgumentParam(tokenString));

            CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
                                                (), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
                                                (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
                                                () }, cancelTokenUrl);
            // send token
            Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);

            CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
                                            DelegationParam(tokenString).ToString() }, fileStatusUrl);
            // wipe out internal token to simulate auth always required
            webhdfs.SetDelegationToken(null);
            // send real+effective
            cancelTokenUrl = webhdfs.ToUrl(PutOpParam.OP.Canceldelegationtoken, fsPath, new TokenArgumentParam
                                               (tokenString));
            CheckQueryParams(new string[] { PutOpParam.OP.Canceldelegationtoken.ToQueryString
                                                (), new UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam
                                                (ugi.GetShortUserName()).ToString(), new TokenArgumentParam(tokenString).ToString
                                                () }, cancelTokenUrl);
            // send real+effective
            fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);
            CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
                                            UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName
                                                                                                                          ()).ToString() }, fileStatusUrl);
        }
Example #3
0
 private void CheckUgiFromToken(UserGroupInformation ugi)
 {
     if (ugi.GetRealUser() != null)
     {
         NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Proxy,
                                         ugi.GetAuthenticationMethod());
         NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Token,
                                         ugi.GetRealUser().GetAuthenticationMethod());
     }
     else
     {
         NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Token,
                                         ugi.GetAuthenticationMethod());
     }
 }
Example #4
0
        public virtual void TestRefreshSuperUserGroups()
        {
            UserGroupInformation ugi       = Org.Mockito.Mockito.Mock <UserGroupInformation>();
            UserGroupInformation superUser = Org.Mockito.Mockito.Mock <UserGroupInformation>();

            Org.Mockito.Mockito.When(ugi.GetRealUser()).ThenReturn(superUser);
            Org.Mockito.Mockito.When(superUser.GetShortUserName()).ThenReturn("superuser");
            Org.Mockito.Mockito.When(superUser.GetUserName()).ThenReturn("superuser");
            Org.Mockito.Mockito.When(ugi.GetGroupNames()).ThenReturn(new string[] { "group3" }
                                                                     );
            Org.Mockito.Mockito.When(ugi.GetUserName()).ThenReturn("regularUser");
            // Set super user groups not to include groups of regularUser
            conf.Set("hadoop.proxyuser.superuser.groups", "group1,group2");
            conf.Set("hadoop.proxyuser.superuser.hosts", "127.0.0.1");
            string[] args = new string[1];
            args[0] = "-refreshSuperUserGroupsConfiguration";
            hsAdminClient.Run(args);
            Exception th = null;

            try
            {
                ProxyUsers.Authorize(ugi, "127.0.0.1");
            }
            catch (Exception e)
            {
                th = e;
            }
            // Exception should be thrown
            NUnit.Framework.Assert.IsTrue(th is AuthorizationException);
            // Now add regularUser group to superuser group but not execute
            // refreshSuperUserGroupMapping
            conf.Set("hadoop.proxyuser.superuser.groups", "group1,group2,group3");
            // Again,lets run ProxyUsers.authorize and see if regularUser can be
            // impersonated
            // resetting th
            th = null;
            try
            {
                ProxyUsers.Authorize(ugi, "127.0.0.1");
            }
            catch (Exception e)
            {
                th = e;
            }
            // Exception should be thrown again since we didn't refresh the configs
            NUnit.Framework.Assert.IsTrue(th is AuthorizationException);
            // Lets refresh the config by running refreshSuperUserGroupsConfiguration
            hsAdminClient.Run(args);
            th = null;
            try
            {
                ProxyUsers.Authorize(ugi, "127.0.0.1");
            }
            catch (Exception e)
            {
                th = e;
            }
            // No exception thrown since regularUser can be impersonated.
            NUnit.Framework.Assert.IsNull("Unexpected exception thrown: " + th, th);
        }
Example #5
0
        public virtual void TestProxyUserFromEnvironment()
        {
            string proxyUser = "******";

            Runtime.SetProperty(UserGroupInformation.HadoopProxyUser, proxyUser);
            UserGroupInformation ugi = UserGroupInformation.GetLoginUser();

            Assert.Equal(proxyUser, ugi.GetUserName());
            UserGroupInformation realUgi = ugi.GetRealUser();

            NUnit.Framework.Assert.IsNotNull(realUgi);
            // get the expected real user name
            SystemProcess  pp = Runtime.GetRuntime().Exec("whoami");
            BufferedReader br = new BufferedReader(new InputStreamReader(pp.GetInputStream())
                                                   );
            string realUser = br.ReadLine().Trim();
            // On Windows domain joined machine, whoami returns the username
            // in the DOMAIN\\username format, so we trim the domain part before
            // the comparison. We don't have to special case for Windows
            // given that Unix systems do not allow slashes in usernames.
            int backslashIndex = realUser.IndexOf('\\');

            if (backslashIndex != -1)
            {
                realUser = Runtime.Substring(realUser, backslashIndex + 1);
            }
            Assert.Equal(realUser, realUgi.GetUserName());
        }
Example #6
0
 /// <summary>
 /// This method creates the connection context  using exactly the same logic
 /// as the old connection context as was done for writable where
 /// the effective and real users are set based on the auth method.
 /// </summary>
 public static IpcConnectionContextProtos.IpcConnectionContextProto MakeIpcConnectionContext
     (string protocol, UserGroupInformation ugi, SaslRpcServer.AuthMethod authMethod)
 {
     IpcConnectionContextProtos.IpcConnectionContextProto.Builder result = IpcConnectionContextProtos.IpcConnectionContextProto
                                                                           .NewBuilder();
     if (protocol != null)
     {
         result.SetProtocol(protocol);
     }
     IpcConnectionContextProtos.UserInformationProto.Builder ugiProto = IpcConnectionContextProtos.UserInformationProto
                                                                        .NewBuilder();
     if (ugi != null)
     {
         /*
          * In the connection context we send only additional user info that
          * is not derived from the authentication done during connection setup.
          */
         if (authMethod == SaslRpcServer.AuthMethod.Kerberos)
         {
             // Real user was established as part of the connection.
             // Send effective user only.
             ugiProto.SetEffectiveUser(ugi.GetUserName());
         }
         else
         {
             if (authMethod == SaslRpcServer.AuthMethod.Token)
             {
             }
             else
             {
                 // With token, the connection itself establishes
                 // both real and effective user. Hence send none in header.
                 // Simple authentication
                 // No user info is established as part of the connection.
                 // Send both effective user and real user
                 ugiProto.SetEffectiveUser(ugi.GetUserName());
                 if (ugi.GetRealUser() != null)
                 {
                     ugiProto.SetRealUser(ugi.GetRealUser().GetUserName());
                 }
             }
         }
     }
     result.SetUserInfo(ugiProto);
     return((IpcConnectionContextProtos.IpcConnectionContextProto)result.Build());
 }
        public virtual void TestGetUserWithOwnerAndReal()
        {
            Text owner    = new Text("owner");
            Text realUser = new Text("realUser");

            TestDelegationToken.TestDelegationTokenIdentifier ident = new TestDelegationToken.TestDelegationTokenIdentifier
                                                                          (owner, null, realUser);
            UserGroupInformation ugi = ident.GetUser();

            NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
            NUnit.Framework.Assert.IsNull(ugi.GetRealUser().GetRealUser());
            Assert.Equal("owner", ugi.GetUserName());
            Assert.Equal("realUser", ugi.GetRealUser().GetUserName());
            Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy,
                         ugi.GetAuthenticationMethod());
            Assert.Equal(UserGroupInformation.AuthenticationMethod.Token,
                         ugi.GetRealUser().GetAuthenticationMethod());
        }
Example #8
0
                                                               > CreateToken(UserGroupInformation ugi, string renewer)
        {
            renewer = (renewer == null) ? ugi.GetShortUserName() : renewer;
            string user     = ugi.GetUserName();
            Text   owner    = new Text(user);
            Text   realUser = null;

            if (ugi.GetRealUser() != null)
            {
                realUser = new Text(ugi.GetRealUser().GetUserName());
            }
            AbstractDelegationTokenIdentifier tokenIdentifier = (AbstractDelegationTokenIdentifier
                                                                 )secretManager.CreateIdentifier();

            tokenIdentifier.SetOwner(owner);
            tokenIdentifier.SetRenewer(new Text(renewer));
            tokenIdentifier.SetRealUser(realUser);
            return(new Org.Apache.Hadoop.Security.Token.Token(tokenIdentifier, secretManager));
        }
Example #9
0
            /// <summary>
            /// Authorize a user (superuser) to impersonate another user (user1) if the
            /// superuser belongs to the group "sudo_user1" .
            /// </summary>
            /// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/>
            public virtual void Authorize(UserGroupInformation user, string remoteAddress)
            {
                UserGroupInformation superUser = user.GetRealUser();
                string sudoGroupName           = "sudo_" + user.GetShortUserName();

                if (!Arrays.AsList(superUser.GetGroupNames()).Contains(sudoGroupName))
                {
                    throw new AuthorizationException("User: "******" is not allowed to impersonate "
                                                     + user.GetUserName());
                }
            }
Example #10
0
 /// <summary>Log details about the current Hadoop user at INFO.</summary>
 /// <remarks>
 /// Log details about the current Hadoop user at INFO.
 /// Robust against IOEs when trying to get the current user
 /// </remarks>
 public virtual void LogCurrentHadoopUser()
 {
     try
     {
         UserGroupInformation currentUser = UserGroupInformation.GetCurrentUser();
         Log.Info("Current user = {}", currentUser);
         UserGroupInformation realUser = currentUser.GetRealUser();
         Log.Info("Real User = {}", realUser);
     }
     catch (IOException e)
     {
         Log.Warn("Failed to get current user {}, {}", e);
     }
 }
Example #11
0
        /// <exception cref="System.Exception"/>
        protected override void ServiceInit(Configuration conf)
        {
            UserGroupInformation ugi     = UserGroupInformation.GetCurrentUser();
            UserGroupInformation realUgi = ugi.GetRealUser();

            if (realUgi != null)
            {
                authUgi  = realUgi;
                doAsUser = ugi.GetShortUserName();
            }
            else
            {
                authUgi  = ugi;
                doAsUser = null;
            }
            ClientConfig cc = new DefaultClientConfig();

            cc.GetClasses().AddItem(typeof(YarnJacksonJaxbJsonProvider));
            connConfigurator = NewConnConfigurator(conf);
            if (UserGroupInformation.IsSecurityEnabled())
            {
                authenticator = new KerberosDelegationTokenAuthenticator();
            }
            else
            {
                authenticator = new PseudoDelegationTokenAuthenticator();
            }
            authenticator.SetConnectionConfigurator(connConfigurator);
            token           = new DelegationTokenAuthenticatedURL.Token();
            connectionRetry = new TimelineClientImpl.TimelineClientConnectionRetry(conf);
            client          = new Com.Sun.Jersey.Api.Client.Client(new URLConnectionClientHandler(new
                                                                                                  TimelineClientImpl.TimelineURLConnectionFactory(this)), cc);
            TimelineClientImpl.TimelineJerseyRetryFilter retryFilter = new TimelineClientImpl.TimelineJerseyRetryFilter
                                                                           (this);
            client.AddFilter(retryFilter);
            if (YarnConfiguration.UseHttps(conf))
            {
                resURI = URI.Create(Joiner.Join("https://", conf.Get(YarnConfiguration.TimelineServiceWebappHttpsAddress
                                                                     , YarnConfiguration.DefaultTimelineServiceWebappHttpsAddress), ResourceUriStr));
            }
            else
            {
                resURI = URI.Create(Joiner.Join("http://", conf.Get(YarnConfiguration.TimelineServiceWebappAddress
                                                                    , YarnConfiguration.DefaultTimelineServiceWebappAddress), ResourceUriStr));
            }
            Log.Info("Timeline service address: " + resURI);
            base.ServiceInit(conf);
        }
Example #12
0
        /// <exception cref="System.IO.IOException"/>
        public virtual void TestSimpleProxyAuthParamsInUrl()
        {
            Configuration        conf = new Configuration();
            UserGroupInformation ugi  = UserGroupInformation.CreateRemoteUser("test-user");

            ugi = UserGroupInformation.CreateProxyUser("test-proxy-user", ugi);
            UserGroupInformation.SetLoginUser(ugi);
            WebHdfsFileSystem webhdfs = GetWebHdfsFileSystem(ugi, conf);
            Path fsPath = new Path("/");
            // send real+effective
            Uri fileStatusUrl = webhdfs.ToUrl(GetOpParam.OP.Getfilestatus, fsPath);

            CheckQueryParams(new string[] { GetOpParam.OP.Getfilestatus.ToQueryString(), new
                                            UserParam(ugi.GetRealUser().GetShortUserName()).ToString(), new DoAsParam(ugi.GetShortUserName
                                                                                                                          ()).ToString() }, fileStatusUrl);
        }
Example #13
0
        public virtual void TestGetUserGroupInformation()
        {
            string userName    = "******";
            string currentUser = "******";
            UserGroupInformation currentUserUgi = UserGroupInformation.CreateUserForTesting(currentUser
                                                                                            , new string[0]);
            NfsConfiguration conf = new NfsConfiguration();

            conf.Set(FileSystem.FsDefaultNameKey, "hdfs://localhost");
            DFSClientCache       cache     = new DFSClientCache(conf);
            UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi
                                                                           );

            Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName));
            Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi));
            Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod
                                                                         .Proxy));
        }
Example #14
0
        public virtual void TestGetUserGroupInformationSecure()
        {
            string               userName       = "******";
            string               currentUser    = "******";
            NfsConfiguration     conf           = new NfsConfiguration();
            UserGroupInformation currentUserUgi = UserGroupInformation.CreateRemoteUser(currentUser
                                                                                        );

            currentUserUgi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.
                                                   Kerberos);
            UserGroupInformation.SetLoginUser(currentUserUgi);
            DFSClientCache       cache     = new DFSClientCache(conf);
            UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi
                                                                           );

            Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName));
            Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi));
            Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod
                                                                         .Proxy));
        }
Example #15
0
            /// <exception cref="Javax.Servlet.ServletException"/>
            /// <exception cref="System.IO.IOException"/>
            protected override void DoGet(HttpServletRequest req, HttpServletResponse resp)
            {
                UserGroupInformation ugi = HttpUserGroupInformation.Get();

                if (ugi != null)
                {
                    string ret = "remoteuser="******":ugi=" + ugi.GetShortUserName
                                     ();
                    if (ugi.GetAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.Proxy)
                    {
                        ret = "realugi=" + ugi.GetRealUser().GetShortUserName() + ":" + ret;
                    }
                    resp.SetStatus(HttpServletResponse.ScOk);
                    resp.GetWriter().Write(ret);
                }
                else
                {
                    resp.SetStatus(HttpServletResponse.ScInternalServerError);
                }
            }
        /// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/>
        public virtual void Authorize(UserGroupInformation user, string remoteAddress)
        {
            UserGroupInformation realUser = user.GetRealUser();

            if (realUser == null)
            {
                return;
            }
            AccessControlList acl = proxyUserAcl[configPrefix + realUser.GetShortUserName()];

            if (acl == null || !acl.IsUserAllowed(user))
            {
                throw new AuthorizationException("User: "******" is not allowed to impersonate "
                                                 + user.GetUserName());
            }
            MachineList MachineList = proxyHosts[GetProxySuperuserIpConfKey(realUser.GetShortUserName
                                                                                ())];

            if (MachineList == null || !MachineList.Includes(remoteAddress))
            {
                throw new AuthorizationException("Unauthorized connection for super-user: "******" from IP " + remoteAddress);
            }
        }
Example #17
0
        public virtual void TestRefreshSuperUserGroupsConfiguration()
        {
            string SuperUser = "******";

            string[] GroupNames1 = new string[] { "gr1", "gr2" };
            string[] GroupNames2 = new string[] { "gr3", "gr4" };
            //keys in conf
            string userKeyGroups = DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
                                       (SuperUser);
            string userKeyHosts = DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
                                      (SuperUser);

            config.Set(userKeyGroups, "gr3,gr4,gr5");
            // superuser can proxy for this group
            config.Set(userKeyHosts, "127.0.0.1");
            ProxyUsers.RefreshSuperUserGroupsConfiguration(config);
            UserGroupInformation ugi1  = Org.Mockito.Mockito.Mock <UserGroupInformation>();
            UserGroupInformation ugi2  = Org.Mockito.Mockito.Mock <UserGroupInformation>();
            UserGroupInformation suUgi = Org.Mockito.Mockito.Mock <UserGroupInformation>();

            Org.Mockito.Mockito.When(ugi1.GetRealUser()).ThenReturn(suUgi);
            Org.Mockito.Mockito.When(ugi2.GetRealUser()).ThenReturn(suUgi);
            Org.Mockito.Mockito.When(suUgi.GetShortUserName()).ThenReturn(SuperUser);
            // super user
            Org.Mockito.Mockito.When(suUgi.GetUserName()).ThenReturn(SuperUser + "L");
            // super user
            Org.Mockito.Mockito.When(ugi1.GetShortUserName()).ThenReturn("user1");
            Org.Mockito.Mockito.When(ugi2.GetShortUserName()).ThenReturn("user2");
            Org.Mockito.Mockito.When(ugi1.GetUserName()).ThenReturn("userL1");
            Org.Mockito.Mockito.When(ugi2.GetUserName()).ThenReturn("userL2");
            // set groups for users
            Org.Mockito.Mockito.When(ugi1.GetGroupNames()).ThenReturn(GroupNames1);
            Org.Mockito.Mockito.When(ugi2.GetGroupNames()).ThenReturn(GroupNames2);
            // check before
            try
            {
                ProxyUsers.Authorize(ugi1, "127.0.0.1");
                NUnit.Framework.Assert.Fail("first auth for " + ugi1.GetShortUserName() + " should've failed "
                                            );
            }
            catch (AuthorizationException)
            {
                // expected
                System.Console.Error.WriteLine("auth for " + ugi1.GetUserName() + " failed");
            }
            try
            {
                ProxyUsers.Authorize(ugi2, "127.0.0.1");
                System.Console.Error.WriteLine("auth for " + ugi2.GetUserName() + " succeeded");
            }
            catch (AuthorizationException e)
            {
                // expected
                NUnit.Framework.Assert.Fail("first auth for " + ugi2.GetShortUserName() + " should've succeeded: "
                                            + e.GetLocalizedMessage());
            }
            // refresh will look at configuration on the server side
            // add additional resource with the new value
            // so the server side will pick it up
            string rsrc = "testGroupMappingRefresh_rsrc.xml";

            AddNewConfigResource(rsrc, userKeyGroups, "gr2", userKeyHosts, "127.0.0.1");
            DFSAdmin admin = new DFSAdmin(config);

            string[] args = new string[] { "-refreshSuperUserGroupsConfiguration" };
            admin.Run(args);
            try
            {
                ProxyUsers.Authorize(ugi2, "127.0.0.1");
                NUnit.Framework.Assert.Fail("second auth for " + ugi2.GetShortUserName() + " should've failed "
                                            );
            }
            catch (AuthorizationException)
            {
                // expected
                System.Console.Error.WriteLine("auth for " + ugi2.GetUserName() + " failed");
            }
            try
            {
                ProxyUsers.Authorize(ugi1, "127.0.0.1");
                System.Console.Error.WriteLine("auth for " + ugi1.GetUserName() + " succeeded");
            }
            catch (AuthorizationException e)
            {
                // expected
                NUnit.Framework.Assert.Fail("second auth for " + ugi1.GetShortUserName() + " should've succeeded: "
                                            + e.GetLocalizedMessage());
            }
        }