public virtual void TestAddRemoveWildCard() { AccessControlList acl = new AccessControlList("drwho tardis"); Exception th = null; try { acl.AddUser(" * "); } catch (Exception t) { th = t; } NUnit.Framework.Assert.IsNotNull(th); Assert.True(th is ArgumentException); th = null; try { acl.AddGroup(" * "); } catch (Exception t) { th = t; } NUnit.Framework.Assert.IsNotNull(th); Assert.True(th is ArgumentException); th = null; try { acl.RemoveUser(" * "); } catch (Exception t) { th = t; } NUnit.Framework.Assert.IsNotNull(th); Assert.True(th is ArgumentException); th = null; try { acl.RemoveGroup(" * "); } catch (Exception t) { th = t; } NUnit.Framework.Assert.IsNotNull(th); Assert.True(th is ArgumentException); }
public virtual void TestAccessControlList() { AccessControlList acl; ICollection <string> users; ICollection <string> groups; acl = new AccessControlList("drwho tardis"); users = acl.GetUsers(); Assert.Equal(users.Count, 1); Assert.Equal(users.GetEnumerator().Next(), "drwho"); groups = acl.GetGroups(); Assert.Equal(groups.Count, 1); Assert.Equal(groups.GetEnumerator().Next(), "tardis"); acl = new AccessControlList("drwho"); users = acl.GetUsers(); Assert.Equal(users.Count, 1); Assert.Equal(users.GetEnumerator().Next(), "drwho"); groups = acl.GetGroups(); Assert.Equal(groups.Count, 0); acl = new AccessControlList("drwho "); users = acl.GetUsers(); Assert.Equal(users.Count, 1); Assert.Equal(users.GetEnumerator().Next(), "drwho"); groups = acl.GetGroups(); Assert.Equal(groups.Count, 0); acl = new AccessControlList(" tardis"); users = acl.GetUsers(); Assert.Equal(users.Count, 0); groups = acl.GetGroups(); Assert.Equal(groups.Count, 1); Assert.Equal(groups.GetEnumerator().Next(), "tardis"); IEnumerator <string> iter; acl = new AccessControlList("drwho,joe tardis, users"); users = acl.GetUsers(); Assert.Equal(users.Count, 2); iter = users.GetEnumerator(); Assert.Equal(iter.Next(), "drwho"); Assert.Equal(iter.Next(), "joe"); groups = acl.GetGroups(); Assert.Equal(groups.Count, 2); iter = groups.GetEnumerator(); Assert.Equal(iter.Next(), "tardis"); Assert.Equal(iter.Next(), "users"); }
public virtual void TestIsUserAllowed() { AccessControlList acl; UserGroupInformation drwho = UserGroupInformation.CreateUserForTesting("*****@*****.**" , new string[] { "aliens", "humanoids", "timelord" }); UserGroupInformation susan = UserGroupInformation.CreateUserForTesting("*****@*****.**" , new string[] { "aliens", "humanoids", "timelord" }); UserGroupInformation barbara = UserGroupInformation.CreateUserForTesting("*****@*****.**" , new string[] { "humans", "teachers" }); UserGroupInformation ian = UserGroupInformation.CreateUserForTesting("*****@*****.**" , new string[] { "humans", "teachers" }); acl = new AccessControlList("drwho humanoids"); AssertUserAllowed(drwho, acl); AssertUserAllowed(susan, acl); AssertUserNotAllowed(barbara, acl); AssertUserNotAllowed(ian, acl); acl = new AccessControlList("drwho"); AssertUserAllowed(drwho, acl); AssertUserNotAllowed(susan, acl); AssertUserNotAllowed(barbara, acl); AssertUserNotAllowed(ian, acl); acl = new AccessControlList("drwho "); AssertUserAllowed(drwho, acl); AssertUserNotAllowed(susan, acl); AssertUserNotAllowed(barbara, acl); AssertUserNotAllowed(ian, acl); acl = new AccessControlList(" humanoids"); AssertUserAllowed(drwho, acl); AssertUserAllowed(susan, acl); AssertUserNotAllowed(barbara, acl); AssertUserNotAllowed(ian, acl); acl = new AccessControlList("drwho,ian aliens,teachers"); AssertUserAllowed(drwho, acl); AssertUserAllowed(susan, acl); AssertUserAllowed(barbara, acl); AssertUserAllowed(ian, acl); acl = new AccessControlList(string.Empty); UserGroupInformation spyUser = Org.Mockito.Mockito.Spy(drwho); acl.IsUserAllowed(spyUser); Org.Mockito.Mockito.Verify(spyUser, Org.Mockito.Mockito.Never()).GetGroupNames(); }
public virtual void TestNetgroups() { if (!NativeCodeLoader.IsNativeCodeLoaded()) { Log.Info("Not testing netgroups, " + "this test only runs when native code is compiled" ); return; } string groupMappingClassName = Runtime.GetProperty("TestAccessControlListGroupMapping" ); if (groupMappingClassName == null) { Log.Info("Not testing netgroups, no group mapping class specified, " + "use -DTestAccessControlListGroupMapping=$className to specify " + "group mapping class (must implement GroupMappingServiceProvider " + "interface and support netgroups)" ); return; } Log.Info("Testing netgroups using: " + groupMappingClassName); Configuration conf = new Configuration(); conf.Set(CommonConfigurationKeysPublic.HadoopSecurityGroupMapping, groupMappingClassName ); Groups groups = Groups.GetUserToGroupsMappingService(conf); AccessControlList acl; // create these ACLs to populate groups cache acl = new AccessControlList("ja my"); // plain acl = new AccessControlList("sinatra ratpack,@lasVegas"); // netgroup acl = new AccessControlList(" somegroup,@someNetgroup"); // no user // this ACL will be used for testing ACLs acl = new AccessControlList("carlPerkins ratpack,@lasVegas"); acl.AddGroup("@memphis"); // validate the netgroups before and after rehresh to make // sure refresh works correctly ValidateNetgroups(groups, acl); groups.Refresh(); ValidateNetgroups(groups, acl); }
public virtual void RefreshWithLoadedConfiguration(Configuration conf, PolicyProvider provider) { IDictionary <Type, AccessControlList[]> newAcls = new IdentityHashMap <Type, AccessControlList []>(); IDictionary <Type, MachineList[]> newMachineLists = new IdentityHashMap <Type, MachineList []>(); string defaultAcl = conf.Get(CommonConfigurationKeys.HadoopSecurityServiceAuthorizationDefaultAcl , AccessControlList.WildcardAclValue); string defaultBlockedAcl = conf.Get(CommonConfigurationKeys.HadoopSecurityServiceAuthorizationDefaultBlockedAcl , string.Empty); string defaultServiceHostsKey = GetHostKey(CommonConfigurationKeys.HadoopSecurityServiceAuthorizationDefaultAcl ); string defaultMachineList = conf.Get(defaultServiceHostsKey, MachineList.WildcardValue ); string defaultBlockedMachineList = conf.Get(defaultServiceHostsKey + Blocked, string.Empty ); // Parse the config file Service[] services = provider.GetServices(); if (services != null) { foreach (Service service in services) { AccessControlList acl = new AccessControlList(conf.Get(service.GetServiceKey(), defaultAcl )); AccessControlList blockedAcl = new AccessControlList(conf.Get(service.GetServiceKey () + Blocked, defaultBlockedAcl)); newAcls[service.GetProtocol()] = new AccessControlList[] { acl, blockedAcl }; string serviceHostsKey = GetHostKey(service.GetServiceKey()); MachineList machineList = new MachineList(conf.Get(serviceHostsKey, defaultMachineList )); MachineList blockedMachineList = new MachineList(conf.Get(serviceHostsKey + Blocked , defaultBlockedMachineList)); newMachineLists[service.GetProtocol()] = new MachineList[] { machineList, blockedMachineList }; } } // Flip to the newly parsed permissions protocolToAcls = newAcls; protocolToMachineLists = newMachineLists; }
public virtual void TestAddRemoveToWildCardACL() { AccessControlList acl = new AccessControlList(" * "); Assert.True(acl.IsAllAllowed()); UserGroupInformation drwho = UserGroupInformation.CreateUserForTesting("*****@*****.**" , new string[] { "aliens" }); UserGroupInformation drwho2 = UserGroupInformation.CreateUserForTesting("*****@*****.**" , new string[] { "tardis" }); acl.AddUser("drwho"); Assert.True(acl.IsAllAllowed()); NUnit.Framework.Assert.IsFalse(acl.GetAclString().Contains("drwho")); acl.AddGroup("tardis"); Assert.True(acl.IsAllAllowed()); NUnit.Framework.Assert.IsFalse(acl.GetAclString().Contains("tardis")); acl.RemoveUser("drwho"); Assert.True(acl.IsAllAllowed()); AssertUserAllowed(drwho, acl); acl.RemoveGroup("tardis"); Assert.True(acl.IsAllAllowed()); AssertUserAllowed(drwho2, acl); }
/// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/> public virtual void Authorize(UserGroupInformation user, string remoteAddress) { UserGroupInformation realUser = user.GetRealUser(); if (realUser == null) { return; } AccessControlList acl = proxyUserAcl[configPrefix + realUser.GetShortUserName()]; if (acl == null || !acl.IsUserAllowed(user)) { throw new AuthorizationException("User: "******" is not allowed to impersonate " + user.GetUserName()); } MachineList MachineList = proxyHosts[GetProxySuperuserIpConfKey(realUser.GetShortUserName ())]; if (MachineList == null || !MachineList.Includes(remoteAddress)) { throw new AuthorizationException("Unauthorized connection for super-user: "******" from IP " + remoteAddress); } }
private void AssertUserNotAllowed(UserGroupInformation ugi, AccessControlList acl ) { NUnit.Framework.Assert.IsFalse("User " + ugi + " is incorrectly granted the access-control!!" , acl.IsUserAllowed(ugi)); }
private void AssertUserAllowed(UserGroupInformation ugi, AccessControlList acl) { Assert.True("User " + ugi + " is not granted the access-control!!" , acl.IsUserAllowed(ugi)); }
// Validates if getAclString() is working as expected. i.e. if we can build // a new ACL instance from the value returned by getAclString(). private void ValidateGetAclString(AccessControlList acl) { Assert.True(acl.ToString().Equals(new AccessControlList(acl.GetAclString ()).ToString())); }