/// <exception cref="System.Exception"/>
private static void UploadEmptyContainerLogIntoRemoteDir(UserGroupInformation ugi
, Configuration configuration, IList <string> rootLogDirs, NodeId nodeId, ContainerId
containerId, Path appDir, FileSystem fs)
{
Path path = new Path(appDir, LogAggregationUtils.GetNodeString(nodeId) + Runtime.
CurrentTimeMillis());
AggregatedLogFormat.LogWriter writer = new AggregatedLogFormat.LogWriter(configuration
, path, ugi);
writer.WriteApplicationOwner(ugi.GetUserName());
IDictionary <ApplicationAccessType, string> appAcls = new Dictionary <ApplicationAccessType
, string>();
appAcls[ApplicationAccessType.ViewApp] = ugi.GetUserName();
writer.WriteApplicationACLs(appAcls);
DataOutputStream @out = writer.GetWriter().PrepareAppendKey(-1);
new AggregatedLogFormat.LogKey(containerId).Write(@out);
@out.Close();
@out = writer.GetWriter().PrepareAppendValue(-1);
new AggregatedLogFormat.LogValue(rootLogDirs, containerId, UserGroupInformation.GetCurrentUser
().GetShortUserName()).Write(@out, new HashSet <FilePath>());
@out.Close();
writer.Close();
}
/// <exception cref="System.Exception"/>
private void WriteLog(Configuration configuration, string user)
{
ApplicationId appId = ApplicationIdPBImpl.NewInstance(0, 1);
ApplicationAttemptId appAttemptId = ApplicationAttemptIdPBImpl.NewInstance(appId,
1);
ContainerId containerId = ContainerIdPBImpl.NewContainerId(appAttemptId, 1);
string path = "target/logs/" + user + "/logs/application_0_0001/localhost_1234";
FilePath f = new FilePath(path);
if (!f.GetParentFile().Exists())
{
NUnit.Framework.Assert.IsTrue(f.GetParentFile().Mkdirs());
}
IList <string> rootLogDirs = Arrays.AsList("target/logs/logs");
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
AggregatedLogFormat.LogWriter writer = new AggregatedLogFormat.LogWriter(configuration
, new Path(path), ugi);
writer.WriteApplicationOwner(ugi.GetUserName());
IDictionary <ApplicationAccessType, string> appAcls = new Dictionary <ApplicationAccessType
, string>();
appAcls[ApplicationAccessType.ViewApp] = ugi.GetUserName();
writer.WriteApplicationACLs(appAcls);
writer.Append(new AggregatedLogFormat.LogKey("container_0_0001_01_000001"), new AggregatedLogFormat.LogValue
(rootLogDirs, containerId, UserGroupInformation.GetCurrentUser().GetShortUserName
()));
writer.Close();
}
/// <exception cref="System.IO.IOException"/>
public override FileStatus GetFileStatus(Path f)
{
CheckPathIsSlash(f);
return(new FileStatus(0, true, 0, 0, creationTime, creationTime, Constants.Permission555
, ugi.GetUserName(), ugi.GetGroupNames()[0], new Path(theInternalDir.fullPath).MakeQualified
(myUri, RootPath)));
}
public virtual void TestExistingUser()
{
string actualOutput = RunTool(conf, new string[] { testUser1.GetUserName() }, true
);
Assert.Equal("Show only the output of the user given", GetExpectedOutput
(testUser1), actualOutput);
}
//@Test (timeout = 60000)
/// <exception cref="System.IO.IOException"/>
/// <exception cref="System.Exception"/>
/// <exception cref="System.TypeLoadException"/>
public virtual void TestSleepJobWithSecurityOn()
{
Log.Info("\n\n\nStarting testSleepJobWithSecurityOn().");
if (!(new FilePath(MiniMRYarnCluster.Appjar)).Exists())
{
return;
}
mrCluster.GetConfig().Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication
, "kerberos");
mrCluster.GetConfig().Set(YarnConfiguration.RmKeytab, "/etc/krb5.keytab");
mrCluster.GetConfig().Set(YarnConfiguration.NmKeytab, "/etc/krb5.keytab");
mrCluster.GetConfig().Set(YarnConfiguration.RmPrincipal, "rm/sightbusy-lx@LOCALHOST"
);
mrCluster.GetConfig().Set(YarnConfiguration.NmPrincipal, "nm/sightbusy-lx@LOCALHOST"
);
UserGroupInformation.SetConfiguration(mrCluster.GetConfig());
// Keep it in here instead of after RM/NM as multiple user logins happen in
// the same JVM.
UserGroupInformation user = UserGroupInformation.GetCurrentUser();
Log.Info("User name is " + user.GetUserName());
foreach (Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> str in user.GetTokens
())
{
Log.Info("Token is " + str.EncodeToUrlString());
}
user.DoAs(new _PrivilegedExceptionAction_552());
}
public virtual void TestProxyUserFromEnvironment()
{
string proxyUser = "******";
Runtime.SetProperty(UserGroupInformation.HadoopProxyUser, proxyUser);
UserGroupInformation ugi = UserGroupInformation.GetLoginUser();
Assert.Equal(proxyUser, ugi.GetUserName());
UserGroupInformation realUgi = ugi.GetRealUser();
NUnit.Framework.Assert.IsNotNull(realUgi);
// get the expected real user name
SystemProcess pp = Runtime.GetRuntime().Exec("whoami");
BufferedReader br = new BufferedReader(new InputStreamReader(pp.GetInputStream())
);
string realUser = br.ReadLine().Trim();
// On Windows domain joined machine, whoami returns the username
// in the DOMAIN\\username format, so we trim the domain part before
// the comparison. We don't have to special case for Windows
// given that Unix systems do not allow slashes in usernames.
int backslashIndex = realUser.IndexOf('\\');
if (backslashIndex != -1)
{
realUser = Runtime.Substring(realUser, backslashIndex + 1);
}
Assert.Equal(realUser, realUgi.GetUserName());
}
public virtual void TestJobTokenRpc()
{
TaskUmbilicalProtocol mockTT = Org.Mockito.Mockito.Mock <TaskUmbilicalProtocol>();
Org.Mockito.Mockito.DoReturn(TaskUmbilicalProtocol.versionID).When(mockTT).GetProtocolVersion
(Matchers.AnyString(), Matchers.AnyLong());
Org.Mockito.Mockito.DoReturn(ProtocolSignature.GetProtocolSignature(mockTT, typeof(
TaskUmbilicalProtocol).FullName, TaskUmbilicalProtocol.versionID, 0)).When(mockTT
).GetProtocolSignature(Matchers.AnyString(), Matchers.AnyLong(), Matchers.AnyInt
());
JobTokenSecretManager sm = new JobTokenSecretManager();
Server server = new RPC.Builder(conf).SetProtocol(typeof(TaskUmbilicalProtocol)).
SetInstance(mockTT).SetBindAddress(Address).SetPort(0).SetNumHandlers(5).SetVerbose
(true).SetSecretManager(sm).Build();
server.Start();
UserGroupInformation current = UserGroupInformation.GetCurrentUser();
IPEndPoint addr = NetUtils.GetConnectAddress(server);
string jobId = current.GetUserName();
JobTokenIdentifier tokenId = new JobTokenIdentifier(new Text(jobId));
Org.Apache.Hadoop.Security.Token.Token <JobTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<JobTokenIdentifier>(tokenId, sm);
sm.AddTokenForJob(jobId, token);
SecurityUtil.SetTokenService(token, addr);
Log.Info("Service address for token is " + token.GetService());
current.AddToken(token);
current.DoAs(new _PrivilegedExceptionAction_110(addr, server));
}
public virtual void TestRefreshSuperUserGroups()
{
UserGroupInformation ugi = Org.Mockito.Mockito.Mock <UserGroupInformation>();
UserGroupInformation superUser = Org.Mockito.Mockito.Mock <UserGroupInformation>();
Org.Mockito.Mockito.When(ugi.GetRealUser()).ThenReturn(superUser);
Org.Mockito.Mockito.When(superUser.GetShortUserName()).ThenReturn("superuser");
Org.Mockito.Mockito.When(superUser.GetUserName()).ThenReturn("superuser");
Org.Mockito.Mockito.When(ugi.GetGroupNames()).ThenReturn(new string[] { "group3" }
);
Org.Mockito.Mockito.When(ugi.GetUserName()).ThenReturn("regularUser");
// Set super user groups not to include groups of regularUser
conf.Set("hadoop.proxyuser.superuser.groups", "group1,group2");
conf.Set("hadoop.proxyuser.superuser.hosts", "127.0.0.1");
string[] args = new string[1];
args[0] = "-refreshSuperUserGroupsConfiguration";
hsAdminClient.Run(args);
Exception th = null;
try
{
ProxyUsers.Authorize(ugi, "127.0.0.1");
}
catch (Exception e)
{
th = e;
}
// Exception should be thrown
NUnit.Framework.Assert.IsTrue(th is AuthorizationException);
// Now add regularUser group to superuser group but not execute
// refreshSuperUserGroupMapping
conf.Set("hadoop.proxyuser.superuser.groups", "group1,group2,group3");
// Again,lets run ProxyUsers.authorize and see if regularUser can be
// impersonated
// resetting th
th = null;
try
{
ProxyUsers.Authorize(ugi, "127.0.0.1");
}
catch (Exception e)
{
th = e;
}
// Exception should be thrown again since we didn't refresh the configs
NUnit.Framework.Assert.IsTrue(th is AuthorizationException);
// Lets refresh the config by running refreshSuperUserGroupsConfiguration
hsAdminClient.Run(args);
th = null;
try
{
ProxyUsers.Authorize(ugi, "127.0.0.1");
}
catch (Exception e)
{
th = e;
}
// No exception thrown since regularUser can be impersonated.
NUnit.Framework.Assert.IsNull("Unexpected exception thrown: " + th, th);
}
/// <exception cref="System.IO.IOException"/>
public virtual GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest
request)
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
// Verify that the connection is kerberos authenticated
if (!this.IsAllowedDelegationTokenOp())
{
throw new IOException("Delegation Token can be issued only with kerberos authentication"
);
}
GetDelegationTokenResponse response = this.recordFactory.NewRecordInstance <GetDelegationTokenResponse
>();
string user = ugi.GetUserName();
Text owner = new Text(user);
Text realUser = null;
if (ugi.GetRealUser() != null)
{
realUser = new Text(ugi.GetRealUser().GetUserName());
}
MRDelegationTokenIdentifier tokenIdentifier = new MRDelegationTokenIdentifier(owner
, new Text(request.GetRenewer()), realUser);
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> realJHSToken =
new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdentifier
, this._enclosing.jhsDTSecretManager);
Org.Apache.Hadoop.Yarn.Api.Records.Token mrDToken = Org.Apache.Hadoop.Yarn.Api.Records.Token
.NewInstance(realJHSToken.GetIdentifier(), realJHSToken.GetKind().ToString(), realJHSToken
.GetPassword(), realJHSToken.GetService().ToString());
response.SetDelegationToken(mrDToken);
return(response);
}
public virtual void TestDelegationTokenRpc()
{
ClientProtocol mockNN = Org.Mockito.Mockito.Mock <ClientProtocol>();
FSNamesystem mockNameSys = Org.Mockito.Mockito.Mock <FSNamesystem>();
DelegationTokenSecretManager sm = new DelegationTokenSecretManager(DFSConfigKeys.
DfsNamenodeDelegationKeyUpdateIntervalDefault, DFSConfigKeys.DfsNamenodeDelegationKeyUpdateIntervalDefault
, DFSConfigKeys.DfsNamenodeDelegationTokenMaxLifetimeDefault, 3600000, mockNameSys
);
sm.StartThreads();
Org.Apache.Hadoop.Ipc.Server server = new RPC.Builder(conf).SetProtocol(typeof(ClientProtocol
)).SetInstance(mockNN).SetBindAddress(Address).SetPort(0).SetNumHandlers(5).SetVerbose
(true).SetSecretManager(sm).Build();
server.Start();
UserGroupInformation current = UserGroupInformation.GetCurrentUser();
IPEndPoint addr = NetUtils.GetConnectAddress(server);
string user = current.GetUserName();
Text owner = new Text(user);
DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, owner, null
);
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>(dtId, sm);
SecurityUtil.SetTokenService(token, addr);
Log.Info("Service for token is " + token.GetService());
current.AddToken(token);
current.DoAs(new _PrivilegedExceptionAction_100(addr, server));
}
/// <summary>
/// Authenticates a request looking for the <code>delegation</code>
/// query-string parameter and verifying it is a valid token.
/// </summary>
/// <remarks>
/// Authenticates a request looking for the <code>delegation</code>
/// query-string parameter and verifying it is a valid token. If there is not
/// <code>delegation</code> query-string parameter, it delegates the
/// authentication to the
/// <see cref="Org.Apache.Hadoop.Security.Authentication.Server.KerberosAuthenticationHandler
/// "/>
/// unless it is
/// disabled.
/// </remarks>
/// <param name="request">the HTTP client request.</param>
/// <param name="response">the HTTP client response.</param>
/// <returns>the authentication token for the authenticated request.</returns>
/// <exception cref="System.IO.IOException">thrown if an IO error occurred.</exception>
/// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException
/// ">thrown if the authentication failed.</exception>
public override AuthenticationToken Authenticate(HttpServletRequest request, HttpServletResponse
response)
{
AuthenticationToken token;
string delegationParam = GetDelegationToken(request);
if (delegationParam != null)
{
try
{
Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new
Org.Apache.Hadoop.Security.Token.Token();
dt.DecodeFromUrlString(delegationParam);
UserGroupInformation ugi = tokenManager.VerifyToken(dt);
string shortName = ugi.GetShortUserName();
// creating a ephemeral token
token = new AuthenticationToken(shortName, ugi.GetUserName(), GetType());
token.SetExpires(0);
request.SetAttribute(DelegationTokenUgiAttribute, ugi);
}
catch (Exception ex)
{
token = null;
HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden
, new AuthenticationException(ex));
}
}
else
{
token = authHandler.Authenticate(request, response);
}
return(token);
}
/// <summary>
/// This method creates the connection context using exactly the same logic
/// as the old connection context as was done for writable where
/// the effective and real users are set based on the auth method.
/// </summary>
public static IpcConnectionContextProtos.IpcConnectionContextProto MakeIpcConnectionContext
(string protocol, UserGroupInformation ugi, SaslRpcServer.AuthMethod authMethod)
{
IpcConnectionContextProtos.IpcConnectionContextProto.Builder result = IpcConnectionContextProtos.IpcConnectionContextProto
.NewBuilder();
if (protocol != null)
{
result.SetProtocol(protocol);
}
IpcConnectionContextProtos.UserInformationProto.Builder ugiProto = IpcConnectionContextProtos.UserInformationProto
.NewBuilder();
if (ugi != null)
{
/*
* In the connection context we send only additional user info that
* is not derived from the authentication done during connection setup.
*/
if (authMethod == SaslRpcServer.AuthMethod.Kerberos)
{
// Real user was established as part of the connection.
// Send effective user only.
ugiProto.SetEffectiveUser(ugi.GetUserName());
}
else
{
if (authMethod == SaslRpcServer.AuthMethod.Token)
{
}
else
{
// With token, the connection itself establishes
// both real and effective user. Hence send none in header.
// Simple authentication
// No user info is established as part of the connection.
// Send both effective user and real user
ugiProto.SetEffectiveUser(ugi.GetUserName());
if (ugi.GetRealUser() != null)
{
ugiProto.SetRealUser(ugi.GetRealUser().GetUserName());
}
}
}
}
result.SetUserInfo(ugiProto);
return((IpcConnectionContextProtos.IpcConnectionContextProto)result.Build());
}
/// <exception cref="System.Exception"/>
public virtual void TestGettingGroups()
{
UserGroupInformation uugi = UserGroupInformation.CreateUserForTesting(UserName, GroupNames
);
Assert.Equal(UserName, uugi.GetUserName());
Assert.AssertArrayEquals(new string[] { Group1Name, Group2Name, Group3Name }, uugi
.GetGroupNames());
}
private void TestConstructorSuccess(string principal, string shortName)
{
UserGroupInformation ugi = UserGroupInformation.CreateUserForTesting(principal, GroupNames
);
// make sure the short and full user names are correct
Assert.Equal(principal, ugi.GetUserName());
Assert.Equal(shortName, ugi.GetShortUserName());
}
private Schedulable MockCall(string id)
{
Schedulable mockCall = Org.Mockito.Mockito.Mock <Schedulable>();
UserGroupInformation ugi = Org.Mockito.Mockito.Mock <UserGroupInformation>();
Org.Mockito.Mockito.When(ugi.GetUserName()).ThenReturn(id);
Org.Mockito.Mockito.When(mockCall.GetUserGroupInformation()).ThenReturn(ugi);
return(mockCall);
}
private static string GetExpectedOutput(UserGroupInformation user)
{
string expectedOutput = user.GetUserName() + " :";
foreach (string group in user.GetGroupNames())
{
expectedOutput += " " + group;
}
return(expectedOutput + Runtime.GetProperty("line.separator"));
}
public virtual string MakeIdentity(Schedulable obj)
{
UserGroupInformation ugi = obj.GetUserGroupInformation();
if (ugi == null)
{
return(null);
}
return(ugi.GetUserName());
}
public virtual SaslServer Create(Server.Connection connection, IDictionary <string
, object> saslProperties, SecretManager <TokenIdentifier> secretManager)
{
UserGroupInformation ugi = null;
CallbackHandler callback;
switch (authMethod)
{
case SaslRpcServer.AuthMethod.Token:
{
callback = new SaslRpcServer.SaslDigestCallbackHandler(secretManager, connection);
break;
}
case SaslRpcServer.AuthMethod.Kerberos:
{
ugi = UserGroupInformation.GetCurrentUser();
if (serverId.IsEmpty())
{
throw new AccessControlException("Kerberos principal name does NOT have the expected "
+ "hostname part: " + ugi.GetUserName());
}
callback = new SaslRpcServer.SaslGssCallbackHandler();
break;
}
default:
{
// we should never be able to get here
throw new AccessControlException("Server does not support SASL " + authMethod);
}
}
SaslServer saslServer;
if (ugi != null)
{
saslServer = ugi.DoAs(new _PrivilegedExceptionAction_159(this, saslProperties, callback
));
}
else
{
saslServer = saslFactory.CreateSaslServer(mechanism, protocol, serverId, saslProperties
, callback);
}
if (saslServer == null)
{
throw new AccessControlException("Unable to find SASL server implementation for "
+ mechanism);
}
if (Log.IsDebugEnabled())
{
Log.Debug("Created SASL server with mechanism = " + mechanism);
}
return(saslServer);
}
public virtual void TestGetUserWithOwner()
{
TestDelegationToken.TestDelegationTokenIdentifier ident = new TestDelegationToken.TestDelegationTokenIdentifier
(new Text("owner"), null, null);
UserGroupInformation ugi = ident.GetUser();
NUnit.Framework.Assert.IsNull(ugi.GetRealUser());
Assert.Equal("owner", ugi.GetUserName());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Token,
ugi.GetAuthenticationMethod());
}
/// <summary>
/// Authorize a user (superuser) to impersonate another user (user1) if the
/// superuser belongs to the group "sudo_user1" .
/// </summary>
/// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/>
public virtual void Authorize(UserGroupInformation user, string remoteAddress)
{
UserGroupInformation superUser = user.GetRealUser();
string sudoGroupName = "sudo_" + user.GetShortUserName();
if (!Arrays.AsList(superUser.GetGroupNames()).Contains(sudoGroupName))
{
throw new AuthorizationException("User: "******" is not allowed to impersonate "
+ user.GetUserName());
}
}
public virtual void TestUserIdentityProvider()
{
UserIdentityProvider uip = new UserIdentityProvider();
string identity = uip.MakeIdentity(new TestIdentityProviders.FakeSchedulable(this
));
// Get our username
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
string username = ugi.GetUserName();
Assert.Equal(username, identity);
}
public virtual void TestRefreshUserToGroupsMappingsWithFileSystemBasedConfigurationProvider
()
{
configuration.Set(YarnConfiguration.RmConfigurationProviderClass, "org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider"
);
string[] defaultTestUserGroups = new string[] { "dummy_group1", "dummy_group2" };
UserGroupInformation ugi = UserGroupInformation.CreateUserForTesting("dummyUser",
defaultTestUserGroups);
string user = ugi.GetUserName();
IList <string> groupWithInit = new AList <string>(2);
for (int i = 0; i < ugi.GetGroupNames().Length; i++)
{
groupWithInit.AddItem(ugi.GetGroupNames()[i]);
}
// upload default configurations
UploadDefaultConfiguration();
Configuration conf = new Configuration();
conf.SetClass(CommonConfigurationKeys.HadoopSecurityGroupMapping, typeof(TestRMAdminService.MockUnixGroupsMapping
), typeof(GroupMappingServiceProvider));
UploadConfiguration(conf, "core-site.xml");
try
{
rm = new MockRM(configuration);
rm.Init(configuration);
rm.Start();
}
catch (Exception)
{
NUnit.Framework.Assert.Fail("Should not get any exceptions");
}
// Make sure RM will use the updated GroupMappingServiceProvider
IList <string> groupBefore = new AList <string>(Groups.GetUserToGroupsMappingService
(configuration).GetGroups(user));
NUnit.Framework.Assert.IsTrue(groupBefore.Contains("test_group_A") && groupBefore
.Contains("test_group_B") && groupBefore.Contains("test_group_C") && groupBefore
.Count == 3);
NUnit.Framework.Assert.IsTrue(groupWithInit.Count != groupBefore.Count);
NUnit.Framework.Assert.IsFalse(groupWithInit.Contains("test_group_A") || groupWithInit
.Contains("test_group_B") || groupWithInit.Contains("test_group_C"));
// update the groups
TestRMAdminService.MockUnixGroupsMapping.UpdateGroups();
rm.adminService.RefreshUserToGroupsMappings(RefreshUserToGroupsMappingsRequest.NewInstance
());
IList <string> groupAfter = Groups.GetUserToGroupsMappingService(configuration).GetGroups
(user);
// should get the updated groups
NUnit.Framework.Assert.IsTrue(groupAfter.Contains("test_group_D") && groupAfter.Contains
("test_group_E") && groupAfter.Contains("test_group_F") && groupAfter.Count == 3
);
}
/// <exception cref="System.Exception"/>
public virtual void TestGetUGIFromSubject()
{
KerberosPrincipal p = new KerberosPrincipal("guest");
Subject subject = new Subject();
subject.GetPrincipals().AddItem(p);
UserGroupInformation ugi = UserGroupInformation.GetUGIFromSubject(subject);
NUnit.Framework.Assert.IsNotNull(ugi);
Assert.Equal("*****@*****.**", ugi.GetUserName());
}
public virtual void TestInternalGetAclStatus()
{
UserGroupInformation currentUser = UserGroupInformation.GetCurrentUser();
AclStatus aclStatus = fsView.GetAclStatus(new Path("/internalDir"));
Assert.Equal(aclStatus.GetOwner(), currentUser.GetUserName());
Assert.Equal(aclStatus.GetGroup(), currentUser.GetGroupNames()
[0]);
Assert.Equal(aclStatus.GetEntries(), AclUtil.GetMinimalAcl(Constants
.Permission555));
NUnit.Framework.Assert.IsFalse(aclStatus.IsStickyBit());
}
public virtual void SetUpUsers()
{
// Make sure the current user's info is in the list of test users.
UserGroupInformation currentUser = UserGroupInformation.GetCurrentUser();
UserGroupInformation.CreateUserForTesting(currentUser.GetUserName(), currentUser.
GetGroupNames());
testUser1 = UserGroupInformation.CreateUserForTesting("foo", new string[] { "bar"
, "baz" });
testUser2 = UserGroupInformation.CreateUserForTesting("fiz", new string[] { "buz"
, "boz" });
}
// Expected
/// <exception cref="System.IO.IOException"/>
public virtual void TestDanglingLink()
{
Assume.AssumeTrue(!Path.Windows);
Path fileAbs = new Path(TestBaseDir1() + "/file");
Path fileQual = new Path(TestURI().ToString(), fileAbs);
Path link = new Path(TestBaseDir1() + "/linkToFile");
Path linkQual = new Path(TestURI().ToString(), link.ToString());
wrapper.CreateSymlink(fileAbs, link, false);
// Deleting the link using FileContext currently fails because
// resolve looks up LocalFs rather than RawLocalFs for the path
// so we call ChecksumFs delete (which doesn't delete dangling
// links) instead of delegating to delete in RawLocalFileSystem
// which deletes via fullyDelete. testDeleteLink above works
// because the link is not dangling.
//assertTrue(fc.delete(link, false));
FileUtil.FullyDelete(new FilePath(link.ToUri().GetPath()));
wrapper.CreateSymlink(fileAbs, link, false);
try
{
wrapper.GetFileStatus(link);
NUnit.Framework.Assert.Fail("Got FileStatus for dangling link");
}
catch (FileNotFoundException)
{
}
// Expected. File's exists method returns false for dangling links
// We can stat a dangling link
UserGroupInformation user = UserGroupInformation.GetCurrentUser();
FileStatus fsd = wrapper.GetFileLinkStatus(link);
Assert.Equal(fileQual, fsd.GetSymlink());
Assert.True(fsd.IsSymlink());
NUnit.Framework.Assert.IsFalse(fsd.IsDirectory());
Assert.Equal(user.GetUserName(), fsd.GetOwner());
// Compare against user's primary group
Assert.Equal(user.GetGroupNames()[0], fsd.GetGroup());
Assert.Equal(linkQual, fsd.GetPath());
// Accessing the link
try
{
ReadFile(link);
NUnit.Framework.Assert.Fail("Got FileStatus for dangling link");
}
catch (FileNotFoundException)
{
}
// Ditto.
// Creating the file makes the link work
CreateAndWriteFile(fileAbs);
wrapper.GetFileStatus(link);
}
// For each class, first ACL in the array specifies the allowed entries
// and second ACL specifies blocked entries.
// For each class, first MachineList in the array specifies the allowed entries
// and second MachineList specifies blocked entries.
/// <summary>Authorize the user to access the protocol being used.</summary>
/// <param name="user">user accessing the service</param>
/// <param name="protocol">service being accessed</param>
/// <param name="conf">configuration to use</param>
/// <param name="addr">InetAddress of the client</param>
/// <exception cref="AuthorizationException">on authorization failure</exception>
/// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/>
public virtual void Authorize(UserGroupInformation user, Type protocol, Configuration
conf, IPAddress addr)
{
AccessControlList[] acls = protocolToAcls[protocol];
MachineList[] hosts = protocolToMachineLists[protocol];
if (acls == null || hosts == null)
{
throw new AuthorizationException("Protocol " + protocol + " is not known.");
}
// get client principal key to verify (if available)
KerberosInfo krbInfo = SecurityUtil.GetKerberosInfo(protocol, conf);
string clientPrincipal = null;
if (krbInfo != null)
{
string clientKey = krbInfo.ClientPrincipal();
if (clientKey != null && !clientKey.IsEmpty())
{
try
{
clientPrincipal = SecurityUtil.GetServerPrincipal(conf.Get(clientKey), addr);
}
catch (IOException e)
{
throw (AuthorizationException)Extensions.InitCause(new AuthorizationException
("Can't figure out Kerberos principal name for connection from " + addr + " for user="******" protocol=" + protocol), e);
}
}
}
if ((clientPrincipal != null && !clientPrincipal.Equals(user.GetUserName())) || acls
.Length != 2 || !acls[0].IsUserAllowed(user) || acls[1].IsUserAllowed(user))
{
Auditlog.Warn(AuthzFailedFor + user + " for protocol=" + protocol + ", expected client Kerberos principal is "
+ clientPrincipal);
throw new AuthorizationException("User " + user + " is not authorized for protocol "
+ protocol + ", expected client Kerberos principal is " + clientPrincipal);
}
if (addr != null)
{
string hostAddress = addr.GetHostAddress();
if (hosts.Length != 2 || !hosts[0].Includes(hostAddress) || hosts[1].Includes(hostAddress
))
{
Auditlog.Warn(AuthzFailedFor + " for protocol=" + protocol + " from host = " + hostAddress
);
throw new AuthorizationException("Host " + hostAddress + " is not authorized for protocol "
+ protocol);
}
}
Auditlog.Info(AuthzSuccessfulFor + user + " for protocol=" + protocol);
}
/// <summary>Create an ACL For a user.</summary>
/// <param name="ugi">User identity</param>
/// <returns>
/// the ACL For the specified user. Ifthe username doesn't end
/// in "@" then the realm is added
/// </returns>
public virtual ACL CreateACLForUser(UserGroupInformation ugi, int perms)
{
if (Log.IsDebugEnabled())
{
Log.Debug("Creating ACL For ", new RegistrySecurity.UgiInfo(ugi));
}
if (!secureRegistry)
{
return(AllReadwriteAccess);
}
else
{
return(CreateACLfromUsername(ugi.GetUserName(), perms));
}
}
public override string ToString()
{
if (ugi == null)
{
return("(null ugi)");
}
StringBuilder builder = new StringBuilder();
builder.Append(ugi.GetUserName()).Append(": ");
builder.Append(ugi.ToString());
builder.Append(" hasKerberosCredentials=").Append(ugi.HasKerberosCredentials());
builder.Append(" isFromKeytab=").Append(ugi.IsFromKeytab());
builder.Append(" kerberos is enabled in Hadoop =").Append(UserGroupInformation.IsSecurityEnabled
());
return(builder.ToString());
}
public virtual void TestGetUserGroupInformation()
{
string userName = "******";
string currentUser = "******";
UserGroupInformation currentUserUgi = UserGroupInformation.CreateUserForTesting(currentUser
, new string[0]);
NfsConfiguration conf = new NfsConfiguration();
conf.Set(FileSystem.FsDefaultNameKey, "hdfs://localhost");
DFSClientCache cache = new DFSClientCache(conf);
UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi
);
Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName));
Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi));
Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod
.Proxy));
}