Esempio n. 1
0
        public virtual void TestGetNonProxyUgi()
        {
            conf.Set(DFSConfigKeys.FsDefaultNameKey, "hdfs://localhost:4321/");
            ServletContext context  = Org.Mockito.Mockito.Mock <ServletContext>();
            string         realUser = "******";
            string         user     = "******";

            conf.Set(DFSConfigKeys.HadoopSecurityAuthentication, "kerberos");
            UserGroupInformation.SetConfiguration(conf);
            UserGroupInformation ugi;
            HttpServletRequest   request;

            // have to be auth-ed with remote user
            request = GetMockRequest(null, null, null);
            try
            {
                JspHelper.GetUGI(context, request, conf);
                NUnit.Framework.Assert.Fail("bad request allowed");
            }
            catch (IOException ioe)
            {
                NUnit.Framework.Assert.AreEqual("Security enabled but user not authenticated by filter"
                                                , ioe.Message);
            }
            request = GetMockRequest(null, realUser, null);
            try
            {
                JspHelper.GetUGI(context, request, conf);
                NUnit.Framework.Assert.Fail("bad request allowed");
            }
            catch (IOException ioe)
            {
                NUnit.Framework.Assert.AreEqual("Security enabled but user not authenticated by filter"
                                                , ioe.Message);
            }
            // ugi for remote user
            request = GetMockRequest(realUser, null, null);
            ugi     = JspHelper.GetUGI(context, request, conf);
            NUnit.Framework.Assert.IsNull(ugi.GetRealUser());
            NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), realUser);
            CheckUgiFromAuth(ugi);
            // ugi for remote user = real user
            request = GetMockRequest(realUser, realUser, null);
            ugi     = JspHelper.GetUGI(context, request, conf);
            NUnit.Framework.Assert.IsNull(ugi.GetRealUser());
            NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), realUser);
            CheckUgiFromAuth(ugi);
            // ugi for remote user != real user
            request = GetMockRequest(realUser, user, null);
            try
            {
                JspHelper.GetUGI(context, request, conf);
                NUnit.Framework.Assert.Fail("bad request allowed");
            }
            catch (IOException ioe)
            {
                NUnit.Framework.Assert.AreEqual("Usernames not matched: name=" + user + " != expected="
                                                + realUser, ioe.Message);
            }
        }
Esempio n. 2
0
        /// <exception cref="System.IO.IOException"/>
        private void VerifyServiceInToken(ServletContext context, HttpServletRequest request
                                          , string expected)
        {
            UserGroupInformation ugi = JspHelper.GetUGI(context, request, conf);

            Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> tokenInUgi = ugi.GetTokens
                                                                                      ().GetEnumerator().Next();
            NUnit.Framework.Assert.AreEqual(expected, tokenInUgi.GetService().ToString());
        }
Esempio n. 3
0
        private string GetRemoteAddr(string clientAddr, string proxyAddr, bool trusted)
        {
            HttpServletRequest req = Org.Mockito.Mockito.Mock <HttpServletRequest>();

            Org.Mockito.Mockito.When(req.GetRemoteAddr()).ThenReturn("1.2.3.4");
            Configuration conf = new Configuration();

            if (proxyAddr == null)
            {
                Org.Mockito.Mockito.When(req.GetRemoteAddr()).ThenReturn(clientAddr);
            }
            else
            {
                Org.Mockito.Mockito.When(req.GetRemoteAddr()).ThenReturn(proxyAddr);
                Org.Mockito.Mockito.When(req.GetHeader("X-Forwarded-For")).ThenReturn(clientAddr);
                if (trusted)
                {
                    conf.Set(ProxyServers.ConfHadoopProxyservers, proxyAddr);
                }
            }
            ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
            return(JspHelper.GetRemoteAddr(req));
        }
Esempio n. 4
0
        public virtual void TestGetProxyUgi()
        {
            conf.Set(DFSConfigKeys.FsDefaultNameKey, "hdfs://localhost:4321/");
            ServletContext context  = Org.Mockito.Mockito.Mock <ServletContext>();
            string         realUser = "******";
            string         user     = "******";

            conf.Set(DFSConfigKeys.HadoopSecurityAuthentication, "kerberos");
            conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
                         (realUser), "*");
            conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
                         (realUser), "*");
            ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
            UserGroupInformation.SetConfiguration(conf);
            UserGroupInformation ugi;
            HttpServletRequest   request;

            // have to be auth-ed with remote user
            request = GetMockRequest(null, null, user);
            try
            {
                JspHelper.GetUGI(context, request, conf);
                NUnit.Framework.Assert.Fail("bad request allowed");
            }
            catch (IOException ioe)
            {
                NUnit.Framework.Assert.AreEqual("Security enabled but user not authenticated by filter"
                                                , ioe.Message);
            }
            request = GetMockRequest(null, realUser, user);
            try
            {
                JspHelper.GetUGI(context, request, conf);
                NUnit.Framework.Assert.Fail("bad request allowed");
            }
            catch (IOException ioe)
            {
                NUnit.Framework.Assert.AreEqual("Security enabled but user not authenticated by filter"
                                                , ioe.Message);
            }
            // proxy ugi for user via remote user
            request = GetMockRequest(realUser, null, user);
            ugi     = JspHelper.GetUGI(context, request, conf);
            NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
            NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
            NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
            CheckUgiFromAuth(ugi);
            // proxy ugi for user vi a remote user = real user
            request = GetMockRequest(realUser, realUser, user);
            ugi     = JspHelper.GetUGI(context, request, conf);
            NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
            NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
            NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
            CheckUgiFromAuth(ugi);
            // proxy ugi for user via remote user != real user
            request = GetMockRequest(realUser, user, user);
            try
            {
                JspHelper.GetUGI(context, request, conf);
                NUnit.Framework.Assert.Fail("bad request allowed");
            }
            catch (IOException ioe)
            {
                NUnit.Framework.Assert.AreEqual("Usernames not matched: name=" + user + " != expected="
                                                + realUser, ioe.Message);
            }
            // try to get get a proxy user with unauthorized user
            try
            {
                request = GetMockRequest(user, null, realUser);
                JspHelper.GetUGI(context, request, conf);
                NUnit.Framework.Assert.Fail("bad proxy request allowed");
            }
            catch (AuthorizationException ae)
            {
                NUnit.Framework.Assert.AreEqual("User: "******" is not allowed to impersonate "
                                                + realUser, ae.Message);
            }
            try
            {
                request = GetMockRequest(user, user, realUser);
                JspHelper.GetUGI(context, request, conf);
                NUnit.Framework.Assert.Fail("bad proxy request allowed");
            }
            catch (AuthorizationException ae)
            {
                NUnit.Framework.Assert.AreEqual("User: "******" is not allowed to impersonate "
                                                + realUser, ae.Message);
            }
        }
Esempio n. 5
0
        public virtual void TestGetUgiFromToken()
        {
            conf.Set(DFSConfigKeys.FsDefaultNameKey, "hdfs://localhost:4321/");
            ServletContext context  = Org.Mockito.Mockito.Mock <ServletContext>();
            string         realUser = "******";
            string         user     = "******";

            conf.Set(DFSConfigKeys.HadoopSecurityAuthentication, "kerberos");
            UserGroupInformation.SetConfiguration(conf);
            UserGroupInformation ugi;
            HttpServletRequest   request;
            Text ownerText = new Text(user);
            DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(ownerText, ownerText
                                                                           , new Text(realUser));

            Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
                                                                                       <DelegationTokenIdentifier>(dtId, new TestJspHelper.DummySecretManager(0, 0, 0,
                                                                                                                                                              0));
            string tokenString = token.EncodeToUrlString();

            // token with no auth-ed user
            request = GetMockRequest(null, null, null);
            Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
            .ThenReturn(tokenString);
            ugi = JspHelper.GetUGI(context, request, conf);
            NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
            NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
            NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
            CheckUgiFromToken(ugi);
            // token with auth-ed user
            request = GetMockRequest(realUser, null, null);
            Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
            .ThenReturn(tokenString);
            ugi = JspHelper.GetUGI(context, request, conf);
            NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
            NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
            NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
            CheckUgiFromToken(ugi);
            // completely different user, token trumps auth
            request = GetMockRequest("rogue", null, null);
            Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
            .ThenReturn(tokenString);
            ugi = JspHelper.GetUGI(context, request, conf);
            NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
            NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
            NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
            CheckUgiFromToken(ugi);
            // expected case
            request = GetMockRequest(null, user, null);
            Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
            .ThenReturn(tokenString);
            ugi = JspHelper.GetUGI(context, request, conf);
            NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
            NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
            NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
            CheckUgiFromToken(ugi);
            // can't proxy with a token!
            request = GetMockRequest(null, null, "rogue");
            Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
            .ThenReturn(tokenString);
            try
            {
                JspHelper.GetUGI(context, request, conf);
                NUnit.Framework.Assert.Fail("bad request allowed");
            }
            catch (IOException ioe)
            {
                NUnit.Framework.Assert.AreEqual("Usernames not matched: name=rogue != expected="
                                                + user, ioe.Message);
            }
            // can't proxy with a token!
            request = GetMockRequest(null, user, "rogue");
            Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
            .ThenReturn(tokenString);
            try
            {
                JspHelper.GetUGI(context, request, conf);
                NUnit.Framework.Assert.Fail("bad request allowed");
            }
            catch (IOException ioe)
            {
                NUnit.Framework.Assert.AreEqual("Usernames not matched: name=rogue != expected="
                                                + user, ioe.Message);
            }
        }