/// <exception cref="System.Exception"/> public virtual void TestNameRules() { KerberosName kn = new KerberosName(KerberosTestUtils.GetServerPrincipal()); Assert.Equal(KerberosTestUtils.GetRealm(), kn.GetRealm()); //destroy handler created in setUp() handler.Destroy(); KerberosName.SetRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT"); handler = GetNewAuthenticationHandler(); Properties props = GetDefaultProperties(); props.SetProperty(KerberosAuthenticationHandler.NameRules, "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT" ); try { handler.Init(props); } catch (Exception) { } kn = new KerberosName("bar@BAR"); Assert.Equal("bar", kn.GetShortName()); kn = new KerberosName("bar@FOO"); try { kn.GetShortName(); NUnit.Framework.Assert.Fail(); } catch (Exception) { } }
internal virtual string GetServerPrincipal(RpcHeaderProtos.RpcSaslProto.SaslAuth authType) { KerberosInfo krbInfo = SecurityUtil.GetKerberosInfo(protocol, conf); Log.Debug("Get kerberos info proto:" + protocol + " info:" + krbInfo); if (krbInfo == null) { // protocol has no support for kerberos return(null); } string serverKey = krbInfo.ServerPrincipal(); if (serverKey == null) { throw new ArgumentException("Can't obtain server Kerberos config key from protocol=" + protocol.GetCanonicalName()); } // construct server advertised principal for comparision string serverPrincipal = new KerberosPrincipal(authType.GetProtocol() + "/" + authType .GetServerId(), KerberosPrincipal.KrbNtSrvHst).GetName(); bool isPrincipalValid = false; // use the pattern if defined string serverKeyPattern = conf.Get(serverKey + ".pattern"); if (serverKeyPattern != null && !serverKeyPattern.IsEmpty()) { Pattern pattern = GlobPattern.Compile(serverKeyPattern); isPrincipalValid = pattern.Matcher(serverPrincipal).Matches(); } else { // check that the server advertised principal matches our conf string confPrincipal = SecurityUtil.GetServerPrincipal(conf.Get(serverKey), serverAddr .Address); if (Log.IsDebugEnabled()) { Log.Debug("getting serverKey: " + serverKey + " conf value: " + conf.Get(serverKey ) + " principal: " + confPrincipal); } if (confPrincipal == null || confPrincipal.IsEmpty()) { throw new ArgumentException("Failed to specify server's Kerberos principal name"); } KerberosName name = new KerberosName(confPrincipal); if (name.GetHostName() == null) { throw new ArgumentException("Kerberos principal name does NOT have the expected hostname part: " + confPrincipal); } isPrincipalValid = serverPrincipal.Equals(confPrincipal); } if (!isPrincipalValid) { throw new ArgumentException("Server has invalid Kerberos principal: " + serverPrincipal ); } return(serverPrincipal); }
public virtual void TestKerberosRulesValid() { NUnit.Framework.Assert.IsTrue("!KerberosName.hasRulesBeenSet()", KerberosName.HasRulesBeenSet ()); string rules = KerberosName.GetRules(); NUnit.Framework.Assert.AreEqual(kerberosRule, rules); Log.Info(rules); }
/// <exception cref="System.Exception"/> public AuthenticationToken Run() { AuthenticationToken token = null; GSSContext gssContext = null; GSSCredential gssCreds = null; try { gssCreds = this._enclosing.gssManager.CreateCredential(this._enclosing.gssManager .CreateName(KerberosUtil.GetServicePrincipal("HTTP", serverName), KerberosUtil.GetOidInstance ("NT_GSS_KRB5_PRINCIPAL")), GSSCredential.IndefiniteLifetime, new Oid[] { KerberosUtil .GetOidInstance("GSS_SPNEGO_MECH_OID"), KerberosUtil.GetOidInstance("GSS_KRB5_MECH_OID" ) }, GSSCredential.AcceptOnly); gssContext = this._enclosing.gssManager.CreateContext(gssCreds); byte[] serverToken = gssContext.AcceptSecContext(clientToken, 0, clientToken.Length ); if (serverToken != null && serverToken.Length > 0) { string authenticate = base64.EncodeToString(serverToken); response.SetHeader(KerberosAuthenticator.WwwAuthenticate, KerberosAuthenticator.Negotiate + " " + authenticate); } if (!gssContext.IsEstablished()) { response.SetStatus(HttpServletResponse.ScUnauthorized); KerberosAuthenticationHandler.Log.Trace("SPNEGO in progress"); } else { string clientPrincipal = gssContext.GetSrcName().ToString(); KerberosName kerberosName = new KerberosName(clientPrincipal); string userName = kerberosName.GetShortName(); token = new AuthenticationToken(userName, clientPrincipal, this._enclosing.GetType ()); response.SetStatus(HttpServletResponse.ScOk); KerberosAuthenticationHandler.Log.Trace("SPNEGO completed for principal [{}]", clientPrincipal ); } } finally { if (gssContext != null) { gssContext.Dispose(); } if (gssCreds != null) { gssCreds.Dispose(); } } return(token); }
/// <exception cref="System.IO.IOException"/> public virtual void TestEnsureInitWithRules() { string rules = "RULE:[1:RULE1]"; // trigger implicit init, rules should init UserGroupInformation.Reset(); NUnit.Framework.Assert.IsFalse(KerberosName.HasRulesBeenSet()); UserGroupInformation.CreateUserForTesting("someone", new string[0]); Assert.True(KerberosName.HasRulesBeenSet()); // set a rule, trigger implicit init, rule should not change UserGroupInformation.Reset(); KerberosName.SetRules(rules); Assert.True(KerberosName.HasRulesBeenSet()); Assert.Equal(rules, KerberosName.GetRules()); UserGroupInformation.CreateUserForTesting("someone", new string[0]); Assert.Equal(rules, KerberosName.GetRules()); }
public virtual void TestIsValidRequestor() { Configuration conf = new HdfsConfiguration(); KerberosName.SetRules("RULE:[1:$1]\nRULE:[2:$1]"); // Set up generic HA configs. conf.Set(DFSConfigKeys.DfsNameservices, "ns1"); conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsHaNamenodesKeyPrefix, "ns1"), "nn1,nn2" ); // Set up NN1 HA configs. conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsNamenodeRpcAddressKey, "ns1", "nn1" ), "host1:1234"); conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsNamenodeKerberosPrincipalKey, "ns1" , "nn1"), "hdfs/[email protected]"); // Set up NN2 HA configs. conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsNamenodeRpcAddressKey, "ns1", "nn2" ), "host2:1234"); conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsNamenodeKerberosPrincipalKey, "ns1" , "nn2"), "hdfs/[email protected]"); // Initialize this conf object as though we're running on NN1. NameNode.InitializeGenericKeys(conf, "ns1", "nn1"); AccessControlList acls = Org.Mockito.Mockito.Mock <AccessControlList>(); Org.Mockito.Mockito.When(acls.IsUserAllowed(Org.Mockito.Mockito.Any <UserGroupInformation >())).ThenReturn(false); ServletContext context = Org.Mockito.Mockito.Mock <ServletContext>(); Org.Mockito.Mockito.When(context.GetAttribute(HttpServer2.AdminsAcl)).ThenReturn( acls); // Make sure that NN2 is considered a valid fsimage/edits requestor. NUnit.Framework.Assert.IsTrue(ImageServlet.IsValidRequestor(context, "hdfs/[email protected]" , conf)); // Mark atm as an admin. Org.Mockito.Mockito.When(acls.IsUserAllowed(Org.Mockito.Mockito.ArgThat(new _ArgumentMatcher_76 ()))).ThenReturn(true); // Make sure that NN2 is still considered a valid requestor. NUnit.Framework.Assert.IsTrue(ImageServlet.IsValidRequestor(context, "hdfs/[email protected]" , conf)); // Make sure an admin is considered a valid requestor. NUnit.Framework.Assert.IsTrue(ImageServlet.IsValidRequestor(context, "*****@*****.**" , conf)); // Make sure other users are *not* considered valid requestors. NUnit.Framework.Assert.IsFalse(ImageServlet.IsValidRequestor(context, "*****@*****.**" , conf)); }
/// <summary>Expected user name should be a short name.</summary> /// <exception cref="System.IO.IOException"/> public static void CheckUsername(string expected, string name) { if (expected == null && name != null) { throw new IOException("Usernames not matched: expecting null but name=" + name); } if (name == null) { //name is optional, null is okay return; } KerberosName u = new KerberosName(name); string shortName = u.GetShortName(); if (!shortName.Equals(expected)) { throw new IOException("Usernames not matched: name=" + shortName + " != expected=" + expected); } }
public virtual void TestSetConfigWithRules() { string[] rules = new string[] { "RULE:[1:TEST1]", "RULE:[1:TEST2]", "RULE:[1:TEST3]" }; // explicitly set a rule UserGroupInformation.Reset(); NUnit.Framework.Assert.IsFalse(KerberosName.HasRulesBeenSet()); KerberosName.SetRules(rules[0]); Assert.True(KerberosName.HasRulesBeenSet()); Assert.Equal(rules[0], KerberosName.GetRules()); // implicit init should honor rules already being set UserGroupInformation.CreateUserForTesting("someone", new string[0]); Assert.Equal(rules[0], KerberosName.GetRules()); // set conf, should override conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthToLocal, rules[1]); UserGroupInformation.SetConfiguration(conf); Assert.Equal(rules[1], KerberosName.GetRules()); // set conf, should again override conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthToLocal, rules[2]); UserGroupInformation.SetConfiguration(conf); Assert.Equal(rules[2], KerberosName.GetRules()); // implicit init should honor rules already being set UserGroupInformation.CreateUserForTesting("someone", new string[0]); Assert.Equal(rules[2], KerberosName.GetRules()); }
// /// <summary>Init hadoop security by setting up the UGI config</summary> public static void InitHadoopSecurity() { UserGroupInformation.SetConfiguration(Conf); KerberosName.SetRules(kerberosRule); }
/// <summary>Initializes the authentication handler instance.</summary> /// <remarks> /// Initializes the authentication handler instance. /// <p> /// It creates a Kerberos context using the principal and keytab specified in the configuration. /// <p> /// This method is invoked by the /// <see cref="AuthenticationFilter.Init(Javax.Servlet.FilterConfig)"/> /// method. /// </remarks> /// <param name="config">configuration properties to initialize the handler.</param> /// <exception cref="Javax.Servlet.ServletException">thrown if the handler could not be initialized. /// </exception> public override void Init(Properties config) { try { string principal = config.GetProperty(Principal); if (principal == null || principal.Trim().Length == 0) { throw new ServletException("Principal not defined in configuration"); } keytab = config.GetProperty(Keytab, keytab); if (keytab == null || keytab.Trim().Length == 0) { throw new ServletException("Keytab not defined in configuration"); } if (!new FilePath(keytab).Exists()) { throw new ServletException("Keytab does not exist: " + keytab); } // use all SPNEGO principals in the keytab if a principal isn't // specifically configured string[] spnegoPrincipals; if (principal.Equals("*")) { spnegoPrincipals = KerberosUtil.GetPrincipalNames(keytab, Pattern.Compile ("HTTP/.*")); if (spnegoPrincipals.Length == 0) { throw new ServletException("Principals do not exist in the keytab"); } } else { spnegoPrincipals = new string[] { principal }; } string nameRules = config.GetProperty(NameRules, null); if (nameRules != null) { KerberosName.SetRules(nameRules); } foreach (string spnegoPrincipal in spnegoPrincipals) { Log.Info("Login using keytab {}, for principal {}", keytab, spnegoPrincipal); KerberosAuthenticationHandler.KerberosConfiguration kerberosConfiguration = new KerberosAuthenticationHandler.KerberosConfiguration (keytab, spnegoPrincipal); LoginContext loginContext = new LoginContext(string.Empty, serverSubject, null, kerberosConfiguration ); try { loginContext.Login(); } catch (LoginException le) { Log.Warn("Failed to login as [{}]", spnegoPrincipal, le); throw new AuthenticationException(le); } loginContexts.AddItem(loginContext); } try { gssManager = Subject.DoAs(serverSubject, new _PrivilegedExceptionAction_229()); } catch (PrivilegedActionException ex) { throw ex.GetException(); } } catch (Exception ex) { throw new ServletException(ex); } }
public virtual void TestRecovery() { Configuration conf = new Configuration(); HistoryServerStateStoreService store = new HistoryServerMemStateStoreService(); store.Init(conf); store.Start(); TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest mgr = new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest(store ); mgr.StartThreads(); MRDelegationTokenIdentifier tokenId1 = new MRDelegationTokenIdentifier(new Text("tokenOwner" ), new Text("tokenRenewer"), new Text("tokenUser")); Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token1 = new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId1, mgr ); MRDelegationTokenIdentifier tokenId2 = new MRDelegationTokenIdentifier(new Text("tokenOwner" ), new Text("tokenRenewer"), new Text("tokenUser")); Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token2 = new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId2, mgr ); DelegationKey[] keys = mgr.GetAllKeys(); long tokenRenewDate1 = mgr.GetAllTokens()[tokenId1].GetRenewDate(); long tokenRenewDate2 = mgr.GetAllTokens()[tokenId2].GetRenewDate(); mgr.StopThreads(); mgr = new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest (store); mgr.Recover(store.LoadState()); IList <DelegationKey> recoveredKeys = Arrays.AsList(mgr.GetAllKeys()); foreach (DelegationKey key in keys) { NUnit.Framework.Assert.IsTrue("key missing after recovery", recoveredKeys.Contains (key)); } NUnit.Framework.Assert.IsTrue("token1 missing", mgr.GetAllTokens().Contains(tokenId1 )); NUnit.Framework.Assert.AreEqual("token1 renew date", tokenRenewDate1, mgr.GetAllTokens ()[tokenId1].GetRenewDate()); NUnit.Framework.Assert.IsTrue("token2 missing", mgr.GetAllTokens().Contains(tokenId2 )); NUnit.Framework.Assert.AreEqual("token2 renew date", tokenRenewDate2, mgr.GetAllTokens ()[tokenId2].GetRenewDate()); mgr.StartThreads(); mgr.VerifyToken(tokenId1, token1.GetPassword()); mgr.VerifyToken(tokenId2, token2.GetPassword()); MRDelegationTokenIdentifier tokenId3 = new MRDelegationTokenIdentifier(new Text("tokenOwner" ), new Text("tokenRenewer"), new Text("tokenUser")); Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token3 = new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId3, mgr ); NUnit.Framework.Assert.AreEqual("sequence number restore", tokenId2.GetSequenceNumber () + 1, tokenId3.GetSequenceNumber()); mgr.CancelToken(token1, "tokenOwner"); // Testing with full principal name MRDelegationTokenIdentifier tokenIdFull = new MRDelegationTokenIdentifier(new Text ("tokenOwner/localhost@LOCALHOST"), new Text("tokenRenewer"), new Text("tokenUser" )); KerberosName.SetRules("RULE:[1:$1]\nRULE:[2:$1]"); Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> tokenFull = new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdFull, mgr); // Negative test try { mgr.CancelToken(tokenFull, "tokenOwner"); } catch (AccessControlException ace) { NUnit.Framework.Assert.IsTrue(ace.Message.Contains("is not authorized to cancel the token" )); } // Succeed to cancel with full principal mgr.CancelToken(tokenFull, tokenIdFull.GetOwner().ToString()); long tokenRenewDate3 = mgr.GetAllTokens()[tokenId3].GetRenewDate(); mgr.StopThreads(); mgr = new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest (store); mgr.Recover(store.LoadState()); NUnit.Framework.Assert.IsFalse("token1 should be missing", mgr.GetAllTokens().Contains (tokenId1)); NUnit.Framework.Assert.IsTrue("token2 missing", mgr.GetAllTokens().Contains(tokenId2 )); NUnit.Framework.Assert.AreEqual("token2 renew date", tokenRenewDate2, mgr.GetAllTokens ()[tokenId2].GetRenewDate()); NUnit.Framework.Assert.IsTrue("token3 missing", mgr.GetAllTokens().Contains(tokenId3 )); NUnit.Framework.Assert.AreEqual("token3 renew date", tokenRenewDate3, mgr.GetAllTokens ()[tokenId3].GetRenewDate()); mgr.StartThreads(); mgr.VerifyToken(tokenId2, token2.GetPassword()); mgr.VerifyToken(tokenId3, token3.GetPassword()); mgr.StopThreads(); }