public static void LoadTest(string ipString, int testRange)
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames)));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ipString);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a group that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
long startTime = Runtime.NanoTime();
SecureRandom sr = new SecureRandom();
for (int i = 1; i < 1000000; i++)
{
try
{
ProxyUsers.Authorize(proxyUserUgi, "1.2.3." + sr.Next(testRange));
}
catch (AuthorizationException)
{
}
}
long stopTime = Runtime.NanoTime();
long elapsedTime = stopTime - startTime;
System.Console.Out.WriteLine(elapsedTime / 1000000 + " ms");
}
public virtual void TestRealUserGroupNotSpecified()
{
Configuration conf = new Configuration();
ConfigureSuperUserIPAddresses(conf, RealUserShortName);
Server server = new RPC.Builder(conf).SetProtocol(typeof(TestDoAsEffectiveUser.TestProtocol
)).SetInstance(new TestDoAsEffectiveUser.TestImpl(this)).SetBindAddress(Address)
.SetPort(0).SetNumHandlers(2).SetVerbose(false).Build();
try
{
server.Start();
IPEndPoint addr = NetUtils.GetConnectAddress(server);
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
string retVal = proxyUserUgi.DoAs(new _PrivilegedExceptionAction_359(this, addr,
conf));
NUnit.Framework.Assert.Fail("The RPC must have failed " + retVal);
}
catch (Exception e)
{
Runtime.PrintStackTrace(e);
}
finally
{
server.Stop();
if (proxy != null)
{
RPC.StopProxy(proxy);
}
}
}
public virtual void TestProxyUsersWithCustomPrefix()
{
Configuration conf = new Configuration(false);
conf.Set("x." + RealUserName + ".users", StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName
)));
conf.Set("x." + RealUserName + ".hosts", ProxyIp);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf, "x");
// First try proxying a user that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(AuthorizedProxyUserName, realUserUgi, GroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Now try proxying a user that's not allowed
realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, GroupNames);
// From good IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
public virtual void TestProxyUsersWithProviderOverride()
{
Configuration conf = new Configuration();
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityImpersonationProviderClass,
"org.apache.hadoop.security.authorize.TestProxyUsers$TestDummyImpersonationProvider"
);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a group that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateUserForTesting(RealUserName
, SudoGroupNames);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertAuthorized(proxyUserUgi, "1.2.3.5");
// Now try proxying a group that's not allowed
realUserUgi = UserGroupInformation.CreateUserForTesting(RealUserName, GroupNames);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, GroupNames);
// From good IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
public virtual void TestWildcardIP()
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames)));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), "*");
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a group that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
// From either IP should be fine
AssertAuthorized(proxyUserUgi, "1.2.3.4");
AssertAuthorized(proxyUserUgi, "1.2.3.5");
// Now set up an unallowed group
realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, OtherGroupNames);
// Neither IP should be OK
AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
public virtual void TestWildcardUser()
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserUserConfKey
(RealUserName), "*");
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ProxyIp);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a user that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(AuthorizedProxyUserName, realUserUgi, GroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Now try proxying a different user (just to make sure we aren't getting spill over
// from the other test case!)
realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, OtherGroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
public virtual void TestProxyUsersWithUserConf()
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserUserConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName)));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ProxyIp);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a user that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(AuthorizedProxyUserName, realUserUgi, GroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Now try proxying a user that's not allowed
realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, GroupNames);
// From good IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
public virtual void TestNoHostsForUsers()
{
Configuration conf = new Configuration(false);
conf.Set("y." + RealUserName + ".users", StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName
)));
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf, "y");
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(AuthorizedProxyUserName, realUserUgi, GroupNames);
// IP doesn't matter
AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
}
public static void SetUp()
{
config = new HdfsConfiguration();
config.SetBoolean(DFSConfigKeys.DfsWebhdfsEnabledKey, true);
config.SetLong(DFSConfigKeys.DfsNamenodeDelegationTokenMaxLifetimeKey, 10000);
config.SetLong(DFSConfigKeys.DfsNamenodeDelegationTokenRenewIntervalKey, 5000);
config.SetStrings(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUser), "group1");
config.SetBoolean(DFSConfigKeys.DfsNamenodeDelegationTokenAlwaysUseKey, true);
ConfigureSuperUserIPAddresses(config, RealUser);
FileSystem.SetDefaultUri(config, "hdfs://localhost:" + "0");
cluster = new MiniDFSCluster.Builder(config).Build();
cluster.WaitActive();
ProxyUsers.RefreshSuperUserGroupsConfiguration(config);
ugi = UserGroupInformation.CreateRemoteUser(RealUser);
proxyUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUser, ugi, GroupNames
);
}
public virtual void TestIPRange()
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserName), "*");
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ProxyIpRange);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a group that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "10.222.0.0");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "10.221.0.0");
}
public virtual void TestRealUserIPAuthorizationFailure()
{
Configuration conf = new Configuration();
conf.SetStrings(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserShortName), "20.20.20.20");
//Authorized IP address
conf.SetStrings(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserShortName), "group1");
Server server = new RPC.Builder(conf).SetProtocol(typeof(TestDoAsEffectiveUser.TestProtocol
)).SetInstance(new TestDoAsEffectiveUser.TestImpl(this)).SetBindAddress(Address)
.SetPort(0).SetNumHandlers(2).SetVerbose(false).Build();
RefreshConf(conf);
try
{
server.Start();
IPEndPoint addr = NetUtils.GetConnectAddress(server);
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
string retVal = proxyUserUgi.DoAs(new _PrivilegedExceptionAction_276(this, addr,
conf));
NUnit.Framework.Assert.Fail("The RPC must have failed " + retVal);
}
catch (Exception e)
{
Runtime.PrintStackTrace(e);
}
finally
{
server.Stop();
if (proxy != null)
{
RPC.StopProxy(proxy);
}
}
}
/// <exception cref="System.IO.IOException"/>
internal virtual void ConnectToServerAndGetDelegationToken(Configuration conf, IPEndPoint
addr)
{
MiniRPCBenchmark.MiniProtocol client = null;
try
{
UserGroupInformation current = UserGroupInformation.GetCurrentUser();
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(MiniUser, current, GroupNames);
try
{
client = proxyUserUgi.DoAs(new _PrivilegedExceptionAction_212(this, addr, conf));
}
catch (Exception e)
{
NUnit.Framework.Assert.Fail(Arrays.ToString(e.GetStackTrace()));
}
}
finally
{
RPC.StopProxy(client);
}
}
public virtual void TestNetgroups()
{
if (!NativeCodeLoader.IsNativeCodeLoaded())
{
Log.Info("Not testing netgroups, " + "this test only runs when native code is compiled"
);
return;
}
string groupMappingClassName = Runtime.GetProperty("TestProxyUsersGroupMapping");
if (groupMappingClassName == null)
{
Log.Info("Not testing netgroups, no group mapping class specified, " + "use -DTestProxyUsersGroupMapping=$className to specify "
+ "group mapping class (must implement GroupMappingServiceProvider " + "interface and support netgroups)"
);
return;
}
Log.Info("Testing netgroups using: " + groupMappingClassName);
Configuration conf = new Configuration();
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityGroupMapping, groupMappingClassName
);
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(NetgroupNames)));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ProxyIp);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
Groups groups = Groups.GetUserToGroupsMappingService(conf);
// try proxying a group that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, Collections.ToArray(groups.GetGroups(ProxyUserName
), new string[groups.GetGroups(ProxyUserName).Count]));
AssertAuthorized(proxyUserUgi, ProxyIp);
}
public virtual void TestProxyWithToken()
{
Configuration conf = new Configuration(masterConf);
TestSaslRPC.TestTokenSecretManager sm = new TestSaslRPC.TestTokenSecretManager();
SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
, conf);
UserGroupInformation.SetConfiguration(conf);
Server server = new RPC.Builder(conf).SetProtocol(typeof(TestDoAsEffectiveUser.TestProtocol
)).SetInstance(new TestDoAsEffectiveUser.TestImpl(this)).SetBindAddress(Address)
.SetPort(0).SetNumHandlers(5).SetVerbose(true).SetSecretManager(sm).Build();
server.Start();
UserGroupInformation current = UserGroupInformation.CreateRemoteUser(RealUserName
);
IPEndPoint addr = NetUtils.GetConnectAddress(server);
TestSaslRPC.TestTokenIdentifier tokenId = new TestSaslRPC.TestTokenIdentifier(new
Org.Apache.Hadoop.IO.Text(current.GetUserName()), new Org.Apache.Hadoop.IO.Text(
"SomeSuperUser"));
Org.Apache.Hadoop.Security.Token.Token <TestSaslRPC.TestTokenIdentifier> token = new
Org.Apache.Hadoop.Security.Token.Token <TestSaslRPC.TestTokenIdentifier>(tokenId,
sm);
SecurityUtil.SetTokenService(token, addr);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, current, GroupNames);
proxyUserUgi.AddToken(token);
RefreshConf(conf);
string retVal = proxyUserUgi.DoAs(new _PrivilegedExceptionAction_457(this, addr,
conf, server));
//The user returned by server must be the one in the token.
Assert.Equal(RealUserName + " (auth:TOKEN) via SomeSuperUser (auth:SIMPLE)"
, retVal);
}
/// <exception cref="System.IO.IOException"/>
public virtual void TestRealUserAuthorizationSuccess()
{
Configuration conf = new Configuration();
ConfigureSuperUserIPAddresses(conf, RealUserShortName);
conf.SetStrings(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserShortName), "group1");
Server server = new RPC.Builder(conf).SetProtocol(typeof(TestDoAsEffectiveUser.TestProtocol
)).SetInstance(new TestDoAsEffectiveUser.TestImpl(this)).SetBindAddress(Address)
.SetPort(0).SetNumHandlers(2).SetVerbose(false).Build();
RefreshConf(conf);
try
{
server.Start();
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
CheckRemoteUgi(server, realUserUgi, conf);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
CheckRemoteUgi(server, proxyUserUgi, conf);
}
catch (Exception e)
{
Runtime.PrintStackTrace(e);
NUnit.Framework.Assert.Fail();
}
finally
{
server.Stop();
if (proxy != null)
{
RPC.StopProxy(proxy);
}
}
}
