public static void LoadTest(string ipString, int testRange) { Configuration conf = new Configuration(); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey (RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames))); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey (RealUserName), ipString); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (ProxyUserName, realUserUgi, GroupNames); long startTime = Runtime.NanoTime(); SecureRandom sr = new SecureRandom(); for (int i = 1; i < 1000000; i++) { try { ProxyUsers.Authorize(proxyUserUgi, "1.2.3." + sr.Next(testRange)); } catch (AuthorizationException) { } } long stopTime = Runtime.NanoTime(); long elapsedTime = stopTime - startTime; System.Console.Out.WriteLine(elapsedTime / 1000000 + " ms"); }
public virtual void TestRealUserGroupNotSpecified() { Configuration conf = new Configuration(); ConfigureSuperUserIPAddresses(conf, RealUserShortName); Server server = new RPC.Builder(conf).SetProtocol(typeof(TestDoAsEffectiveUser.TestProtocol )).SetInstance(new TestDoAsEffectiveUser.TestImpl(this)).SetBindAddress(Address) .SetPort(0).SetNumHandlers(2).SetVerbose(false).Build(); try { server.Start(); IPEndPoint addr = NetUtils.GetConnectAddress(server); UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (ProxyUserName, realUserUgi, GroupNames); string retVal = proxyUserUgi.DoAs(new _PrivilegedExceptionAction_359(this, addr, conf)); NUnit.Framework.Assert.Fail("The RPC must have failed " + retVal); } catch (Exception e) { Runtime.PrintStackTrace(e); } finally { server.Stop(); if (proxy != null) { RPC.StopProxy(proxy); } } }
public virtual void TestProxyUsersWithCustomPrefix() { Configuration conf = new Configuration(false); conf.Set("x." + RealUserName + ".users", StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName ))); conf.Set("x." + RealUserName + ".hosts", ProxyIp); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf, "x"); // First try proxying a user that's allowed UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (AuthorizedProxyUserName, realUserUgi, GroupNames); // From good IP AssertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a user that's not allowed realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName); proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi , GroupNames); // From good IP AssertNotAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
public virtual void TestProxyUsersWithProviderOverride() { Configuration conf = new Configuration(); conf.Set(CommonConfigurationKeysPublic.HadoopSecurityImpersonationProviderClass, "org.apache.hadoop.security.authorize.TestProxyUsers$TestDummyImpersonationProvider" ); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation.CreateUserForTesting(RealUserName , SudoGroupNames); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (ProxyUserName, realUserUgi, GroupNames); // From good IP AssertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a group that's not allowed realUserUgi = UserGroupInformation.CreateUserForTesting(RealUserName, GroupNames); proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi , GroupNames); // From good IP AssertNotAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
public virtual void TestWildcardIP() { Configuration conf = new Configuration(); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey (RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames))); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey (RealUserName), "*"); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (ProxyUserName, realUserUgi, GroupNames); // From either IP should be fine AssertAuthorized(proxyUserUgi, "1.2.3.4"); AssertAuthorized(proxyUserUgi, "1.2.3.5"); // Now set up an unallowed group realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName); proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi , OtherGroupNames); // Neither IP should be OK AssertNotAuthorized(proxyUserUgi, "1.2.3.4"); AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
public virtual void TestWildcardUser() { Configuration conf = new Configuration(); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserUserConfKey (RealUserName), "*"); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey (RealUserName), ProxyIp); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf); // First try proxying a user that's allowed UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (AuthorizedProxyUserName, realUserUgi, GroupNames); // From good IP AssertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a different user (just to make sure we aren't getting spill over // from the other test case!) realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName); proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi , OtherGroupNames); // From good IP AssertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
public virtual void TestProxyUsersWithUserConf() { Configuration conf = new Configuration(); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserUserConfKey (RealUserName), StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName))); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey (RealUserName), ProxyIp); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf); // First try proxying a user that's allowed UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (AuthorizedProxyUserName, realUserUgi, GroupNames); // From good IP AssertAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); // Now try proxying a user that's not allowed realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName); proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi , GroupNames); // From good IP AssertNotAuthorized(proxyUserUgi, "1.2.3.4"); // From bad IP AssertNotAuthorized(proxyUserUgi, "1.2.3.5"); }
public virtual void TestNoHostsForUsers() { Configuration conf = new Configuration(false); conf.Set("y." + RealUserName + ".users", StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName ))); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf, "y"); UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (AuthorizedProxyUserName, realUserUgi, GroupNames); // IP doesn't matter AssertNotAuthorized(proxyUserUgi, "1.2.3.4"); }
public static void SetUp() { config = new HdfsConfiguration(); config.SetBoolean(DFSConfigKeys.DfsWebhdfsEnabledKey, true); config.SetLong(DFSConfigKeys.DfsNamenodeDelegationTokenMaxLifetimeKey, 10000); config.SetLong(DFSConfigKeys.DfsNamenodeDelegationTokenRenewIntervalKey, 5000); config.SetStrings(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey (RealUser), "group1"); config.SetBoolean(DFSConfigKeys.DfsNamenodeDelegationTokenAlwaysUseKey, true); ConfigureSuperUserIPAddresses(config, RealUser); FileSystem.SetDefaultUri(config, "hdfs://localhost:" + "0"); cluster = new MiniDFSCluster.Builder(config).Build(); cluster.WaitActive(); ProxyUsers.RefreshSuperUserGroupsConfiguration(config); ugi = UserGroupInformation.CreateRemoteUser(RealUser); proxyUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUser, ugi, GroupNames ); }
public virtual void TestIPRange() { Configuration conf = new Configuration(); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey (RealUserName), "*"); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey (RealUserName), ProxyIpRange); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf); // First try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (ProxyUserName, realUserUgi, GroupNames); // From good IP AssertAuthorized(proxyUserUgi, "10.222.0.0"); // From bad IP AssertNotAuthorized(proxyUserUgi, "10.221.0.0"); }
public virtual void TestRealUserIPAuthorizationFailure() { Configuration conf = new Configuration(); conf.SetStrings(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey (RealUserShortName), "20.20.20.20"); //Authorized IP address conf.SetStrings(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey (RealUserShortName), "group1"); Server server = new RPC.Builder(conf).SetProtocol(typeof(TestDoAsEffectiveUser.TestProtocol )).SetInstance(new TestDoAsEffectiveUser.TestImpl(this)).SetBindAddress(Address) .SetPort(0).SetNumHandlers(2).SetVerbose(false).Build(); RefreshConf(conf); try { server.Start(); IPEndPoint addr = NetUtils.GetConnectAddress(server); UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (ProxyUserName, realUserUgi, GroupNames); string retVal = proxyUserUgi.DoAs(new _PrivilegedExceptionAction_276(this, addr, conf)); NUnit.Framework.Assert.Fail("The RPC must have failed " + retVal); } catch (Exception e) { Runtime.PrintStackTrace(e); } finally { server.Stop(); if (proxy != null) { RPC.StopProxy(proxy); } } }
/// <exception cref="System.IO.IOException"/> internal virtual void ConnectToServerAndGetDelegationToken(Configuration conf, IPEndPoint addr) { MiniRPCBenchmark.MiniProtocol client = null; try { UserGroupInformation current = UserGroupInformation.GetCurrentUser(); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (MiniUser, current, GroupNames); try { client = proxyUserUgi.DoAs(new _PrivilegedExceptionAction_212(this, addr, conf)); } catch (Exception e) { NUnit.Framework.Assert.Fail(Arrays.ToString(e.GetStackTrace())); } } finally { RPC.StopProxy(client); } }
public virtual void TestNetgroups() { if (!NativeCodeLoader.IsNativeCodeLoaded()) { Log.Info("Not testing netgroups, " + "this test only runs when native code is compiled" ); return; } string groupMappingClassName = Runtime.GetProperty("TestProxyUsersGroupMapping"); if (groupMappingClassName == null) { Log.Info("Not testing netgroups, no group mapping class specified, " + "use -DTestProxyUsersGroupMapping=$className to specify " + "group mapping class (must implement GroupMappingServiceProvider " + "interface and support netgroups)" ); return; } Log.Info("Testing netgroups using: " + groupMappingClassName); Configuration conf = new Configuration(); conf.Set(CommonConfigurationKeysPublic.HadoopSecurityGroupMapping, groupMappingClassName ); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey (RealUserName), StringUtils.Join(",", Arrays.AsList(NetgroupNames))); conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey (RealUserName), ProxyIp); ProxyUsers.RefreshSuperUserGroupsConfiguration(conf); Groups groups = Groups.GetUserToGroupsMappingService(conf); // try proxying a group that's allowed UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (ProxyUserName, realUserUgi, Collections.ToArray(groups.GetGroups(ProxyUserName ), new string[groups.GetGroups(ProxyUserName).Count])); AssertAuthorized(proxyUserUgi, ProxyIp); }
public virtual void TestProxyWithToken() { Configuration conf = new Configuration(masterConf); TestSaslRPC.TestTokenSecretManager sm = new TestSaslRPC.TestTokenSecretManager(); SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos , conf); UserGroupInformation.SetConfiguration(conf); Server server = new RPC.Builder(conf).SetProtocol(typeof(TestDoAsEffectiveUser.TestProtocol )).SetInstance(new TestDoAsEffectiveUser.TestImpl(this)).SetBindAddress(Address) .SetPort(0).SetNumHandlers(5).SetVerbose(true).SetSecretManager(sm).Build(); server.Start(); UserGroupInformation current = UserGroupInformation.CreateRemoteUser(RealUserName ); IPEndPoint addr = NetUtils.GetConnectAddress(server); TestSaslRPC.TestTokenIdentifier tokenId = new TestSaslRPC.TestTokenIdentifier(new Org.Apache.Hadoop.IO.Text(current.GetUserName()), new Org.Apache.Hadoop.IO.Text( "SomeSuperUser")); Org.Apache.Hadoop.Security.Token.Token <TestSaslRPC.TestTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <TestSaslRPC.TestTokenIdentifier>(tokenId, sm); SecurityUtil.SetTokenService(token, addr); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (ProxyUserName, current, GroupNames); proxyUserUgi.AddToken(token); RefreshConf(conf); string retVal = proxyUserUgi.DoAs(new _PrivilegedExceptionAction_457(this, addr, conf, server)); //The user returned by server must be the one in the token. Assert.Equal(RealUserName + " (auth:TOKEN) via SomeSuperUser (auth:SIMPLE)" , retVal); }
/// <exception cref="System.IO.IOException"/> public virtual void TestRealUserAuthorizationSuccess() { Configuration conf = new Configuration(); ConfigureSuperUserIPAddresses(conf, RealUserShortName); conf.SetStrings(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey (RealUserShortName), "group1"); Server server = new RPC.Builder(conf).SetProtocol(typeof(TestDoAsEffectiveUser.TestProtocol )).SetInstance(new TestDoAsEffectiveUser.TestImpl(this)).SetBindAddress(Address) .SetPort(0).SetNumHandlers(2).SetVerbose(false).Build(); RefreshConf(conf); try { server.Start(); UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName ); CheckRemoteUgi(server, realUserUgi, conf); UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting (ProxyUserName, realUserUgi, GroupNames); CheckRemoteUgi(server, proxyUserUgi, conf); } catch (Exception e) { Runtime.PrintStackTrace(e); NUnit.Framework.Assert.Fail(); } finally { server.Stop(); if (proxy != null) { RPC.StopProxy(proxy); } } }