/// <exception cref="System.Exception"/> private static void UploadEmptyContainerLogIntoRemoteDir(UserGroupInformation ugi , Configuration configuration, IList <string> rootLogDirs, NodeId nodeId, ContainerId containerId, Path appDir, FileSystem fs) { Path path = new Path(appDir, LogAggregationUtils.GetNodeString(nodeId) + Runtime. CurrentTimeMillis()); AggregatedLogFormat.LogWriter writer = new AggregatedLogFormat.LogWriter(configuration , path, ugi); writer.WriteApplicationOwner(ugi.GetUserName()); IDictionary <ApplicationAccessType, string> appAcls = new Dictionary <ApplicationAccessType , string>(); appAcls[ApplicationAccessType.ViewApp] = ugi.GetUserName(); writer.WriteApplicationACLs(appAcls); DataOutputStream @out = writer.GetWriter().PrepareAppendKey(-1); new AggregatedLogFormat.LogKey(containerId).Write(@out); @out.Close(); @out = writer.GetWriter().PrepareAppendValue(-1); new AggregatedLogFormat.LogValue(rootLogDirs, containerId, UserGroupInformation.GetCurrentUser ().GetShortUserName()).Write(@out, new HashSet <FilePath>()); @out.Close(); writer.Close(); }
/// <exception cref="System.Exception"/> private void WriteLog(Configuration configuration, string user) { ApplicationId appId = ApplicationIdPBImpl.NewInstance(0, 1); ApplicationAttemptId appAttemptId = ApplicationAttemptIdPBImpl.NewInstance(appId, 1); ContainerId containerId = ContainerIdPBImpl.NewContainerId(appAttemptId, 1); string path = "target/logs/" + user + "/logs/application_0_0001/localhost_1234"; FilePath f = new FilePath(path); if (!f.GetParentFile().Exists()) { NUnit.Framework.Assert.IsTrue(f.GetParentFile().Mkdirs()); } IList <string> rootLogDirs = Arrays.AsList("target/logs/logs"); UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); AggregatedLogFormat.LogWriter writer = new AggregatedLogFormat.LogWriter(configuration , new Path(path), ugi); writer.WriteApplicationOwner(ugi.GetUserName()); IDictionary <ApplicationAccessType, string> appAcls = new Dictionary <ApplicationAccessType , string>(); appAcls[ApplicationAccessType.ViewApp] = ugi.GetUserName(); writer.WriteApplicationACLs(appAcls); writer.Append(new AggregatedLogFormat.LogKey("container_0_0001_01_000001"), new AggregatedLogFormat.LogValue (rootLogDirs, containerId, UserGroupInformation.GetCurrentUser().GetShortUserName ())); writer.Close(); }
/// <exception cref="System.IO.IOException"/> public override FileStatus GetFileStatus(Path f) { CheckPathIsSlash(f); return(new FileStatus(0, true, 0, 0, creationTime, creationTime, Constants.Permission555 , ugi.GetUserName(), ugi.GetGroupNames()[0], new Path(theInternalDir.fullPath).MakeQualified (myUri, RootPath))); }
public virtual void TestExistingUser() { string actualOutput = RunTool(conf, new string[] { testUser1.GetUserName() }, true ); Assert.Equal("Show only the output of the user given", GetExpectedOutput (testUser1), actualOutput); }
//@Test (timeout = 60000) /// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> /// <exception cref="System.TypeLoadException"/> public virtual void TestSleepJobWithSecurityOn() { Log.Info("\n\n\nStarting testSleepJobWithSecurityOn()."); if (!(new FilePath(MiniMRYarnCluster.Appjar)).Exists()) { return; } mrCluster.GetConfig().Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication , "kerberos"); mrCluster.GetConfig().Set(YarnConfiguration.RmKeytab, "/etc/krb5.keytab"); mrCluster.GetConfig().Set(YarnConfiguration.NmKeytab, "/etc/krb5.keytab"); mrCluster.GetConfig().Set(YarnConfiguration.RmPrincipal, "rm/sightbusy-lx@LOCALHOST" ); mrCluster.GetConfig().Set(YarnConfiguration.NmPrincipal, "nm/sightbusy-lx@LOCALHOST" ); UserGroupInformation.SetConfiguration(mrCluster.GetConfig()); // Keep it in here instead of after RM/NM as multiple user logins happen in // the same JVM. UserGroupInformation user = UserGroupInformation.GetCurrentUser(); Log.Info("User name is " + user.GetUserName()); foreach (Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> str in user.GetTokens ()) { Log.Info("Token is " + str.EncodeToUrlString()); } user.DoAs(new _PrivilegedExceptionAction_552()); }
public virtual void TestProxyUserFromEnvironment() { string proxyUser = "******"; Runtime.SetProperty(UserGroupInformation.HadoopProxyUser, proxyUser); UserGroupInformation ugi = UserGroupInformation.GetLoginUser(); Assert.Equal(proxyUser, ugi.GetUserName()); UserGroupInformation realUgi = ugi.GetRealUser(); NUnit.Framework.Assert.IsNotNull(realUgi); // get the expected real user name SystemProcess pp = Runtime.GetRuntime().Exec("whoami"); BufferedReader br = new BufferedReader(new InputStreamReader(pp.GetInputStream()) ); string realUser = br.ReadLine().Trim(); // On Windows domain joined machine, whoami returns the username // in the DOMAIN\\username format, so we trim the domain part before // the comparison. We don't have to special case for Windows // given that Unix systems do not allow slashes in usernames. int backslashIndex = realUser.IndexOf('\\'); if (backslashIndex != -1) { realUser = Runtime.Substring(realUser, backslashIndex + 1); } Assert.Equal(realUser, realUgi.GetUserName()); }
public virtual void TestJobTokenRpc() { TaskUmbilicalProtocol mockTT = Org.Mockito.Mockito.Mock <TaskUmbilicalProtocol>(); Org.Mockito.Mockito.DoReturn(TaskUmbilicalProtocol.versionID).When(mockTT).GetProtocolVersion (Matchers.AnyString(), Matchers.AnyLong()); Org.Mockito.Mockito.DoReturn(ProtocolSignature.GetProtocolSignature(mockTT, typeof( TaskUmbilicalProtocol).FullName, TaskUmbilicalProtocol.versionID, 0)).When(mockTT ).GetProtocolSignature(Matchers.AnyString(), Matchers.AnyLong(), Matchers.AnyInt ()); JobTokenSecretManager sm = new JobTokenSecretManager(); Server server = new RPC.Builder(conf).SetProtocol(typeof(TaskUmbilicalProtocol)). SetInstance(mockTT).SetBindAddress(Address).SetPort(0).SetNumHandlers(5).SetVerbose (true).SetSecretManager(sm).Build(); server.Start(); UserGroupInformation current = UserGroupInformation.GetCurrentUser(); IPEndPoint addr = NetUtils.GetConnectAddress(server); string jobId = current.GetUserName(); JobTokenIdentifier tokenId = new JobTokenIdentifier(new Text(jobId)); Org.Apache.Hadoop.Security.Token.Token <JobTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <JobTokenIdentifier>(tokenId, sm); sm.AddTokenForJob(jobId, token); SecurityUtil.SetTokenService(token, addr); Log.Info("Service address for token is " + token.GetService()); current.AddToken(token); current.DoAs(new _PrivilegedExceptionAction_110(addr, server)); }
public virtual void TestRefreshSuperUserGroups() { UserGroupInformation ugi = Org.Mockito.Mockito.Mock <UserGroupInformation>(); UserGroupInformation superUser = Org.Mockito.Mockito.Mock <UserGroupInformation>(); Org.Mockito.Mockito.When(ugi.GetRealUser()).ThenReturn(superUser); Org.Mockito.Mockito.When(superUser.GetShortUserName()).ThenReturn("superuser"); Org.Mockito.Mockito.When(superUser.GetUserName()).ThenReturn("superuser"); Org.Mockito.Mockito.When(ugi.GetGroupNames()).ThenReturn(new string[] { "group3" } ); Org.Mockito.Mockito.When(ugi.GetUserName()).ThenReturn("regularUser"); // Set super user groups not to include groups of regularUser conf.Set("hadoop.proxyuser.superuser.groups", "group1,group2"); conf.Set("hadoop.proxyuser.superuser.hosts", "127.0.0.1"); string[] args = new string[1]; args[0] = "-refreshSuperUserGroupsConfiguration"; hsAdminClient.Run(args); Exception th = null; try { ProxyUsers.Authorize(ugi, "127.0.0.1"); } catch (Exception e) { th = e; } // Exception should be thrown NUnit.Framework.Assert.IsTrue(th is AuthorizationException); // Now add regularUser group to superuser group but not execute // refreshSuperUserGroupMapping conf.Set("hadoop.proxyuser.superuser.groups", "group1,group2,group3"); // Again,lets run ProxyUsers.authorize and see if regularUser can be // impersonated // resetting th th = null; try { ProxyUsers.Authorize(ugi, "127.0.0.1"); } catch (Exception e) { th = e; } // Exception should be thrown again since we didn't refresh the configs NUnit.Framework.Assert.IsTrue(th is AuthorizationException); // Lets refresh the config by running refreshSuperUserGroupsConfiguration hsAdminClient.Run(args); th = null; try { ProxyUsers.Authorize(ugi, "127.0.0.1"); } catch (Exception e) { th = e; } // No exception thrown since regularUser can be impersonated. NUnit.Framework.Assert.IsNull("Unexpected exception thrown: " + th, th); }
/// <exception cref="System.IO.IOException"/> public virtual GetDelegationTokenResponse GetDelegationToken(GetDelegationTokenRequest request) { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); // Verify that the connection is kerberos authenticated if (!this.IsAllowedDelegationTokenOp()) { throw new IOException("Delegation Token can be issued only with kerberos authentication" ); } GetDelegationTokenResponse response = this.recordFactory.NewRecordInstance <GetDelegationTokenResponse >(); string user = ugi.GetUserName(); Text owner = new Text(user); Text realUser = null; if (ugi.GetRealUser() != null) { realUser = new Text(ugi.GetRealUser().GetUserName()); } MRDelegationTokenIdentifier tokenIdentifier = new MRDelegationTokenIdentifier(owner , new Text(request.GetRenewer()), realUser); Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> realJHSToken = new Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdentifier , this._enclosing.jhsDTSecretManager); Org.Apache.Hadoop.Yarn.Api.Records.Token mrDToken = Org.Apache.Hadoop.Yarn.Api.Records.Token .NewInstance(realJHSToken.GetIdentifier(), realJHSToken.GetKind().ToString(), realJHSToken .GetPassword(), realJHSToken.GetService().ToString()); response.SetDelegationToken(mrDToken); return(response); }
public virtual void TestDelegationTokenRpc() { ClientProtocol mockNN = Org.Mockito.Mockito.Mock <ClientProtocol>(); FSNamesystem mockNameSys = Org.Mockito.Mockito.Mock <FSNamesystem>(); DelegationTokenSecretManager sm = new DelegationTokenSecretManager(DFSConfigKeys. DfsNamenodeDelegationKeyUpdateIntervalDefault, DFSConfigKeys.DfsNamenodeDelegationKeyUpdateIntervalDefault , DFSConfigKeys.DfsNamenodeDelegationTokenMaxLifetimeDefault, 3600000, mockNameSys ); sm.StartThreads(); Org.Apache.Hadoop.Ipc.Server server = new RPC.Builder(conf).SetProtocol(typeof(ClientProtocol )).SetInstance(mockNN).SetBindAddress(Address).SetPort(0).SetNumHandlers(5).SetVerbose (true).SetSecretManager(sm).Build(); server.Start(); UserGroupInformation current = UserGroupInformation.GetCurrentUser(); IPEndPoint addr = NetUtils.GetConnectAddress(server); string user = current.GetUserName(); Text owner = new Text(user); DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(owner, owner, null ); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier>(dtId, sm); SecurityUtil.SetTokenService(token, addr); Log.Info("Service for token is " + token.GetService()); current.AddToken(token); current.DoAs(new _PrivilegedExceptionAction_100(addr, server)); }
/// <summary> /// Authenticates a request looking for the <code>delegation</code> /// query-string parameter and verifying it is a valid token. /// </summary> /// <remarks> /// Authenticates a request looking for the <code>delegation</code> /// query-string parameter and verifying it is a valid token. If there is not /// <code>delegation</code> query-string parameter, it delegates the /// authentication to the /// <see cref="Org.Apache.Hadoop.Security.Authentication.Server.KerberosAuthenticationHandler /// "/> /// unless it is /// disabled. /// </remarks> /// <param name="request">the HTTP client request.</param> /// <param name="response">the HTTP client response.</param> /// <returns>the authentication token for the authenticated request.</returns> /// <exception cref="System.IO.IOException">thrown if an IO error occurred.</exception> /// <exception cref="Org.Apache.Hadoop.Security.Authentication.Client.AuthenticationException /// ">thrown if the authentication failed.</exception> public override AuthenticationToken Authenticate(HttpServletRequest request, HttpServletResponse response) { AuthenticationToken token; string delegationParam = GetDelegationToken(request); if (delegationParam != null) { try { Org.Apache.Hadoop.Security.Token.Token <AbstractDelegationTokenIdentifier> dt = new Org.Apache.Hadoop.Security.Token.Token(); dt.DecodeFromUrlString(delegationParam); UserGroupInformation ugi = tokenManager.VerifyToken(dt); string shortName = ugi.GetShortUserName(); // creating a ephemeral token token = new AuthenticationToken(shortName, ugi.GetUserName(), GetType()); token.SetExpires(0); request.SetAttribute(DelegationTokenUgiAttribute, ugi); } catch (Exception ex) { token = null; HttpExceptionUtils.CreateServletExceptionResponse(response, HttpServletResponse.ScForbidden , new AuthenticationException(ex)); } } else { token = authHandler.Authenticate(request, response); } return(token); }
/// <summary> /// This method creates the connection context using exactly the same logic /// as the old connection context as was done for writable where /// the effective and real users are set based on the auth method. /// </summary> public static IpcConnectionContextProtos.IpcConnectionContextProto MakeIpcConnectionContext (string protocol, UserGroupInformation ugi, SaslRpcServer.AuthMethod authMethod) { IpcConnectionContextProtos.IpcConnectionContextProto.Builder result = IpcConnectionContextProtos.IpcConnectionContextProto .NewBuilder(); if (protocol != null) { result.SetProtocol(protocol); } IpcConnectionContextProtos.UserInformationProto.Builder ugiProto = IpcConnectionContextProtos.UserInformationProto .NewBuilder(); if (ugi != null) { /* * In the connection context we send only additional user info that * is not derived from the authentication done during connection setup. */ if (authMethod == SaslRpcServer.AuthMethod.Kerberos) { // Real user was established as part of the connection. // Send effective user only. ugiProto.SetEffectiveUser(ugi.GetUserName()); } else { if (authMethod == SaslRpcServer.AuthMethod.Token) { } else { // With token, the connection itself establishes // both real and effective user. Hence send none in header. // Simple authentication // No user info is established as part of the connection. // Send both effective user and real user ugiProto.SetEffectiveUser(ugi.GetUserName()); if (ugi.GetRealUser() != null) { ugiProto.SetRealUser(ugi.GetRealUser().GetUserName()); } } } } result.SetUserInfo(ugiProto); return((IpcConnectionContextProtos.IpcConnectionContextProto)result.Build()); }
/// <exception cref="System.Exception"/> public virtual void TestGettingGroups() { UserGroupInformation uugi = UserGroupInformation.CreateUserForTesting(UserName, GroupNames ); Assert.Equal(UserName, uugi.GetUserName()); Assert.AssertArrayEquals(new string[] { Group1Name, Group2Name, Group3Name }, uugi .GetGroupNames()); }
private void TestConstructorSuccess(string principal, string shortName) { UserGroupInformation ugi = UserGroupInformation.CreateUserForTesting(principal, GroupNames ); // make sure the short and full user names are correct Assert.Equal(principal, ugi.GetUserName()); Assert.Equal(shortName, ugi.GetShortUserName()); }
private Schedulable MockCall(string id) { Schedulable mockCall = Org.Mockito.Mockito.Mock <Schedulable>(); UserGroupInformation ugi = Org.Mockito.Mockito.Mock <UserGroupInformation>(); Org.Mockito.Mockito.When(ugi.GetUserName()).ThenReturn(id); Org.Mockito.Mockito.When(mockCall.GetUserGroupInformation()).ThenReturn(ugi); return(mockCall); }
private static string GetExpectedOutput(UserGroupInformation user) { string expectedOutput = user.GetUserName() + " :"; foreach (string group in user.GetGroupNames()) { expectedOutput += " " + group; } return(expectedOutput + Runtime.GetProperty("line.separator")); }
public virtual string MakeIdentity(Schedulable obj) { UserGroupInformation ugi = obj.GetUserGroupInformation(); if (ugi == null) { return(null); } return(ugi.GetUserName()); }
public virtual SaslServer Create(Server.Connection connection, IDictionary <string , object> saslProperties, SecretManager <TokenIdentifier> secretManager) { UserGroupInformation ugi = null; CallbackHandler callback; switch (authMethod) { case SaslRpcServer.AuthMethod.Token: { callback = new SaslRpcServer.SaslDigestCallbackHandler(secretManager, connection); break; } case SaslRpcServer.AuthMethod.Kerberos: { ugi = UserGroupInformation.GetCurrentUser(); if (serverId.IsEmpty()) { throw new AccessControlException("Kerberos principal name does NOT have the expected " + "hostname part: " + ugi.GetUserName()); } callback = new SaslRpcServer.SaslGssCallbackHandler(); break; } default: { // we should never be able to get here throw new AccessControlException("Server does not support SASL " + authMethod); } } SaslServer saslServer; if (ugi != null) { saslServer = ugi.DoAs(new _PrivilegedExceptionAction_159(this, saslProperties, callback )); } else { saslServer = saslFactory.CreateSaslServer(mechanism, protocol, serverId, saslProperties , callback); } if (saslServer == null) { throw new AccessControlException("Unable to find SASL server implementation for " + mechanism); } if (Log.IsDebugEnabled()) { Log.Debug("Created SASL server with mechanism = " + mechanism); } return(saslServer); }
public virtual void TestGetUserWithOwner() { TestDelegationToken.TestDelegationTokenIdentifier ident = new TestDelegationToken.TestDelegationTokenIdentifier (new Text("owner"), null, null); UserGroupInformation ugi = ident.GetUser(); NUnit.Framework.Assert.IsNull(ugi.GetRealUser()); Assert.Equal("owner", ugi.GetUserName()); Assert.Equal(UserGroupInformation.AuthenticationMethod.Token, ugi.GetAuthenticationMethod()); }
/// <summary> /// Authorize a user (superuser) to impersonate another user (user1) if the /// superuser belongs to the group "sudo_user1" . /// </summary> /// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/> public virtual void Authorize(UserGroupInformation user, string remoteAddress) { UserGroupInformation superUser = user.GetRealUser(); string sudoGroupName = "sudo_" + user.GetShortUserName(); if (!Arrays.AsList(superUser.GetGroupNames()).Contains(sudoGroupName)) { throw new AuthorizationException("User: "******" is not allowed to impersonate " + user.GetUserName()); } }
public virtual void TestUserIdentityProvider() { UserIdentityProvider uip = new UserIdentityProvider(); string identity = uip.MakeIdentity(new TestIdentityProviders.FakeSchedulable(this )); // Get our username UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); string username = ugi.GetUserName(); Assert.Equal(username, identity); }
public virtual void TestRefreshUserToGroupsMappingsWithFileSystemBasedConfigurationProvider () { configuration.Set(YarnConfiguration.RmConfigurationProviderClass, "org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider" ); string[] defaultTestUserGroups = new string[] { "dummy_group1", "dummy_group2" }; UserGroupInformation ugi = UserGroupInformation.CreateUserForTesting("dummyUser", defaultTestUserGroups); string user = ugi.GetUserName(); IList <string> groupWithInit = new AList <string>(2); for (int i = 0; i < ugi.GetGroupNames().Length; i++) { groupWithInit.AddItem(ugi.GetGroupNames()[i]); } // upload default configurations UploadDefaultConfiguration(); Configuration conf = new Configuration(); conf.SetClass(CommonConfigurationKeys.HadoopSecurityGroupMapping, typeof(TestRMAdminService.MockUnixGroupsMapping ), typeof(GroupMappingServiceProvider)); UploadConfiguration(conf, "core-site.xml"); try { rm = new MockRM(configuration); rm.Init(configuration); rm.Start(); } catch (Exception) { NUnit.Framework.Assert.Fail("Should not get any exceptions"); } // Make sure RM will use the updated GroupMappingServiceProvider IList <string> groupBefore = new AList <string>(Groups.GetUserToGroupsMappingService (configuration).GetGroups(user)); NUnit.Framework.Assert.IsTrue(groupBefore.Contains("test_group_A") && groupBefore .Contains("test_group_B") && groupBefore.Contains("test_group_C") && groupBefore .Count == 3); NUnit.Framework.Assert.IsTrue(groupWithInit.Count != groupBefore.Count); NUnit.Framework.Assert.IsFalse(groupWithInit.Contains("test_group_A") || groupWithInit .Contains("test_group_B") || groupWithInit.Contains("test_group_C")); // update the groups TestRMAdminService.MockUnixGroupsMapping.UpdateGroups(); rm.adminService.RefreshUserToGroupsMappings(RefreshUserToGroupsMappingsRequest.NewInstance ()); IList <string> groupAfter = Groups.GetUserToGroupsMappingService(configuration).GetGroups (user); // should get the updated groups NUnit.Framework.Assert.IsTrue(groupAfter.Contains("test_group_D") && groupAfter.Contains ("test_group_E") && groupAfter.Contains("test_group_F") && groupAfter.Count == 3 ); }
/// <exception cref="System.Exception"/> public virtual void TestGetUGIFromSubject() { KerberosPrincipal p = new KerberosPrincipal("guest"); Subject subject = new Subject(); subject.GetPrincipals().AddItem(p); UserGroupInformation ugi = UserGroupInformation.GetUGIFromSubject(subject); NUnit.Framework.Assert.IsNotNull(ugi); Assert.Equal("*****@*****.**", ugi.GetUserName()); }
public virtual void TestInternalGetAclStatus() { UserGroupInformation currentUser = UserGroupInformation.GetCurrentUser(); AclStatus aclStatus = fsView.GetAclStatus(new Path("/internalDir")); Assert.Equal(aclStatus.GetOwner(), currentUser.GetUserName()); Assert.Equal(aclStatus.GetGroup(), currentUser.GetGroupNames() [0]); Assert.Equal(aclStatus.GetEntries(), AclUtil.GetMinimalAcl(Constants .Permission555)); NUnit.Framework.Assert.IsFalse(aclStatus.IsStickyBit()); }
public virtual void SetUpUsers() { // Make sure the current user's info is in the list of test users. UserGroupInformation currentUser = UserGroupInformation.GetCurrentUser(); UserGroupInformation.CreateUserForTesting(currentUser.GetUserName(), currentUser. GetGroupNames()); testUser1 = UserGroupInformation.CreateUserForTesting("foo", new string[] { "bar" , "baz" }); testUser2 = UserGroupInformation.CreateUserForTesting("fiz", new string[] { "buz" , "boz" }); }
// Expected /// <exception cref="System.IO.IOException"/> public virtual void TestDanglingLink() { Assume.AssumeTrue(!Path.Windows); Path fileAbs = new Path(TestBaseDir1() + "/file"); Path fileQual = new Path(TestURI().ToString(), fileAbs); Path link = new Path(TestBaseDir1() + "/linkToFile"); Path linkQual = new Path(TestURI().ToString(), link.ToString()); wrapper.CreateSymlink(fileAbs, link, false); // Deleting the link using FileContext currently fails because // resolve looks up LocalFs rather than RawLocalFs for the path // so we call ChecksumFs delete (which doesn't delete dangling // links) instead of delegating to delete in RawLocalFileSystem // which deletes via fullyDelete. testDeleteLink above works // because the link is not dangling. //assertTrue(fc.delete(link, false)); FileUtil.FullyDelete(new FilePath(link.ToUri().GetPath())); wrapper.CreateSymlink(fileAbs, link, false); try { wrapper.GetFileStatus(link); NUnit.Framework.Assert.Fail("Got FileStatus for dangling link"); } catch (FileNotFoundException) { } // Expected. File's exists method returns false for dangling links // We can stat a dangling link UserGroupInformation user = UserGroupInformation.GetCurrentUser(); FileStatus fsd = wrapper.GetFileLinkStatus(link); Assert.Equal(fileQual, fsd.GetSymlink()); Assert.True(fsd.IsSymlink()); NUnit.Framework.Assert.IsFalse(fsd.IsDirectory()); Assert.Equal(user.GetUserName(), fsd.GetOwner()); // Compare against user's primary group Assert.Equal(user.GetGroupNames()[0], fsd.GetGroup()); Assert.Equal(linkQual, fsd.GetPath()); // Accessing the link try { ReadFile(link); NUnit.Framework.Assert.Fail("Got FileStatus for dangling link"); } catch (FileNotFoundException) { } // Ditto. // Creating the file makes the link work CreateAndWriteFile(fileAbs); wrapper.GetFileStatus(link); }
// For each class, first ACL in the array specifies the allowed entries // and second ACL specifies blocked entries. // For each class, first MachineList in the array specifies the allowed entries // and second MachineList specifies blocked entries. /// <summary>Authorize the user to access the protocol being used.</summary> /// <param name="user">user accessing the service</param> /// <param name="protocol">service being accessed</param> /// <param name="conf">configuration to use</param> /// <param name="addr">InetAddress of the client</param> /// <exception cref="AuthorizationException">on authorization failure</exception> /// <exception cref="Org.Apache.Hadoop.Security.Authorize.AuthorizationException"/> public virtual void Authorize(UserGroupInformation user, Type protocol, Configuration conf, IPAddress addr) { AccessControlList[] acls = protocolToAcls[protocol]; MachineList[] hosts = protocolToMachineLists[protocol]; if (acls == null || hosts == null) { throw new AuthorizationException("Protocol " + protocol + " is not known."); } // get client principal key to verify (if available) KerberosInfo krbInfo = SecurityUtil.GetKerberosInfo(protocol, conf); string clientPrincipal = null; if (krbInfo != null) { string clientKey = krbInfo.ClientPrincipal(); if (clientKey != null && !clientKey.IsEmpty()) { try { clientPrincipal = SecurityUtil.GetServerPrincipal(conf.Get(clientKey), addr); } catch (IOException e) { throw (AuthorizationException)Extensions.InitCause(new AuthorizationException ("Can't figure out Kerberos principal name for connection from " + addr + " for user="******" protocol=" + protocol), e); } } } if ((clientPrincipal != null && !clientPrincipal.Equals(user.GetUserName())) || acls .Length != 2 || !acls[0].IsUserAllowed(user) || acls[1].IsUserAllowed(user)) { Auditlog.Warn(AuthzFailedFor + user + " for protocol=" + protocol + ", expected client Kerberos principal is " + clientPrincipal); throw new AuthorizationException("User " + user + " is not authorized for protocol " + protocol + ", expected client Kerberos principal is " + clientPrincipal); } if (addr != null) { string hostAddress = addr.GetHostAddress(); if (hosts.Length != 2 || !hosts[0].Includes(hostAddress) || hosts[1].Includes(hostAddress )) { Auditlog.Warn(AuthzFailedFor + " for protocol=" + protocol + " from host = " + hostAddress ); throw new AuthorizationException("Host " + hostAddress + " is not authorized for protocol " + protocol); } } Auditlog.Info(AuthzSuccessfulFor + user + " for protocol=" + protocol); }
/// <summary>Create an ACL For a user.</summary> /// <param name="ugi">User identity</param> /// <returns> /// the ACL For the specified user. Ifthe username doesn't end /// in "@" then the realm is added /// </returns> public virtual ACL CreateACLForUser(UserGroupInformation ugi, int perms) { if (Log.IsDebugEnabled()) { Log.Debug("Creating ACL For ", new RegistrySecurity.UgiInfo(ugi)); } if (!secureRegistry) { return(AllReadwriteAccess); } else { return(CreateACLfromUsername(ugi.GetUserName(), perms)); } }
public override string ToString() { if (ugi == null) { return("(null ugi)"); } StringBuilder builder = new StringBuilder(); builder.Append(ugi.GetUserName()).Append(": "); builder.Append(ugi.ToString()); builder.Append(" hasKerberosCredentials=").Append(ugi.HasKerberosCredentials()); builder.Append(" isFromKeytab=").Append(ugi.IsFromKeytab()); builder.Append(" kerberos is enabled in Hadoop =").Append(UserGroupInformation.IsSecurityEnabled ()); return(builder.ToString()); }
public virtual void TestGetUserGroupInformation() { string userName = "******"; string currentUser = "******"; UserGroupInformation currentUserUgi = UserGroupInformation.CreateUserForTesting(currentUser , new string[0]); NfsConfiguration conf = new NfsConfiguration(); conf.Set(FileSystem.FsDefaultNameKey, "hdfs://localhost"); DFSClientCache cache = new DFSClientCache(conf); UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi ); Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName)); Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi)); Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod .Proxy)); }