public virtual void TestCreateRemoteUser() { UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("user1"); Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple, ugi.GetAuthenticationMethod()); Assert.True(ugi.ToString().Contains("(auth:SIMPLE)")); ugi = UserGroupInformation.CreateRemoteUser("user1", SaslRpcServer.AuthMethod.Kerberos ); Assert.Equal(UserGroupInformation.AuthenticationMethod.Kerberos , ugi.GetAuthenticationMethod()); Assert.True(ugi.ToString().Contains("(auth:KERBEROS)")); }
private void CheckUgiFromToken(UserGroupInformation ugi) { if (ugi.GetRealUser() != null) { NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Proxy, ugi.GetAuthenticationMethod()); NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Token, ugi.GetRealUser().GetAuthenticationMethod()); } else { NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Token, ugi.GetAuthenticationMethod()); } }
public virtual void TestGetRealAuthenticationMethod() { UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("user1"); ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Simple); Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple, ugi.GetAuthenticationMethod()); Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple, ugi.GetRealAuthenticationMethod()); ugi = UserGroupInformation.CreateProxyUser("user2", ugi); Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy, ugi.GetAuthenticationMethod()); Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple, ugi.GetRealAuthenticationMethod()); }
/// <exception cref="System.Exception"/> public virtual void TestUGIAuthMethodInRealUser() { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); UserGroupInformation proxyUgi = UserGroupInformation.CreateProxyUser("proxy", ugi ); UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod .Kerberos; ugi.SetAuthenticationMethod(am); Assert.Equal(am, ugi.GetAuthenticationMethod()); Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy, proxyUgi.GetAuthenticationMethod()); Assert.Equal(am, UserGroupInformation.GetRealAuthenticationMethod (proxyUgi)); proxyUgi.DoAs(new _PrivilegedExceptionAction_690(am)); UserGroupInformation proxyUgi2 = new UserGroupInformation(proxyUgi.GetSubject()); proxyUgi2.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Proxy ); Assert.Equal(proxyUgi, proxyUgi2); // Equality should work if authMethod is null UserGroupInformation realugi = UserGroupInformation.GetCurrentUser(); UserGroupInformation proxyUgi3 = UserGroupInformation.CreateProxyUser("proxyAnother" , realugi); UserGroupInformation proxyUgi4 = new UserGroupInformation(proxyUgi3.GetSubject()); Assert.Equal(proxyUgi3, proxyUgi4); }
/// <exception cref="System.IO.IOException"/> private void TryLoginAuthenticationMethod(UserGroupInformation.AuthenticationMethod method, bool expectSuccess) { SecurityUtil.SetAuthenticationMethod(method, conf); UserGroupInformation.SetConfiguration(conf); // pick up changed auth UserGroupInformation ugi = null; Exception ex = null; try { ugi = UserGroupInformation.GetLoginUser(); } catch (Exception e) { ex = e; } if (expectSuccess) { NUnit.Framework.Assert.IsNotNull(ugi); Assert.Equal(method, ugi.GetAuthenticationMethod()); } else { NUnit.Framework.Assert.IsNotNull(ex); Assert.Equal(typeof(NotSupportedException), ex.GetType()); Assert.Equal(method + " login authentication is not supported" , ex.Message); } }
/// <exception cref="System.IO.IOException"/> private HttpURLConnection CreateConnection(Uri url, string method) { HttpURLConnection conn; try { // if current UGI is different from UGI at constructor time, behave as // proxyuser UserGroupInformation currentUgi = UserGroupInformation.GetCurrentUser(); string doAsUser = (currentUgi.GetAuthenticationMethod() == UserGroupInformation.AuthenticationMethod .Proxy) ? currentUgi.GetShortUserName() : null; // creating the HTTP connection using the current UGI at constructor time conn = actualUgi.DoAs(new _PrivilegedExceptionAction_478(this, url, doAsUser)); } catch (IOException ex) { throw; } catch (UndeclaredThrowableException ex) { throw new IOException(ex.GetUndeclaredThrowable()); } catch (Exception ex) { throw new IOException(ex); } conn.SetUseCaches(false); conn.SetRequestMethod(method); if (method.Equals(HttpPost) || method.Equals(HttpPut)) { conn.SetDoOutput(true); } conn = ConfigureConnection(conn); return(conn); }
public virtual void TestLogin() { string userPrincipal = Runtime.GetProperty("user.principal"); string userKeyTab = Runtime.GetProperty("user.keytab"); NUnit.Framework.Assert.IsNotNull("User principal was not specified", userPrincipal ); NUnit.Framework.Assert.IsNotNull("User keytab was not specified", userKeyTab); Configuration conf = new Configuration(); conf.Set(CommonConfigurationKeys.HadoopSecurityAuthentication, "kerberos"); UserGroupInformation.SetConfiguration(conf); UserGroupInformation ugi = UserGroupInformation.LoginUserFromKeytabAndReturnUGI(userPrincipal , userKeyTab); Assert.Equal(UserGroupInformation.AuthenticationMethod.Kerberos , ugi.GetAuthenticationMethod()); try { UserGroupInformation.LoginUserFromKeytabAndReturnUGI("*****@*****.**", userKeyTab ); NUnit.Framework.Assert.Fail("Login should have failed"); } catch (Exception ex) { Runtime.PrintStackTrace(ex); } }
public virtual void TestSecureNameNode() { MiniDFSCluster cluster = null; try { string nnPrincipal = Runtime.GetProperty("dfs.namenode.kerberos.principal"); string nnSpnegoPrincipal = Runtime.GetProperty("dfs.namenode.kerberos.internal.spnego.principal" ); string nnKeyTab = Runtime.GetProperty("dfs.namenode.keytab.file"); NUnit.Framework.Assert.IsNotNull("NameNode principal was not specified", nnPrincipal ); NUnit.Framework.Assert.IsNotNull("NameNode SPNEGO principal was not specified", nnSpnegoPrincipal ); NUnit.Framework.Assert.IsNotNull("NameNode keytab was not specified", nnKeyTab); Configuration conf = new HdfsConfiguration(); conf.Set(CommonConfigurationKeys.HadoopSecurityAuthentication, "kerberos"); conf.Set(DFSConfigKeys.DfsNamenodeKerberosPrincipalKey, nnPrincipal); conf.Set(DFSConfigKeys.DfsNamenodeKerberosInternalSpnegoPrincipalKey, nnSpnegoPrincipal ); conf.Set(DFSConfigKeys.DfsNamenodeKeytabFileKey, nnKeyTab); cluster = new MiniDFSCluster.Builder(conf).NumDataNodes(NumOfDatanodes).Build(); MiniDFSCluster clusterRef = cluster; cluster.WaitActive(); FileSystem fsForCurrentUser = cluster.GetFileSystem(); fsForCurrentUser.Mkdirs(new Path("/tmp")); fsForCurrentUser.SetPermission(new Path("/tmp"), new FsPermission((short)511)); // The user specified should not be a superuser string userPrincipal = Runtime.GetProperty("user.principal"); string userKeyTab = Runtime.GetProperty("user.keytab"); NUnit.Framework.Assert.IsNotNull("User principal was not specified", userPrincipal ); NUnit.Framework.Assert.IsNotNull("User keytab was not specified", userKeyTab); UserGroupInformation ugi = UserGroupInformation.LoginUserFromKeytabAndReturnUGI(userPrincipal , userKeyTab); FileSystem fs = ugi.DoAs(new _PrivilegedExceptionAction_105(clusterRef)); try { Path p = new Path("/users"); fs.Mkdirs(p); NUnit.Framework.Assert.Fail("User must not be allowed to write in /"); } catch (IOException) { } Path p_1 = new Path("/tmp/alpha"); fs.Mkdirs(p_1); NUnit.Framework.Assert.IsNotNull(fs.ListStatus(p_1)); NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Kerberos , ugi.GetAuthenticationMethod()); } finally { if (cluster != null) { cluster.Shutdown(); } } }
/// <exception cref="System.Exception"/> public virtual void TestUGIAuthMethod() { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod .Kerberos; ugi.SetAuthenticationMethod(am); Assert.Equal(am, ugi.GetAuthenticationMethod()); ugi.DoAs(new _PrivilegedExceptionAction_668(am)); }
public virtual void TestGetUserWithOwner() { TestDelegationToken.TestDelegationTokenIdentifier ident = new TestDelegationToken.TestDelegationTokenIdentifier (new Text("owner"), null, null); UserGroupInformation ugi = ident.GetUser(); NUnit.Framework.Assert.IsNull(ugi.GetRealUser()); Assert.Equal("owner", ugi.GetUserName()); Assert.Equal(UserGroupInformation.AuthenticationMethod.Token, ugi.GetAuthenticationMethod()); }
/// <exception cref="System.Exception"/> public virtual void TestTestAuthMethod() { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); // verify the reverse mappings works foreach (UserGroupInformation.AuthenticationMethod am in UserGroupInformation.AuthenticationMethod .Values()) { if (am.GetAuthMethod() != null) { ugi.SetAuthenticationMethod(am.GetAuthMethod()); Assert.Equal(am, ugi.GetAuthenticationMethod()); } } }
/// <exception cref="System.IO.IOException"/> public virtual Org.Apache.Hadoop.Security.Token.Token <object>[] AddDelegationTokens (string renewer, Credentials credentials) { Org.Apache.Hadoop.Security.Token.Token <object>[] tokens = null; Text dtService = GetDelegationTokenService(); Org.Apache.Hadoop.Security.Token.Token <object> token = credentials.GetToken(dtService ); if (token == null) { Uri url = CreateURL(null, null, null, null); DelegationTokenAuthenticatedURL authUrl = new DelegationTokenAuthenticatedURL(configurator ); try { // 'actualUGI' is the UGI of the user creating the client // It is possible that the creator of the KMSClientProvier // calls this method on behalf of a proxyUser (the doAsUser). // In which case this call has to be made as the proxy user. UserGroupInformation currentUgi = UserGroupInformation.GetCurrentUser(); string doAsUser = (currentUgi.GetAuthenticationMethod() == UserGroupInformation.AuthenticationMethod .Proxy) ? currentUgi.GetShortUserName() : null; token = actualUgi.DoAs(new _PrivilegedExceptionAction_870(authUrl, url, renewer, doAsUser)); // Not using the cached token here.. Creating a new token here // everytime. if (token != null) { credentials.AddToken(token.GetService(), token); tokens = new Org.Apache.Hadoop.Security.Token.Token <object>[] { token }; } else { throw new IOException("Got NULL as delegation token"); } } catch (Exception) { Thread.CurrentThread().Interrupt(); } catch (Exception e) { throw new IOException(e); } } return(tokens); }
public virtual void TestGetUserGroupInformation() { string userName = "******"; string currentUser = "******"; UserGroupInformation currentUserUgi = UserGroupInformation.CreateUserForTesting(currentUser , new string[0]); NfsConfiguration conf = new NfsConfiguration(); conf.Set(FileSystem.FsDefaultNameKey, "hdfs://localhost"); DFSClientCache cache = new DFSClientCache(conf); UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi ); Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName)); Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi)); Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod .Proxy)); }
public virtual void TestGetUserGroupInformationSecure() { string userName = "******"; string currentUser = "******"; NfsConfiguration conf = new NfsConfiguration(); UserGroupInformation currentUserUgi = UserGroupInformation.CreateRemoteUser(currentUser ); currentUserUgi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod. Kerberos); UserGroupInformation.SetLoginUser(currentUserUgi); DFSClientCache cache = new DFSClientCache(conf); UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi ); Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName)); Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi)); Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod .Proxy)); }
/// <exception cref="Javax.Servlet.ServletException"/> /// <exception cref="System.IO.IOException"/> protected override void DoGet(HttpServletRequest req, HttpServletResponse resp) { UserGroupInformation ugi = HttpUserGroupInformation.Get(); if (ugi != null) { string ret = "remoteuser="******":ugi=" + ugi.GetShortUserName (); if (ugi.GetAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.Proxy) { ret = "realugi=" + ugi.GetRealUser().GetShortUserName() + ":" + ret; } resp.SetStatus(HttpServletResponse.ScOk); resp.GetWriter().Write(ret); } else { resp.SetStatus(HttpServletResponse.ScInternalServerError); } }