/// <exception cref="System.Exception"/> public virtual void TestValidProxyUser() { UserGroupInformation ugi = UserGroupInformation.CreateProxyUser("u1", UserGroupInformation .GetLoginUser()); ugi.DoAs(new _PrivilegedExceptionAction_135(this)); }
/// <exception cref="System.IO.IOException"/> private void TryLoginAuthenticationMethod(UserGroupInformation.AuthenticationMethod method, bool expectSuccess) { SecurityUtil.SetAuthenticationMethod(method, conf); UserGroupInformation.SetConfiguration(conf); // pick up changed auth UserGroupInformation ugi = null; Exception ex = null; try { ugi = UserGroupInformation.GetLoginUser(); } catch (Exception e) { ex = e; } if (expectSuccess) { NUnit.Framework.Assert.IsNotNull(ugi); Assert.Equal(method, ugi.GetAuthenticationMethod()); } else { NUnit.Framework.Assert.IsNotNull(ex); Assert.Equal(typeof(NotSupportedException), ex.GetType()); Assert.Equal(method + " login authentication is not supported" , ex.Message); } }
/// <summary>Initializes the staging directory and returns the path.</summary> /// <remarks> /// Initializes the staging directory and returns the path. It also /// keeps track of all necessary ownership and permissions /// </remarks> /// <param name="cluster"/> /// <param name="conf"/> /// <exception cref="System.IO.IOException"/> /// <exception cref="System.Exception"/> public static Path GetStagingDir(Cluster cluster, Configuration conf) { Path stagingArea = cluster.GetStagingAreaDir(); FileSystem fs = stagingArea.GetFileSystem(conf); string realUser; string currentUser; UserGroupInformation ugi = UserGroupInformation.GetLoginUser(); realUser = ugi.GetShortUserName(); currentUser = UserGroupInformation.GetCurrentUser().GetShortUserName(); if (fs.Exists(stagingArea)) { FileStatus fsStatus = fs.GetFileStatus(stagingArea); string owner = fsStatus.GetOwner(); if (!(owner.Equals(currentUser) || owner.Equals(realUser))) { throw new IOException("The ownership on the staging directory " + stagingArea + " is not as expected. " + "It is owned by " + owner + ". The directory must " + "be owned by the submitter " + currentUser + " or " + "by " + realUser); } if (!fsStatus.GetPermission().Equals(JobDirPermission)) { Log.Info("Permissions on staging directory " + stagingArea + " are " + "incorrect: " + fsStatus.GetPermission() + ". Fixing permissions " + "to correct value " + JobDirPermission ); fs.SetPermission(stagingArea, JobDirPermission); } } else { fs.Mkdirs(stagingArea, new FsPermission(JobDirPermission)); } return(stagingArea); }
/// <exception cref="System.Exception"/> public Void Run() { // make sure it is not the same as the login user because we use the // same UGI object for every instantiation of the login user and you // won't run into the race condition otherwise Assert.AssertNotEquals(UserGroupInformation.GetLoginUser(), UserGroupInformation. GetCurrentUser()); TestUserGroupInformation.GetTokenThread thread = new TestUserGroupInformation.GetTokenThread (); try { thread.Start(); for (int i = 0; i < 100; i++) { Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> t = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token>(); Org.Mockito.Mockito.When(t.GetService()).ThenReturn(new Text("t" + i)); UserGroupInformation.GetCurrentUser().AddToken(t); NUnit.Framework.Assert.IsNull("ConcurrentModificationException encountered", thread .cme); } } catch (ConcurrentModificationException cme) { Runtime.PrintStackTrace(cme); NUnit.Framework.Assert.Fail("ConcurrentModificationException encountered"); } finally { thread.runThread = false; thread.Join(5 * 1000); } return(null); }
/// <exception cref="System.Exception"/> public virtual void ___testInvalidProxyUser() { UserGroupInformation ugi = UserGroupInformation.CreateProxyUser("u2", UserGroupInformation .GetLoginUser()); ugi.DoAs(new _PrivilegedExceptionAction_147(this)); }
public virtual void TestProxyUserFromEnvironment() { string proxyUser = "******"; Runtime.SetProperty(UserGroupInformation.HadoopProxyUser, proxyUser); UserGroupInformation ugi = UserGroupInformation.GetLoginUser(); Assert.Equal(proxyUser, ugi.GetUserName()); UserGroupInformation realUgi = ugi.GetRealUser(); NUnit.Framework.Assert.IsNotNull(realUgi); // get the expected real user name SystemProcess pp = Runtime.GetRuntime().Exec("whoami"); BufferedReader br = new BufferedReader(new InputStreamReader(pp.GetInputStream()) ); string realUser = br.ReadLine().Trim(); // On Windows domain joined machine, whoami returns the username // in the DOMAIN\\username format, so we trim the domain part before // the comparison. We don't have to special case for Windows // given that Unix systems do not allow slashes in usernames. int backslashIndex = realUser.IndexOf('\\'); if (backslashIndex != -1) { realUser = Runtime.Substring(realUser, backslashIndex + 1); } Assert.Equal(realUser, realUgi.GetUserName()); }
/// <exception cref="System.IO.IOException"/> private Org.Apache.Hadoop.Mapreduce.V2.App.Job.Job VerifyAndGetJob(JobId jobID, bool exceptionThrow) { UserGroupInformation loginUgi = null; Org.Apache.Hadoop.Mapreduce.V2.App.Job.Job job = null; try { loginUgi = UserGroupInformation.GetLoginUser(); job = loginUgi.DoAs(new _PrivilegedExceptionAction_205(this, jobID)); } catch (Exception e) { throw new IOException(e); } if (job == null && exceptionThrow) { throw new IOException("Unknown Job " + jobID); } if (job != null) { JobACL operation = JobACL.ViewJob; this.CheckAccess(job, operation); } return(job); }
/// <exception cref="System.IO.IOException"/> public virtual void TestSetLoginUser() { UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("test-user"); UserGroupInformation.SetLoginUser(ugi); Assert.Equal(ugi, UserGroupInformation.GetLoginUser()); }
/// <summary>Test that delegation tokens continue to work after the failover.</summary> /// <exception cref="System.IO.IOException"/> public virtual void TestDelegationTokensAfterFailover() { Configuration conf = new Configuration(); conf.SetBoolean(DFSConfigKeys.DfsNamenodeDelegationTokenAlwaysUseKey, true); MiniDFSCluster cluster = new MiniDFSCluster.Builder(conf).NnTopology(MiniDFSNNTopology .SimpleHATopology()).NumDataNodes(0).Build(); try { cluster.WaitActive(); cluster.TransitionToActive(0); NameNode nn1 = cluster.GetNameNode(0); NameNode nn2 = cluster.GetNameNode(1); string renewer = UserGroupInformation.GetLoginUser().GetUserName(); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = nn1.GetRpcServer ().GetDelegationToken(new Text(renewer)); Log.Info("Failing over to NN 1"); cluster.TransitionToStandby(0); cluster.TransitionToActive(1); nn2.GetRpcServer().RenewDelegationToken(token); nn2.GetRpcServer().CancelDelegationToken(token); token = nn2.GetRpcServer().GetDelegationToken(new Text(renewer)); NUnit.Framework.Assert.IsTrue(token != null); } finally { cluster.Shutdown(); } }
protected override string GetUserName() { try { return(UserGroupInformation.GetLoginUser().GetUserName()); } catch (IOException e) { throw new SecurityException("Failed to obtain current username", e); } }
/// <exception cref="System.Exception"/> protected override void ServiceStart() { if (UserGroupInformation.IsSecurityEnabled()) { loginUGI = UserGroupInformation.GetLoginUser(); } else { loginUGI = UserGroupInformation.GetCurrentUser(); } clientRpcServer.Start(); }
/// <summary>Coordinate a graceful failover to this node.</summary> /// <exception cref="ServiceFailedException">if the node fails to become active</exception> /// <exception cref="System.IO.IOException">some other error occurs</exception> /// <exception cref="Org.Apache.Hadoop.HA.ServiceFailedException"/> internal virtual void GracefulFailoverToYou() { try { UserGroupInformation.GetLoginUser().DoAs(new _PrivilegedExceptionAction_601(this) ); } catch (Exception e) { throw new IOException(e); } }
/// <summary>Request from graceful failover to cede active role.</summary> /// <remarks> /// Request from graceful failover to cede active role. Causes /// this ZKFC to transition its local node to standby, then quit /// the election for the specified period of time, after which it /// will rejoin iff it is healthy. /// </remarks> /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/> /// <exception cref="Org.Apache.Hadoop.HA.ServiceFailedException"/> /// <exception cref="System.IO.IOException"/> internal virtual void CedeActive(int millisToCede) { try { UserGroupInformation.GetLoginUser().DoAs(new _PrivilegedExceptionAction_547(this, millisToCede)); } catch (Exception e) { throw new IOException(e); } }
/// <exception cref="System.Exception"/> public virtual void TestLoginObjectInSubject() { UserGroupInformation loginUgi = UserGroupInformation.GetLoginUser(); UserGroupInformation anotherUgi = new UserGroupInformation(loginUgi.GetSubject()); LoginContext login1 = loginUgi.GetSubject().GetPrincipals <User>().GetEnumerator() .Next().GetLogin(); LoginContext login2 = anotherUgi.GetSubject().GetPrincipals <User>().GetEnumerator ().Next().GetLogin(); //login1 and login2 must be same instances Assert.True(login1 == login2); }
/// <exception cref="System.Exception"/> public virtual void TestLoginModuleCommit() { UserGroupInformation loginUgi = UserGroupInformation.GetLoginUser(); User user1 = loginUgi.GetSubject().GetPrincipals <User>().GetEnumerator().Next(); LoginContext login = user1.GetLogin(); login.Logout(); login.Login(); User user2 = loginUgi.GetSubject().GetPrincipals <User>().GetEnumerator().Next(); // user1 and user2 must be same instances. Assert.True(user1 == user2); }
public static void Init() { baseDir = new FilePath(Runtime.GetProperty("test.build.dir", "target/test-dir"), typeof(TestSecureNNWithQJM).Name); FileUtil.FullyDelete(baseDir); NUnit.Framework.Assert.IsTrue(baseDir.Mkdirs()); Properties kdcConf = MiniKdc.CreateConf(); kdc = new MiniKdc(kdcConf, baseDir); kdc.Start(); baseConf = new HdfsConfiguration(); SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos , baseConf); UserGroupInformation.SetConfiguration(baseConf); NUnit.Framework.Assert.IsTrue("Expected configuration to enable security", UserGroupInformation .IsSecurityEnabled()); string userName = UserGroupInformation.GetLoginUser().GetShortUserName(); FilePath keytabFile = new FilePath(baseDir, userName + ".keytab"); string keytab = keytabFile.GetAbsolutePath(); // Windows will not reverse name lookup "127.0.0.1" to "localhost". string krbInstance = Path.Windows ? "127.0.0.1" : "localhost"; kdc.CreatePrincipal(keytabFile, userName + "/" + krbInstance, "HTTP/" + krbInstance ); string hdfsPrincipal = userName + "/" + krbInstance + "@" + kdc.GetRealm(); string spnegoPrincipal = "HTTP/" + krbInstance + "@" + kdc.GetRealm(); baseConf.Set(DFSConfigKeys.DfsNamenodeKerberosPrincipalKey, hdfsPrincipal); baseConf.Set(DFSConfigKeys.DfsNamenodeKeytabFileKey, keytab); baseConf.Set(DFSConfigKeys.DfsDatanodeKerberosPrincipalKey, hdfsPrincipal); baseConf.Set(DFSConfigKeys.DfsDatanodeKeytabFileKey, keytab); baseConf.Set(DFSConfigKeys.DfsWebAuthenticationKerberosPrincipalKey, spnegoPrincipal ); baseConf.Set(DFSConfigKeys.DfsJournalnodeKeytabFileKey, keytab); baseConf.Set(DFSConfigKeys.DfsJournalnodeKerberosPrincipalKey, hdfsPrincipal); baseConf.Set(DFSConfigKeys.DfsJournalnodeKerberosInternalSpnegoPrincipalKey, spnegoPrincipal ); baseConf.SetBoolean(DFSConfigKeys.DfsBlockAccessTokenEnableKey, true); baseConf.Set(DFSConfigKeys.DfsDataTransferProtectionKey, "authentication"); baseConf.Set(DFSConfigKeys.DfsHttpPolicyKey, HttpConfig.Policy.HttpsOnly.ToString ()); baseConf.Set(DFSConfigKeys.DfsNamenodeHttpsAddressKey, "localhost:0"); baseConf.Set(DFSConfigKeys.DfsDatanodeHttpsAddressKey, "localhost:0"); baseConf.Set(DFSConfigKeys.DfsJournalnodeHttpsAddressKey, "localhost:0"); baseConf.SetInt(CommonConfigurationKeys.IpcClientConnectMaxRetriesOnSaslKey, 10); string keystoresDir = baseDir.GetAbsolutePath(); string sslConfDir = KeyStoreTestUtil.GetClasspathDir(typeof(TestSecureNNWithQJM)); KeyStoreTestUtil.SetupSSLConfig(keystoresDir, sslConfDir, baseConf, false); }
/// <exception cref="System.Exception"/> private void TestDelegationTokenWithinDoAs(Type fileSystemClass, bool proxyUser) { Configuration conf = new Configuration(); conf.Set("hadoop.security.authentication", "kerberos"); UserGroupInformation.SetConfiguration(conf); UserGroupInformation.LoginUserFromKeytab("client", "/Users/tucu/tucu.keytab"); UserGroupInformation ugi = UserGroupInformation.GetLoginUser(); if (proxyUser) { ugi = UserGroupInformation.CreateProxyUser("foo", ugi); } conf = new Configuration(); UserGroupInformation.SetConfiguration(conf); ugi.DoAs(new _PrivilegedExceptionAction_248(this, fileSystemClass)); }
/// <exception cref="System.IO.IOException"/> internal virtual void StartAll() { lock (this) { try { UserGroupInformation.GetLoginUser().DoAs(new _PrivilegedExceptionAction_128(this) ); } catch (Exception ex) { IOException ioe = new IOException(); Sharpen.Extensions.InitCause(ioe, ex.InnerException); throw ioe; } } }
public static void InitKdc() { baseDir = new FilePath(Runtime.GetProperty("test.build.dir", "target/test-dir"), typeof(SaslDataTransferTestCase).Name); FileUtil.FullyDelete(baseDir); NUnit.Framework.Assert.IsTrue(baseDir.Mkdirs()); Properties kdcConf = MiniKdc.CreateConf(); kdc = new MiniKdc(kdcConf, baseDir); kdc.Start(); string userName = UserGroupInformation.GetLoginUser().GetShortUserName(); FilePath keytabFile = new FilePath(baseDir, userName + ".keytab"); keytab = keytabFile.GetAbsolutePath(); kdc.CreatePrincipal(keytabFile, userName + "/localhost", "HTTP/localhost"); hdfsPrincipal = userName + "/localhost@" + kdc.GetRealm(); spnegoPrincipal = "HTTP/localhost@" + kdc.GetRealm(); }
public virtual void SetUp() { dfs = new MiniDFSCluster.Builder(conf).NumDataNodes(4).Build(); fs = DfsUgi.DoAs(new _PrivilegedExceptionAction_80(this)); // Home directories for users Mkdir(fs, "/user", "nobody", "nogroup", (short)0x3ff); Mkdir(fs, "/user/alice", "alice", "nogroup", (short)0x1ed); Mkdir(fs, "/user/bob", "bob", "nogroup", (short)0x1ed); // staging directory root with sticky bit UserGroupInformation MrUgi = UserGroupInformation.GetLoginUser(); Mkdir(fs, "/staging", MrUgi.GetShortUserName(), "nogroup", (short)0x3ff); JobConf mrConf = new JobConf(); mrConf.Set(JTConfig.JtStagingAreaRoot, "/staging"); mr = new MiniMRCluster(0, 0, 4, dfs.GetFileSystem().GetUri().ToString(), 1, null, null, MrUgi, mrConf); }
/// <exception cref="System.IO.IOException"/> /// <exception cref="Org.Apache.Hadoop.Security.AccessControlException"/> protected override void CheckRpcAdminAccess() { UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); UserGroupInformation zkfcUgi = UserGroupInformation.GetLoginUser(); if (adminAcl.IsUserAllowed(ugi) || ugi.GetShortUserName().Equals(zkfcUgi.GetShortUserName ())) { Log.Info("Allowed RPC access from " + ugi + " at " + Org.Apache.Hadoop.Ipc.Server .GetRemoteAddress()); return; } string msg = "Disallowed RPC access from " + ugi + " at " + Org.Apache.Hadoop.Ipc.Server .GetRemoteAddress() + ". Not listed in " + DFSConfigKeys.DfsAdmin; Log.Warn(msg); throw new AccessControlException(msg); }
// add a bunch of transactions. public virtual void Run() { FSEditLog editLog = namesystem.GetEditLog(); for (int i = 0; i < numTransactions; i++) { try { string renewer = UserGroupInformation.GetLoginUser().GetUserName(); Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = namesystem .GetDelegationToken(new Text(renewer)); namesystem.RenewDelegationToken(token); namesystem.CancelDelegationToken(token); editLog.LogSync(); } catch (IOException e) { System.Console.Out.WriteLine("Transaction " + i + " encountered exception " + e); } } }
public virtual void TestUGICredentialsPropogation() { Credentials creds = new Credentials(); Org.Apache.Hadoop.Security.Token.Token <object> token = Org.Mockito.Mockito.Mock <Org.Apache.Hadoop.Security.Token.Token >(); Text tokenService = new Text("service"); Text secretName = new Text("secret"); byte[] secret = new byte[] { }; creds.AddToken(tokenService, token); creds.AddSecretKey(secretName, secret); UserGroupInformation.GetLoginUser().AddCredentials(creds); JobConf jobConf = new JobConf(); Job job = new Job(jobConf); NUnit.Framework.Assert.AreSame(token, job.GetCredentials().GetToken(tokenService) ); NUnit.Framework.Assert.AreSame(secret, job.GetCredentials().GetSecretKey(secretName )); }
public virtual void TestUGILoginFromKeytab() { UserGroupInformation.SetShouldRenewImmediatelyForTests(true); string principal = "foo"; FilePath keytab = new FilePath(workDir, "foo.keytab"); kdc.CreatePrincipal(keytab, principal); UserGroupInformation.LoginUserFromKeytab(principal, keytab.GetPath()); UserGroupInformation ugi = UserGroupInformation.GetLoginUser(); Assert.True("UGI should be configured to login from keytab", ugi .IsFromKeytab()); // Verify relogin from keytab. User user = ugi.GetSubject().GetPrincipals <User>().GetEnumerator().Next(); long firstLogin = user.GetLastLogin(); ugi.ReloginFromKeytab(); long secondLogin = user.GetLastLogin(); Assert.True("User should have been able to relogin from keytab" , secondLogin > firstLogin); }
/// <summary>Perform the given action as the daemon's login user.</summary> /// <remarks> /// Perform the given action as the daemon's login user. If the login /// user cannot be determined, this will log a FATAL error and exit /// the whole JVM. /// </remarks> public static T DoAsLoginUserOrFatal <T>(PrivilegedAction <T> action) { if (UserGroupInformation.IsSecurityEnabled()) { UserGroupInformation ugi = null; try { ugi = UserGroupInformation.GetLoginUser(); } catch (IOException e) { Log.Fatal("Exception while getting login user", e); Runtime.PrintStackTrace(e); Runtime.GetRuntime().Exit(-1); } return(ugi.DoAs(action)); } else { return(action.Run()); } }
/// <summary>Test login method</summary> /// <exception cref="System.Exception"/> public virtual void TestLogin() { conf.Set(CommonConfigurationKeys.HadoopUserGroupMetricsPercentilesIntervals, PercentilesInterval .ToString()); UserGroupInformation.SetConfiguration(conf); // login from unix UserGroupInformation ugi = UserGroupInformation.GetCurrentUser(); Assert.Equal(UserGroupInformation.GetCurrentUser(), UserGroupInformation .GetLoginUser()); Assert.True(ugi.GetGroupNames().Length >= 1); VerifyGroupMetrics(1); // ensure that doAs works correctly UserGroupInformation userGroupInfo = UserGroupInformation.CreateUserForTesting(UserName , GroupNames); UserGroupInformation curUGI = userGroupInfo.DoAs(new _PrivilegedExceptionAction_185 ()); // make sure in the scope of the doAs, the right user is current Assert.Equal(curUGI, userGroupInfo); // make sure it is not the same as the login user NUnit.Framework.Assert.IsFalse(curUGI.Equals(UserGroupInformation.GetLoginUser()) ); }
/// <exception cref="System.IO.IOException"/> private NamenodeProtocol CreateNNProtocolProxy() { return(NameNodeProxies.CreateNonHAProxy <NamenodeProtocol>(GetConf(), otherIpcAddr , UserGroupInformation.GetLoginUser(), true).GetProxy()); }
/// <exception cref="System.IO.IOException"/> protected internal virtual bool IsValidRequestor(HttpServletRequest request, Configuration conf) { string remotePrincipal = request.GetUserPrincipal().GetName(); string remoteShortName = request.GetRemoteUser(); if (remotePrincipal == null) { // This really shouldn't happen... Log.Warn("Received null remoteUser while authorizing access to " + "GetJournalEditServlet" ); return(false); } if (Log.IsDebugEnabled()) { Log.Debug("Validating request made by " + remotePrincipal + " / " + remoteShortName + ". This user is: " + UserGroupInformation.GetLoginUser()); } ICollection <string> validRequestors = new HashSet <string>(); Sharpen.Collections.AddAll(validRequestors, DFSUtil.GetAllNnPrincipals(conf)); try { validRequestors.AddItem(SecurityUtil.GetServerPrincipal(conf.Get(DFSConfigKeys.DfsSecondaryNamenodeKerberosPrincipalKey ), SecondaryNameNode.GetHttpAddress(conf).GetHostName())); } catch (Exception e) { // Don't halt if SecondaryNameNode principal could not be added. Log.Debug("SecondaryNameNode principal could not be added", e); string msg = string.Format("SecondaryNameNode principal not considered, %s = %s, %s = %s" , DFSConfigKeys.DfsSecondaryNamenodeKerberosPrincipalKey, conf.Get(DFSConfigKeys .DfsSecondaryNamenodeKerberosPrincipalKey), DFSConfigKeys.DfsNamenodeSecondaryHttpAddressKey , conf.Get(DFSConfigKeys.DfsNamenodeSecondaryHttpAddressKey, DFSConfigKeys.DfsNamenodeSecondaryHttpAddressDefault )); Log.Warn(msg); } // Check the full principal name of all the configured valid requestors. foreach (string v in validRequestors) { if (Log.IsDebugEnabled()) { Log.Debug("isValidRequestor is comparing to valid requestor: " + v); } if (v != null && v.Equals(remotePrincipal)) { if (Log.IsDebugEnabled()) { Log.Debug("isValidRequestor is allowing: " + remotePrincipal); } return(true); } } // Additionally, we compare the short name of the requestor to this JN's // username, because we want to allow requests from other JNs during // recovery, but we can't enumerate the full list of JNs. if (remoteShortName.Equals(UserGroupInformation.GetLoginUser().GetShortUserName() )) { if (Log.IsDebugEnabled()) { Log.Debug("isValidRequestor is allowing other JN principal: " + remotePrincipal); } return(true); } if (Log.IsDebugEnabled()) { Log.Debug("isValidRequestor is rejecting: " + remotePrincipal); } return(false); }
public virtual void TestUserFromEnvironment() { Runtime.SetProperty(UserGroupInformation.HadoopUserName, "randomUser"); Assert.Equal("randomUser", UserGroupInformation.GetLoginUser() .GetUserName()); }
/// <exception cref="System.Exception"/> private static void SetupKDC() { if (!miniKDCStarted) { testMiniKDC.Start(); GetKdc().CreatePrincipal(httpSpnegoKeytabFile, "HTTP/localhost", "client", UserGroupInformation .GetLoginUser().GetShortUserName(), "client2"); miniKDCStarted = true; } }