public virtual void TestGetNonProxyUgi()
{
conf.Set(DFSConfigKeys.FsDefaultNameKey, "hdfs://localhost:4321/");
ServletContext context = Org.Mockito.Mockito.Mock <ServletContext>();
string realUser = "******";
string user = "******";
conf.Set(DFSConfigKeys.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
UserGroupInformation ugi;
HttpServletRequest request;
// have to be auth-ed with remote user
request = GetMockRequest(null, null, null);
try
{
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad request allowed");
}
catch (IOException ioe)
{
NUnit.Framework.Assert.AreEqual("Security enabled but user not authenticated by filter"
, ioe.Message);
}
request = GetMockRequest(null, realUser, null);
try
{
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad request allowed");
}
catch (IOException ioe)
{
NUnit.Framework.Assert.AreEqual("Security enabled but user not authenticated by filter"
, ioe.Message);
}
// ugi for remote user
request = GetMockRequest(realUser, null, null);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), realUser);
CheckUgiFromAuth(ugi);
// ugi for remote user = real user
request = GetMockRequest(realUser, realUser, null);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), realUser);
CheckUgiFromAuth(ugi);
// ugi for remote user != real user
request = GetMockRequest(realUser, user, null);
try
{
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad request allowed");
}
catch (IOException ioe)
{
NUnit.Framework.Assert.AreEqual("Usernames not matched: name=" + user + " != expected="
+ realUser, ioe.Message);
}
}
/// <exception cref="System.IO.IOException"/>
private void VerifyServiceInToken(ServletContext context, HttpServletRequest request
, string expected)
{
UserGroupInformation ugi = JspHelper.GetUGI(context, request, conf);
Org.Apache.Hadoop.Security.Token.Token <TokenIdentifier> tokenInUgi = ugi.GetTokens
().GetEnumerator().Next();
NUnit.Framework.Assert.AreEqual(expected, tokenInUgi.GetService().ToString());
}
private string GetRemoteAddr(string clientAddr, string proxyAddr, bool trusted)
{
HttpServletRequest req = Org.Mockito.Mockito.Mock <HttpServletRequest>();
Org.Mockito.Mockito.When(req.GetRemoteAddr()).ThenReturn("1.2.3.4");
Configuration conf = new Configuration();
if (proxyAddr == null)
{
Org.Mockito.Mockito.When(req.GetRemoteAddr()).ThenReturn(clientAddr);
}
else
{
Org.Mockito.Mockito.When(req.GetRemoteAddr()).ThenReturn(proxyAddr);
Org.Mockito.Mockito.When(req.GetHeader("X-Forwarded-For")).ThenReturn(clientAddr);
if (trusted)
{
conf.Set(ProxyServers.ConfHadoopProxyservers, proxyAddr);
}
}
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
return(JspHelper.GetRemoteAddr(req));
}
public virtual void TestGetProxyUgi()
{
conf.Set(DFSConfigKeys.FsDefaultNameKey, "hdfs://localhost:4321/");
ServletContext context = Org.Mockito.Mockito.Mock <ServletContext>();
string realUser = "******";
string user = "******";
conf.Set(DFSConfigKeys.HadoopSecurityAuthentication, "kerberos");
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(realUser), "*");
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(realUser), "*");
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
UserGroupInformation.SetConfiguration(conf);
UserGroupInformation ugi;
HttpServletRequest request;
// have to be auth-ed with remote user
request = GetMockRequest(null, null, user);
try
{
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad request allowed");
}
catch (IOException ioe)
{
NUnit.Framework.Assert.AreEqual("Security enabled but user not authenticated by filter"
, ioe.Message);
}
request = GetMockRequest(null, realUser, user);
try
{
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad request allowed");
}
catch (IOException ioe)
{
NUnit.Framework.Assert.AreEqual("Security enabled but user not authenticated by filter"
, ioe.Message);
}
// proxy ugi for user via remote user
request = GetMockRequest(realUser, null, user);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
CheckUgiFromAuth(ugi);
// proxy ugi for user vi a remote user = real user
request = GetMockRequest(realUser, realUser, user);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
CheckUgiFromAuth(ugi);
// proxy ugi for user via remote user != real user
request = GetMockRequest(realUser, user, user);
try
{
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad request allowed");
}
catch (IOException ioe)
{
NUnit.Framework.Assert.AreEqual("Usernames not matched: name=" + user + " != expected="
+ realUser, ioe.Message);
}
// try to get get a proxy user with unauthorized user
try
{
request = GetMockRequest(user, null, realUser);
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad proxy request allowed");
}
catch (AuthorizationException ae)
{
NUnit.Framework.Assert.AreEqual("User: "******" is not allowed to impersonate "
+ realUser, ae.Message);
}
try
{
request = GetMockRequest(user, user, realUser);
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad proxy request allowed");
}
catch (AuthorizationException ae)
{
NUnit.Framework.Assert.AreEqual("User: "******" is not allowed to impersonate "
+ realUser, ae.Message);
}
}
public virtual void TestGetUgiFromToken()
{
conf.Set(DFSConfigKeys.FsDefaultNameKey, "hdfs://localhost:4321/");
ServletContext context = Org.Mockito.Mockito.Mock <ServletContext>();
string realUser = "******";
string user = "******";
conf.Set(DFSConfigKeys.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
UserGroupInformation ugi;
HttpServletRequest request;
Text ownerText = new Text(user);
DelegationTokenIdentifier dtId = new DelegationTokenIdentifier(ownerText, ownerText
, new Text(realUser));
Org.Apache.Hadoop.Security.Token.Token <DelegationTokenIdentifier> token = new Org.Apache.Hadoop.Security.Token.Token
<DelegationTokenIdentifier>(dtId, new TestJspHelper.DummySecretManager(0, 0, 0,
0));
string tokenString = token.EncodeToUrlString();
// token with no auth-ed user
request = GetMockRequest(null, null, null);
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
CheckUgiFromToken(ugi);
// token with auth-ed user
request = GetMockRequest(realUser, null, null);
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
CheckUgiFromToken(ugi);
// completely different user, token trumps auth
request = GetMockRequest("rogue", null, null);
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
CheckUgiFromToken(ugi);
// expected case
request = GetMockRequest(null, user, null);
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
ugi = JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.IsNotNull(ugi.GetRealUser());
NUnit.Framework.Assert.AreEqual(ugi.GetRealUser().GetShortUserName(), realUser);
NUnit.Framework.Assert.AreEqual(ugi.GetShortUserName(), user);
CheckUgiFromToken(ugi);
// can't proxy with a token!
request = GetMockRequest(null, null, "rogue");
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
try
{
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad request allowed");
}
catch (IOException ioe)
{
NUnit.Framework.Assert.AreEqual("Usernames not matched: name=rogue != expected="
+ user, ioe.Message);
}
// can't proxy with a token!
request = GetMockRequest(null, user, "rogue");
Org.Mockito.Mockito.When(request.GetParameter(JspHelper.DelegationParameterName))
.ThenReturn(tokenString);
try
{
JspHelper.GetUGI(context, request, conf);
NUnit.Framework.Assert.Fail("bad request allowed");
}
catch (IOException ioe)
{
NUnit.Framework.Assert.AreEqual("Usernames not matched: name=rogue != expected="
+ user, ioe.Message);
}
}
