public virtual void TestCreateRemoteUser()
{
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("user1");
Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
ugi.GetAuthenticationMethod());
Assert.True(ugi.ToString().Contains("(auth:SIMPLE)"));
ugi = UserGroupInformation.CreateRemoteUser("user1", SaslRpcServer.AuthMethod.Kerberos
);
Assert.Equal(UserGroupInformation.AuthenticationMethod.Kerberos
, ugi.GetAuthenticationMethod());
Assert.True(ugi.ToString().Contains("(auth:KERBEROS)"));
}
private void CheckUgiFromToken(UserGroupInformation ugi)
{
if (ugi.GetRealUser() != null)
{
NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Proxy,
ugi.GetAuthenticationMethod());
NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Token,
ugi.GetRealUser().GetAuthenticationMethod());
}
else
{
NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Token,
ugi.GetAuthenticationMethod());
}
}
public virtual void TestGetRealAuthenticationMethod()
{
UserGroupInformation ugi = UserGroupInformation.CreateRemoteUser("user1");
ugi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Simple);
Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
ugi.GetAuthenticationMethod());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
ugi.GetRealAuthenticationMethod());
ugi = UserGroupInformation.CreateProxyUser("user2", ugi);
Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy,
ugi.GetAuthenticationMethod());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Simple,
ugi.GetRealAuthenticationMethod());
}
/// <exception cref="System.Exception"/>
public virtual void TestUGIAuthMethodInRealUser()
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
UserGroupInformation proxyUgi = UserGroupInformation.CreateProxyUser("proxy", ugi
);
UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod
.Kerberos;
ugi.SetAuthenticationMethod(am);
Assert.Equal(am, ugi.GetAuthenticationMethod());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Proxy,
proxyUgi.GetAuthenticationMethod());
Assert.Equal(am, UserGroupInformation.GetRealAuthenticationMethod
(proxyUgi));
proxyUgi.DoAs(new _PrivilegedExceptionAction_690(am));
UserGroupInformation proxyUgi2 = new UserGroupInformation(proxyUgi.GetSubject());
proxyUgi2.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Proxy
);
Assert.Equal(proxyUgi, proxyUgi2);
// Equality should work if authMethod is null
UserGroupInformation realugi = UserGroupInformation.GetCurrentUser();
UserGroupInformation proxyUgi3 = UserGroupInformation.CreateProxyUser("proxyAnother"
, realugi);
UserGroupInformation proxyUgi4 = new UserGroupInformation(proxyUgi3.GetSubject());
Assert.Equal(proxyUgi3, proxyUgi4);
}
/// <exception cref="System.IO.IOException"/>
private void TryLoginAuthenticationMethod(UserGroupInformation.AuthenticationMethod
method, bool expectSuccess)
{
SecurityUtil.SetAuthenticationMethod(method, conf);
UserGroupInformation.SetConfiguration(conf);
// pick up changed auth
UserGroupInformation ugi = null;
Exception ex = null;
try
{
ugi = UserGroupInformation.GetLoginUser();
}
catch (Exception e)
{
ex = e;
}
if (expectSuccess)
{
NUnit.Framework.Assert.IsNotNull(ugi);
Assert.Equal(method, ugi.GetAuthenticationMethod());
}
else
{
NUnit.Framework.Assert.IsNotNull(ex);
Assert.Equal(typeof(NotSupportedException), ex.GetType());
Assert.Equal(method + " login authentication is not supported"
, ex.Message);
}
}
/// <exception cref="System.IO.IOException"/>
private HttpURLConnection CreateConnection(Uri url, string method)
{
HttpURLConnection conn;
try
{
// if current UGI is different from UGI at constructor time, behave as
// proxyuser
UserGroupInformation currentUgi = UserGroupInformation.GetCurrentUser();
string doAsUser = (currentUgi.GetAuthenticationMethod() == UserGroupInformation.AuthenticationMethod
.Proxy) ? currentUgi.GetShortUserName() : null;
// creating the HTTP connection using the current UGI at constructor time
conn = actualUgi.DoAs(new _PrivilegedExceptionAction_478(this, url, doAsUser));
}
catch (IOException ex)
{
throw;
}
catch (UndeclaredThrowableException ex)
{
throw new IOException(ex.GetUndeclaredThrowable());
}
catch (Exception ex)
{
throw new IOException(ex);
}
conn.SetUseCaches(false);
conn.SetRequestMethod(method);
if (method.Equals(HttpPost) || method.Equals(HttpPut))
{
conn.SetDoOutput(true);
}
conn = ConfigureConnection(conn);
return(conn);
}
public virtual void TestLogin()
{
string userPrincipal = Runtime.GetProperty("user.principal");
string userKeyTab = Runtime.GetProperty("user.keytab");
NUnit.Framework.Assert.IsNotNull("User principal was not specified", userPrincipal
);
NUnit.Framework.Assert.IsNotNull("User keytab was not specified", userKeyTab);
Configuration conf = new Configuration();
conf.Set(CommonConfigurationKeys.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
UserGroupInformation ugi = UserGroupInformation.LoginUserFromKeytabAndReturnUGI(userPrincipal
, userKeyTab);
Assert.Equal(UserGroupInformation.AuthenticationMethod.Kerberos
, ugi.GetAuthenticationMethod());
try
{
UserGroupInformation.LoginUserFromKeytabAndReturnUGI("*****@*****.**", userKeyTab
);
NUnit.Framework.Assert.Fail("Login should have failed");
}
catch (Exception ex)
{
Runtime.PrintStackTrace(ex);
}
}
public virtual void TestSecureNameNode()
{
MiniDFSCluster cluster = null;
try
{
string nnPrincipal = Runtime.GetProperty("dfs.namenode.kerberos.principal");
string nnSpnegoPrincipal = Runtime.GetProperty("dfs.namenode.kerberos.internal.spnego.principal"
);
string nnKeyTab = Runtime.GetProperty("dfs.namenode.keytab.file");
NUnit.Framework.Assert.IsNotNull("NameNode principal was not specified", nnPrincipal
);
NUnit.Framework.Assert.IsNotNull("NameNode SPNEGO principal was not specified", nnSpnegoPrincipal
);
NUnit.Framework.Assert.IsNotNull("NameNode keytab was not specified", nnKeyTab);
Configuration conf = new HdfsConfiguration();
conf.Set(CommonConfigurationKeys.HadoopSecurityAuthentication, "kerberos");
conf.Set(DFSConfigKeys.DfsNamenodeKerberosPrincipalKey, nnPrincipal);
conf.Set(DFSConfigKeys.DfsNamenodeKerberosInternalSpnegoPrincipalKey, nnSpnegoPrincipal
);
conf.Set(DFSConfigKeys.DfsNamenodeKeytabFileKey, nnKeyTab);
cluster = new MiniDFSCluster.Builder(conf).NumDataNodes(NumOfDatanodes).Build();
MiniDFSCluster clusterRef = cluster;
cluster.WaitActive();
FileSystem fsForCurrentUser = cluster.GetFileSystem();
fsForCurrentUser.Mkdirs(new Path("/tmp"));
fsForCurrentUser.SetPermission(new Path("/tmp"), new FsPermission((short)511));
// The user specified should not be a superuser
string userPrincipal = Runtime.GetProperty("user.principal");
string userKeyTab = Runtime.GetProperty("user.keytab");
NUnit.Framework.Assert.IsNotNull("User principal was not specified", userPrincipal
);
NUnit.Framework.Assert.IsNotNull("User keytab was not specified", userKeyTab);
UserGroupInformation ugi = UserGroupInformation.LoginUserFromKeytabAndReturnUGI(userPrincipal
, userKeyTab);
FileSystem fs = ugi.DoAs(new _PrivilegedExceptionAction_105(clusterRef));
try
{
Path p = new Path("/users");
fs.Mkdirs(p);
NUnit.Framework.Assert.Fail("User must not be allowed to write in /");
}
catch (IOException)
{
}
Path p_1 = new Path("/tmp/alpha");
fs.Mkdirs(p_1);
NUnit.Framework.Assert.IsNotNull(fs.ListStatus(p_1));
NUnit.Framework.Assert.AreEqual(UserGroupInformation.AuthenticationMethod.Kerberos
, ugi.GetAuthenticationMethod());
}
finally
{
if (cluster != null)
{
cluster.Shutdown();
}
}
}
/// <exception cref="System.Exception"/>
public virtual void TestUGIAuthMethod()
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
UserGroupInformation.AuthenticationMethod am = UserGroupInformation.AuthenticationMethod
.Kerberos;
ugi.SetAuthenticationMethod(am);
Assert.Equal(am, ugi.GetAuthenticationMethod());
ugi.DoAs(new _PrivilegedExceptionAction_668(am));
}
public virtual void TestGetUserWithOwner()
{
TestDelegationToken.TestDelegationTokenIdentifier ident = new TestDelegationToken.TestDelegationTokenIdentifier
(new Text("owner"), null, null);
UserGroupInformation ugi = ident.GetUser();
NUnit.Framework.Assert.IsNull(ugi.GetRealUser());
Assert.Equal("owner", ugi.GetUserName());
Assert.Equal(UserGroupInformation.AuthenticationMethod.Token,
ugi.GetAuthenticationMethod());
}
/// <exception cref="System.Exception"/>
public virtual void TestTestAuthMethod()
{
UserGroupInformation ugi = UserGroupInformation.GetCurrentUser();
// verify the reverse mappings works
foreach (UserGroupInformation.AuthenticationMethod am in UserGroupInformation.AuthenticationMethod
.Values())
{
if (am.GetAuthMethod() != null)
{
ugi.SetAuthenticationMethod(am.GetAuthMethod());
Assert.Equal(am, ugi.GetAuthenticationMethod());
}
}
}
/// <exception cref="System.IO.IOException"/>
public virtual Org.Apache.Hadoop.Security.Token.Token <object>[] AddDelegationTokens
(string renewer, Credentials credentials)
{
Org.Apache.Hadoop.Security.Token.Token <object>[] tokens = null;
Text dtService = GetDelegationTokenService();
Org.Apache.Hadoop.Security.Token.Token <object> token = credentials.GetToken(dtService
);
if (token == null)
{
Uri url = CreateURL(null, null, null, null);
DelegationTokenAuthenticatedURL authUrl = new DelegationTokenAuthenticatedURL(configurator
);
try
{
// 'actualUGI' is the UGI of the user creating the client
// It is possible that the creator of the KMSClientProvier
// calls this method on behalf of a proxyUser (the doAsUser).
// In which case this call has to be made as the proxy user.
UserGroupInformation currentUgi = UserGroupInformation.GetCurrentUser();
string doAsUser = (currentUgi.GetAuthenticationMethod() == UserGroupInformation.AuthenticationMethod
.Proxy) ? currentUgi.GetShortUserName() : null;
token = actualUgi.DoAs(new _PrivilegedExceptionAction_870(authUrl, url, renewer,
doAsUser));
// Not using the cached token here.. Creating a new token here
// everytime.
if (token != null)
{
credentials.AddToken(token.GetService(), token);
tokens = new Org.Apache.Hadoop.Security.Token.Token <object>[] { token };
}
else
{
throw new IOException("Got NULL as delegation token");
}
}
catch (Exception)
{
Thread.CurrentThread().Interrupt();
}
catch (Exception e)
{
throw new IOException(e);
}
}
return(tokens);
}
public virtual void TestGetUserGroupInformation()
{
string userName = "******";
string currentUser = "******";
UserGroupInformation currentUserUgi = UserGroupInformation.CreateUserForTesting(currentUser
, new string[0]);
NfsConfiguration conf = new NfsConfiguration();
conf.Set(FileSystem.FsDefaultNameKey, "hdfs://localhost");
DFSClientCache cache = new DFSClientCache(conf);
UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi
);
Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName));
Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi));
Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod
.Proxy));
}
public virtual void TestGetUserGroupInformationSecure()
{
string userName = "******";
string currentUser = "******";
NfsConfiguration conf = new NfsConfiguration();
UserGroupInformation currentUserUgi = UserGroupInformation.CreateRemoteUser(currentUser
);
currentUserUgi.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.
Kerberos);
UserGroupInformation.SetLoginUser(currentUserUgi);
DFSClientCache cache = new DFSClientCache(conf);
UserGroupInformation ugiResult = cache.GetUserGroupInformation(userName, currentUserUgi
);
Assert.AssertThat(ugiResult.GetUserName(), IS.Is(userName));
Assert.AssertThat(ugiResult.GetRealUser(), IS.Is(currentUserUgi));
Assert.AssertThat(ugiResult.GetAuthenticationMethod(), IS.Is(UserGroupInformation.AuthenticationMethod
.Proxy));
}
/// <exception cref="Javax.Servlet.ServletException"/>
/// <exception cref="System.IO.IOException"/>
protected override void DoGet(HttpServletRequest req, HttpServletResponse resp)
{
UserGroupInformation ugi = HttpUserGroupInformation.Get();
if (ugi != null)
{
string ret = "remoteuser="******":ugi=" + ugi.GetShortUserName
();
if (ugi.GetAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.Proxy)
{
ret = "realugi=" + ugi.GetRealUser().GetShortUserName() + ":" + ret;
}
resp.SetStatus(HttpServletResponse.ScOk);
resp.GetWriter().Write(ret);
}
else
{
resp.SetStatus(HttpServletResponse.ScInternalServerError);
}
}
