/// <exception cref="System.Exception"/>
public virtual void TestNameRules()
{
KerberosName kn = new KerberosName(KerberosTestUtils.GetServerPrincipal());
Assert.Equal(KerberosTestUtils.GetRealm(), kn.GetRealm());
//destroy handler created in setUp()
handler.Destroy();
KerberosName.SetRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT");
handler = GetNewAuthenticationHandler();
Properties props = GetDefaultProperties();
props.SetProperty(KerberosAuthenticationHandler.NameRules, "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT"
);
try
{
handler.Init(props);
}
catch (Exception)
{
}
kn = new KerberosName("bar@BAR");
Assert.Equal("bar", kn.GetShortName());
kn = new KerberosName("bar@FOO");
try
{
kn.GetShortName();
NUnit.Framework.Assert.Fail();
}
catch (Exception)
{
}
}
/// <exception cref="System.IO.IOException"/>
public virtual void TestEnsureInitWithRules()
{
string rules = "RULE:[1:RULE1]";
// trigger implicit init, rules should init
UserGroupInformation.Reset();
NUnit.Framework.Assert.IsFalse(KerberosName.HasRulesBeenSet());
UserGroupInformation.CreateUserForTesting("someone", new string[0]);
Assert.True(KerberosName.HasRulesBeenSet());
// set a rule, trigger implicit init, rule should not change
UserGroupInformation.Reset();
KerberosName.SetRules(rules);
Assert.True(KerberosName.HasRulesBeenSet());
Assert.Equal(rules, KerberosName.GetRules());
UserGroupInformation.CreateUserForTesting("someone", new string[0]);
Assert.Equal(rules, KerberosName.GetRules());
}
public virtual void TestIsValidRequestor()
{
Configuration conf = new HdfsConfiguration();
KerberosName.SetRules("RULE:[1:$1]\nRULE:[2:$1]");
// Set up generic HA configs.
conf.Set(DFSConfigKeys.DfsNameservices, "ns1");
conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsHaNamenodesKeyPrefix, "ns1"), "nn1,nn2"
);
// Set up NN1 HA configs.
conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsNamenodeRpcAddressKey, "ns1", "nn1"
), "host1:1234");
conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsNamenodeKerberosPrincipalKey, "ns1"
, "nn1"), "hdfs/[email protected]");
// Set up NN2 HA configs.
conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsNamenodeRpcAddressKey, "ns1", "nn2"
), "host2:1234");
conf.Set(DFSUtil.AddKeySuffixes(DFSConfigKeys.DfsNamenodeKerberosPrincipalKey, "ns1"
, "nn2"), "hdfs/[email protected]");
// Initialize this conf object as though we're running on NN1.
NameNode.InitializeGenericKeys(conf, "ns1", "nn1");
AccessControlList acls = Org.Mockito.Mockito.Mock <AccessControlList>();
Org.Mockito.Mockito.When(acls.IsUserAllowed(Org.Mockito.Mockito.Any <UserGroupInformation
>())).ThenReturn(false);
ServletContext context = Org.Mockito.Mockito.Mock <ServletContext>();
Org.Mockito.Mockito.When(context.GetAttribute(HttpServer2.AdminsAcl)).ThenReturn(
acls);
// Make sure that NN2 is considered a valid fsimage/edits requestor.
NUnit.Framework.Assert.IsTrue(ImageServlet.IsValidRequestor(context, "hdfs/[email protected]"
, conf));
// Mark atm as an admin.
Org.Mockito.Mockito.When(acls.IsUserAllowed(Org.Mockito.Mockito.ArgThat(new _ArgumentMatcher_76
()))).ThenReturn(true);
// Make sure that NN2 is still considered a valid requestor.
NUnit.Framework.Assert.IsTrue(ImageServlet.IsValidRequestor(context, "hdfs/[email protected]"
, conf));
// Make sure an admin is considered a valid requestor.
NUnit.Framework.Assert.IsTrue(ImageServlet.IsValidRequestor(context, "*****@*****.**"
, conf));
// Make sure other users are *not* considered valid requestors.
NUnit.Framework.Assert.IsFalse(ImageServlet.IsValidRequestor(context, "*****@*****.**"
, conf));
}
public virtual void TestSetConfigWithRules()
{
string[] rules = new string[] { "RULE:[1:TEST1]", "RULE:[1:TEST2]", "RULE:[1:TEST3]" };
// explicitly set a rule
UserGroupInformation.Reset();
NUnit.Framework.Assert.IsFalse(KerberosName.HasRulesBeenSet());
KerberosName.SetRules(rules[0]);
Assert.True(KerberosName.HasRulesBeenSet());
Assert.Equal(rules[0], KerberosName.GetRules());
// implicit init should honor rules already being set
UserGroupInformation.CreateUserForTesting("someone", new string[0]);
Assert.Equal(rules[0], KerberosName.GetRules());
// set conf, should override
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthToLocal, rules[1]);
UserGroupInformation.SetConfiguration(conf);
Assert.Equal(rules[1], KerberosName.GetRules());
// set conf, should again override
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthToLocal, rules[2]);
UserGroupInformation.SetConfiguration(conf);
Assert.Equal(rules[2], KerberosName.GetRules());
// implicit init should honor rules already being set
UserGroupInformation.CreateUserForTesting("someone", new string[0]);
Assert.Equal(rules[2], KerberosName.GetRules());
}
//
/// <summary>Init hadoop security by setting up the UGI config</summary>
public static void InitHadoopSecurity()
{
UserGroupInformation.SetConfiguration(Conf);
KerberosName.SetRules(kerberosRule);
}
/// <summary>Initializes the authentication handler instance.</summary>
/// <remarks>
/// Initializes the authentication handler instance.
/// <p>
/// It creates a Kerberos context using the principal and keytab specified in the configuration.
/// <p>
/// This method is invoked by the
/// <see cref="AuthenticationFilter.Init(Javax.Servlet.FilterConfig)"/>
/// method.
/// </remarks>
/// <param name="config">configuration properties to initialize the handler.</param>
/// <exception cref="Javax.Servlet.ServletException">thrown if the handler could not be initialized.
/// </exception>
public override void Init(Properties config)
{
try
{
string principal = config.GetProperty(Principal);
if (principal == null || principal.Trim().Length == 0)
{
throw new ServletException("Principal not defined in configuration");
}
keytab = config.GetProperty(Keytab, keytab);
if (keytab == null || keytab.Trim().Length == 0)
{
throw new ServletException("Keytab not defined in configuration");
}
if (!new FilePath(keytab).Exists())
{
throw new ServletException("Keytab does not exist: " + keytab);
}
// use all SPNEGO principals in the keytab if a principal isn't
// specifically configured
string[] spnegoPrincipals;
if (principal.Equals("*"))
{
spnegoPrincipals = KerberosUtil.GetPrincipalNames(keytab, Pattern.Compile
("HTTP/.*"));
if (spnegoPrincipals.Length == 0)
{
throw new ServletException("Principals do not exist in the keytab");
}
}
else
{
spnegoPrincipals = new string[] { principal };
}
string nameRules = config.GetProperty(NameRules, null);
if (nameRules != null)
{
KerberosName.SetRules(nameRules);
}
foreach (string spnegoPrincipal in spnegoPrincipals)
{
Log.Info("Login using keytab {}, for principal {}", keytab, spnegoPrincipal);
KerberosAuthenticationHandler.KerberosConfiguration kerberosConfiguration = new KerberosAuthenticationHandler.KerberosConfiguration
(keytab, spnegoPrincipal);
LoginContext loginContext = new LoginContext(string.Empty, serverSubject, null, kerberosConfiguration
);
try
{
loginContext.Login();
}
catch (LoginException le)
{
Log.Warn("Failed to login as [{}]", spnegoPrincipal, le);
throw new AuthenticationException(le);
}
loginContexts.AddItem(loginContext);
}
try
{
gssManager = Subject.DoAs(serverSubject, new _PrivilegedExceptionAction_229());
}
catch (PrivilegedActionException ex)
{
throw ex.GetException();
}
}
catch (Exception ex)
{
throw new ServletException(ex);
}
}
public virtual void TestRecovery()
{
Configuration conf = new Configuration();
HistoryServerStateStoreService store = new HistoryServerMemStateStoreService();
store.Init(conf);
store.Start();
TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest mgr =
new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest(store
);
mgr.StartThreads();
MRDelegationTokenIdentifier tokenId1 = new MRDelegationTokenIdentifier(new Text("tokenOwner"
), new Text("tokenRenewer"), new Text("tokenUser"));
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token1 = new
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId1, mgr
);
MRDelegationTokenIdentifier tokenId2 = new MRDelegationTokenIdentifier(new Text("tokenOwner"
), new Text("tokenRenewer"), new Text("tokenUser"));
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token2 = new
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId2, mgr
);
DelegationKey[] keys = mgr.GetAllKeys();
long tokenRenewDate1 = mgr.GetAllTokens()[tokenId1].GetRenewDate();
long tokenRenewDate2 = mgr.GetAllTokens()[tokenId2].GetRenewDate();
mgr.StopThreads();
mgr = new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest
(store);
mgr.Recover(store.LoadState());
IList <DelegationKey> recoveredKeys = Arrays.AsList(mgr.GetAllKeys());
foreach (DelegationKey key in keys)
{
NUnit.Framework.Assert.IsTrue("key missing after recovery", recoveredKeys.Contains
(key));
}
NUnit.Framework.Assert.IsTrue("token1 missing", mgr.GetAllTokens().Contains(tokenId1
));
NUnit.Framework.Assert.AreEqual("token1 renew date", tokenRenewDate1, mgr.GetAllTokens
()[tokenId1].GetRenewDate());
NUnit.Framework.Assert.IsTrue("token2 missing", mgr.GetAllTokens().Contains(tokenId2
));
NUnit.Framework.Assert.AreEqual("token2 renew date", tokenRenewDate2, mgr.GetAllTokens
()[tokenId2].GetRenewDate());
mgr.StartThreads();
mgr.VerifyToken(tokenId1, token1.GetPassword());
mgr.VerifyToken(tokenId2, token2.GetPassword());
MRDelegationTokenIdentifier tokenId3 = new MRDelegationTokenIdentifier(new Text("tokenOwner"
), new Text("tokenRenewer"), new Text("tokenUser"));
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> token3 = new
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenId3, mgr
);
NUnit.Framework.Assert.AreEqual("sequence number restore", tokenId2.GetSequenceNumber
() + 1, tokenId3.GetSequenceNumber());
mgr.CancelToken(token1, "tokenOwner");
// Testing with full principal name
MRDelegationTokenIdentifier tokenIdFull = new MRDelegationTokenIdentifier(new Text
("tokenOwner/localhost@LOCALHOST"), new Text("tokenRenewer"), new Text("tokenUser"
));
KerberosName.SetRules("RULE:[1:$1]\nRULE:[2:$1]");
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier> tokenFull = new
Org.Apache.Hadoop.Security.Token.Token <MRDelegationTokenIdentifier>(tokenIdFull,
mgr);
// Negative test
try
{
mgr.CancelToken(tokenFull, "tokenOwner");
}
catch (AccessControlException ace)
{
NUnit.Framework.Assert.IsTrue(ace.Message.Contains("is not authorized to cancel the token"
));
}
// Succeed to cancel with full principal
mgr.CancelToken(tokenFull, tokenIdFull.GetOwner().ToString());
long tokenRenewDate3 = mgr.GetAllTokens()[tokenId3].GetRenewDate();
mgr.StopThreads();
mgr = new TestJHSDelegationTokenSecretManager.JHSDelegationTokenSecretManagerForTest
(store);
mgr.Recover(store.LoadState());
NUnit.Framework.Assert.IsFalse("token1 should be missing", mgr.GetAllTokens().Contains
(tokenId1));
NUnit.Framework.Assert.IsTrue("token2 missing", mgr.GetAllTokens().Contains(tokenId2
));
NUnit.Framework.Assert.AreEqual("token2 renew date", tokenRenewDate2, mgr.GetAllTokens
()[tokenId2].GetRenewDate());
NUnit.Framework.Assert.IsTrue("token3 missing", mgr.GetAllTokens().Contains(tokenId3
));
NUnit.Framework.Assert.AreEqual("token3 renew date", tokenRenewDate3, mgr.GetAllTokens
()[tokenId3].GetRenewDate());
mgr.StartThreads();
mgr.VerifyToken(tokenId2, token2.GetPassword());
mgr.VerifyToken(tokenId3, token3.GetPassword());
mgr.StopThreads();
}