/// <summary>
/// Builds a KeyAuthorizationKeyProvider over the in-memory "user:///" provider with a
/// mocked ACL set in which "testKey" has every ACL type configured and each of four
/// users holds exactly one operation type (u1 MANAGEMENT, u2 GENERATE_EEK,
/// u3 DECRYPT_EEK, sudo ALL). The scenario itself, including its assertions, lives in
/// _PrivilegedExceptionAction_247 (not visible here) and is run as "sudo".
/// </summary>
/// <exception cref="System.Exception"/>
public virtual void TestDecryptWithKeyVersionNameKeyMismatch()
{
    Configuration conf = new Configuration();
    KeyProvider baseProvider = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf);
    KeyAuthorizationKeyProvider.KeyACLs aclMock =
        Org.Mockito.Mockito.Mock<KeyAuthorizationKeyProvider.KeyACLs>();

    // "testKey" has an ACL configured for every operation type.
    foreach (KeyAuthorizationKeyProvider.KeyOpType opType in new[]
    {
        KeyAuthorizationKeyProvider.KeyOpType.Management,
        KeyAuthorizationKeyProvider.KeyOpType.GenerateEek,
        KeyAuthorizationKeyProvider.KeyOpType.DecryptEek,
        KeyAuthorizationKeyProvider.KeyOpType.All
    })
    {
        Org.Mockito.Mockito.When(aclMock.IsACLPresent("testKey", opType)).ThenReturn(true);
    }

    // One user per operation type; "sudo" holds ALL. Anything not stubbed is
    // answered false by the mock, so these grants are deliberately disjoint.
    UserGroupInformation u1 = UserGroupInformation.CreateRemoteUser("u1");
    UserGroupInformation u2 = UserGroupInformation.CreateRemoteUser("u2");
    UserGroupInformation u3 = UserGroupInformation.CreateRemoteUser("u3");
    UserGroupInformation sudo = UserGroupInformation.CreateRemoteUser("sudo");
    Org.Mockito.Mockito.When(aclMock.HasAccessToKey("testKey", u1,
        KeyAuthorizationKeyProvider.KeyOpType.Management)).ThenReturn(true);
    Org.Mockito.Mockito.When(aclMock.HasAccessToKey("testKey", u2,
        KeyAuthorizationKeyProvider.KeyOpType.GenerateEek)).ThenReturn(true);
    Org.Mockito.Mockito.When(aclMock.HasAccessToKey("testKey", u3,
        KeyAuthorizationKeyProvider.KeyOpType.DecryptEek)).ThenReturn(true);
    Org.Mockito.Mockito.When(aclMock.HasAccessToKey("testKey", sudo,
        KeyAuthorizationKeyProvider.KeyOpType.All)).ThenReturn(true);

    // The authorizing wrapper sits in front of the crypto extension of the base provider.
    KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
        KeyProviderCryptoExtension.CreateKeyProviderCryptoExtension(baseProvider), aclMock);

    sudo.DoAs(new _PrivilegedExceptionAction_247(conf, kpExt));
}
/// <summary>
/// Drives key creation through the authorizing provider. Only "foo" has a MANAGEMENT
/// ACL configured and only u1 is granted on it; a user with no stubbed grant
/// ("badGuy") gets the mock's default false answer and should therefore be denied.
/// The create calls and their assertions live in _PrivilegedExceptionAction_62
/// (run as u1) and _PrivilegedExceptionAction_87 (run as "badGuy"), neither of
/// which is visible here. The loose remarks in the original source
/// ("bar" key not configured / Ignore / Unauthorized User) appear to be remnants
/// of those action bodies.
/// </summary>
public virtual void TestCreateKey()
{
    Configuration conf = new Configuration();
    KeyProvider baseProvider = new UserProvider.Factory().CreateProvider(new URI("user:///"), conf);

    // ACL state: MANAGEMENT is configured for "foo" only, and only u1 holds it.
    KeyAuthorizationKeyProvider.KeyACLs aclMock =
        Org.Mockito.Mockito.Mock<KeyAuthorizationKeyProvider.KeyACLs>();
    UserGroupInformation u1 = UserGroupInformation.CreateRemoteUser("u1");
    Org.Mockito.Mockito.When(aclMock.IsACLPresent("foo",
        KeyAuthorizationKeyProvider.KeyOpType.Management)).ThenReturn(true);
    Org.Mockito.Mockito.When(aclMock.HasAccessToKey("foo", u1,
        KeyAuthorizationKeyProvider.KeyOpType.Management)).ThenReturn(true);

    KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(
        KeyProviderCryptoExtension.CreateKeyProviderCryptoExtension(baseProvider), aclMock);

    // Authorized path, run as u1.
    u1.DoAs(new _PrivilegedExceptionAction_62(kpExt, conf));

    // Unauthorized path: "badGuy" has no grant stubbed at all.
    UserGroupInformation badGuy = UserGroupInformation.CreateRemoteUser("badGuy");
    badGuy.DoAs(new _PrivilegedExceptionAction_87(kpExt, conf));
}
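// This method first checks if "key.acl.name" attribute is present as an
// attribute in the provider Options. If yes, use the aclName for any
// subsequent access checks, else use the keyName as the aclName and set it
// as the value of the "key.acl.name" in the key's metadata.
//
// Security note: the ACL name comes from caller-supplied Options. A user who
// holds MANAGEMENT (or ALL) on some ACL "x" can therefore create a key of any
// name by passing key.acl.name=x. That is the ACL-sharing model this method
// implements; the check still requires the named ACL to exist and the caller
// to be granted on it. Absence of any matching ACL is a deny.
/// <exception cref="System.IO.IOException"/>
private void AuthorizeCreateKey(string keyName, KeyProvider.Options options, UserGroupInformation ugi)
{
    Preconditions.CheckNotNull(ugi, "UserGroupInformation cannot be null");
    IDictionary<string, string> attributes = options.GetAttributes();

    // A missing attribute must read as "not set". The generic IDictionary indexer
    // throws KeyNotFoundException on a missing key, so TryGetValue is used instead
    // (it also behaves correctly for a dictionary whose indexer returns null).
    string aclName;
    attributes.TryGetValue(KeyAclName, out aclName);

    bool success;
    if (Strings.IsNullOrEmpty(aclName))
    {
        // No explicit ACL name: the key name is the ACL name. Record it in the
        // key's metadata so subsequent operations resolve the same ACL.
        if (acls.IsACLPresent(keyName, KeyAuthorizationKeyProvider.KeyOpType.Management))
        {
            options.SetAttributes(ImmutableMap.Builder<string, string>()
                .PutAll(attributes)
                .Put(KeyAclName, keyName)
                .Build());
            success = acls.HasAccessToKey(keyName, ugi, KeyAuthorizationKeyProvider.KeyOpType.Management)
                || acls.HasAccessToKey(keyName, ugi, KeyAuthorizationKeyProvider.KeyOpType.All);
        }
        else
        {
            // No MANAGEMENT ACL configured under this key name: default deny.
            success = false;
        }
    }
    else
    {
        // Explicit ACL name: it must exist and the caller must hold MANAGEMENT or ALL on it.
        success = acls.IsACLPresent(aclName, KeyAuthorizationKeyProvider.KeyOpType.Management)
            && (acls.HasAccessToKey(aclName, ugi, KeyAuthorizationKeyProvider.KeyOpType.Management)
                || acls.HasAccessToKey(aclName, ugi, KeyAuthorizationKeyProvider.KeyOpType.All));
    }

    if (!success)
    {
        // "{0}" rather than the Java-style "%s": string.Format does not expand %s,
        // so the previous message never actually named the denied user.
        throw new AuthorizationException(string.Format(
            "User [{0}] is not authorized to create key !!", ugi.GetShortUserName()));
    }
}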