/// <summary>Sets up the KDC and a set of principals in the JAAS file</summary>
/// <exception cref="System.Exception"/>
public static void SetupKDCAndPrincipals()
{
// set up the KDC
FilePath target = new FilePath(Runtime.GetProperty("test.dir", "target"));
kdcWorkDir = new FilePath(target, "kdc");
kdcWorkDir.Mkdirs();
if (!kdcWorkDir.Mkdirs())
{
NUnit.Framework.Assert.IsTrue(kdcWorkDir.IsDirectory());
}
kdcConf = MiniKdc.CreateConf();
kdcConf.SetProperty(MiniKdc.Debug, "true");
kdc = new MiniKdc(kdcConf, kdcWorkDir);
kdc.Start();
keytab_zk = CreateKeytab(Zookeeper, "zookeeper.keytab");
keytab_alice = CreateKeytab(Alice, "alice.keytab");
keytab_bob = CreateKeytab(Bob, "bob.keytab");
zkServerPrincipal = Shell.Windows ? Zookeeper1270001 : ZookeeperLocalhost;
StringBuilder jaas = new StringBuilder(1024);
jaas.Append(registrySecurity.CreateJAASEntry(ZookeeperClientContext, Zookeeper, keytab_zk
));
jaas.Append(registrySecurity.CreateJAASEntry(ZookeeperServerContext, zkServerPrincipal
, keytab_zk));
jaas.Append(registrySecurity.CreateJAASEntry(AliceClientContext, AliceLocalhost,
keytab_alice));
jaas.Append(registrySecurity.CreateJAASEntry(BobClientContext, BobLocalhost, keytab_bob
));
jaasFile = new FilePath(kdcWorkDir, "jaas.txt");
FileUtils.Write(jaasFile, jaas.ToString());
Log.Info("\n" + jaas);
RegistrySecurity.BindJVMtoJAASFile(jaasFile);
}
public static void Setup()
{
try
{
testMiniKDC = new MiniKdc(MiniKdc.CreateConf(), testRootDir);
testMiniKDC.Start();
testMiniKDC.CreatePrincipal(httpSpnegoKeytabFile, HttpUser + "/localhost");
}
catch (Exception)
{
NUnit.Framework.Assert.IsTrue("Couldn't setup MiniKDC", false);
}
try
{
testTimelineServer = new ApplicationHistoryServer();
conf = new Configuration(false);
conf.SetStrings(TimelineAuthenticationFilterInitializer.Prefix + "type", "kerberos"
);
conf.Set(TimelineAuthenticationFilterInitializer.Prefix + KerberosAuthenticationHandler
.Principal, httpSpnegoPrincipal);
conf.Set(TimelineAuthenticationFilterInitializer.Prefix + KerberosAuthenticationHandler
.Keytab, httpSpnegoKeytabFile.GetAbsolutePath());
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityAuthentication, "kerberos");
conf.Set(YarnConfiguration.TimelineServicePrincipal, httpSpnegoPrincipal);
conf.Set(YarnConfiguration.TimelineServiceKeytab, httpSpnegoKeytabFile.GetAbsolutePath
());
conf.SetBoolean(YarnConfiguration.TimelineServiceEnabled, true);
conf.SetClass(YarnConfiguration.TimelineServiceStore, typeof(MemoryTimelineStore)
, typeof(TimelineStore));
conf.Set(YarnConfiguration.TimelineServiceAddress, "localhost:10200");
conf.Set(YarnConfiguration.TimelineServiceWebappAddress, "localhost:8188");
conf.Set(YarnConfiguration.TimelineServiceWebappHttpsAddress, "localhost:8190");
conf.Set("hadoop.proxyuser.HTTP.hosts", "*");
conf.Set("hadoop.proxyuser.HTTP.users", FooUser);
conf.SetInt(YarnConfiguration.TimelineServiceClientMaxRetries, 1);
if (withSsl)
{
conf.Set(YarnConfiguration.YarnHttpPolicyKey, HttpConfig.Policy.HttpsOnly.ToString
());
FilePath @base = new FilePath(Basedir);
FileUtil.FullyDelete(@base);
@base.Mkdirs();
keystoresDir = new FilePath(Basedir).GetAbsolutePath();
sslConfDir = KeyStoreTestUtil.GetClasspathDir(typeof(Org.Apache.Hadoop.Yarn.Server.Timeline.Security.TestTimelineAuthenticationFilter
));
KeyStoreTestUtil.SetupSSLConfig(keystoresDir, sslConfDir, conf, false);
}
UserGroupInformation.SetConfiguration(conf);
testTimelineServer.Init(conf);
testTimelineServer.Start();
}
catch (Exception)
{
NUnit.Framework.Assert.IsTrue("Couldn't setup TimelineServer", false);
}
}
/// <exception cref="System.Exception"/>
private static void SetupKDC()
{
if (!miniKDCStarted)
{
testMiniKDC.Start();
GetKdc().CreatePrincipal(httpSpnegoKeytabFile, "HTTP/localhost", "client", UserGroupInformation
.GetLoginUser().GetShortUserName(), "client2");
miniKDCStarted = true;
}
}
public virtual void StartMiniKdc()
{
// This setting below is required. If not enabled, UGI will abort
// any attempt to loginUserFromKeytab.
Configuration conf = new Configuration();
conf.Set(CommonConfigurationKeys.HadoopSecurityAuthentication, "kerberos");
UserGroupInformation.SetConfiguration(conf);
workDir = folder.GetRoot();
kdc = new MiniKdc(MiniKdc.CreateConf(), workDir);
kdc.Start();
}
/// <exception cref="System.Exception"/>
private void TestKerberosDelegationTokenAuthenticator(bool doAs)
{
string doAsUser = doAs ? OkUser : null;
// setting hadoop security to kerberos
Configuration conf = new Configuration();
conf.Set("hadoop.security.authentication", "kerberos");
UserGroupInformation.SetConfiguration(conf);
FilePath testDir = new FilePath("target/" + UUID.RandomUUID().ToString());
Assert.True(testDir.Mkdirs());
MiniKdc kdc = new MiniKdc(MiniKdc.CreateConf(), testDir);
Org.Mortbay.Jetty.Server jetty = CreateJettyServer();
Context context = new Context();
context.SetContextPath("/foo");
jetty.SetHandler(context);
context.AddFilter(new FilterHolder(typeof(TestWebDelegationToken.KDTAFilter)), "/*"
, 0);
context.AddServlet(new ServletHolder(typeof(TestWebDelegationToken.UserServlet)),
"/bar");
try
{
kdc.Start();
FilePath keytabFile = new FilePath(testDir, "test.keytab");
kdc.CreatePrincipal(keytabFile, "client", "HTTP/localhost");
TestWebDelegationToken.KDTAFilter.keytabFile = keytabFile.GetAbsolutePath();
jetty.Start();
DelegationTokenAuthenticatedURL.Token token = new DelegationTokenAuthenticatedURL.Token
();
DelegationTokenAuthenticatedURL aUrl = new DelegationTokenAuthenticatedURL();
Uri url = new Uri(GetJettyURL() + "/foo/bar");
try
{
aUrl.GetDelegationToken(url, token, FooUser, doAsUser);
NUnit.Framework.Assert.Fail();
}
catch (AuthenticationException ex)
{
Assert.True(ex.Message.Contains("GSSException"));
}
DoAsKerberosUser("client", keytabFile.GetAbsolutePath(), new _Callable_778(aUrl,
url, token, doAs, doAsUser));
}
finally
{
// Make sure the token belongs to the right owner
jetty.Stop();
kdc.Stop();
}
}
public static void Init()
{
baseDir = new FilePath(Runtime.GetProperty("test.build.dir", "target/test-dir"),
typeof(TestSecureNNWithQJM).Name);
FileUtil.FullyDelete(baseDir);
NUnit.Framework.Assert.IsTrue(baseDir.Mkdirs());
Properties kdcConf = MiniKdc.CreateConf();
kdc = new MiniKdc(kdcConf, baseDir);
kdc.Start();
baseConf = new HdfsConfiguration();
SecurityUtil.SetAuthenticationMethod(UserGroupInformation.AuthenticationMethod.Kerberos
, baseConf);
UserGroupInformation.SetConfiguration(baseConf);
NUnit.Framework.Assert.IsTrue("Expected configuration to enable security", UserGroupInformation
.IsSecurityEnabled());
string userName = UserGroupInformation.GetLoginUser().GetShortUserName();
FilePath keytabFile = new FilePath(baseDir, userName + ".keytab");
string keytab = keytabFile.GetAbsolutePath();
// Windows will not reverse name lookup "127.0.0.1" to "localhost".
string krbInstance = Path.Windows ? "127.0.0.1" : "localhost";
kdc.CreatePrincipal(keytabFile, userName + "/" + krbInstance, "HTTP/" + krbInstance
);
string hdfsPrincipal = userName + "/" + krbInstance + "@" + kdc.GetRealm();
string spnegoPrincipal = "HTTP/" + krbInstance + "@" + kdc.GetRealm();
baseConf.Set(DFSConfigKeys.DfsNamenodeKerberosPrincipalKey, hdfsPrincipal);
baseConf.Set(DFSConfigKeys.DfsNamenodeKeytabFileKey, keytab);
baseConf.Set(DFSConfigKeys.DfsDatanodeKerberosPrincipalKey, hdfsPrincipal);
baseConf.Set(DFSConfigKeys.DfsDatanodeKeytabFileKey, keytab);
baseConf.Set(DFSConfigKeys.DfsWebAuthenticationKerberosPrincipalKey, spnegoPrincipal
);
baseConf.Set(DFSConfigKeys.DfsJournalnodeKeytabFileKey, keytab);
baseConf.Set(DFSConfigKeys.DfsJournalnodeKerberosPrincipalKey, hdfsPrincipal);
baseConf.Set(DFSConfigKeys.DfsJournalnodeKerberosInternalSpnegoPrincipalKey, spnegoPrincipal
);
baseConf.SetBoolean(DFSConfigKeys.DfsBlockAccessTokenEnableKey, true);
baseConf.Set(DFSConfigKeys.DfsDataTransferProtectionKey, "authentication");
baseConf.Set(DFSConfigKeys.DfsHttpPolicyKey, HttpConfig.Policy.HttpsOnly.ToString
());
baseConf.Set(DFSConfigKeys.DfsNamenodeHttpsAddressKey, "localhost:0");
baseConf.Set(DFSConfigKeys.DfsDatanodeHttpsAddressKey, "localhost:0");
baseConf.Set(DFSConfigKeys.DfsJournalnodeHttpsAddressKey, "localhost:0");
baseConf.SetInt(CommonConfigurationKeys.IpcClientConnectMaxRetriesOnSaslKey, 10);
string keystoresDir = baseDir.GetAbsolutePath();
string sslConfDir = KeyStoreTestUtil.GetClasspathDir(typeof(TestSecureNNWithQJM));
KeyStoreTestUtil.SetupSSLConfig(keystoresDir, sslConfDir, baseConf, false);
}
public static void InitKdc()
{
baseDir = new FilePath(Runtime.GetProperty("test.build.dir", "target/test-dir"),
typeof(SaslDataTransferTestCase).Name);
FileUtil.FullyDelete(baseDir);
NUnit.Framework.Assert.IsTrue(baseDir.Mkdirs());
Properties kdcConf = MiniKdc.CreateConf();
kdc = new MiniKdc(kdcConf, baseDir);
kdc.Start();
string userName = UserGroupInformation.GetLoginUser().GetShortUserName();
FilePath keytabFile = new FilePath(baseDir, userName + ".keytab");
keytab = keytabFile.GetAbsolutePath();
kdc.CreatePrincipal(keytabFile, userName + "/localhost", "HTTP/localhost");
hdfsPrincipal = userName + "/localhost@" + kdc.GetRealm();
spnegoPrincipal = "HTTP/localhost@" + kdc.GetRealm();
}
/// <exception cref="System.Exception"/>
private static void SetupKDC()
{
testMiniKDC.Start();
testMiniKDC.CreatePrincipal(spnegoKeytabFile, "HTTP/localhost", "client", UserGroupInformation
.GetLoginUser().GetShortUserName(), "client2");
}