public virtual void TestProxyUsersWithCustomPrefix()
{
Configuration conf = new Configuration(false);
conf.Set("x." + RealUserName + ".users", StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName
)));
conf.Set("x." + RealUserName + ".hosts", ProxyIp);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf, "x");
// First try proxying a user that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(AuthorizedProxyUserName, realUserUgi, GroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Now try proxying a user that's not allowed
realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, GroupNames);
// From good IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
public static void LoadTest(string ipString, int testRange)
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames)));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ipString);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a group that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
long startTime = Runtime.NanoTime();
SecureRandom sr = new SecureRandom();
for (int i = 1; i < 1000000; i++)
{
try
{
ProxyUsers.Authorize(proxyUserUgi, "1.2.3." + sr.Next(testRange));
}
catch (AuthorizationException)
{
}
}
long stopTime = Runtime.NanoTime();
long elapsedTime = stopTime - startTime;
System.Console.Out.WriteLine(elapsedTime / 1000000 + " ms");
}
public virtual void TestProxyUsersWithProviderOverride()
{
Configuration conf = new Configuration();
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityImpersonationProviderClass,
"org.apache.hadoop.security.authorize.TestProxyUsers$TestDummyImpersonationProvider"
);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a group that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateUserForTesting(RealUserName
, SudoGroupNames);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertAuthorized(proxyUserUgi, "1.2.3.5");
// Now try proxying a group that's not allowed
realUserUgi = UserGroupInformation.CreateUserForTesting(RealUserName, GroupNames);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, GroupNames);
// From good IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
public virtual void TestWildcardIP()
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames)));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), "*");
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a group that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
// From either IP should be fine
AssertAuthorized(proxyUserUgi, "1.2.3.4");
AssertAuthorized(proxyUserUgi, "1.2.3.5");
// Now set up an unallowed group
realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, OtherGroupNames);
// Neither IP should be OK
AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
public virtual void TestWildcardUser()
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserUserConfKey
(RealUserName), "*");
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ProxyIp);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a user that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(AuthorizedProxyUserName, realUserUgi, GroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Now try proxying a different user (just to make sure we aren't getting spill over
// from the other test case!)
realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, OtherGroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
public virtual void TestProxyUsersWithUserConf()
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserUserConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName)));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ProxyIp);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a user that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(AuthorizedProxyUserName, realUserUgi, GroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
// Now try proxying a user that's not allowed
realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName);
proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting(ProxyUserName, realUserUgi
, GroupNames);
// From good IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "1.2.3.5");
}
public virtual void TestProxyServer()
{
Configuration conf = new Configuration();
NUnit.Framework.Assert.IsFalse(ProxyServers.IsProxyServer("1.1.1.1"));
conf.Set(ProxyServers.ConfHadoopProxyservers, "2.2.2.2, 3.3.3.3");
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
NUnit.Framework.Assert.IsFalse(ProxyServers.IsProxyServer("1.1.1.1"));
Assert.True(ProxyServers.IsProxyServer("2.2.2.2"));
Assert.True(ProxyServers.IsProxyServer("3.3.3.3"));
}
// Expected
private void AssertAuthorized(UserGroupInformation proxyUgi, string host)
{
try
{
ProxyUsers.Authorize(proxyUgi, host);
}
catch (AuthorizationException)
{
NUnit.Framework.Assert.Fail("Did not allow authorization of " + proxyUgi + " from "
+ host);
}
}
public virtual void TestNoHostsForUsers()
{
Configuration conf = new Configuration(false);
conf.Set("y." + RealUserName + ".users", StringUtils.Join(",", Arrays.AsList(AuthorizedProxyUserName
)));
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf, "y");
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(AuthorizedProxyUserName, realUserUgi, GroupNames);
// IP doesn't matter
AssertNotAuthorized(proxyUserUgi, "1.2.3.4");
}
public virtual void TestWithDuplicateProxyHosts()
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames)));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(ProxyIp, ProxyIp)));
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
ICollection <string> hosts = ProxyUsers.GetDefaultImpersonationProvider().GetProxyHosts
()[DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey(RealUserName
)];
Assert.Equal(1, hosts.Count);
}
public virtual void TestWithProxyGroupsAndUsersWithSpaces()
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserUserConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(ProxyUserName + " ", AuthorizedProxyUserName
, "ONEMORE")));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(GroupNames)));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ProxyIp);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
ICollection <string> groupsToBeProxied = ProxyUsers.GetDefaultImpersonationProvider
().GetProxyGroups()[DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserName)];
Assert.Equal(GroupNames.Length, groupsToBeProxied.Count);
}
public virtual void TestIPRange()
{
Configuration conf = new Configuration();
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserName), "*");
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ProxyIpRange);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
// First try proxying a group that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, GroupNames);
// From good IP
AssertAuthorized(proxyUserUgi, "10.222.0.0");
// From bad IP
AssertNotAuthorized(proxyUserUgi, "10.221.0.0");
}
public virtual void TestNetgroups()
{
if (!NativeCodeLoader.IsNativeCodeLoaded())
{
Log.Info("Not testing netgroups, " + "this test only runs when native code is compiled"
);
return;
}
string groupMappingClassName = Runtime.GetProperty("TestProxyUsersGroupMapping");
if (groupMappingClassName == null)
{
Log.Info("Not testing netgroups, no group mapping class specified, " + "use -DTestProxyUsersGroupMapping=$className to specify "
+ "group mapping class (must implement GroupMappingServiceProvider " + "interface and support netgroups)"
);
return;
}
Log.Info("Testing netgroups using: " + groupMappingClassName);
Configuration conf = new Configuration();
conf.Set(CommonConfigurationKeysPublic.HadoopSecurityGroupMapping, groupMappingClassName
);
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserGroupConfKey
(RealUserName), StringUtils.Join(",", Arrays.AsList(NetgroupNames)));
conf.Set(DefaultImpersonationProvider.GetTestProvider().GetProxySuperuserIpConfKey
(RealUserName), ProxyIp);
ProxyUsers.RefreshSuperUserGroupsConfiguration(conf);
Groups groups = Groups.GetUserToGroupsMappingService(conf);
// try proxying a group that's allowed
UserGroupInformation realUserUgi = UserGroupInformation.CreateRemoteUser(RealUserName
);
UserGroupInformation proxyUserUgi = UserGroupInformation.CreateProxyUserForTesting
(ProxyUserName, realUserUgi, Collections.ToArray(groups.GetGroups(ProxyUserName
), new string[groups.GetGroups(ProxyUserName).Count]));
AssertAuthorized(proxyUserUgi, ProxyIp);
}
/// <exception cref="System.Exception"/>
public virtual void TestProxyUsersWithEmptyPrefix()
{
ProxyUsers.RefreshSuperUserGroupsConfiguration(new Configuration(false), string.Empty
);
}
/// <exception cref="System.Exception"/>
public virtual void TestProxyUsersWithNullPrefix()
{
ProxyUsers.RefreshSuperUserGroupsConfiguration(new Configuration(false), null);
}
