List of usage examples for org.apache.hadoop.security UserGroupInformation createRemoteUser
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createRemoteUser(String user)
From source file:org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizerTest.java
License:Apache License
@Test public void testDeleteKeys() throws Throwable { if (!UNRESTRICTED_POLICIES_INSTALLED) { return;//w ww. ja va 2s . c o m } // bob should have permission to delete final UserGroupInformation ugi = UserGroupInformation.createRemoteUser("bob"); ugi.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { KMSWebApp.getACLs().assertAccess(Type.DELETE, ugi, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1"); return null; } }); // "eve" should not have permission to delete final UserGroupInformation ugi2 = UserGroupInformation.createRemoteUser("eve"); ugi2.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { try { KMSWebApp.getACLs().assertAccess(Type.DELETE, ugi2, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1"); Assert.fail("Failure expected"); } catch (AuthorizationException ex) { // expected } return null; } }); // the IT group should not have permission to delete final UserGroupInformation ugi3 = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" }); ugi3.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { try { KMSWebApp.getACLs().assertAccess(Type.DELETE, ugi3, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1"); Assert.fail("Failure expected"); } catch (AuthorizationException ex) { // expected } return null; } }); }
From source file:org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizerTest.java
License:Apache License
@Test public void testRollover() throws Throwable { if (!UNRESTRICTED_POLICIES_INSTALLED) { return;/*www . ja va 2 s. c o m*/ } // bob should have permission to rollover final UserGroupInformation ugi = UserGroupInformation.createRemoteUser("bob"); ugi.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { KMSWebApp.getACLs().assertAccess(Type.ROLLOVER, ugi, KMSOp.ROLL_NEW_VERSION, "newkey1", "127.0.0.1"); return null; } }); // "eve" should not have permission to rollover final UserGroupInformation ugi2 = UserGroupInformation.createRemoteUser("eve"); ugi2.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { try { KMSWebApp.getACLs().assertAccess(Type.ROLLOVER, ugi2, KMSOp.ROLL_NEW_VERSION, "newkey1", "127.0.0.1"); Assert.fail("Failure expected"); } catch (AuthorizationException ex) { // expected } return null; } }); // the IT group should not have permission to rollover final UserGroupInformation ugi3 = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" }); ugi3.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { try { KMSWebApp.getACLs().assertAccess(Type.ROLLOVER, ugi3, KMSOp.ROLL_NEW_VERSION, "newkey1", "127.0.0.1"); Assert.fail("Failure expected"); } catch (AuthorizationException ex) { // expected } return null; } }); }
From source file:org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizerTest.java
License:Apache License
@Test public void testGetKeys() throws Throwable { if (!UNRESTRICTED_POLICIES_INSTALLED) { return;/*from w ww .j a v a 2s . c o m*/ } // bob should have permission to get keys final UserGroupInformation ugi = UserGroupInformation.createRemoteUser("bob"); ugi.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { KMSWebApp.getACLs().assertAccess(Type.GET_KEYS, ugi, KMSOp.GET_KEYS, "newkey1", "127.0.0.1"); return null; } }); // "eve" should not have permission to get keys final UserGroupInformation ugi2 = UserGroupInformation.createRemoteUser("eve"); ugi2.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { try { KMSWebApp.getACLs().assertAccess(Type.GET_KEYS, ugi2, KMSOp.GET_KEYS, "newkey1", "127.0.0.1"); Assert.fail("Failure expected"); } catch (AuthorizationException ex) { // expected } return null; } }); // the IT group should have permission to get keys final UserGroupInformation ugi3 = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" }); ugi3.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { KMSWebApp.getACLs().assertAccess(Type.GET_KEYS, ugi3, KMSOp.GET_KEYS, "newkey1", "127.0.0.1"); return null; } }); }
From source file:org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizerTest.java
License:Apache License
@Test public void testGetMetadata() throws Throwable { if (!UNRESTRICTED_POLICIES_INSTALLED) { return;/*from w w w.j ava 2 s . c om*/ } // bob should have permission to get the metadata final UserGroupInformation ugi = UserGroupInformation.createRemoteUser("bob"); ugi.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { KMSWebApp.getACLs().assertAccess(Type.GET_METADATA, ugi, KMSOp.GET_METADATA, "newkey1", "127.0.0.1"); return null; } }); // "eve" should not have permission to get the metadata final UserGroupInformation ugi2 = UserGroupInformation.createRemoteUser("eve"); ugi2.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { try { KMSWebApp.getACLs().assertAccess(Type.GET_METADATA, ugi2, KMSOp.GET_METADATA, "newkey1", "127.0.0.1"); Assert.fail("Failure expected"); } catch (AuthorizationException ex) { // expected } return null; } }); // the IT group should have permission to get the metadata final UserGroupInformation ugi3 = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" }); ugi3.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { KMSWebApp.getACLs().assertAccess(Type.GET_METADATA, ugi3, KMSOp.GET_METADATA, "newkey1", "127.0.0.1"); return null; } }); }
From source file:org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizerTest.java
License:Apache License
@Test public void testGenerateEEK() throws Throwable { if (!UNRESTRICTED_POLICIES_INSTALLED) { return;//from w w w .j a v a2s .co m } // bob should have permission to generate EEK final UserGroupInformation ugi = UserGroupInformation.createRemoteUser("bob"); ugi.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { KMSWebApp.getACLs().assertAccess(Type.GENERATE_EEK, ugi, KMSOp.GENERATE_EEK, "newkey1", "127.0.0.1"); return null; } }); // "eve" should not have permission to generate EEK final UserGroupInformation ugi2 = UserGroupInformation.createRemoteUser("eve"); ugi2.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { try { KMSWebApp.getACLs().assertAccess(Type.GENERATE_EEK, ugi2, KMSOp.GENERATE_EEK, "newkey1", "127.0.0.1"); Assert.fail("Failure expected"); } catch (AuthorizationException ex) { // expected } return null; } }); // the IT group should not have permission to generate EEK final UserGroupInformation ugi3 = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" }); ugi3.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { try { KMSWebApp.getACLs().assertAccess(Type.GENERATE_EEK, ugi3, KMSOp.GENERATE_EEK, "newkey1", "127.0.0.1"); Assert.fail("Failure expected"); } catch (AuthorizationException ex) { // expected } return null; } }); }
From source file:org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizerTest.java
License:Apache License
@Test public void testDecryptEEK() throws Throwable { if (!UNRESTRICTED_POLICIES_INSTALLED) { return;/*from w w w .j av a2 s .c o m*/ } // bob should have permission to generate EEK final UserGroupInformation ugi = UserGroupInformation.createRemoteUser("bob"); ugi.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { KMSWebApp.getACLs().assertAccess(Type.DECRYPT_EEK, ugi, KMSOp.DECRYPT_EEK, "newkey1", "127.0.0.1"); return null; } }); // "eve" should not have permission to decrypt EEK final UserGroupInformation ugi2 = UserGroupInformation.createRemoteUser("eve"); ugi2.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { try { KMSWebApp.getACLs().assertAccess(Type.DECRYPT_EEK, ugi2, KMSOp.DECRYPT_EEK, "newkey1", "127.0.0.1"); Assert.fail("Failure expected"); } catch (AuthorizationException ex) { // expected } return null; } }); // the IT group should not have permission to decrypt EEK final UserGroupInformation ugi3 = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" }); ugi3.doAs(new PrivilegedExceptionAction<Void>() { public Void run() throws Exception { try { KMSWebApp.getACLs().assertAccess(Type.DECRYPT_EEK, ugi3, KMSOp.DECRYPT_EEK, "newkey1", "127.0.0.1"); Assert.fail("Failure expected"); } catch (AuthorizationException ex) { // expected } return null; } }); }
From source file:org.apache.ranger.authorization.storm.authorizer.RangerStormAuthorizer.java
License:Apache License
/** * permit() method is invoked for each incoming Thrift request. * @param context request context includes info about * @param operation operation name/*ww w. j a v a2 s . c o m*/ * @param topology_storm configuration of targeted topology * @return true if the request is authorized, false if reject */ @Override public boolean permit(ReqContext aRequestContext, String aOperationName, Map aTopologyConfigMap) { boolean accessAllowed = false; boolean isAuditEnabled = false; String topologyName = null; try { topologyName = (aTopologyConfigMap == null ? "" : (String) aTopologyConfigMap.get(Config.TOPOLOGY_NAME)); if (LOG.isDebugEnabled()) { LOG.debug("[req " + aRequestContext.requestID() + "] Access " + " from: [" + aRequestContext.remoteAddress() + "]" + " user: [" + aRequestContext.principal() + "]," + " op: [" + aOperationName + "]," + "topology: [" + topologyName + "]"); if (aTopologyConfigMap != null) { for (Object keyObj : aTopologyConfigMap.keySet()) { Object valObj = aTopologyConfigMap.get(keyObj); LOG.debug("TOPOLOGY CONFIG MAP [" + keyObj + "] => [" + valObj + "]"); } } else { LOG.debug("TOPOLOGY CONFIG MAP is passed as null."); } } if (noAuthzOperations.contains(aOperationName)) { accessAllowed = true; } else if (plugin == null) { LOG.info("Ranger plugin not initialized yet! Skipping authorization; allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); } else { String userName = null; String[] groups = null; Principal user = aRequestContext.principal(); if (user != null) { userName = user.getName(); if (userName != null) { UserGroupInformation ugi = UserGroupInformation.createRemoteUser(userName); userName = ugi.getShortUserName(); groups = ugi.getGroupNames(); if (LOG.isDebugEnabled()) { LOG.debug("User found from principal [" + user.getName() + "] => user:[" + userName + "], groups:[" + StringUtil.toString(groups) + "]"); } } } if (userName != null) { String clientIp = (aRequestContext.remoteAddress() == null ? null : aRequestContext.remoteAddress().getHostAddress()); RangerAccessRequest accessRequest = plugin.buildAccessRequest(userName, groups, clientIp, topologyName, aOperationName); RangerAccessResult result = plugin.isAccessAllowed(accessRequest); accessAllowed = result != null && result.getIsAllowed(); isAuditEnabled = result != null && result.getIsAudited(); if (LOG.isDebugEnabled()) { LOG.debug("User found from principal [" + userName + "], groups [" + StringUtil.toString(groups) + "]: verifying using [" + plugin.getClass().getName() + "], allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); } } else { LOG.info("NULL User found from principal [" + user + "]: Skipping authorization; allowedFlag => [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); } } } catch (Throwable t) { LOG.error("RangerStormAuthorizer found this exception", t); } finally { if (LOG.isDebugEnabled()) { LOG.debug("[req " + aRequestContext.requestID() + "] Access " + " from: [" + aRequestContext.remoteAddress() + "]" + " user: [" + aRequestContext.principal() + "]," + " op: [" + aOperationName + "]," + "topology: [" + topologyName + "] => returns [" + accessAllowed + "], Audit Enabled:" + isAuditEnabled); } } return accessAllowed; }
From source file:org.apache.sentry.tests.e2e.hive.Context.java
License:Apache License
public HiveMetaStoreClient getMetaStoreClient(String userName) throws Exception { UserGroupInformation clientUgi = UserGroupInformation.createRemoteUser(userName); HiveMetaStoreClient client = null;/*from w w w . j ava 2 s . c om*/ try { client = clientUgi.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>() { @Override public HiveMetaStoreClient run() throws Exception { return new HiveMetaStoreClient(new HiveConf()); } }); } catch (Throwable e) { // The metastore may don't finish the initialization, wait for 10s for the // initialization. Thread.sleep(10 * 1000); client = clientUgi.doAs(new PrivilegedExceptionAction<HiveMetaStoreClient>() { @Override public HiveMetaStoreClient run() throws Exception { return new HiveMetaStoreClient(new HiveConf()); } }); } return client; }
From source file:org.apache.sentry.tests.e2e.hive.Context.java
License:Apache License
public PigServer getPigServer(String userName, final ExecType exType) throws Exception { UserGroupInformation clientUgi = UserGroupInformation.createRemoteUser(userName); PigServer pigServer = (PigServer) clientUgi.doAs(new PrivilegedExceptionAction<Object>() { @Override/*from ww w . j a va 2s. co m*/ public PigServer run() throws Exception { return new PigServer(exType, new HiveConf()); } }); return pigServer; }
From source file:org.apache.sentry.tests.e2e.metastore.AbstractMetastoreTestWithStaticConfiguration.java
License:Apache License
public void execHiveSQLwithOverlay(final String sqlStmt, final String userName, Map<String, String> overLay) throws Exception { final HiveConf hiveConf = new HiveConf(); for (Map.Entry<String, String> entry : overLay.entrySet()) { hiveConf.set(entry.getKey(), entry.getValue()); }//from w w w. ja v a2 s. c om UserGroupInformation clientUgi = UserGroupInformation.createRemoteUser(userName); clientUgi.doAs(new PrivilegedExceptionAction<Object>() { @Override public Void run() throws Exception { Driver driver = new Driver(hiveConf, userName); SessionState.start(new CliSessionState(hiveConf)); CommandProcessorResponse cpr = driver.run(sqlStmt); if (cpr.getResponseCode() != 0) { throw new IOException("Failed to execute \"" + sqlStmt + "\". Driver returned " + cpr.getResponseCode() + " Error: " + cpr.getErrorMessage()); } driver.close(); SessionState.get().close(); return null; } }); }