List of usage examples for org.apache.hadoop.security UserGroupInformation createUserForTesting
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createUserForTesting(String user, String[] userGroups)
From source file:org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizerTest.java
License:Apache License
/**
 * Checks the DELETE_KEY decision on key "newkey1" for three identities:
 * user "bob" must be allowed, while user "eve" and "alice" (member of
 * group "IT") must both be rejected with an AuthorizationException.
 *
 * @throws Throwable if an allowed call is rejected or doAs fails
 */
@Test
public void testDeleteKeys() throws Throwable {
    // NOTE(review): when the flag is false this returns before any assertion,
    // so the run is reported as a pass although no access decision was checked.
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }

    // Allow case: assertAccess has to return normally for "bob".
    final UserGroupInformation bob = UserGroupInformation.createRemoteUser("bob");
    PrivilegedExceptionAction<Void> deleteAsBob = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(
                    Type.DELETE, bob, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
            return null;
        }
    };
    bob.doAs(deleteAsBob);

    // Deny case (user): a normal return from assertAccess is a test failure.
    final UserGroupInformation eve = UserGroupInformation.createRemoteUser("eve");
    PrivilegedExceptionAction<Void> deleteAsEve = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(
                        Type.DELETE, eve, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException denied) {
                // expected: the denial is the behaviour under test
            }
            return null;
        }
    };
    eve.doAs(deleteAsEve);

    // Deny case (group): "alice" is created with the single group "IT".
    final UserGroupInformation alice =
            UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    PrivilegedExceptionAction<Void> deleteAsAlice = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(
                        Type.DELETE, alice, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException denied) {
                // expected: the denial is the behaviour under test
            }
            return null;
        }
    };
    alice.doAs(deleteAsAlice);
}
From source file:org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizerTest.java
License:Apache License
/**
 * Checks the ROLL_NEW_VERSION decision on key "newkey1" for three identities:
 * user "bob" must be allowed, while user "eve" and "alice" (member of
 * group "IT") must both be rejected with an AuthorizationException.
 *
 * @throws Throwable if an allowed call is rejected or doAs fails
 */
@Test
public void testRollover() throws Throwable {
    // NOTE(review): when the flag is false this returns before any assertion,
    // so the run is reported as a pass although no access decision was checked.
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }

    // Allow case: assertAccess has to return normally for "bob".
    final UserGroupInformation bob = UserGroupInformation.createRemoteUser("bob");
    PrivilegedExceptionAction<Void> rolloverAsBob = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(
                    Type.ROLLOVER, bob, KMSOp.ROLL_NEW_VERSION, "newkey1", "127.0.0.1");
            return null;
        }
    };
    bob.doAs(rolloverAsBob);

    // Deny case (user): a normal return from assertAccess is a test failure.
    final UserGroupInformation eve = UserGroupInformation.createRemoteUser("eve");
    PrivilegedExceptionAction<Void> rolloverAsEve = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(
                        Type.ROLLOVER, eve, KMSOp.ROLL_NEW_VERSION, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException denied) {
                // expected: the denial is the behaviour under test
            }
            return null;
        }
    };
    eve.doAs(rolloverAsEve);

    // Deny case (group): "alice" is created with the single group "IT".
    final UserGroupInformation alice =
            UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    PrivilegedExceptionAction<Void> rolloverAsAlice = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(
                        Type.ROLLOVER, alice, KMSOp.ROLL_NEW_VERSION, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException denied) {
                // expected: the denial is the behaviour under test
            }
            return null;
        }
    };
    alice.doAs(rolloverAsAlice);
}
From source file:org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizerTest.java
License:Apache License
/**
 * Checks the GET_KEYS decision for three identities: user "bob" and
 * "alice" (member of group "IT") must be allowed, while user "eve" must
 * be rejected with an AuthorizationException.
 *
 * @throws Throwable if an allowed call is rejected or doAs fails
 */
@Test
public void testGetKeys() throws Throwable {
    // NOTE(review): when the flag is false this returns before any assertion,
    // so the run is reported as a pass although no access decision was checked.
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }

    // Allow case (user): assertAccess has to return normally for "bob".
    final UserGroupInformation bob = UserGroupInformation.createRemoteUser("bob");
    PrivilegedExceptionAction<Void> getKeysAsBob = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(
                    Type.GET_KEYS, bob, KMSOp.GET_KEYS, "newkey1", "127.0.0.1");
            return null;
        }
    };
    bob.doAs(getKeysAsBob);

    // Deny case: a normal return from assertAccess is a test failure.
    final UserGroupInformation eve = UserGroupInformation.createRemoteUser("eve");
    PrivilegedExceptionAction<Void> getKeysAsEve = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(
                        Type.GET_KEYS, eve, KMSOp.GET_KEYS, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException denied) {
                // expected: the denial is the behaviour under test
            }
            return null;
        }
    };
    eve.doAs(getKeysAsEve);

    // Allow case (group): "alice" is created with the single group "IT".
    final UserGroupInformation alice =
            UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    PrivilegedExceptionAction<Void> getKeysAsAlice = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(
                    Type.GET_KEYS, alice, KMSOp.GET_KEYS, "newkey1", "127.0.0.1");
            return null;
        }
    };
    alice.doAs(getKeysAsAlice);
}
From source file:org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizerTest.java
License:Apache License
/**
 * Checks the GET_METADATA decision on key "newkey1" for three identities:
 * user "bob" and "alice" (member of group "IT") must be allowed, while
 * user "eve" must be rejected with an AuthorizationException.
 *
 * @throws Throwable if an allowed call is rejected or doAs fails
 */
@Test
public void testGetMetadata() throws Throwable {
    // NOTE(review): when the flag is false this returns before any assertion,
    // so the run is reported as a pass although no access decision was checked.
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }

    // Allow case (user): assertAccess has to return normally for "bob".
    final UserGroupInformation bob = UserGroupInformation.createRemoteUser("bob");
    PrivilegedExceptionAction<Void> metadataAsBob = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(
                    Type.GET_METADATA, bob, KMSOp.GET_METADATA, "newkey1", "127.0.0.1");
            return null;
        }
    };
    bob.doAs(metadataAsBob);

    // Deny case: a normal return from assertAccess is a test failure.
    final UserGroupInformation eve = UserGroupInformation.createRemoteUser("eve");
    PrivilegedExceptionAction<Void> metadataAsEve = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(
                        Type.GET_METADATA, eve, KMSOp.GET_METADATA, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException denied) {
                // expected: the denial is the behaviour under test
            }
            return null;
        }
    };
    eve.doAs(metadataAsEve);

    // Allow case (group): "alice" is created with the single group "IT".
    final UserGroupInformation alice =
            UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    PrivilegedExceptionAction<Void> metadataAsAlice = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(
                    Type.GET_METADATA, alice, KMSOp.GET_METADATA, "newkey1", "127.0.0.1");
            return null;
        }
    };
    alice.doAs(metadataAsAlice);
}
From source file:org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizerTest.java
License:Apache License
/**
 * Checks the GENERATE_EEK decision on key "newkey1" for three identities:
 * user "bob" must be allowed, while user "eve" and "alice" (member of
 * group "IT") must both be rejected with an AuthorizationException.
 *
 * @throws Throwable if an allowed call is rejected or doAs fails
 */
@Test
public void testGenerateEEK() throws Throwable {
    // NOTE(review): when the flag is false this returns before any assertion,
    // so the run is reported as a pass although no access decision was checked.
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }

    // Allow case: assertAccess has to return normally for "bob".
    final UserGroupInformation bob = UserGroupInformation.createRemoteUser("bob");
    PrivilegedExceptionAction<Void> generateAsBob = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(
                    Type.GENERATE_EEK, bob, KMSOp.GENERATE_EEK, "newkey1", "127.0.0.1");
            return null;
        }
    };
    bob.doAs(generateAsBob);

    // Deny case (user): a normal return from assertAccess is a test failure.
    final UserGroupInformation eve = UserGroupInformation.createRemoteUser("eve");
    PrivilegedExceptionAction<Void> generateAsEve = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(
                        Type.GENERATE_EEK, eve, KMSOp.GENERATE_EEK, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException denied) {
                // expected: the denial is the behaviour under test
            }
            return null;
        }
    };
    eve.doAs(generateAsEve);

    // Deny case (group): "alice" is created with the single group "IT".
    final UserGroupInformation alice =
            UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    PrivilegedExceptionAction<Void> generateAsAlice = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(
                        Type.GENERATE_EEK, alice, KMSOp.GENERATE_EEK, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException denied) {
                // expected: the denial is the behaviour under test
            }
            return null;
        }
    };
    alice.doAs(generateAsAlice);
}
From source file:org.apache.ranger.authorization.kms.authorizer.RangerKmsAuthorizerTest.java
License:Apache License
/**
 * Checks the DECRYPT_EEK decision on key "newkey1" for three identities:
 * user "bob" must be allowed, while user "eve" and "alice" (member of
 * group "IT") must both be rejected with an AuthorizationException.
 *
 * @throws Throwable if an allowed call is rejected or doAs fails
 */
@Test
public void testDecryptEEK() throws Throwable {
    // NOTE(review): when the flag is false this returns before any assertion,
    // so the run is reported as a pass although no access decision was checked.
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }

    // Allow case: "bob" should have permission to decrypt EEK, so assertAccess
    // has to return normally.
    final UserGroupInformation bob = UserGroupInformation.createRemoteUser("bob");
    PrivilegedExceptionAction<Void> decryptAsBob = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(
                    Type.DECRYPT_EEK, bob, KMSOp.DECRYPT_EEK, "newkey1", "127.0.0.1");
            return null;
        }
    };
    bob.doAs(decryptAsBob);

    // Deny case (user): a normal return from assertAccess is a test failure.
    final UserGroupInformation eve = UserGroupInformation.createRemoteUser("eve");
    PrivilegedExceptionAction<Void> decryptAsEve = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(
                        Type.DECRYPT_EEK, eve, KMSOp.DECRYPT_EEK, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException denied) {
                // expected: the denial is the behaviour under test
            }
            return null;
        }
    };
    eve.doAs(decryptAsEve);

    // Deny case (group): "alice" is created with the single group "IT".
    final UserGroupInformation alice =
            UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    PrivilegedExceptionAction<Void> decryptAsAlice = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(
                        Type.DECRYPT_EEK, alice, KMSOp.DECRYPT_EEK, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException denied) {
                // expected: the denial is the behaviour under test
            }
            return null;
        }
    };
    alice.doAs(decryptAsAlice);
}
From source file:org.apache.ranger.services.hdfs.HDFSRangerTest.java
License:Apache License
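/**
 * Verifies read access to a file created through the cluster's own file system handle.
 * "bob" (no groups) and "alice" (group "IT") must be able to open and read it; "eve"
 * (no groups) must be refused with a RemoteException wrapping RangerAccessControlException.
 *
 * @throws Exception if setup fails or an access that should succeed is refused
 */
@org.junit.Test
public void readTest() throws Exception {
    FileSystem fileSystem = hdfsCluster.getFileSystem();

    // Write a file - the AccessControlEnforcer won't be invoked as we are the "superuser"
    final Path file = new Path("/tmp/tmpdir/data-file2");
    FSDataOutputStream out = fileSystem.create(file);
    try {
        for (int i = 0; i < 1024; ++i) {
            out.write(("data" + i + "\n").getBytes("UTF-8"));
            out.flush();
        }
    } finally {
        out.close();
    }

    // Owner read only, nothing for group/other: the reads asserted below therefore
    // cannot be explained by the file's permission bits for non-owners.
    fileSystem.setPermission(file, new FsPermission(FsAction.READ, FsAction.NONE, FsAction.NONE));

    // Now try to read the file as "bob" - this should be allowed (by the policy - user)
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("bob", new String[] {});
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            Configuration conf = new Configuration();
            conf.set("fs.defaultFS", defaultFs);
            FileSystem fs = FileSystem.get(conf);
            try {
                FSDataInputStream in = fs.open(file);
                try {
                    ByteArrayOutputStream output = new ByteArrayOutputStream();
                    IOUtils.copy(in, output);
                    // Decode with the charset the file was written in, not the platform default.
                    String content = new String(output.toByteArray(), "UTF-8");
                    Assert.assertTrue(content.startsWith("data0"));
                } finally {
                    in.close();
                }
            } finally {
                // Release the per-user handle even when an assertion above fails.
                fs.close();
            }
            return null;
        }
    });

    // Now try to read the file as "alice" - this should be allowed (by the policy - group)
    ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            Configuration conf = new Configuration();
            conf.set("fs.defaultFS", defaultFs);
            FileSystem fs = FileSystem.get(conf);
            try {
                FSDataInputStream in = fs.open(file);
                try {
                    ByteArrayOutputStream output = new ByteArrayOutputStream();
                    IOUtils.copy(in, output);
                    // Decode with the charset the file was written in, not the platform default.
                    String content = new String(output.toByteArray(), "UTF-8");
                    Assert.assertTrue(content.startsWith("data0"));
                } finally {
                    in.close();
                }
            } finally {
                // Release the per-user handle even when an assertion above fails.
                fs.close();
            }
            return null;
        }
    });

    // Now try to read the file as unknown user "eve" - this should not be allowed
    ugi = UserGroupInformation.createUserForTesting("eve", new String[] {});
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            Configuration conf = new Configuration();
            conf.set("fs.defaultFS", defaultFs);
            FileSystem fs = FileSystem.get(conf);
            try {
                fs.open(file);
                Assert.fail("Failure expected on an incorrect permission");
            } catch (RemoteException ex) {
                // Pin the denial to the Ranger exception type so that an unrelated
                // remote failure is not accepted as a successful deny.
                Assert.assertEquals(RangerAccessControlException.class.getName(), ex.getClassName());
            } finally {
                fs.close();
            }
            return null;
        }
    });
}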
From source file:org.apache.ranger.services.hdfs.HDFSRangerTest.java
License:Apache License
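/**
 * Verifies append access to a file created through the cluster's own file system handle.
 * "bob" (no groups) and "alice" (group "IT") must be able to append; "eve" (no groups)
 * must be refused with a RemoteException wrapping RangerAccessControlException.
 *
 * @throws Exception if setup fails or an access that should succeed is refused
 */
@org.junit.Test
public void writeTest() throws Exception {
    FileSystem fileSystem = hdfsCluster.getFileSystem();

    // Write a file - the AccessControlEnforcer won't be invoked as we are the "superuser"
    final Path file = new Path("/tmp/tmpdir2/data-file3");
    FSDataOutputStream out = fileSystem.create(file);
    try {
        for (int i = 0; i < 1024; ++i) {
            out.write(("data" + i + "\n").getBytes("UTF-8"));
            out.flush();
        }
    } finally {
        out.close();
    }

    // Now try to write to the file as "bob" - this should be allowed (by the policy - user)
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("bob", new String[] {});
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            Configuration conf = new Configuration();
            conf.set("fs.defaultFS", defaultFs);
            FileSystem fs = FileSystem.get(conf);
            try {
                // Opening for append is the operation under test; nothing is written.
                fs.append(file);
            } finally {
                // Release the per-user handle even when the append is refused.
                fs.close();
            }
            return null;
        }
    });

    // Now try to write to the file as "alice" - this should be allowed (by the policy - group)
    ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            Configuration conf = new Configuration();
            conf.set("fs.defaultFS", defaultFs);
            FileSystem fs = FileSystem.get(conf);
            try {
                // Opening for append is the operation under test; nothing is written.
                fs.append(file);
            } finally {
                // Release the per-user handle even when the append is refused.
                fs.close();
            }
            return null;
        }
    });

    // Now try to write to the file as unknown user "eve" - this should not be allowed
    ugi = UserGroupInformation.createUserForTesting("eve", new String[] {});
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            Configuration conf = new Configuration();
            conf.set("fs.defaultFS", defaultFs);
            FileSystem fs = FileSystem.get(conf);
            try {
                fs.append(file);
                Assert.fail("Failure expected on an incorrect permission");
            } catch (RemoteException ex) {
                // Pin the denial to the Ranger exception type so that an unrelated
                // remote failure is not accepted as a successful deny.
                Assert.assertEquals(RangerAccessControlException.class.getName(), ex.getClassName());
            } finally {
                fs.close();
            }
            return null;
        }
    });
}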
From source file:org.apache.ranger.services.hdfs.HDFSRangerTest.java
License:Apache License
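/**
 * Verifies directory listing under /tmp/tmpdir3 after its permission bits are reduced to
 * owner-execute only. "bob" (no groups) and "alice" (group "IT") must be able to list the
 * directory; "eve" (no groups) must be refused with a RemoteException wrapping
 * RangerAccessControlException.
 *
 * @throws Exception if setup fails or an access that should succeed is refused
 */
@org.junit.Test
public void executeTest() throws Exception {
    FileSystem fileSystem = hdfsCluster.getFileSystem();

    // Write a file - the AccessControlEnforcer won't be invoked as we are the "superuser"
    final Path file = new Path("/tmp/tmpdir3/data-file2");
    FSDataOutputStream out = fileSystem.create(file);
    try {
        for (int i = 0; i < 1024; ++i) {
            out.write(("data" + i + "\n").getBytes("UTF-8"));
            out.flush();
        }
    } finally {
        out.close();
    }

    // Change permissions to read-only
    fileSystem.setPermission(file, new FsPermission(FsAction.READ, FsAction.NONE, FsAction.NONE));

    // Change the parent directory permissions to be execute only for the owner
    Path parentDir = new Path("/tmp/tmpdir3");
    fileSystem.setPermission(parentDir, new FsPermission(FsAction.EXECUTE, FsAction.NONE, FsAction.NONE));

    // Try to read the directory as "bob" - this should be allowed (by the policy - user)
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("bob", new String[] {});
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            Configuration conf = new Configuration();
            conf.set("fs.defaultFS", defaultFs);
            FileSystem fs = FileSystem.get(conf);
            try {
                RemoteIterator<LocatedFileStatus> iter = fs.listFiles(file.getParent(), false);
                Assert.assertTrue(iter.hasNext());
            } finally {
                // Release the per-user handle even when an assertion above fails.
                fs.close();
            }
            return null;
        }
    });

    // Try to read the directory as "alice" - this should be allowed (by the policy - group)
    ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            Configuration conf = new Configuration();
            conf.set("fs.defaultFS", defaultFs);
            FileSystem fs = FileSystem.get(conf);
            try {
                RemoteIterator<LocatedFileStatus> iter = fs.listFiles(file.getParent(), false);
                Assert.assertTrue(iter.hasNext());
            } finally {
                // Release the per-user handle even when an assertion above fails.
                fs.close();
            }
            return null;
        }
    });

    // Now try to read the directory as unknown user "eve" - this should not be allowed
    ugi = UserGroupInformation.createUserForTesting("eve", new String[] {});
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            Configuration conf = new Configuration();
            conf.set("fs.defaultFS", defaultFs);
            FileSystem fs = FileSystem.get(conf);
            try {
                // List the parent directory; reaching Assert.fail means the listing was permitted.
                RemoteIterator<LocatedFileStatus> iter = fs.listFiles(file.getParent(), false);
                Assert.assertTrue(iter.hasNext());
                Assert.fail("Failure expected on an incorrect permission");
            } catch (RemoteException ex) {
                // Pin the denial to the Ranger exception type so that an unrelated
                // remote failure is not accepted as a successful deny.
                Assert.assertEquals(RangerAccessControlException.class.getName(), ex.getClassName());
            } finally {
                fs.close();
            }
            return null;
        }
    });
}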
From source file:org.apache.sentry.hdfs.TestSentryAuthorizationProvider.java
License:Apache License
/**
 * Creates the admin test identity and, running as that identity, starts a MiniDFSCluster
 * whose NameNode uses MockSentryAuthorizationProvider with ACLs enabled.
 *
 * @throws Exception if the cluster cannot be built
 */
@Before
public void setUp() throws Exception {
    // The admin identity is the OS user running the test, placed in "supergroup".
    final String currentOsUser = System.getProperty("user.name");
    final String[] adminGroups = { "supergroup" };
    admin = UserGroupInformation.createUserForTesting(currentOsUser, adminGroups);

    PrivilegedExceptionAction<Void> startMiniCluster = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            System.setProperty(MiniDFSCluster.PROP_TEST_BUILD_DATA, "target/test/data");

            Configuration hdfsConf = new HdfsConfiguration();
            hdfsConf.setBoolean("sentry.authorization-provider.include-hdfs-authz-as-acl", true);
            // Route NameNode authorization through the mock Sentry provider.
            hdfsConf.set(
                    DFSConfigKeys.DFS_NAMENODE_AUTHORIZATION_PROVIDER_KEY,
                    MockSentryAuthorizationProvider.class.getName());
            hdfsConf.setBoolean(DFSConfigKeys.DFS_NAMENODE_ACLS_ENABLED_KEY, true);

            // Test-only switch on the edit log stream: skip fsync.
            EditLogFileOutputStream.setShouldSkipFsyncForTesting(true);

            miniDFS = new MiniDFSCluster.Builder(hdfsConf).build();
            return null;
        }
    };
    admin.doAs(startMiniCluster);
}