List of usage examples for org.apache.hadoop.security UserGroupInformation createUserForTesting
@InterfaceAudience.Public @InterfaceStability.Evolving public static UserGroupInformation createUserForTesting(String user, String[] userGroups)
From source file:org.apache.coheigea.bigdata.hdfs.ranger.HDFSRangerTest.java
License:Apache License
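/**
 * Checks that read access to an HDFS file is governed by a tag-based Ranger policy.
 *
 * <p>The file is created and made owner-read-only by the test process itself (the HDFS
 * "superuser", for which the AccessControlEnforcer is not invoked). It is then opened under
 * four identities obtained from {@link UserGroupInformation#createUserForTesting}:
 * <ul>
 *   <li>"bob" - expected to be allowed by the policy (user match)</li>
 *   <li>"alice" in group "IT" - expected to be allowed by the policy (group match)</li>
 *   <li>"eve" - unknown user, expected to be denied</li>
 *   <li>"dave" - known user without the right permissions, expected to be denied</li>
 * </ul>
 * A denial is only accepted when the {@link RemoteException} carries the class name of
 * {@code RangerAccessControlException}, so a failure caused by plain HDFS permission
 * checking would not make the negative cases pass.
 *
 * @throws Exception on any HDFS or UGI failure
 */
@org.junit.Test
public void readTestUsingTagPolicy() throws Exception {
    FileSystem fileSystem = hdfsCluster.getFileSystem();

    // Write a file - the AccessControlEnforcer won't be invoked as we are the "superuser"
    final Path file = new Path("/tmp/tmpdir6/data-file2");
    try (FSDataOutputStream out = fileSystem.create(file)) {
        for (int i = 0; i < 1024; ++i) {
            out.write(("data" + i + "\n").getBytes("UTF-8"));
            out.flush();
        }
    }

    // Change permissions to read-only for the owner only: HDFS itself grants nobody else
    // access, so any successful read below must have been granted by the Ranger policy
    fileSystem.setPermission(file, new FsPermission(FsAction.READ, FsAction.NONE, FsAction.NONE));

    // Now try to read the file as "bob" - this should be allowed (by the policy - user)
    assertReadAllowedAs("bob", new String[] {}, file);

    // Now try to read the file as "alice" - this should be allowed (by the policy - group)
    assertReadAllowedAs("alice", new String[] { "IT" }, file);

    // Now try to read the file as unknown user "eve" - this should not be allowed
    assertReadDeniedAs("eve", new String[] {}, file);

    // Now try to read the file as known user "dave" - this should not be allowed, as he
    // doesn't have the correct permissions
    assertReadDeniedAs("dave", new String[] {}, file);
}

/**
 * Opens {@code file} as {@code user} and asserts that its content can be read.
 *
 * @param user   name of the test user to run as
 * @param groups groups of the test user (may be empty)
 * @param file   HDFS path to read
 * @throws Exception if the read is denied or fails
 */
private void assertReadAllowedAs(String user, String[] groups, final Path file) throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(user, groups);
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        public Void run() throws Exception {
            Configuration conf = new Configuration();
            conf.set("fs.defaultFS", defaultFs);
            // The FileSystem is obtained inside doAs so that it is created under the test
            // user's identity rather than the superuser's; both handles are closed on any exit
            try (FileSystem fs = FileSystem.get(conf);
                 FSDataInputStream in = fs.open(file)) {
                ByteArrayOutputStream output = new ByteArrayOutputStream();
                IOUtils.copy(in, output);
                // Decode with the same charset the writer used instead of the platform default
                String content = new String(output.toByteArray(), "UTF-8");
                Assert.assertTrue(content.startsWith("data0"));
            }
            return null;
        }
    });
}

/**
 * Attempts to open {@code file} as {@code user} and asserts that Ranger denies the access.
 *
 * @param user   name of the test user to run as
 * @param groups groups of the test user (may be empty)
 * @param file   HDFS path to open
 * @throws Exception if the open fails for a reason other than a Ranger denial
 */
private void assertReadDeniedAs(String user, String[] groups, final Path file) throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(user, groups);
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        public Void run() throws Exception {
            Configuration conf = new Configuration();
            conf.set("fs.defaultFS", defaultFs);
            try (FileSystem fs = FileSystem.get(conf)) {
                // If open() unexpectedly succeeds the stream is still closed before failing
                try (FSDataInputStream ignored = fs.open(file)) {
                    Assert.fail("Failure expected on an incorrect permission");
                } catch (RemoteException ex) {
                    // expected - but only a Ranger denial counts, not a generic HDFS permission
                    // error; assertEquals reports the actual exception class on a mismatch
                    Assert.assertEquals(RangerAccessControlException.class.getName(), ex.getClassName());
                }
            }
            return null;
        }
    });
}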
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
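/**
 * "alice" in group "IT" must not be able to {@code SELECT *} from {@code words}.
 *
 * <p>The sibling test {@link #testHiveSelectSpecificColumnAsAlice} selects only the
 * {@code count} column successfully as the same user, so this case checks that a wildcard
 * select does not leak the remaining columns past the authorizer.
 *
 * @throws Exception on any JDBC or UGI failure other than the expected authorization error
 */
@org.junit.Test
public void testHiveSelectAllAsAlice() throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        public Void run() throws Exception {
            String url = "jdbc:hive2://localhost:" + port + "/rangerauthz";
            // try-with-resources releases the connection even when the assertion below fails
            try (Connection connection = DriverManager.getConnection(url, "alice", "alice");
                 Statement statement = connection.createStatement()) {
                try (ResultSet ignored = statement.executeQuery("SELECT * FROM words where count == '100'")) {
                    Assert.fail("Failure expected on an unauthorized call");
                } catch (SQLException ex) {
                    // expected
                    // NOTE(review): any SQLException satisfies this, so an unrelated failure
                    // (e.g. a missing table) would also pass - consider checking the message
                }
            }
            return null;
        }
    });
}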
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
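/**
 * "alice" in group "IT" may select the {@code count} column of {@code words} and gets the
 * expected row back.
 *
 * @throws Exception on any JDBC or UGI failure
 */
@org.junit.Test
public void testHiveSelectSpecificColumnAsAlice() throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        public Void run() throws Exception {
            String url = "jdbc:hive2://localhost:" + port + "/rangerauthz";
            // Connection, statement and result set are all closed whether or not the asserts pass
            try (Connection connection = DriverManager.getConnection(url, "alice", "alice");
                 Statement statement = connection.createStatement();
                 ResultSet resultSet = statement.executeQuery("SELECT count FROM words where count == '100'")) {
                // An empty result would otherwise surface as an obscure getInt failure
                Assert.assertTrue("Expected a row with count == 100", resultSet.next());
                Assert.assertEquals(100, resultSet.getInt(1));
            }
            return null;
        }
    });
}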
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
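/**
 * "alice" is denied the {@code count} column when she is not in the "IT" group.
 *
 * <p>Together with {@link #testHiveSelectSpecificColumnAsAlice} this shows the grant is
 * attached to the group, not to the user name: the same user with group "DevOps" must be
 * rejected.
 *
 * @throws Exception on any JDBC or UGI failure other than the expected authorization error
 */
@org.junit.Test
public void testHiveSelectSpecificColumnAsAliceWrongGroup() throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "DevOps" });
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        public Void run() throws Exception {
            String url = "jdbc:hive2://localhost:" + port + "/rangerauthz";
            // try-with-resources releases the connection even when the assertion below fails
            try (Connection connection = DriverManager.getConnection(url, "alice", "alice");
                 Statement statement = connection.createStatement()) {
                try (ResultSet ignored = statement.executeQuery("SELECT count FROM words where count == '100'")) {
                    Assert.fail("Failure expected on an unauthorized call");
                } catch (SQLException ex) {
                    // expected
                    // NOTE(review): any SQLException satisfies this, so an unrelated failure
                    // (e.g. a missing table) would also pass - consider checking the message
                }
            }
            return null;
        }
    });
}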
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
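/**
 * "alice" in group "IT" must not be able to insert into {@code words}: the policy that lets
 * her read a column (see {@link #testHiveSelectSpecificColumnAsAlice}) does not extend to
 * writes.
 *
 * @throws Exception on any JDBC or UGI failure other than the expected authorization error
 */
@org.junit.Test
public void testHiveUpdateAllAsAlice() throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        public Void run() throws Exception {
            String url = "jdbc:hive2://localhost:" + port + "/rangerauthz";
            // try-with-resources releases the connection even when the assertion below fails
            try (Connection connection = DriverManager.getConnection(url, "alice", "alice");
                 Statement statement = connection.createStatement()) {
                try {
                    statement.execute("insert into words (word, count) values ('newword2', 5)");
                    Assert.fail("Failure expected on an unauthorized call");
                } catch (SQLException ex) {
                    // expected
                    // NOTE(review): any SQLException satisfies this, so an unrelated failure
                    // would also pass - consider checking the message
                }
            }
            return null;
        }
    });
}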
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
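/**
 * A tag-based policy on a table: in database {@code hivetable}, "alice" (group "dev") can
 * read {@code words} but not {@code words2}.
 *
 * <p>Setup and teardown run as "admin"; teardown is in a {@code finally} so that a failed
 * assertion does not leave {@code hivetable} behind for the other tests that create it.
 *
 * @throws Exception on any JDBC or UGI failure other than the expected authorization error
 */
@org.junit.Test
public void testTagBasedPolicyForTable() throws Exception {
    String url = "jdbc:hive2://localhost:" + port;

    // Create a database as "admin"
    try (Connection connection = DriverManager.getConnection(url, "admin", "admin");
         Statement statement = connection.createStatement()) {
        statement.execute("CREATE DATABASE hivetable");
    }

    // Create a "words" table in "hivetable"
    final String tableUrl = "jdbc:hive2://localhost:" + port + "/hivetable";
    try (Connection connection = DriverManager.getConnection(tableUrl, "admin", "admin");
         Statement statement = connection.createStatement()) {
        statement.execute("CREATE TABLE WORDS (word STRING, count INT)");
        statement.execute("CREATE TABLE WORDS2 (word STRING, count INT)");
    }

    try {
        // Now try to read it as "alice" in the "dev" group
        UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "dev" });
        ugi.doAs(new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
                try (Connection connection = DriverManager.getConnection(tableUrl, "alice", "alice")) {
                    // "words" should work
                    try (Statement statement = connection.createStatement();
                         ResultSet resultSet = statement.executeQuery("SELECT * FROM words")) {
                        Assert.assertNotNull(resultSet);
                    }
                    // "words2" should not - a fresh Statement, so the SQLException caught below
                    // cannot be a closed-statement error standing in for the authorizer's denial
                    try (Statement statement = connection.createStatement()) {
                        try (ResultSet ignored = statement.executeQuery("SELECT * FROM words2")) {
                            Assert.fail("Failure expected on an unauthorized call");
                        } catch (SQLException ex) {
                            // expected
                        }
                    }
                }
                return null;
            }
        });
    } finally {
        // Drop the table and database as "admin"
        try (Connection connection = DriverManager.getConnection(tableUrl, "admin", "admin");
             Statement statement = connection.createStatement()) {
            statement.execute("drop TABLE words");
            statement.execute("drop TABLE words2");
            statement.execute("drop DATABASE hivetable");
        }
    }
}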
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
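/**
 * A tag-based policy on a database: "alice" (group "dev") may create {@code hivetable} but
 * not {@code hivetable2}.
 *
 * <p>Teardown runs as "admin" in a {@code finally} and uses {@code IF EXISTS} so that it
 * neither masks the real failure when the first CREATE was denied nor leaves
 * {@code hivetable2} behind if the negative case ever succeeds.
 *
 * @throws Exception on any JDBC or UGI failure other than the expected authorization error
 */
@org.junit.Test
public void testTagBasedPolicyForDatabase() throws Exception {
    final String url = "jdbc:hive2://localhost:" + port;
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "dev" });
    try {
        ugi.doAs(new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
                try (Connection connection = DriverManager.getConnection(url, "alice", "alice")) {
                    // Create a database - allowed for the "dev" group
                    try (Statement statement = connection.createStatement()) {
                        statement.execute("CREATE DATABASE hivetable");
                    }
                    // "hivetable2" should not be allowed to be created by the "dev" group.
                    // createStatement() stays outside the catch so only the execute can "pass"
                    try (Statement statement = connection.createStatement()) {
                        try {
                            statement.execute("CREATE DATABASE hivetable2");
                            Assert.fail("Failure expected on an unauthorized call");
                        } catch (SQLException ex) {
                            // expected
                        }
                    }
                }
                return null;
            }
        });
    } finally {
        // Drop the database(s) as "admin"
        try (Connection connection = DriverManager.getConnection(url, "admin", "admin");
             Statement statement = connection.createStatement()) {
            statement.execute("drop DATABASE IF EXISTS hivetable");
            statement.execute("drop DATABASE IF EXISTS hivetable2");
        }
    }
}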
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
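/**
 * A tag-based policy on a column: "frank" can select {@code word} from {@code words} but not
 * from {@code words2}.
 *
 * <p>The negative case needs its own {@link Statement}. Reusing the statement that was already
 * closed after the positive case makes {@code executeQuery} fail with a closed-statement
 * {@link SQLException}, which the catch would accept without the authorizer ever being
 * consulted - the test would pass even if Ranger allowed the read.
 *
 * <p>Setup and teardown run as "admin"; teardown is in a {@code finally} so that a failed
 * assertion does not leave {@code hivetable} behind for the other tests that create it.
 *
 * @throws Exception on any JDBC or UGI failure other than the expected authorization error
 */
@org.junit.Test
public void testTagBasedPolicyForColumn() throws Exception {
    String url = "jdbc:hive2://localhost:" + port;

    // Create a database as "admin"
    try (Connection connection = DriverManager.getConnection(url, "admin", "admin");
         Statement statement = connection.createStatement()) {
        statement.execute("CREATE DATABASE hivetable");
    }

    // Create a "words" table in "hivetable"
    final String tableUrl = "jdbc:hive2://localhost:" + port + "/hivetable";
    try (Connection connection = DriverManager.getConnection(tableUrl, "admin", "admin");
         Statement statement = connection.createStatement()) {
        statement.execute("CREATE TABLE WORDS (word STRING, count INT)");
        statement.execute("CREATE TABLE WORDS2 (word STRING, count INT)");
    }

    try {
        // Now try to read it as the user "frank"
        UserGroupInformation ugi = UserGroupInformation.createUserForTesting("frank", new String[] { "unknown" });
        ugi.doAs(new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
                try (Connection connection = DriverManager.getConnection(tableUrl, "frank", "frank")) {
                    // we can select "word" from "words"
                    try (Statement statement = connection.createStatement();
                         ResultSet resultSet = statement.executeQuery("SELECT word FROM words")) {
                        Assert.assertNotNull(resultSet);
                    }
                    // we can't select "word" from "words2" as "frank" - on a fresh Statement, so
                    // the SQLException really comes from the authorizer and not from a closed
                    // statement
                    try (Statement statement = connection.createStatement()) {
                        try (ResultSet ignored = statement.executeQuery("SELECT word FROM words2")) {
                            Assert.fail("Failure expected on an unauthorized call");
                        } catch (SQLException ex) {
                            // expected
                        }
                    }
                }
                return null;
            }
        });
    } finally {
        // Drop the table and database as "admin"
        try (Connection connection = DriverManager.getConnection(tableUrl, "admin", "admin");
             Statement statement = connection.createStatement()) {
            statement.execute("drop TABLE words");
            statement.execute("drop TABLE words2");
            statement.execute("drop DATABASE hivetable");
        }
    }
}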
From source file:org.apache.coheigea.bigdata.kafka.ranger.KafkaRangerAuthorizerTest.java
License:Apache License
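/**
 * Starts an embedded ZooKeeper and a single SSL-only Kafka broker that uses the Ranger Kafka
 * authorizer, then creates the topics the tests rely on.
 *
 * <p>The broker demands a client certificate ({@code ssl.client.auth=required}), so the
 * identities the authorizer sees are the certificate DNs. The two
 * {@link UserGroupInformation#createUserForTesting} calls register those DNs as users in the
 * "public" and "IT" groups, presumably so that the authorizer's group lookup resolves for
 * them (to be confirmed against the Ranger policies used by the tests).
 *
 * @throws Exception if ZooKeeper, the broker or topic creation fails
 */
@org.junit.BeforeClass
public static void setup() throws Exception {
    zkServer = new TestingServer();

    // Get a random port; the socket is closed again so the broker can bind it. There is an
    // unavoidable window in which another process could grab the port in between.
    try (ServerSocket serverSocket = new ServerSocket(0)) {
        port = serverSocket.getLocalPort();
    }

    final Properties props = new Properties();
    props.put("broker.id", 1);
    props.put("host.name", "localhost");
    props.put("port", port);
    props.put("log.dir", "/tmp/kafka");
    props.put("zookeeper.connect", zkServer.getConnectString());
    props.put("replica.socket.timeout.ms", "1500");
    props.put("controlled.shutdown.enable", Boolean.TRUE.toString());

    // Enable SSL with mandatory client authentication (test-only keystores and passwords)
    // NOTE(review): URL.getPath() is not URL-decoded, so a build path containing spaces or
    // other escaped characters would break these keystore locations
    props.put("listeners", "SSL://localhost:" + port);
    props.put("ssl.keystore.location", KafkaAuthorizerTest.class.getResource("/servicestore.jks").getPath());
    props.put("ssl.keystore.password", "sspass");
    props.put("ssl.key.password", "skpass");
    props.put("ssl.truststore.location", KafkaAuthorizerTest.class.getResource("/truststore.jks").getPath());
    props.put("ssl.truststore.password", "security");
    props.put("security.inter.broker.protocol", "SSL");
    props.put("ssl.client.auth", "required");

    // Plug in Apache Ranger authorizer
    props.put("authorizer.class.name", "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer");

    // Create users for testing - the user names are the certificate DNs of the two keystores
    UserGroupInformation.createUserForTesting("CN=Client,O=Apache,L=Dublin,ST=Leinster,C=IE", new String[] { "public" });
    UserGroupInformation.createUserForTesting("CN=Service,O=Apache,L=Dublin,ST=Leinster,C=IE", new String[] { "IT" });

    KafkaConfig config = new KafkaConfig(props);
    kafkaServer = new KafkaServerStartable(config);
    kafkaServer.startup();

    // Create some topics through a dedicated ZooKeeper client that is released afterwards
    ZkClient zkClient = new ZkClient(zkServer.getConnectString(), 30000, 30000, ZKStringSerializer$.MODULE$);
    final ZkUtils zkUtils = new ZkUtils(zkClient, new ZkConnection(zkServer.getConnectString()), false);
    try {
        AdminUtils.createTopic(zkUtils, "test", 1, 1, new Properties(), RackAwareMode.Enforced$.MODULE$);
        AdminUtils.createTopic(zkUtils, "dev", 1, 1, new Properties(), RackAwareMode.Enforced$.MODULE$);
        AdminUtils.createTopic(zkUtils, "messages", 1, 1, new Properties(), RackAwareMode.Enforced$.MODULE$);
    } finally {
        zkUtils.close();
    }
}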
From source file:org.apache.coheigea.bigdata.kafka.ranger.KafkaRangerGSSAuthorizerTest.java
License:Apache License
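/**
 * Starts a Kerberos KDC, a SASL-protected embedded ZooKeeper and a single SASL_PLAINTEXT
 * (GSSAPI) Kafka broker that uses the Ranger Kafka authorizer, then creates the topics the
 * tests rely on.
 *
 * <p>The JAAS configuration is generated from {@code src/test/resources/kafka_kerberos.jaas}
 * with {@code <basedir>} replaced by the actual build directory so that the keytab paths in
 * it are absolute. The two {@link UserGroupInformation#createUserForTesting} calls register
 * the Kerberos principals of the client and the broker as users in the "public" and "IT"
 * groups, presumably so that the authorizer's group lookup resolves for them (to be confirmed
 * against the Ranger policies used by the tests).
 *
 * @throws Exception if the KDC, ZooKeeper, the broker or topic creation fails
 */
@org.junit.BeforeClass
public static void setup() throws Exception {
    String basedir = System.getProperty("basedir");
    if (basedir == null) {
        basedir = new File(".").getCanonicalPath();
    }
    configureKerby(basedir);

    // JAAS Config file - We need to point to the correct keytab files.
    // Literal replace() rather than replaceAll(): a basedir containing '$' or '\' would
    // otherwise be interpreted as a regex replacement pattern and corrupt the JAAS file.
    Path path = FileSystems.getDefault().getPath(basedir, "/src/test/resources/kafka_kerberos.jaas");
    String content = new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
    content = content.replace("<basedir>", basedir);
    Path path2 = FileSystems.getDefault().getPath(basedir, "/target/test-classes/kafka_kerberos.jaas");
    Files.write(path2, content.getBytes(StandardCharsets.UTF_8));
    // JVM-wide: every subsequent JAAS login in this process reads this file
    System.setProperty("java.security.auth.login.config", path2.toString());

    // Set up Zookeeper to require SASL
    Map<String, Object> zookeeperProperties = new HashMap<>();
    zookeeperProperties.put("authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
    zookeeperProperties.put("requireClientAuthScheme", "sasl");
    zookeeperProperties.put("jaasLoginRenew", "3600000");

    InstanceSpec instanceSpec = new InstanceSpec(null, -1, -1, -1, true, 1, -1, -1, zookeeperProperties);
    zkServer = new TestingServer(instanceSpec, true);

    // Get a random port; the socket is closed again so the broker can bind it. There is an
    // unavoidable window in which another process could grab the port in between.
    try (ServerSocket serverSocket = new ServerSocket(0)) {
        port = serverSocket.getLocalPort();
    }

    final Properties props = new Properties();
    props.put("broker.id", 1);
    props.put("host.name", "localhost");
    props.put("port", port);
    props.put("log.dir", "/tmp/kafka");
    props.put("zookeeper.connect", zkServer.getConnectString());
    props.put("replica.socket.timeout.ms", "1500");
    props.put("controlled.shutdown.enable", Boolean.TRUE.toString());

    // Enable SASL_PLAINTEXT
    props.put("listeners", "SASL_PLAINTEXT://localhost:" + port);
    props.put("security.inter.broker.protocol", "SASL_PLAINTEXT");
    props.put("sasl.enabled.mechanisms", "GSSAPI");
    props.put("sasl.mechanism.inter.broker.protocol", "GSSAPI");
    props.put("sasl.kerberos.service.name", "kafka");

    // Plug in Apache Ranger authorizer
    props.put("authorizer.class.name", "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer");

    // Create users for testing - the user names are the Kerberos principals used by the tests
    UserGroupInformation.createUserForTesting("client@kafka.apache.org", new String[] { "public" });
    UserGroupInformation.createUserForTesting("kafka/localhost@kafka.apache.org", new String[] { "IT" });

    KafkaConfig config = new KafkaConfig(props);
    kafkaServer = new KafkaServerStartable(config);
    kafkaServer.startup();

    // Create some topics through a dedicated ZooKeeper client that is released afterwards
    ZkClient zkClient = new ZkClient(zkServer.getConnectString(), 30000, 30000, ZKStringSerializer$.MODULE$);
    final ZkUtils zkUtils = new ZkUtils(zkClient, new ZkConnection(zkServer.getConnectString()), false);
    try {
        AdminUtils.createTopic(zkUtils, "test", 1, 1, new Properties(), RackAwareMode.Enforced$.MODULE$);
        AdminUtils.createTopic(zkUtils, "dev", 1, 1, new Properties(), RackAwareMode.Enforced$.MODULE$);
        AdminUtils.createTopic(zkUtils, "messages", 1, 1, new Properties(), RackAwareMode.Enforced$.MODULE$);
    } finally {
        zkUtils.close();
    }
}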