List of usage examples for org.apache.hadoop.security UserGroupInformation doAs
@InterfaceAudience.Public @InterfaceStability.Evolving public <T> T doAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException
From source file:org.apache.coheigea.bigdata.hdfs.ranger.HDFSRangerTest.java
License:Apache License
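/**
 * Verifies that a Ranger tag-based policy, not the POSIX bits on the file, decides who may read it.
 *
 * <p>The file is written as the HDFS superuser (the enforcer is not consulted for that) and then set to
 * owner-read-only. Reads are then attempted as four test users: "bob" (granted by user), "alice" in group "IT"
 * (granted by group), the unknown user "eve" and the known-but-unentitled user "dave" (both denied).
 *
 * @throws Exception on any HDFS or assertion failure
 */
@org.junit.Test
public void readTestUsingTagPolicy() throws Exception {
    FileSystem fileSystem = hdfsCluster.getFileSystem();

    // Write a file - the AccessControlEnforcer won't be invoked as we are the "superuser"
    final Path file = new Path("/tmp/tmpdir6/data-file2");
    FSDataOutputStream out = fileSystem.create(file);
    try {
        for (int i = 0; i < 1024; ++i) {
            out.write(("data" + i + "\n").getBytes("UTF-8"));
            out.flush();
        }
    } finally {
        out.close();
    }

    // Change permissions to read-only for the owner, so any access by other users must come from the policy
    fileSystem.setPermission(file, new FsPermission(FsAction.READ, FsAction.NONE, FsAction.NONE));

    // Now try to read the file as "bob" - this should be allowed (by the policy - user)
    readFileAsTestUser("bob", new String[] {}, file);

    // Now try to read the file as "alice" - this should be allowed (by the policy - group)
    readFileAsTestUser("alice", new String[] { "IT" }, file);

    // Now try to read the file as unknown user "eve" - this should not be allowed
    assertReadDeniedForTestUser("eve", new String[] {}, file);

    // Now try to read the file as known user "dave" - this should not be allowed, as he doesn't have the
    // correct permissions
    assertReadDeniedForTestUser("dave", new String[] {}, file);
}

/** Reads {@code file} as the given test user and asserts that the content written by the superuser is returned. */
private void readFileAsTestUser(final String user, final String[] groups, final Path file) throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(user, groups);
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            Configuration conf = new Configuration();
            conf.set("fs.defaultFS", defaultFs);
            FileSystem fs = FileSystem.get(conf);
            try {
                FSDataInputStream in = fs.open(file);
                try {
                    ByteArrayOutputStream output = new ByteArrayOutputStream();
                    IOUtils.copy(in, output);
                    // decode with the charset the file was written in, not the platform default
                    String content = new String(output.toByteArray(), "UTF-8");
                    Assert.assertTrue(content.startsWith("data0"));
                } finally {
                    in.close();
                }
            } finally {
                fs.close();
            }
            return null;
        }
    });
}

/**
 * Attempts to open {@code file} as the given test user and asserts that the open is rejected by Ranger
 * specifically (the NameNode reports the authorizer's exception class inside a {@link RemoteException}).
 */
private void assertReadDeniedForTestUser(final String user, final String[] groups, final Path file)
        throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting(user, groups);
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            Configuration conf = new Configuration();
            conf.set("fs.defaultFS", defaultFs);
            FileSystem fs = FileSystem.get(conf);
            try {
                FSDataInputStream in = null;
                try {
                    in = fs.open(file);
                    Assert.fail("Failure expected on an incorrect permission");
                } catch (RemoteException ex) {
                    // expected - but only if it is the Ranger denial, not some other server-side failure
                    Assert.assertEquals(RangerAccessControlException.class.getName(), ex.getClassName());
                } finally {
                    if (in != null) {
                        in.close();
                    }
                }
            } finally {
                fs.close();
            }
            return null;
        }
    });
}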
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
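/**
 * Verifies that "alice" in group "IT" is refused a full-row {@code SELECT *} on "words".
 *
 * @throws Exception on any JDBC or assertion failure
 */
@org.junit.Test
public void testHiveSelectAllAsAlice() throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            String url = "jdbc:hive2://localhost:" + port + "/rangerauthz";
            Connection connection = DriverManager.getConnection(url, "alice", "alice");
            try {
                Statement statement = connection.createStatement();
                try {
                    statement.executeQuery("SELECT * FROM words where count == '100'");
                    Assert.fail("Failure expected on an unauthorized call");
                } catch (SQLException ex) {
                    // expected
                    // NOTE(review): any SQLException satisfies this catch, so a connectivity or syntax error
                    // would also pass; consider asserting on the error to pin it to an authorization denial
                } finally {
                    statement.close();
                }
            } finally {
                connection.close();
            }
            return null;
        }
    });
}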
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
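/**
 * Verifies that "alice" in group "IT" may read the "count" column of "words" and gets the expected row back.
 *
 * @throws Exception on any JDBC or assertion failure
 */
@org.junit.Test
public void testHiveSelectSpecificColumnAsAlice() throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            String url = "jdbc:hive2://localhost:" + port + "/rangerauthz";
            Connection connection = DriverManager.getConnection(url, "alice", "alice");
            try {
                Statement statement = connection.createStatement();
                try {
                    ResultSet resultSet = statement.executeQuery("SELECT count FROM words where count == '100'");
                    try {
                        // fail with a clear message if no row came back, rather than an SQLException from getInt
                        Assert.assertTrue("Expected a row with count == 100", resultSet.next());
                        Assert.assertEquals(100, resultSet.getInt(1));
                    } finally {
                        resultSet.close();
                    }
                } finally {
                    statement.close();
                }
            } finally {
                connection.close();
            }
            return null;
        }
    });
}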
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
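/**
 * Verifies that "alice" is refused the "count" column when she is a member of "DevOps" rather than "IT",
 * i.e. the grant is tied to the group and not to the user name.
 *
 * @throws Exception on any JDBC or assertion failure
 */
@org.junit.Test
public void testHiveSelectSpecificColumnAsAliceWrongGroup() throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "DevOps" });
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            String url = "jdbc:hive2://localhost:" + port + "/rangerauthz";
            Connection connection = DriverManager.getConnection(url, "alice", "alice");
            try {
                Statement statement = connection.createStatement();
                try {
                    statement.executeQuery("SELECT count FROM words where count == '100'");
                    Assert.fail("Failure expected on an unauthorized call");
                } catch (SQLException ex) {
                    // expected
                    // NOTE(review): any SQLException satisfies this catch, so a connectivity or syntax error
                    // would also pass; consider asserting on the error to pin it to an authorization denial
                } finally {
                    statement.close();
                }
            } finally {
                connection.close();
            }
            return null;
        }
    });
}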
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
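/**
 * Verifies that "alice" in group "IT" is refused an INSERT into "words".
 *
 * @throws Exception on any JDBC or assertion failure
 */
@org.junit.Test
public void testHiveUpdateAllAsAlice() throws Exception {
    UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            String url = "jdbc:hive2://localhost:" + port + "/rangerauthz";
            Connection connection = DriverManager.getConnection(url, "alice", "alice");
            try {
                Statement statement = connection.createStatement();
                try {
                    statement.execute("insert into words (word, count) values ('newword2', 5)");
                    Assert.fail("Failure expected on an unauthorized call");
                } catch (SQLException ex) {
                    // expected
                    // NOTE(review): any SQLException satisfies this catch, so a connectivity or syntax error
                    // would also pass; consider asserting on the error to pin it to an authorization denial
                } finally {
                    statement.close();
                }
            } finally {
                connection.close();
            }
            return null;
        }
    });
}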
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
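/**
 * Verifies a tag-based policy at table granularity: "alice" in group "dev" may read "words" in database
 * "hivetable" but not its sibling "words2".
 *
 * <p>The database and both tables are created and dropped as "admin"; the drop runs in a {@code finally} so a
 * failed assertion does not leave state behind for the other tests on the same server.
 *
 * @throws Exception on any JDBC or assertion failure
 */
@org.junit.Test
public void testTagBasedPolicyForTable() throws Exception {
    String url = "jdbc:hive2://localhost:" + port;
    final String tableUrl = "jdbc:hive2://localhost:" + port + "/hivetable";

    // Create a database as "admin"
    Connection connection = DriverManager.getConnection(url, "admin", "admin");
    try {
        Statement statement = connection.createStatement();
        try {
            statement.execute("CREATE DATABASE hivetable");
        } finally {
            statement.close();
        }
    } finally {
        connection.close();
    }

    try {
        // Create "words" and "words2" tables in "hivetable"
        connection = DriverManager.getConnection(tableUrl, "admin", "admin");
        try {
            Statement statement = connection.createStatement();
            try {
                statement.execute("CREATE TABLE WORDS (word STRING, count INT)");
                statement.execute("CREATE TABLE WORDS2 (word STRING, count INT)");
            } finally {
                statement.close();
            }
        } finally {
            connection.close();
        }

        // Now try to read it as "alice" in the "dev" group
        UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "dev" });
        ugi.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                Connection connection = DriverManager.getConnection(tableUrl, "alice", "alice");
                try {
                    // "words" should work
                    Statement statement = connection.createStatement();
                    try {
                        ResultSet resultSet = statement.executeQuery("SELECT * FROM words");
                        Assert.assertNotNull(resultSet);
                        resultSet.close();
                    } finally {
                        statement.close();
                    }

                    // "words2" should not
                    statement = connection.createStatement();
                    try {
                        statement.executeQuery("SELECT * FROM words2");
                        Assert.fail("Failure expected on an unauthorized call");
                    } catch (SQLException ex) {
                        // expected
                        // NOTE(review): any SQLException satisfies this catch; consider asserting on the
                        // error to pin it to an authorization denial
                    } finally {
                        statement.close();
                    }
                } finally {
                    connection.close();
                }
                return null;
            }
        });
    } finally {
        // Drop the tables and database as "admin"; IF EXISTS keeps this cleanup from masking an earlier
        // failure when one of the CREATE statements did not run
        connection = DriverManager.getConnection(tableUrl, "admin", "admin");
        try {
            Statement statement = connection.createStatement();
            try {
                statement.execute("drop TABLE IF EXISTS words");
                statement.execute("drop TABLE IF EXISTS words2");
                statement.execute("drop DATABASE IF EXISTS hivetable");
            } finally {
                statement.close();
            }
        } finally {
            connection.close();
        }
    }
}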
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
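/**
 * Verifies a tag-based policy at database granularity: "alice" in group "dev" may create "hivetable" but is
 * refused "hivetable2".
 *
 * <p>The database is dropped as "admin" in a {@code finally} so a failed assertion does not leave it behind
 * for the other tests on the same server.
 *
 * @throws Exception on any JDBC or assertion failure
 */
@org.junit.Test
public void testTagBasedPolicyForDatabase() throws Exception {
    final String url = "jdbc:hive2://localhost:" + port;
    try {
        UserGroupInformation ugi = UserGroupInformation.createUserForTesting("alice", new String[] { "dev" });
        ugi.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                Connection connection = DriverManager.getConnection(url, "alice", "alice");
                try {
                    // Create a database - allowed for the "dev" group
                    Statement statement = connection.createStatement();
                    try {
                        statement.execute("CREATE DATABASE hivetable");
                    } finally {
                        statement.close();
                    }

                    // "hivetable2" should not be allowed to be created by the "dev" group
                    statement = connection.createStatement();
                    try {
                        statement.execute("CREATE DATABASE hivetable2");
                        Assert.fail("Failure expected on an unauthorized call");
                    } catch (SQLException ex) {
                        // expected
                        // NOTE(review): any SQLException satisfies this catch; consider asserting on the
                        // error to pin it to an authorization denial
                    } finally {
                        statement.close();
                    }
                } finally {
                    connection.close();
                }
                return null;
            }
        });
    } finally {
        // Drop the database as "admin"; IF EXISTS keeps this cleanup from masking an earlier failure
        Connection connection = DriverManager.getConnection(url, "admin", "admin");
        try {
            Statement statement = connection.createStatement();
            try {
                statement.execute("drop DATABASE IF EXISTS hivetable");
            } finally {
                statement.close();
            }
        } finally {
            connection.close();
        }
    }
}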
From source file:org.apache.coheigea.bigdata.hive.ranger.HIVERangerAuthorizerTest.java
License:Apache License
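/**
 * Verifies a tag-based policy at column granularity: "frank" may select "word" from "words" but not from
 * "words2".
 *
 * <p>The denied query must run on an open {@link Statement}: calling {@code executeQuery} on a closed
 * statement throws {@link SQLException} by itself, which would satisfy the expected-failure catch without the
 * authorizer ever being consulted. The database and tables are created and dropped as "admin"; the drop runs
 * in a {@code finally} so a failed assertion does not leave state behind for the other tests.
 *
 * @throws Exception on any JDBC or assertion failure
 */
@org.junit.Test
public void testTagBasedPolicyForColumn() throws Exception {
    String url = "jdbc:hive2://localhost:" + port;
    final String tableUrl = "jdbc:hive2://localhost:" + port + "/hivetable";

    // Create a database as "admin"
    Connection connection = DriverManager.getConnection(url, "admin", "admin");
    try {
        Statement statement = connection.createStatement();
        try {
            statement.execute("CREATE DATABASE hivetable");
        } finally {
            statement.close();
        }
    } finally {
        connection.close();
    }

    try {
        // Create "words" and "words2" tables in "hivetable"
        connection = DriverManager.getConnection(tableUrl, "admin", "admin");
        try {
            Statement statement = connection.createStatement();
            try {
                statement.execute("CREATE TABLE WORDS (word STRING, count INT)");
                statement.execute("CREATE TABLE WORDS2 (word STRING, count INT)");
            } finally {
                statement.close();
            }
        } finally {
            connection.close();
        }

        // Now try to read it as the user "frank"
        UserGroupInformation ugi = UserGroupInformation.createUserForTesting("frank", new String[] { "unknown" });
        ugi.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                Connection connection = DriverManager.getConnection(tableUrl, "frank", "frank");
                try {
                    // we can select "word" from "words"
                    Statement statement = connection.createStatement();
                    try {
                        ResultSet resultSet = statement.executeQuery("SELECT word FROM words");
                        Assert.assertNotNull(resultSet);
                        resultSet.close();
                    } finally {
                        statement.close();
                    }

                    // we can't select "word" from "words2" as "frank" - use a fresh Statement so the
                    // SQLException below can only come from the server, not from a closed statement
                    statement = connection.createStatement();
                    try {
                        statement.executeQuery("SELECT word FROM words2");
                        Assert.fail("Failure expected on an unauthorized call");
                    } catch (SQLException ex) {
                        // expected
                        // NOTE(review): any SQLException satisfies this catch; consider asserting on the
                        // error to pin it to an authorization denial
                    } finally {
                        statement.close();
                    }
                } finally {
                    connection.close();
                }
                return null;
            }
        });
    } finally {
        // Drop the tables and database as "admin"; IF EXISTS keeps this cleanup from masking an earlier
        // failure when one of the CREATE statements did not run
        connection = DriverManager.getConnection(tableUrl, "admin", "admin");
        try {
            Statement statement = connection.createStatement();
            try {
                statement.execute("drop TABLE IF EXISTS words");
                statement.execute("drop TABLE IF EXISTS words2");
                statement.execute("drop DATABASE IF EXISTS hivetable");
            } finally {
                statement.close();
            }
        } finally {
            connection.close();
        }
    }
}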
From source file:org.apache.coheigea.bigdata.kms.ranger.RangerKmsAuthorizerTest.java
License:Apache License
/**
 * Checks the KMS ACLs for key creation: "bob" passes, while "eve" and "alice" (group "IT") are refused
 * with an {@link AuthorizationException}.
 *
 * @throws Throwable on any assertion failure or unexpected error from the ACL check
 */
@org.junit.Test
public void testCreateKeys() throws Throwable {
    // bob should have permission to create - assertAccess must return normally
    final UserGroupInformation bob = UserGroupInformation.createRemoteUser("bob");
    bob.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(Type.CREATE, bob, KMSOp.CREATE_KEY, "newkey1", "127.0.0.1");
            return null;
        }
    });

    // "eve" should not have permission to create
    final UserGroupInformation eve = UserGroupInformation.createRemoteUser("eve");
    eve.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            boolean denied = false;
            try {
                KMSWebApp.getACLs().assertAccess(Type.CREATE, eve, KMSOp.CREATE_KEY, "newkey2", "127.0.0.1");
            } catch (AuthorizationException ex) {
                // expected
                denied = true;
            }
            Assert.assertTrue("Failure expected", denied);
            return null;
        }
    });

    // the IT group should not have permission to create
    final UserGroupInformation aliceInIt = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    aliceInIt.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            boolean denied = false;
            try {
                KMSWebApp.getACLs().assertAccess(Type.CREATE, aliceInIt, KMSOp.CREATE_KEY, "newkey1", "127.0.0.1");
            } catch (AuthorizationException ex) {
                // expected
                denied = true;
            }
            Assert.assertTrue("Failure expected", denied);
            return null;
        }
    });
}
From source file:org.apache.coheigea.bigdata.kms.ranger.RangerKmsAuthorizerTest.java
License:Apache License
/**
 * Checks the KMS ACLs for key deletion: "bob" passes, while "eve" and "alice" (group "IT") are refused
 * with an {@link AuthorizationException}.
 *
 * @throws Throwable on any assertion failure or unexpected error from the ACL check
 */
@org.junit.Test
public void testDeleteKeys() throws Throwable {
    // bob should have permission to delete - assertAccess must return normally
    final UserGroupInformation bob = UserGroupInformation.createRemoteUser("bob");
    bob.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(Type.DELETE, bob, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
            return null;
        }
    });

    // "eve" should not have permission to delete
    final UserGroupInformation eve = UserGroupInformation.createRemoteUser("eve");
    eve.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            boolean denied = false;
            try {
                KMSWebApp.getACLs().assertAccess(Type.DELETE, eve, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
            } catch (AuthorizationException ex) {
                // expected
                denied = true;
            }
            Assert.assertTrue("Failure expected", denied);
            return null;
        }
    });

    // the IT group should not have permission to delete
    final UserGroupInformation aliceInIt = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    aliceInIt.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            boolean denied = false;
            try {
                KMSWebApp.getACLs().assertAccess(Type.DELETE, aliceInIt, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
            } catch (AuthorizationException ex) {
                // expected
                denied = true;
            }
            Assert.assertTrue("Failure expected", denied);
            return null;
        }
    });
}