List of usage examples for org.apache.hadoop.security UserGroupInformation doAs
@InterfaceAudience.Public @InterfaceStability.Evolving public <T> T doAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException
From source file:org.apache.phoenix.end2end.HttpParamImpersonationQueryServerIT.java
License:Apache License
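/**
 * Starts the Phoenix Query Server (PQS) for the test on a dedicated executor thread.
 *
 * <p>The Kerberos login for the SPNEGO principal is performed here, and PQS is run inside
 * that UGI via {@code doAs}, rather than letting PQS log in by itself: a PQS-owned login would
 * replace the HBase/HDFS logins that are already active in this test JVM.
 *
 * <p>Side effects: assigns the static {@code PQS}, {@code PQS_EXECUTOR}, {@code PQS_PORT} and
 * {@code PQS_URL} fields, and blocks until PQS reports it is running.
 *
 * @throws Exception if the keytab login or PQS startup fails
 */
private static void startQueryServer() throws Exception {
    PQS = new QueryServer(new String[0], UTIL.getConfiguration());
    // Get the SPNEGO ident for PQS to use
    final UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(SPNEGO_PRINCIPAL,
            KEYTAB.getAbsolutePath());
    PQS_EXECUTOR = Executors.newSingleThreadExecutor();
    // Launch PQS, doing the Kerberos login here instead of letting PQS do it itself (which would
    // break the HBase/HDFS logins also running in the same test case).
    PQS_EXECUTOR.submit(new Runnable() {
        @Override
        public void run() {
            try {
                ugi.doAs(new PrivilegedAction<Void>() {
                    @Override
                    public Void run() {
                        PQS.run();
                        return null;
                    }
                });
            } catch (RuntimeException e) {
                // The Future returned by submit() is never inspected, so a failure inside
                // PQS.run() would otherwise be captured there and vanish silently, leaving
                // awaitRunning() below with nothing to diagnose. Log, then rethrow so the
                // Future still reflects the failure.
                LOG.error("Query server thread failed", e);
                throw e;
            }
        }
    });
    PQS.awaitRunning();
    PQS_PORT = PQS.getPort();
    PQS_URL = ThinClientUtil.getConnectionUrl("localhost", PQS_PORT) + ";authentication=SPNEGO";
}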
From source file:org.apache.phoenix.end2end.HttpParamImpersonationQueryServerIT.java
License:Apache License
/**
 * A SPNEGO-authenticated user that is itself denied on a table can still read it when the JDBC
 * URL asks PQS to execute the query as the (permitted) service user.
 *
 * <p>Flow: the service principal creates the table and grants user1/user2 on the Phoenix system
 * tables; user1 then (a) reads directly and must get a permission error, and (b) reads through a
 * URL carrying the remote-user-extractor parameter set to the service user's short name, which
 * must succeed. Whether user1 may impersonate the service user is decided by the test cluster's
 * proxy-user configuration, which is set up outside this method.
 *
 * @throws Exception on any login, DDL or query failure
 */
@Test
public void testSuccessfulImpersonation() throws Exception {
    final Entry<String, File> user1 = getUser(1);
    final Entry<String, File> user2 = getUser(2);
    // JDBC URL template: the caller authenticates via SPNEGO but asks PQS, through the
    // remote-user-extractor query parameter, to run as the user substituted for %s.
    final String remoteUserParam = QueryServicesOptions.DEFAULT_QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM;
    final String doAsUrlTemplate = Driver.CONNECT_STRING_PREFIX + "url=http://localhost:" + PQS_PORT + "?"
            + remoteUserParam + "=%s;authentication=SPNEGO;serialization=PROTOBUF";
    final String tableName = "POSITIVE_IMPERSONATION";
    final int numRows = 5;

    // The service principal owns the table and grants the test users on the system tables.
    final UserGroupInformation serviceUgi = UserGroupInformation
            .loginUserFromKeytabAndReturnUGI(SERVICE_PRINCIPAL, KEYTAB.getAbsolutePath());
    final PrivilegedExceptionAction<Void> setUpTableAsService = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            createTable(tableName, numRows);
            grantUsersToPhoenixSystemTables(Arrays.asList(user1.getKey(), user2.getKey()));
            return null;
        }
    };
    serviceUgi.doAs(setUpTableAsService);

    final UserGroupInformation user1Ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(user1.getKey(),
            user1.getValue().getAbsolutePath());
    final PrivilegedExceptionAction<Void> readAsUser1 = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            // Directly, user1 holds no grant on the table and must be rejected.
            readAndExpectPermissionError(PQS_URL, tableName, numRows);
            // Same credentials, but executing as the service user, which can read the table.
            final String doAsUrl = String.format(doAsUrlTemplate, serviceUgi.getShortUserName());
            try (Connection conn = DriverManager.getConnection(doAsUrl);
                    Statement stmt = conn.createStatement()) {
                conn.setAutoCommit(true);
                readRows(stmt, tableName, numRows);
            }
            return null;
        }
    };
    user1Ugi.doAs(readAsUser1);
}
From source file:org.apache.phoenix.end2end.HttpParamImpersonationQueryServerIT.java
License:Apache License
/**
 * A user that is not configured as a proxy user must not be able to escalate by naming the
 * service user in the remote-user-extractor URL parameter.
 *
 * <p>Flow: the service principal creates the table and grants user2 on the system tables only;
 * user2 then reads directly (permission error expected) and reads through a doAs URL naming the
 * service user, which must also fail. Note that the second check treats any {@code Exception}
 * as the expected rejection, so an unrelated connection failure would pass it as well; narrow
 * the catch once the exact exception PQS raises for a denied impersonation is pinned down.
 *
 * @throws Exception on any login or DDL failure outside the guarded impersonation attempt
 */
@Test
public void testDisallowedImpersonation() throws Exception {
    final Entry<String, File> user2 = getUser(2);
    final String remoteUserParam = QueryServicesOptions.DEFAULT_QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM;
    // Hand-built JDBC URL; %s receives the user PQS is asked to execute as.
    final String doAsUrlTemplate = Driver.CONNECT_STRING_PREFIX + "url=http://localhost:" + PQS_PORT + "?"
            + remoteUserParam + "=%s;authentication=SPNEGO;serialization=PROTOBUF";
    final String tableName = "DISALLOWED_IMPERSONATION";
    final int numRows = 5;

    final UserGroupInformation serviceUgi = UserGroupInformation
            .loginUserFromKeytabAndReturnUGI(SERVICE_PRINCIPAL, KEYTAB.getAbsolutePath());
    serviceUgi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            createTable(tableName, numRows);
            grantUsersToPhoenixSystemTables(Arrays.asList(user2.getKey()));
            return null;
        }
    });

    final UserGroupInformation user2Ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(user2.getKey(),
            user2.getValue().getAbsolutePath());
    user2Ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            // No grant on the table: the direct read must be denied.
            readAndExpectPermissionError(PQS_URL, tableName, numRows);
            // Not a permitted proxy user either: the impersonated read must be denied too.
            final String doAsUrl = String.format(doAsUrlTemplate, serviceUgi.getShortUserName());
            try (Connection conn = DriverManager.getConnection(doAsUrl);
                    Statement stmt = conn.createStatement()) {
                conn.setAutoCommit(true);
                readRows(stmt, tableName, numRows);
                // fail() throws an AssertionError, which the catch below does not intercept.
                fail("user2 should not be allowed to impersonate the service user");
            } catch (Exception e) {
                LOG.info("Caught expected exception", e);
            }
            return null;
        }
    });
}
From source file:org.apache.phoenix.end2end.SecureQueryServerIT.java
License:Apache License
/**
 * Smoke test of a Kerberos-authenticated client against PQS: create a table, upsert a handful
 * of rows and read them back in primary-key order, all inside user1's UGI.
 *
 * <p>The table name and row values are compile-time constants of this test, so building the
 * SQL strings by concatenation here does not involve untrusted input.
 *
 * @throws Exception on login or JDBC failure
 */
@Test
public void testBasicReadWrite() throws Exception {
    final Entry<String, File> user1 = getUser(1);
    final UserGroupInformation user1Ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(user1.getKey(),
            user1.getValue().getAbsolutePath());
    user1Ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            final String tableName = "phx_table1";
            final int numRows = 5;
            try (java.sql.Connection conn = DriverManager.getConnection(PQS_URL);
                    Statement stmt = conn.createStatement()) {
                conn.setAutoCommit(true);
                // DDL produces no result set
                assertFalse(stmt.execute("CREATE TABLE " + tableName + "(pk integer not null primary key)"));
                for (int row = 0; row < numRows; row++) {
                    assertEquals(1, stmt.executeUpdate("UPSERT INTO " + tableName + " values(" + row + ")"));
                }
                // The test expects the rows back in ascending primary-key order, then end of set.
                try (ResultSet rs = stmt.executeQuery("SELECT * FROM " + tableName)) {
                    int expected = 0;
                    while (expected < numRows) {
                        assertTrue(rs.next());
                        assertEquals(expected, rs.getInt(1));
                        expected++;
                    }
                    assertFalse(rs.next());
                }
            }
            return null;
        }
    });
}
From source file:org.apache.phoenix.end2end.SystemTablePermissionsIT.java
License:Apache License
/**
 * Verifies that a non-superuser can read a Phoenix table once granted EXEC+READ on the Phoenix
 * system tables and READ on the table itself (namespace mapping disabled).
 *
 * <p>Side effects: starts a one-node mini cluster and assigns the {@code testUtil} and
 * {@code clientProperties} fields.
 *
 * @throws Exception on cluster startup, grant or query failure
 */
@Test
public void testSystemTablePermissions() throws Exception {
    testUtil = new HBaseTestingUtility();
    clientProperties = new Properties();
    Configuration conf = testUtil.getConfiguration();
    setCommonConfigProperties(conf);
    // This variant runs with plain (non namespace-mapped) system tables.
    conf.set(QueryServices.IS_NAMESPACE_MAPPING_ENABLED, "false");
    clientProperties.setProperty(QueryServices.IS_NAMESPACE_MAPPING_ENABLED, "false");
    testUtil.startMiniCluster(1);

    final UserGroupInformation superUser = UserGroupInformation.createUserForTesting(SUPERUSER, new String[0]);
    final UserGroupInformation regularUser = UserGroupInformation.createUserForTesting("user", new String[0]);

    // Superuser creates and reads the table; the Phoenix system tables are expected to exist
    // afterwards (asserted below).
    final PrivilegedExceptionAction<Void> createAndRead = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            createTable();
            readTable();
            return null;
        }
    };
    superUser.doAs(createAndRead);

    Set<String> tables = getHBaseTables();
    assertTrue("HBase tables do not include expected Phoenix tables: " + tables,
            tables.containsAll(PHOENIX_SYSTEM_TABLES));

    // Minimal grants for the unprivileged user: EXEC+READ on system tables, READ on the data table.
    final PrivilegedExceptionAction<Void> grantToRegularUser = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            try {
                grantPermissions(regularUser.getShortUserName(), PHOENIX_SYSTEM_TABLES, Action.EXEC, Action.READ);
                grantPermissions(regularUser.getShortUserName(), Collections.singleton(TABLE_NAME), Action.READ);
            } catch (Throwable e) {
                // run() may only declare Exception, so anything else is wrapped before rethrowing.
                if (e instanceof Exception) {
                    throw (Exception) e;
                }
                throw new Exception(e);
            }
            return null;
        }
    };
    superUser.doAs(grantToRegularUser);

    // With only those grants in place, the regular user's read must succeed.
    final PrivilegedExceptionAction<Void> readAsRegularUser = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            readTable();
            return null;
        }
    };
    regularUser.doAs(readAsRegularUser);
}
From source file:org.apache.phoenix.end2end.SystemTablePermissionsIT.java
License:Apache License
/**
 * Same scenario as the non-mapped variant, but with namespace mapping enabled, so the grants
 * target the namespace-mapped names of the Phoenix system tables.
 *
 * <p>Side effects: starts a one-node mini cluster and assigns the {@code testUtil} and
 * {@code clientProperties} fields.
 *
 * @throws Exception on cluster startup, grant or query failure
 */
@Test
public void testNamespaceMappedSystemTables() throws Exception {
    testUtil = new HBaseTestingUtility();
    clientProperties = new Properties();
    Configuration conf = testUtil.getConfiguration();
    setCommonConfigProperties(conf);
    // Enable namespace mapping on both the cluster and the client side.
    testUtil.getConfiguration().set(QueryServices.IS_NAMESPACE_MAPPING_ENABLED, "true");
    clientProperties.setProperty(QueryServices.IS_NAMESPACE_MAPPING_ENABLED, "true");
    testUtil.startMiniCluster(1);

    final UserGroupInformation superUser = UserGroupInformation.createUserForTesting(SUPERUSER, new String[0]);
    final UserGroupInformation regularUser = UserGroupInformation.createUserForTesting("user", new String[0]);

    superUser.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            createTable();
            readTable();
            return null;
        }
    });

    Set<String> tables = getHBaseTables();
    assertTrue("HBase tables do not include expected Phoenix tables: " + tables,
            tables.containsAll(PHOENIX_NAMESPACE_MAPPED_SYSTEM_TABLES));

    // An unprivileged user should only need Read and eXecute on the system tables,
    // plus Read on the data table itself.
    superUser.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            final String grantee = regularUser.getShortUserName();
            try {
                grantPermissions(grantee, PHOENIX_NAMESPACE_MAPPED_SYSTEM_TABLES, Action.EXEC, Action.READ);
                grantPermissions(grantee, Collections.singleton(TABLE_NAME), Action.READ);
            } catch (Throwable e) {
                // Only Exception may leave run(); wrap any other Throwable.
                if (!(e instanceof Exception)) {
                    throw new Exception(e);
                }
                throw (Exception) e;
            }
            return null;
        }
    });

    regularUser.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            // Expected to succeed with the grants above
            readTable();
            return null;
        }
    });
}
From source file:org.apache.phoenix.jdbc.SecureUserConnectionsIT.java
License:Apache License
/**
 * Two {@code doAs} invocations under the same UGI instance must normalize to equal
 * {@link ConnectionInfo} objects: the set of connections never grows past one entry, and every
 * entry is Kerberos-based.
 *
 * @throws Exception on keytab login or URL normalization failure
 */
@Test
public void testMultipleInvocationsBySameUserAreEquivalent() throws Exception {
    final HashSet<ConnectionInfo> connections = new HashSet<>();
    final String princ1 = getUserPrincipal(1);
    final File keytab1 = getUserKeytabFile(1);
    final UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1, keytab1.getPath());
    final PrivilegedExceptionAction<Void> recordConnection = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            final String url = joinUserAuthentication(BASE_URL, princ1, keytab1);
            connections.add(ConnectionInfo.create(url).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
            return null;
        }
    };
    // Repeating the action under the same UGI must not add a second, distinct entry.
    for (int attempt = 0; attempt < 2; attempt++) {
        ugi.doAs(recordConnection);
        assertEquals(1, connections.size());
        verifyAllConnectionsAreKerberosBased(connections);
    }
}
From source file:org.apache.phoenix.jdbc.SecureUserConnectionsIT.java
License:Apache License
/**
 * Two separate UGI instances for the same principal and keytab yield two distinct
 * {@link ConnectionInfo} objects: identity is tied to the UGI instance, not to the principal
 * name, so re-logging in for the same user produces a second, non-equal connection.
 *
 * @throws Exception on keytab login or URL normalization failure
 */
@Test
public void testMultipleUniqueUGIInstancesAreDisjoint() throws Exception {
    final HashSet<ConnectionInfo> connections = new HashSet<>();
    final String princ1 = getUserPrincipal(1);
    final File keytab1 = getUserKeytabFile(1);
    final PrivilegedExceptionAction<Void> recordConnection = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            final String url = joinUserAuthentication(BASE_URL, princ1, keytab1);
            connections.add(ConnectionInfo.create(url).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
            return null;
        }
    };

    final UserGroupInformation firstLogin = UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1,
            keytab1.getPath());
    firstLogin.doAs(recordConnection);
    assertEquals(1, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);

    // Same "real" user, but a fresh UGI instance: by design this is treated as a different
    // connection (creating duplicate UGIs for one user is considered a programmer error).
    final UserGroupInformation secondLogin = UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1,
            keytab1.getPath());
    secondLogin.doAs(recordConnection);
    assertEquals(2, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);
}
From source file:org.apache.phoenix.jdbc.SecureUserConnectionsIT.java
License:Apache License
/**
 * Alternating {@code doAs} calls between two users' UGIs produce exactly one
 * {@link ConnectionInfo} per UGI: user1, user2, then user1 again leaves two entries in the set,
 * all Kerberos-based.
 *
 * @throws Exception on keytab login or URL normalization failure
 */
@Test
public void testAlternatingLogins() throws Exception {
    final HashSet<ConnectionInfo> connections = new HashSet<>();
    final String princ1 = getUserPrincipal(1);
    final File keytab1 = getUserKeytabFile(1);
    final String princ2 = getUserPrincipal(2);
    final File keytab2 = getUserKeytabFile(2);
    final UserGroupInformation ugi1 = UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ1, keytab1.getPath());
    final UserGroupInformation ugi2 = UserGroupInformation.loginUserFromKeytabAndReturnUGI(princ2, keytab2.getPath());

    final PrivilegedExceptionAction<Void> recordAsUser1 = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            final String url = joinUserAuthentication(BASE_URL, princ1, keytab1);
            connections.add(ConnectionInfo.create(url).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
            return null;
        }
    };
    final PrivilegedExceptionAction<Void> recordAsUser2 = new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            final String url = joinUserAuthentication(BASE_URL, princ2, keytab2);
            connections.add(ConnectionInfo.create(url).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
            return null;
        }
    };

    // First user: one entry.
    ugi1.doAs(recordAsUser1);
    assertEquals(1, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);

    // Second user: a distinct entry.
    ugi2.doAs(recordAsUser2);
    assertEquals(2, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);

    // Back to the first user's UGI: must collapse onto its existing entry, not add a third.
    ugi1.doAs(recordAsUser1);
    assertEquals(2, connections.size());
    verifyAllConnectionsAreKerberosBased(connections);
}
From source file:org.apache.phoenix.queryserver.client.SqllineWrapper.java
License:Apache License
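/**
 * Launches sqlline against the Phoenix Query Server, wrapping it in a Kerberos login when the
 * server configuration (from {@code hbase-site.xml}) indicates SPNEGO authentication is on.
 *
 * <p>Decision order: if SPNEGO is disabled, sqlline is started as-is; otherwise a login is
 * attempted via {@code loginIfNecessary}; if that yields a UGI, the arguments are rewritten for
 * Kerberos and sqlline runs inside {@code ugi.doAs}, else sqlline is started as-is.
 *
 * @param args sqlline command-line arguments; rewritten by {@code updateArgsForKerberos} when
 *             a Kerberos login is used
 * @throws Exception if the login or sqlline itself fails
 */
public static void main(String[] args) throws Exception {
    final Configuration conf = new Configuration(false);
    conf.addResource("hbase-site.xml");
    // Check if the server config says SPNEGO auth is actually disabled.
    final boolean disableSpnego = conf.getBoolean(QUERY_SERVER_SPNEGO_AUTH_DISABLED_ATTRIB,
            DEFAULT_QUERY_SERVER_SPNEGO_AUTH_DISABLED);
    if (disableSpnego) {
        SqlLine.main(args);
        // Without this return, control would fall through to the Kerberos path and (if
        // SqlLine.main returns rather than exiting the JVM) start a second sqlline.
        return;
    }
    final UserGroupInformation ugi = loginIfNecessary(conf);
    if (null == ugi) {
        // No Kerberos login performed; run sqlline with the original arguments.
        SqlLine.main(args);
        return;
    }
    final String[] updatedArgs = updateArgsForKerberos(args);
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
            SqlLine.main(updatedArgs);
            return null;
        }
    });
}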