List of usage examples for org.apache.hadoop.security UserGroupInformation doAs
@InterfaceAudience.Public @InterfaceStability.Evolving public <T> T doAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException
From source file:org.apache.accumulo.test.functional.KerberosIT.java
License:Apache License
@Test public void testAdminUser() throws Exception { // Login as the client (provided to `accumulo init` as the "root" user) UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath()); ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override//from w w w . ja va 2 s . c om public Void run() throws Exception { final Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken()); // The "root" user should have all system permissions for (SystemPermission perm : SystemPermission.values()) { assertTrue("Expected user to have permission: " + perm, conn.securityOperations().hasSystemPermission(conn.whoami(), perm)); } // and the ability to modify the root and metadata tables for (String table : Arrays.asList(RootTable.NAME, MetadataTable.NAME)) { assertTrue(conn.securityOperations().hasTablePermission(conn.whoami(), table, TablePermission.ALTER_TABLE)); } return null; } }); }
From source file:org.apache.accumulo.test.functional.KerberosIT.java
License:Apache License
@Test public void testNewUser() throws Exception { String newUser = testName.getMethodName(); final File newUserKeytab = new File(kdc.getKeytabDir(), newUser + ".keytab"); if (newUserKeytab.exists() && !newUserKeytab.delete()) { log.warn("Unable to delete {}", newUserKeytab); }/*from w w w . j a va 2 s. c om*/ // Create a new user kdc.createPrincipal(newUserKeytab, newUser); final String newQualifiedUser = kdc.qualifyUser(newUser); final HashSet<String> users = Sets.newHashSet(rootUser.getPrincipal()); // Login as the "root" user UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath()); log.info("Logged in as {}", rootUser.getPrincipal()); ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken()); log.info("Created connector as {}", rootUser.getPrincipal()); assertEquals(rootUser.getPrincipal(), conn.whoami()); // Make sure the system user doesn't exist -- this will force some RPC to happen server-side createTableWithDataAndCompact(conn); assertEquals(users, conn.securityOperations().listLocalUsers()); return null; } }); // Switch to a new user ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(newQualifiedUser, newUserKeytab.getAbsolutePath()); log.info("Logged in as {}", newQualifiedUser); ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { Connector conn = mac.getConnector(newQualifiedUser, new KerberosToken()); log.info("Created connector as {}", newQualifiedUser); assertEquals(newQualifiedUser, conn.whoami()); // The new user should have no system permissions for (SystemPermission perm : SystemPermission.values()) { assertFalse(conn.securityOperations().hasSystemPermission(newQualifiedUser, perm)); } users.add(newQualifiedUser); // Same users as before, plus the new user we just created assertEquals(users, conn.securityOperations().listLocalUsers()); return null; } }); }
From source file:org.apache.accumulo.test.functional.KerberosIT.java
License:Apache License
@Test public void testUserPrivilegesThroughGrant() throws Exception { String user1 = testName.getMethodName(); final File user1Keytab = new File(kdc.getKeytabDir(), user1 + ".keytab"); if (user1Keytab.exists() && !user1Keytab.delete()) { log.warn("Unable to delete {}", user1Keytab); }/*from w ww . ja v a 2 s .com*/ // Create some new users kdc.createPrincipal(user1Keytab, user1); final String qualifiedUser1 = kdc.qualifyUser(user1); // Log in as user1 UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(user1, user1Keytab.getAbsolutePath()); log.info("Logged in as {}", user1); ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { // Indirectly creates this user when we use it Connector conn = mac.getConnector(qualifiedUser1, new KerberosToken()); log.info("Created connector as {}", qualifiedUser1); // The new user should have no system permissions for (SystemPermission perm : SystemPermission.values()) { assertFalse(conn.securityOperations().hasSystemPermission(qualifiedUser1, perm)); } return null; } }); ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath()); ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken()); conn.securityOperations().grantSystemPermission(qualifiedUser1, SystemPermission.CREATE_TABLE); return null; } }); // Switch back to the original user ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(user1, user1Keytab.getAbsolutePath()); ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { Connector conn = mac.getConnector(qualifiedUser1, new KerberosToken()); // Shouldn't throw an exception since we granted the create table permission final String table = testName.getMethodName() + "_user_table"; conn.tableOperations().create(table); // Make sure we can actually use the table we made BatchWriter bw = conn.createBatchWriter(table, new BatchWriterConfig()); Mutation m = new Mutation("a"); m.put("b", "c", "d"); bw.addMutation(m); bw.close(); conn.tableOperations().compact(table, new CompactionConfig().setWait(true).setFlush(true)); return null; } }); }
From source file:org.apache.accumulo.test.functional.KerberosIT.java
License:Apache License
@Test public void testUserPrivilegesForTable() throws Exception { String user1 = testName.getMethodName(); final File user1Keytab = new File(kdc.getKeytabDir(), user1 + ".keytab"); if (user1Keytab.exists() && !user1Keytab.delete()) { log.warn("Unable to delete {}", user1Keytab); }/*from w ww . j a va2 s. co m*/ // Create some new users -- cannot contain realm kdc.createPrincipal(user1Keytab, user1); final String qualifiedUser1 = kdc.qualifyUser(user1); // Log in as user1 UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(qualifiedUser1, user1Keytab.getAbsolutePath()); log.info("Logged in as {}", user1); ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { // Indirectly creates this user when we use it Connector conn = mac.getConnector(qualifiedUser1, new KerberosToken()); log.info("Created connector as {}", qualifiedUser1); // The new user should have no system permissions for (SystemPermission perm : SystemPermission.values()) { assertFalse(conn.securityOperations().hasSystemPermission(qualifiedUser1, perm)); } return null; } }); final String table = testName.getMethodName() + "_user_table"; final String viz = "viz"; ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath()); ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken()); conn.tableOperations().create(table); // Give our unprivileged user permission on the table we made for them conn.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.READ); conn.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.WRITE); conn.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.ALTER_TABLE); conn.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.DROP_TABLE); conn.securityOperations().changeUserAuthorizations(qualifiedUser1, new Authorizations(viz)); return null; } }); // Switch back to the original user ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(qualifiedUser1, user1Keytab.getAbsolutePath()); ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { Connector conn = mac.getConnector(qualifiedUser1, new KerberosToken()); // Make sure we can actually use the table we made // Write data final long ts = 1000l; BatchWriter bw = conn.createBatchWriter(table, new BatchWriterConfig()); Mutation m = new Mutation("a"); m.put("b", "c", new ColumnVisibility(viz.getBytes()), ts, "d"); bw.addMutation(m); bw.close(); // Compact conn.tableOperations().compact(table, new CompactionConfig().setWait(true).setFlush(true)); // Alter conn.tableOperations().setProperty(table, Property.TABLE_BLOOM_ENABLED.getKey(), "true"); // Read (and proper authorizations) Scanner s = conn.createScanner(table, new Authorizations(viz)); Iterator<Entry<Key, Value>> iter = s.iterator(); assertTrue("No results from iterator", iter.hasNext()); Entry<Key, Value> entry = iter.next(); assertEquals(new Key("a", "b", "c", viz, ts), entry.getKey()); assertEquals(new Value("d".getBytes()), entry.getValue()); assertFalse("Had more results from iterator", iter.hasNext()); return null; } }); }
From source file:org.apache.accumulo.test.functional.KerberosIT.java
License:Apache License
@Test public void testDelegationToken() throws Exception { final String tableName = getUniqueNames(1)[0]; // Login as the "root" user UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath()); log.info("Logged in as {}", rootUser.getPrincipal()); final int numRows = 100, numColumns = 10; // As the "root" user, open up the connection and get a delegation token final AuthenticationToken delegationToken = root.doAs(new PrivilegedExceptionAction<AuthenticationToken>() { @Override/*w ww . j a v a2s. c o m*/ public AuthenticationToken run() throws Exception { Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken()); log.info("Created connector as {}", rootUser.getPrincipal()); assertEquals(rootUser.getPrincipal(), conn.whoami()); conn.tableOperations().create(tableName); BatchWriter bw = conn.createBatchWriter(tableName, new BatchWriterConfig()); for (int r = 0; r < numRows; r++) { Mutation m = new Mutation(Integer.toString(r)); for (int c = 0; c < numColumns; c++) { String col = Integer.toString(c); m.put(col, col, col); } bw.addMutation(m); } bw.close(); return conn.securityOperations().getDelegationToken(new DelegationTokenConfig()); } }); // The above login with keytab doesn't have a way to logout, so make a fake user that won't have krb credentials UserGroupInformation userWithoutPrivs = UserGroupInformation.createUserForTesting("fake_user", new String[0]); int recordsSeen = userWithoutPrivs.doAs(new PrivilegedExceptionAction<Integer>() { @Override public Integer run() throws Exception { Connector conn = mac.getConnector(rootUser.getPrincipal(), delegationToken); BatchScanner bs = conn.createBatchScanner(tableName, Authorizations.EMPTY, 2); bs.setRanges(Collections.singleton(new Range())); int recordsSeen = Iterables.size(bs); bs.close(); return recordsSeen; } }); assertEquals(numRows * numColumns, recordsSeen); }
From source file:org.apache.accumulo.test.functional.KerberosIT.java
License:Apache License
@Test public void testDelegationTokenAsDifferentUser() throws Exception { // Login as the "root" user UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath()); log.info("Logged in as {}", rootUser.getPrincipal()); final AuthenticationToken delegationToken; try {/* w w w .ja v a2 s . c om*/ delegationToken = ugi.doAs(new PrivilegedExceptionAction<AuthenticationToken>() { @Override public AuthenticationToken run() throws Exception { // As the "root" user, open up the connection and get a delegation token Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken()); log.info("Created connector as {}", rootUser.getPrincipal()); assertEquals(rootUser.getPrincipal(), conn.whoami()); return conn.securityOperations().getDelegationToken(new DelegationTokenConfig()); } }); } catch (UndeclaredThrowableException ex) { throw ex; } // make a fake user that won't have krb credentials UserGroupInformation userWithoutPrivs = UserGroupInformation.createUserForTesting("fake_user", new String[0]); try { // Use the delegation token to try to log in as a different user userWithoutPrivs.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { mac.getConnector("some_other_user", delegationToken); return null; } }); fail("Using a delegation token as a different user should throw an exception"); } catch (UndeclaredThrowableException e) { Throwable cause = e.getCause(); assertNotNull(cause); // We should get an AccumuloSecurityException from trying to use a delegation token for the wrong user assertTrue("Expected cause to be AccumuloSecurityException, but was " + cause.getClass(), cause instanceof AccumuloSecurityException); } }
From source file:org.apache.accumulo.test.functional.KerberosIT.java
License:Apache License
@Test public void testGetDelegationTokenDenied() throws Exception { String newUser = testName.getMethodName(); final File newUserKeytab = new File(kdc.getKeytabDir(), newUser + ".keytab"); if (newUserKeytab.exists() && !newUserKeytab.delete()) { log.warn("Unable to delete {}", newUserKeytab); }//from ww w . j a v a 2 s . c om // Create a new user kdc.createPrincipal(newUserKeytab, newUser); final String qualifiedNewUser = kdc.qualifyUser(newUser); // Login as a normal user UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(qualifiedNewUser, newUserKeytab.getAbsolutePath()); try { ugi.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { // As the "root" user, open up the connection and get a delegation token Connector conn = mac.getConnector(qualifiedNewUser, new KerberosToken()); log.info("Created connector as {}", qualifiedNewUser); assertEquals(qualifiedNewUser, conn.whoami()); conn.securityOperations().getDelegationToken(new DelegationTokenConfig()); return null; } }); } catch (UndeclaredThrowableException ex) { assertTrue(ex.getCause() instanceof AccumuloSecurityException); } }
From source file:org.apache.accumulo.test.functional.KerberosIT.java
License:Apache License
@Test public void testRestartedMasterReusesSecretKey() throws Exception { // Login as the "root" user UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath()); log.info("Logged in as {}", rootUser.getPrincipal()); // As the "root" user, open up the connection and get a delegation token final AuthenticationToken delegationToken1 = root .doAs(new PrivilegedExceptionAction<AuthenticationToken>() { @Override/*from ww w .j a v a 2 s . co m*/ public AuthenticationToken run() throws Exception { Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken()); log.info("Created connector as {}", rootUser.getPrincipal()); assertEquals(rootUser.getPrincipal(), conn.whoami()); AuthenticationToken token = conn.securityOperations() .getDelegationToken(new DelegationTokenConfig()); assertTrue("Could not get tables with delegation token", mac .getConnector(rootUser.getPrincipal(), token).tableOperations().list().size() > 0); return token; } }); log.info("Stopping master"); mac.getClusterControl().stop(ServerType.MASTER); Thread.sleep(5000); log.info("Restarting master"); mac.getClusterControl().start(ServerType.MASTER); // Make sure our original token is still good root.doAs(new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { Connector conn = mac.getConnector(rootUser.getPrincipal(), delegationToken1); assertTrue("Could not get tables with delegation token", conn.tableOperations().list().size() > 0); return null; } }); // Get a new token, so we can compare the keyId on the second to the first final AuthenticationToken delegationToken2 = root .doAs(new PrivilegedExceptionAction<AuthenticationToken>() { @Override public AuthenticationToken run() throws Exception { Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken()); log.info("Created connector as {}", rootUser.getPrincipal()); assertEquals(rootUser.getPrincipal(), conn.whoami()); AuthenticationToken token = conn.securityOperations() .getDelegationToken(new DelegationTokenConfig()); assertTrue("Could not get tables with delegation token", mac .getConnector(rootUser.getPrincipal(), token).tableOperations().list().size() > 0); return token; } }); // A restarted master should reuse the same secret key after a restart if the secret key hasn't expired (1day by default) DelegationTokenImpl dt1 = (DelegationTokenImpl) delegationToken1; DelegationTokenImpl dt2 = (DelegationTokenImpl) delegationToken2; assertEquals(dt1.getIdentifier().getKeyId(), dt2.getIdentifier().getKeyId()); }
From source file:org.apache.accumulo.test.functional.KerberosIT.java
License:Apache License
@Test(expected = AccumuloException.class) public void testDelegationTokenWithInvalidLifetime() throws Throwable { // Login as the "root" user UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath()); log.info("Logged in as {}", rootUser.getPrincipal()); // As the "root" user, open up the connection and get a delegation token try {/* w ww . ja v a 2 s . co m*/ root.doAs(new PrivilegedExceptionAction<AuthenticationToken>() { @Override public AuthenticationToken run() throws Exception { Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken()); log.info("Created connector as {}", rootUser.getPrincipal()); assertEquals(rootUser.getPrincipal(), conn.whoami()); // Should fail return conn.securityOperations().getDelegationToken( new DelegationTokenConfig().setTokenLifetime(Long.MAX_VALUE, TimeUnit.MILLISECONDS)); } }); } catch (UndeclaredThrowableException e) { Throwable cause = e.getCause(); if (null != cause) { throw cause; } else { throw e; } } }
From source file:org.apache.accumulo.test.functional.KerberosIT.java
License:Apache License
@Test public void testDelegationTokenWithReducedLifetime() throws Throwable { // Login as the "root" user UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath()); log.info("Logged in as {}", rootUser.getPrincipal()); // As the "root" user, open up the connection and get a delegation token final AuthenticationToken dt = root.doAs(new PrivilegedExceptionAction<AuthenticationToken>() { @Override//from ww w.j av a2 s .com public AuthenticationToken run() throws Exception { Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken()); log.info("Created connector as {}", rootUser.getPrincipal()); assertEquals(rootUser.getPrincipal(), conn.whoami()); return conn.securityOperations() .getDelegationToken(new DelegationTokenConfig().setTokenLifetime(5, TimeUnit.MINUTES)); } }); AuthenticationTokenIdentifier identifier = ((DelegationTokenImpl) dt).getIdentifier(); assertTrue("Expected identifier to expire in no more than 5 minutes: " + identifier, identifier.getExpirationDate() - identifier.getIssueDate() <= (5 * 60 * 1000)); }