Search in sources :

Example 36 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project sling by apache.

the class OakSlingRepository method createAdministrativeSession.

@Override
protected Session createAdministrativeSession(String workspace) throws RepositoryException {
    // TODO: use principal provider to retrieve admin principal
    Set<? extends Principal> principals = singleton(new AdminPrincipal() {

        @Override
        public String getName() {
            return OakSlingRepository.this.adminId;
        }
    });
    AuthInfo authInfo = new AuthInfoImpl(this.adminId, Collections.<String, Object>emptyMap(), principals);
    Subject subject = new Subject(true, principals, singleton(authInfo), Collections.<Object>emptySet());
    Session adminSession;
    try {
        adminSession = Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<Session>() {

            @Override
            public Session run() throws Exception {
                Map<String, Object> attrs = new HashMap<String, Object>();
                attrs.put("oak.refresh-interval", 0);
                // TODO OAK-803: Backwards compatibility of long-lived sessions
                JackrabbitRepository repo = (JackrabbitRepository) getRepository();
                return repo.login(null, null, attrs);
            }
        }, null);
    } catch (PrivilegedActionException e) {
        throw new RepositoryException("failed to retrieve admin session.", e);
    }
    return adminSession;
}
Also used : AuthInfo(org.apache.jackrabbit.oak.api.AuthInfo) HashMap(java.util.HashMap) PrivilegedActionException(java.security.PrivilegedActionException) RepositoryException(javax.jcr.RepositoryException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) Subject(javax.security.auth.Subject) AdminPrincipal(org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal) AuthInfoImpl(org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl) JackrabbitRepository(org.apache.jackrabbit.api.JackrabbitRepository) Session(javax.jcr.Session)

Example 37 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project hadoop by apache.

the class TestKMS method testDelegationTokensOps.

private void testDelegationTokensOps(final boolean ssl, final boolean kerb) throws Exception {
    final File confDir = getTestDir();
    final Configuration conf;
    if (kerb) {
        conf = setupConfForKerberos(confDir);
    } else {
        conf = createBaseKMSConf(confDir, null);
    }
    final String keystore;
    final String password;
    if (ssl) {
        final String sslConfDir = KeyStoreTestUtil.getClasspathDir(TestKMS.class);
        KeyStoreTestUtil.setupSSLConfig(confDir.getAbsolutePath(), sslConfDir, conf, false);
        keystore = confDir.getAbsolutePath() + "/serverKS.jks";
        password = "serverP";
    } else {
        keystore = null;
        password = null;
    }
    writeConf(confDir, conf);
    runServer(keystore, password, confDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration clientConf = new Configuration();
            final URI uri = createKMSUri(getKMSUrl());
            clientConf.set(KeyProviderFactory.KEY_PROVIDER_PATH, createKMSUri(getKMSUrl()).toString());
            doAs("client", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, clientConf);
                    // test delegation token retrieval
                    KeyProviderDelegationTokenExtension kpdte = KeyProviderDelegationTokenExtension.createKeyProviderDelegationTokenExtension(kp);
                    final Credentials credentials = new Credentials();
                    final Token<?>[] tokens = kpdte.addDelegationTokens("client1", credentials);
                    Assert.assertEquals(1, credentials.getAllTokens().size());
                    InetSocketAddress kmsAddr = new InetSocketAddress(getKMSUrl().getHost(), getKMSUrl().getPort());
                    Assert.assertEquals(KMSDelegationToken.TOKEN_KIND, credentials.getToken(SecurityUtil.buildTokenService(kmsAddr)).getKind());
                    // Test non-renewer user cannot renew.
                    for (Token<?> token : tokens) {
                        if (!(token.getKind().equals(KMSDelegationToken.TOKEN_KIND))) {
                            LOG.info("Skipping token {}", token);
                            continue;
                        }
                        LOG.info("Got dt for " + uri + "; " + token);
                        try {
                            token.renew(clientConf);
                            Assert.fail("client should not be allowed to renew token with" + "renewer=client1");
                        } catch (Exception e) {
                            final DelegationTokenIdentifier identifier = (DelegationTokenIdentifier) token.decodeIdentifier();
                            GenericTestUtils.assertExceptionContains("tries to renew a token (" + identifier + ") with non-matching renewer", e);
                        }
                    }
                    final UserGroupInformation otherUgi;
                    if (kerb) {
                        UserGroupInformation.loginUserFromKeytab("client1", keytab.getAbsolutePath());
                        otherUgi = UserGroupInformation.getLoginUser();
                    } else {
                        otherUgi = UserGroupInformation.createUserForTesting("client1", new String[] { "other group" });
                        UserGroupInformation.setLoginUser(otherUgi);
                    }
                    try {
                        // test delegation token renewal via renewer
                        otherUgi.doAs(new PrivilegedExceptionAction<Void>() {

                            @Override
                            public Void run() throws Exception {
                                boolean renewed = false;
                                for (Token<?> token : tokens) {
                                    if (!(token.getKind().equals(KMSDelegationToken.TOKEN_KIND))) {
                                        LOG.info("Skipping token {}", token);
                                        continue;
                                    }
                                    LOG.info("Got dt for " + uri + "; " + token);
                                    long tokenLife = token.renew(clientConf);
                                    LOG.info("Renewed token of kind {}, new lifetime:{}", token.getKind(), tokenLife);
                                    Thread.sleep(100);
                                    long newTokenLife = token.renew(clientConf);
                                    LOG.info("Renewed token of kind {}, new lifetime:{}", token.getKind(), newTokenLife);
                                    Assert.assertTrue(newTokenLife > tokenLife);
                                    renewed = true;
                                }
                                Assert.assertTrue(renewed);
                                // test delegation token cancellation
                                for (Token<?> token : tokens) {
                                    if (!(token.getKind().equals(KMSDelegationToken.TOKEN_KIND))) {
                                        LOG.info("Skipping token {}", token);
                                        continue;
                                    }
                                    LOG.info("Got dt for " + uri + "; " + token);
                                    token.cancel(clientConf);
                                    LOG.info("Cancelled token of kind {}", token.getKind());
                                    try {
                                        token.renew(clientConf);
                                        Assert.fail("should not be able to renew a canceled token");
                                    } catch (Exception e) {
                                        LOG.info("Expected exception when renewing token", e);
                                    }
                                }
                                return null;
                            }
                        });
                        // Close the client provider. We will verify all providers'
                        // Truststore reloader threads are closed later.
                        kp.close();
                        return null;
                    } finally {
                        otherUgi.logoutUserFromKeytab();
                    }
                }
            });
            return null;
        }
    });
    // verify that providers created by KMSTokenRenewer are closed.
    if (ssl) {
        GenericTestUtils.waitFor(new Supplier<Boolean>() {

            @Override
            public Boolean get() {
                final Set<Thread> threadSet = Thread.getAllStackTraces().keySet();
                for (Thread t : threadSet) {
                    if (t.getName().contains(SSL_RELOADER_THREAD_NAME)) {
                        return false;
                    }
                }
                return true;
            }
        }, 1000, 10000);
    }
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) KeyProviderDelegationTokenExtension(org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension) Set(java.util.Set) HashSet(java.util.HashSet) Configuration(org.apache.hadoop.conf.Configuration) DelegationTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier) InetSocketAddress(java.net.InetSocketAddress) KMSDelegationToken(org.apache.hadoop.crypto.key.kms.KMSDelegationToken) Token(org.apache.hadoop.security.token.Token) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) URI(java.net.URI) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) File(java.io.File) Credentials(org.apache.hadoop.security.Credentials) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 38 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project hadoop by apache.

the class TestKMS method testKeyACLs.

@Test
@SuppressWarnings("checkstyle:methodlength")
public void testKeyACLs() throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    final File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    conf.set("hadoop.kms.authentication.type", "kerberos");
    conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    for (KMSACLs.Type type : KMSACLs.Type.values()) {
        conf.set(type.getAclConfigKey(), type.toString());
    }
    conf.set(KMSACLs.Type.CREATE.getAclConfigKey(), "CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
    conf.set(KMSACLs.Type.ROLLOVER.getAclConfigKey(), "CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
    conf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(), "CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
    conf.set(KMSACLs.Type.DECRYPT_EEK.getAclConfigKey(), "CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "test_key.MANAGEMENT", "CREATE");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "some_key.MANAGEMENT", "ROLLOVER");
    conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "MANAGEMENT", "DECRYPT_EEK");
    conf.set(KMSConfiguration.WHITELIST_KEY_ACL_PREFIX + "ALL", "DECRYPT_EEK");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.ALL", "GENERATE_EEK");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "all_access.DECRYPT_EEK", "ROLLOVER");
    conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "ROLLOVER");
    conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "GENERATE_EEK", "SOMEBODY");
    conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "ALL", "ROLLOVER");
    writeConf(testDir, conf);
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            doAs("CREATE", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        Options options = new KeyProvider.Options(conf);
                        Map<String, String> attributes = options.getAttributes();
                        HashMap<String, String> newAttribs = new HashMap<String, String>(attributes);
                        newAttribs.put("key.acl.name", "test_key");
                        options.setAttributes(newAttribs);
                        KeyProvider.KeyVersion kv = kp.createKey("k0", options);
                        Assert.assertNull(kv.getMaterial());
                        KeyVersion rollVersion = kp.rollNewVersion("k0");
                        Assert.assertNull(rollVersion.getMaterial());
                        KeyProviderCryptoExtension kpce = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
                        try {
                            kpce.generateEncryptedKey("k0");
                            Assert.fail("User [CREATE] should not be allowed to generate_eek on k0");
                        } catch (Exception e) {
                        // Ignore
                        }
                        newAttribs = new HashMap<String, String>(attributes);
                        newAttribs.put("key.acl.name", "all_access");
                        options.setAttributes(newAttribs);
                        try {
                            kp.createKey("kx", options);
                            Assert.fail("User [CREATE] should not be allowed to create kx");
                        } catch (Exception e) {
                        // Ignore
                        }
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            // Test whitelist key access..
            // DECRYPT_EEK is whitelisted for MANAGEMENT operations only
            doAs("DECRYPT_EEK", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        Options options = new KeyProvider.Options(conf);
                        Map<String, String> attributes = options.getAttributes();
                        HashMap<String, String> newAttribs = new HashMap<String, String>(attributes);
                        newAttribs.put("key.acl.name", "some_key");
                        options.setAttributes(newAttribs);
                        KeyProvider.KeyVersion kv = kp.createKey("kk0", options);
                        Assert.assertNull(kv.getMaterial());
                        KeyVersion rollVersion = kp.rollNewVersion("kk0");
                        Assert.assertNull(rollVersion.getMaterial());
                        KeyProviderCryptoExtension kpce = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
                        try {
                            kpce.generateEncryptedKey("kk0");
                            Assert.fail("User [DECRYPT_EEK] should not be allowed to generate_eek on kk0");
                        } catch (Exception e) {
                        // Ignore
                        }
                        newAttribs = new HashMap<String, String>(attributes);
                        newAttribs.put("key.acl.name", "all_access");
                        options.setAttributes(newAttribs);
                        kp.createKey("kkx", options);
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            doAs("ROLLOVER", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        Options options = new KeyProvider.Options(conf);
                        Map<String, String> attributes = options.getAttributes();
                        HashMap<String, String> newAttribs = new HashMap<String, String>(attributes);
                        newAttribs.put("key.acl.name", "test_key2");
                        options.setAttributes(newAttribs);
                        KeyProvider.KeyVersion kv = kp.createKey("k1", options);
                        Assert.assertNull(kv.getMaterial());
                        KeyVersion rollVersion = kp.rollNewVersion("k1");
                        Assert.assertNull(rollVersion.getMaterial());
                        try {
                            kp.rollNewVersion("k0");
                            Assert.fail("User [ROLLOVER] should not be allowed to rollover k0");
                        } catch (Exception e) {
                        // Ignore
                        }
                        KeyProviderCryptoExtension kpce = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
                        try {
                            kpce.generateEncryptedKey("k1");
                            Assert.fail("User [ROLLOVER] should not be allowed to generate_eek on k1");
                        } catch (Exception e) {
                        // Ignore
                        }
                        newAttribs = new HashMap<String, String>(attributes);
                        newAttribs.put("key.acl.name", "all_access");
                        options.setAttributes(newAttribs);
                        try {
                            kp.createKey("kx", options);
                            Assert.fail("User [ROLLOVER] should not be allowed to create kx");
                        } catch (Exception e) {
                        // Ignore
                        }
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            doAs("GET", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        Options options = new KeyProvider.Options(conf);
                        Map<String, String> attributes = options.getAttributes();
                        HashMap<String, String> newAttribs = new HashMap<String, String>(attributes);
                        newAttribs.put("key.acl.name", "test_key");
                        options.setAttributes(newAttribs);
                        try {
                            kp.createKey("k2", options);
                            Assert.fail("User [GET] should not be allowed to create key..");
                        } catch (Exception e) {
                        // Ignore
                        }
                        newAttribs = new HashMap<String, String>(attributes);
                        newAttribs.put("key.acl.name", "all_access");
                        options.setAttributes(newAttribs);
                        try {
                            kp.createKey("kx", options);
                            Assert.fail("User [GET] should not be allowed to create kx");
                        } catch (Exception e) {
                        // Ignore
                        }
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            final EncryptedKeyVersion ekv = doAs("GENERATE_EEK", new PrivilegedExceptionAction<EncryptedKeyVersion>() {

                @Override
                public EncryptedKeyVersion run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        Options options = new KeyProvider.Options(conf);
                        Map<String, String> attributes = options.getAttributes();
                        HashMap<String, String> newAttribs = new HashMap<String, String>(attributes);
                        newAttribs.put("key.acl.name", "all_access");
                        options.setAttributes(newAttribs);
                        kp.createKey("kx", options);
                        KeyProviderCryptoExtension kpce = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
                        try {
                            return kpce.generateEncryptedKey("kx");
                        } catch (Exception e) {
                            Assert.fail("User [GENERATE_EEK] should be allowed to generate_eek on kx");
                        }
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            doAs("ROLLOVER", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        KeyProviderCryptoExtension kpce = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
                        kpce.decryptEncryptedKey(ekv);
                    } catch (Exception ex) {
                        Assert.fail(ex.getMessage());
                    }
                    return null;
                }
            });
            return null;
        }
    });
    conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "");
    conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "GENERATE_EEK", "*");
    writeConf(testDir, conf);
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            doAs("GENERATE_EEK", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    KeyProviderCryptoExtension kpce = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp);
                    EncryptedKeyVersion ekv = kpce.generateEncryptedKey("k1");
                    kpce.reencryptEncryptedKey(ekv);
                    return null;
                }
            });
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) Configuration(org.apache.hadoop.conf.Configuration) HashMap(java.util.HashMap) KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) KeyProviderCryptoExtension(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension) URI(java.net.URI) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) File(java.io.File) Test(org.junit.Test)

Example 39 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project hadoop by apache.

the class TestKMS method testDelegationTokensUpdatedInUGI.

@Test
public void testDelegationTokensUpdatedInUGI() throws Exception {
    Configuration conf = new Configuration();
    File confDir = getTestDir();
    conf = createBaseKMSConf(confDir, conf);
    conf.set("hadoop.kms.authentication.delegation-token.max-lifetime.sec", "5");
    conf.set("hadoop.kms.authentication.delegation-token.renew-interval.sec", "5");
    writeConf(confDir, conf);
    // Running as a service (e.g. Yarn in practice).
    runServer(null, null, confDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration clientConf = new Configuration();
            final URI uri = createKMSUri(getKMSUrl());
            clientConf.set(KeyProviderFactory.KEY_PROVIDER_PATH, createKMSUri(getKMSUrl()).toString());
            final KeyProvider kp = createProvider(uri, clientConf);
            final KeyProviderDelegationTokenExtension kpdte = KeyProviderDelegationTokenExtension.createKeyProviderDelegationTokenExtension(kp);
            final InetSocketAddress kmsAddr = new InetSocketAddress(getKMSUrl().getHost(), getKMSUrl().getPort());
            // Job 1 (e.g. Yarn log aggregation job), with user DT.
            final Collection<Token<?>> job1Token = new HashSet<>();
            doAs("client", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    // Get a DT and use it.
                    final Credentials credentials = new Credentials();
                    kpdte.addDelegationTokens("client", credentials);
                    Assert.assertEquals(1, credentials.getAllTokens().size());
                    Assert.assertEquals(KMSDelegationToken.TOKEN_KIND, credentials.getToken(SecurityUtil.buildTokenService(kmsAddr)).getKind());
                    UserGroupInformation.getCurrentUser().addCredentials(credentials);
                    LOG.info("Added kms dt to credentials: {}", UserGroupInformation.getCurrentUser().getCredentials().getAllTokens());
                    Token<?> token = UserGroupInformation.getCurrentUser().getCredentials().getToken(SecurityUtil.buildTokenService(kmsAddr));
                    Assert.assertNotNull(token);
                    job1Token.add(token);
                    // Decode the token to get max time.
                    ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
                    DataInputStream dis = new DataInputStream(buf);
                    DelegationTokenIdentifier id = new DelegationTokenIdentifier(token.getKind());
                    id.readFields(dis);
                    dis.close();
                    final long maxTime = id.getMaxDate();
                    // wait for token to expire.
                    Thread.sleep(5100);
                    Assert.assertTrue("maxTime " + maxTime + " is not less than now.", maxTime > 0 && maxTime < Time.now());
                    try {
                        kp.getKeys();
                        Assert.fail("Operation should fail since dt is expired.");
                    } catch (Exception e) {
                        LOG.info("Expected error.", e);
                    }
                    return null;
                }
            });
            Assert.assertFalse(job1Token.isEmpty());
            // job 2 (e.g. Another Yarn log aggregation job, with user DT.
            doAs("client", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    // Get a new DT, but don't use it yet.
                    final Credentials newCreds = new Credentials();
                    kpdte.addDelegationTokens("client", newCreds);
                    Assert.assertEquals(1, newCreds.getAllTokens().size());
                    Assert.assertEquals(KMSDelegationToken.TOKEN_KIND, newCreds.getToken(SecurityUtil.buildTokenService(kmsAddr)).getKind());
                    // Using job 1's DT should fail.
                    final Credentials oldCreds = new Credentials();
                    for (Token<?> token : job1Token) {
                        if (token.getKind().equals(KMSDelegationToken.TOKEN_KIND)) {
                            oldCreds.addToken(SecurityUtil.buildTokenService(kmsAddr), token);
                        }
                    }
                    UserGroupInformation.getCurrentUser().addCredentials(oldCreds);
                    LOG.info("Added old kms dt to credentials: {}", UserGroupInformation.getCurrentUser().getCredentials().getAllTokens());
                    try {
                        kp.getKeys();
                        Assert.fail("Operation should fail since dt is expired.");
                    } catch (Exception e) {
                        LOG.info("Expected error.", e);
                    }
                    // Using the new DT should succeed.
                    Assert.assertEquals(1, newCreds.getAllTokens().size());
                    Assert.assertEquals(KMSDelegationToken.TOKEN_KIND, newCreds.getToken(SecurityUtil.buildTokenService(kmsAddr)).getKind());
                    UserGroupInformation.getCurrentUser().addCredentials(newCreds);
                    LOG.info("Credetials now are: {}", UserGroupInformation.getCurrentUser().getCredentials().getAllTokens());
                    kp.getKeys();
                    return null;
                }
            });
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) KeyProviderDelegationTokenExtension(org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension) Configuration(org.apache.hadoop.conf.Configuration) DelegationTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier) InetSocketAddress(java.net.InetSocketAddress) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) DataInputStream(java.io.DataInputStream) URI(java.net.URI) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) ByteArrayInputStream(java.io.ByteArrayInputStream) Collection(java.util.Collection) File(java.io.File) Credentials(org.apache.hadoop.security.Credentials) Test(org.junit.Test)

Example 40 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project hadoop by apache.

the class TestKMS method testDelegationTokenAccess.

@Test
public void testDelegationTokenAccess() throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    final File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    conf.set("hadoop.kms.authentication.type", "kerberos");
    conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    final String keyA = "key_a";
    final String keyD = "key_d";
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + keyA + ".ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + keyD + ".ALL", "*");
    writeConf(testDir, conf);
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            final Credentials credentials = new Credentials();
            final UserGroupInformation nonKerberosUgi = UserGroupInformation.getCurrentUser();
            try {
                KeyProvider kp = createProvider(uri, conf);
                kp.createKey(keyA, new KeyProvider.Options(conf));
            } catch (IOException ex) {
                System.out.println(ex.getMessage());
            }
            doAs("client", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    KeyProviderDelegationTokenExtension kpdte = KeyProviderDelegationTokenExtension.createKeyProviderDelegationTokenExtension(kp);
                    kpdte.addDelegationTokens("foo", credentials);
                    return null;
                }
            });
            nonKerberosUgi.addCredentials(credentials);
            try {
                KeyProvider kp = createProvider(uri, conf);
                kp.createKey(keyA, new KeyProvider.Options(conf));
            } catch (IOException ex) {
                System.out.println(ex.getMessage());
            }
            nonKerberosUgi.doAs(new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    kp.createKey(keyD, new KeyProvider.Options(conf));
                    return null;
                }
            });
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) KeyProviderDelegationTokenExtension(org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension) Configuration(org.apache.hadoop.conf.Configuration) IOException(java.io.IOException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) URI(java.net.URI) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) File(java.io.File) Credentials(org.apache.hadoop.security.Credentials) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Aggregations

PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)390 IOException (java.io.IOException)200 PrivilegedActionException (java.security.PrivilegedActionException)138 Test (org.junit.Test)104 Connection (org.apache.hadoop.hbase.client.Connection)81 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)76 Table (org.apache.hadoop.hbase.client.Table)62 TableName (org.apache.hadoop.hbase.TableName)57 Result (org.apache.hadoop.hbase.client.Result)56 Scan (org.apache.hadoop.hbase.client.Scan)55 ResultScanner (org.apache.hadoop.hbase.client.ResultScanner)53 Delete (org.apache.hadoop.hbase.client.Delete)48 InterruptedIOException (java.io.InterruptedIOException)47 Cell (org.apache.hadoop.hbase.Cell)38 CellScanner (org.apache.hadoop.hbase.CellScanner)38 Configuration (org.apache.hadoop.conf.Configuration)36 File (java.io.File)34 AuthorizationException (org.apache.hadoop.security.authorize.AuthorizationException)33 Path (org.apache.hadoop.fs.Path)23 ArrayList (java.util.ArrayList)22