
Example 41 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project hadoop by apache.

From the class TestKMS, method testStartStop.

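/**
 * Starts a KMS with the requested transport/authentication combination and
 * checks that a client can reach it and obtain a delegation token.
 * <p>
 * With {@code ssl} the server URL must be https, and the SSL reloader thread
 * (named with {@code SSL_RELOADER_THREAD_NAME}) must stop once the client
 * provider is closed, otherwise the provider leaks a thread. With
 * {@code kerberos} the delegation-token check is run for both the plain
 * principal and the service principal.
 *
 * @param ssl      whether to serve over HTTPS using a test keystore
 * @param kerberos whether to require Kerberos authentication
 * @throws Exception on any setup, client or assertion failure
 */
public void testStartStop(final boolean ssl, final boolean kerberos) throws Exception {
    Configuration conf = new Configuration();
    if (kerberos) {
        conf.set("hadoop.security.authentication", "kerberos");
    }
    File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    final String keystore;
    final String password;
    if (ssl) {
        String sslConfDir = KeyStoreTestUtil.getClasspathDir(TestKMS.class);
        KeyStoreTestUtil.setupSSLConfig(testDir.getAbsolutePath(), sslConfDir, conf, false);
        keystore = testDir.getAbsolutePath() + "/serverKS.jks";
        password = "serverP";
    } else {
        keystore = null;
        password = null;
    }
    // 1s validity: the authentication token expires while the client is in use
    conf.set("hadoop.kms.authentication.token.validity", "1");
    if (kerberos) {
        conf.set("hadoop.kms.authentication.type", "kerberos");
        conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
        conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
        conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    }
    writeConf(testDir, conf);
    runServer(keystore, password, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            URL url = getKMSUrl();
            // the server must speak https exactly when a keystore was configured
            Assert.assertEquals(keystore != null, url.getProtocol().equals("https"));
            final URI uri = createKMSUri(getKMSUrl());
            if (ssl) {
                KeyProvider testKp = createProvider(uri, conf);
                Thread reloaderThread = findSslReloaderThread();
                // a missing reloader is reported as a failure, not as an NPE
                Assert.assertNotNull("Reloader thread not found", reloaderThread);
                Assert.assertTrue("Reloader is not alive", reloaderThread.isAlive());
                testKp.close();
                // closing the provider must stop the reloader; poll for up to ~10s
                boolean reloaderStillAlive = true;
                for (int i = 0; i < 10; i++) {
                    reloaderStillAlive = reloaderThread.isAlive();
                    if (!reloaderStillAlive) {
                        break;
                    }
                    Thread.sleep(1000);
                }
                Assert.assertFalse("Reloader is still alive", reloaderStillAlive);
            }
            if (kerberos) {
                for (String user : new String[] { "client", "client/host" }) {
                    doAs(user, new PrivilegedExceptionAction<Void>() {

                        @Override
                        public Void run() throws Exception {
                            assertEmptyKeysAndDelegationToken(uri, conf);
                            return null;
                        }
                    });
                }
            } else {
                assertEmptyKeysAndDelegationToken(uri, conf);
            }
            return null;
        }
    });
}

/**
 * Finds the SSL reloader thread anywhere in the JVM's thread-group tree.
 *
 * @return the last thread whose name contains {@code SSL_RELOADER_THREAD_NAME},
 *         or {@code null} when no such thread exists
 */
private Thread findSslReloaderThread() {
    ThreadGroup root = Thread.currentThread().getThreadGroup();
    while (root.getParent() != null) {
        root = root.getParent();
    }
    // activeCount() is only an estimate: enumerate() may fill fewer slots than
    // the array holds, so only the returned count is inspected and each entry
    // is still null-checked
    Thread[] threads = new Thread[root.activeCount()];
    int count = root.enumerate(threads);
    Thread found = null;
    for (int i = 0; i < count; i++) {
        Thread thread = threads[i];
        if (thread != null && thread.getName() != null && thread.getName().contains(SSL_RELOADER_THREAD_NAME)) {
            found = thread;
        }
    }
    return found;
}

/**
 * Connects to the KMS at {@code uri}, checks that no keys exist, then requests
 * delegation tokens for {@code myuser} and checks that exactly one token of
 * kind {@code kms-dt} is returned. The provider is closed on every path.
 *
 * @param uri  the KMS URI to connect to
 * @param conf client configuration
 * @throws Exception on any client or assertion failure
 */
private void assertEmptyKeysAndDelegationToken(URI uri, Configuration conf) throws Exception {
    final KeyProvider kp = createProvider(uri, conf);
    try {
        // getKeys() empty
        Assert.assertTrue(kp.getKeys().isEmpty());
        // NOTE(review): presumably outlives the 1s token validity configured by
        // the caller so the token request runs after expiry -- confirm
        Thread.sleep(4000);
        Token<?>[] tokens = ((KeyProviderDelegationTokenExtension.DelegationTokenExtension) kp).addDelegationTokens("myuser", new Credentials());
        Assert.assertEquals(1, tokens.length);
        Assert.assertEquals("kms-dt", tokens[0].getKind().toString());
    } finally {
        kp.close();
    }
}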

Example 42 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project hadoop by apache.

From the class TestKMS, method testServicePrincipalACLs.

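/**
 * Checks that key ACLs match both the plain principal ({@code client}) and the
 * service principal ({@code client/host}).
 * <p>
 * All operation ACLs are blanked except CREATE, which is granted to
 * {@code client}; the default MANAGEMENT key ACL lists both principals. Each
 * principal must therefore be able to create a key, and the KMS must not hand
 * the generated key material back to the client.
 *
 * @throws Exception on any setup, client or assertion failure
 */
@Test
public void testServicePrincipalACLs() throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    conf.set("hadoop.kms.authentication.type", "kerberos");
    conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    // deny every operation to everyone, then re-open only what the test needs
    for (KMSACLs.Type type : KMSACLs.Type.values()) {
        conf.set(type.getAclConfigKey(), " ");
    }
    conf.set(KMSACLs.Type.CREATE.getAclConfigKey(), "client");
    conf.set(KMSConfiguration.DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT", "client,client/host");
    writeConf(testDir, conf);
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            final String[] users = { "client", "client/host" };
            for (int i = 0; i < users.length; i++) {
                // one distinct key per principal
                final String keyName = "ck" + i;
                doAs(users[i], new PrivilegedExceptionAction<Void>() {

                    @Override
                    public Void run() throws Exception {
                        // no try/catch here: a failure propagates with its full
                        // stack trace instead of being flattened to a message
                        KeyProvider kp = createProvider(uri, conf);
                        try {
                            KeyProvider.KeyVersion kv = kp.createKey(keyName, new KeyProvider.Options(conf));
                            // server-generated material must not be returned to the client
                            Assert.assertNull(kv.getMaterial());
                        } finally {
                            kp.close();
                        }
                        return null;
                    }
                });
            }
            return null;
        }
    });
}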

Example 43 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project hadoop by apache.

From the class TestKMS, method doProxyUserTest.

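/**
 * Checks KMS proxy-user enforcement: {@code client} may act on behalf of
 * {@code foo} and {@code bar} only.
 * <p>
 * {@code hadoop.kms.proxyuser.client.users} is set to {@code foo,bar} from any
 * host. Key ACLs grant {@code kaa} to client, {@code kbb} to foo, {@code kcc}
 * to foo1 and {@code kdd} to bar, so a create of {@code kcc} as proxy user
 * {@code foo1} can only be rejected by the proxy-user check, not by a key ACL.
 *
 * @param kerberos whether the client logs in from the keytab; otherwise a
 *                 simple remote user is used
 * @throws Exception on any setup, client or assertion failure
 */
public void doProxyUserTest(final boolean kerberos) throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    final File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    if (kerberos) {
        conf.set("hadoop.kms.authentication.type", "kerberos");
    }
    conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    // only foo and bar may be impersonated by client
    conf.set("hadoop.kms.proxyuser.client.users", "foo,bar");
    conf.set("hadoop.kms.proxyuser.client.hosts", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kaa.ALL", "client");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kbb.ALL", "foo");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kcc.ALL", "foo1");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kdd.ALL", "bar");
    writeConf(testDir, conf);
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            final UserGroupInformation clientUgi;
            if (kerberos) {
                // proxyuser client using kerberos credentials
                clientUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("client", keytab.getAbsolutePath());
            } else {
                clientUgi = UserGroupInformation.createRemoteUser("client");
                UserGroupInformation.setLoginUser(clientUgi);
            }
            clientUgi.doAs(new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    final KeyProvider kp = createProvider(uri, conf);
                    try {
                        kp.createKey("kaa", new KeyProvider.Options(conf));
                        // authorized proxyuser
                        UserGroupInformation fooUgi = UserGroupInformation.createProxyUser("foo", clientUgi);
                        fooUgi.doAs(new PrivilegedExceptionAction<Void>() {

                            @Override
                            public Void run() throws Exception {
                                Assert.assertNotNull(kp.createKey("kbb", new KeyProvider.Options(conf)));
                                return null;
                            }
                        });
                        // unauthorized proxyuser: foo1 is not in hadoop.kms.proxyuser.client.users
                        UserGroupInformation foo1Ugi = UserGroupInformation.createProxyUser("foo1", clientUgi);
                        foo1Ugi.doAs(new PrivilegedExceptionAction<Void>() {

                            @Override
                            public Void run() throws Exception {
                                // any exception other than AuthorizationException
                                // propagates with its stack trace instead of being
                                // flattened to a message
                                try {
                                    kp.createKey("kcc", new KeyProvider.Options(conf));
                                    Assert.fail("proxy user foo1 must be rejected");
                                } catch (AuthorizationException ex) {
                                    // expected: client may not impersonate foo1
                                }
                                return null;
                            }
                        });
                        // authorized proxyuser
                        UserGroupInformation barUgi = UserGroupInformation.createProxyUser("bar", clientUgi);
                        barUgi.doAs(new PrivilegedExceptionAction<Void>() {

                            @Override
                            public Void run() throws Exception {
                                Assert.assertNotNull(kp.createKey("kdd", new KeyProvider.Options(conf)));
                                return null;
                            }
                        });
                    } finally {
                        kp.close();
                    }
                    return null;
                }
            });
            return null;
        }
    });
}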

Example 44 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project hadoop by apache.

From the class TestKMS, method testKMSAuthFailureRetry.

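/**
 * Checks client behaviour when the KMS authentication token expires mid-session.
 * <p>
 * The token validity is 1s. In the first run, with the default retry count,
 * a create issued after a 3.5s pause must still succeed. In the second run
 * {@code KMSClientProvider.AUTH_RETRY} is 0, so the same create must fail with
 * an {@link IOException} whose message carries the HTTP 401 status.
 *
 * @throws Exception on any setup, client or assertion failure
 */
@Test
public void testKMSAuthFailureRetry() throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    final File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    // 1s validity: the token expires while the client is still in use
    conf.set("hadoop.kms.authentication.token.validity", "1");
    for (KMSACLs.Type type : KMSACLs.Type.values()) {
        conf.set(type.getAclConfigKey(), type.toString());
    }
    // SET_KEY_MATERIAL additionally needs CREATE/ROLLOVER to supply its own material
    conf.set(KMSACLs.Type.CREATE.getAclConfigKey(), KMSACLs.Type.CREATE.toString() + ",SET_KEY_MATERIAL");
    conf.set(KMSACLs.Type.ROLLOVER.getAclConfigKey(), KMSACLs.Type.ROLLOVER.toString() + ",SET_KEY_MATERIAL");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k0.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k1.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k2.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k3.ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "k4.ALL", "*");
    writeConf(testDir, conf);
    // Default retry count: the create after expiry is expected to succeed
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        kp.createKey("k0", new byte[16], new KeyProvider.Options(conf));
                        // This happens before rollover
                        kp.createKey("k1", new byte[16], new KeyProvider.Options(conf));
                        // At least 2 rollovers.. so should induce signer Exception
                        Thread.sleep(3500);
                        kp.createKey("k2", new byte[16], new KeyProvider.Options(conf));
                    } finally {
                        kp.close();
                    }
                    return null;
                }
            });
            return null;
        }
    });
    // Test retry count
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            // no retries: the expired token must surface as an error
            conf.setInt(KMSClientProvider.AUTH_RETRY, 0);
            final URI uri = createKMSUri(getKMSUrl());
            doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    try {
                        kp.createKey("k3", new byte[16], new KeyProvider.Options(conf));
                        // At least 2 rollovers.. so should induce signer Exception
                        Thread.sleep(3500);
                        try {
                            kp.createKey("k4", new byte[16], new KeyProvider.Options(conf));
                            Assert.fail("This should not succeed..");
                        } catch (IOException e) {
                            // getMessage() may be null; check it null-safely so a
                            // message-less failure is reported as an assertion
                            // failure rather than an NPE
                            String msg = e.getMessage();
                            Assert.assertTrue("HTTP exception must be a 401 : " + msg, msg != null && msg.contains("401"));
                        }
                    } finally {
                        kp.close();
                    }
                    return null;
                }
            });
            return null;
        }
    });
}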

Example 45 with PrivilegedExceptionAction

use of java.security.PrivilegedExceptionAction in project hadoop by apache.

From the class TestFSMainOperationsWebHdfs, method setupCluster.

/**
 * Brings up a two-datanode mini cluster and opens a WebHDFS {@code FileSystem}
 * on it as a freshly created non-superuser.
 * <p>
 * The root directory is made world-writable first so the non-superuser can
 * operate under it. Stores the file system in {@code fileSystem} and its
 * working directory in {@code defaultWorkingDirectory}; any failure is rethrown
 * as a {@link RuntimeException} because this is a {@code @BeforeClass} hook.
 */
@BeforeClass
public static void setupCluster() {
    final Configuration conf = new Configuration();
    conf.setLong(DFSConfigKeys.DFS_BLOCK_SIZE_KEY, 1024);
    try {
        final MiniDFSCluster.Builder builder = new MiniDFSCluster.Builder(conf).numDataNodes(2);
        cluster = builder.build();
        cluster.waitActive();
        // change root permission to 777 so the non-superuser below can write
        final FsPermission worldWritable = new FsPermission((short) 0777);
        cluster.getFileSystem().setPermission(new Path("/"), worldWritable);
        final String httpAddress = conf.get(DFSConfigKeys.DFS_NAMENODE_HTTP_ADDRESS_KEY);
        final String webHdfsUri = WebHdfsConstants.WEBHDFS_SCHEME + "://" + httpAddress;
        // derive a distinct, non-superuser identity from the current login
        final UserGroupInformation loginUser = UserGroupInformation.getCurrentUser();
        final String testUserName = loginUser.getShortUserName() + "x";
        final UserGroupInformation testUgi = UserGroupInformation.createUserForTesting(testUserName, new String[] { "user" });
        final PrivilegedExceptionAction<FileSystem> openFileSystem = new PrivilegedExceptionAction<FileSystem>() {

            @Override
            public FileSystem run() throws Exception {
                return FileSystem.get(new URI(webHdfsUri), conf);
            }
        };
        fileSystem = testUgi.doAs(openFileSystem);
        defaultWorkingDirectory = fileSystem.getWorkingDirectory();
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}
