
use of javax.security.auth.Subject in project storm by apache.

the class BlobStoreTest method testWithAuthentication.

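/**
 * Exercises a {@link BlobStore} with authentication turned on: every call carries a
 * {@link Subject}, and the ACL recorded on the created blob depends on who created it.
 *
 * <p>Scenarios, in order:
 * <ul>
 *   <li>the nimbus admin, the supervisor and nimbus itself each create and delete a blob
 *       under {@code BlobStoreAclHandler.DEFAULT};</li>
 *   <li>an ordinary subject creates a blob under {@code WORLD_EVERYTHING} (world access
 *       must be present) and then under {@code DEFAULT} (world access must be absent);</li>
 *   <li>one update is committed and a second is flushed but left open — the reader must
 *       keep seeing the committed value;</li>
 *   <li>a subject with no principals creates blobs under both ACL settings and ends up
 *       with world access in both cases.</li>
 * </ul>
 *
 * <p>ACL presence is checked by substring match on the Thrift {@code toString()} of the
 * metadata; {@code access:7} is presumably the full READ/WRITE/ADMIN mask — confirm
 * against {@code BlobStoreAclHandler} before relying on it elsewhere.
 *
 * @param store the store under test; the final cleanup step only supports
 *              {@code HdfsBlobStore}
 * @throws Exception on any store or I/O failure
 */
public void testWithAuthentication(BlobStore store) throws Exception {
    //Test for Nimbus Admin
    Subject admin = getSubject("admin");
    assertStoreHasExactly(store);
    SettableBlobMeta metadata = new SettableBlobMeta(BlobStoreAclHandler.DEFAULT);
    AtomicOutputStream out = store.createBlob("test", metadata, admin);
    // the key is visible as soon as the blob is created, before any data is written
    assertStoreHasExactly(store, "test");
    out.write(1);
    out.close();
    store.deleteBlob("test", admin);
    //Test for Supervisor Admin
    Subject supervisor = getSubject("supervisor");
    assertStoreHasExactly(store);
    metadata = new SettableBlobMeta(BlobStoreAclHandler.DEFAULT);
    out = store.createBlob("test", metadata, supervisor);
    assertStoreHasExactly(store, "test");
    out.write(1);
    out.close();
    store.deleteBlob("test", supervisor);
    //Test for Nimbus itself as a user
    Subject nimbus = getNimbusSubject();
    assertStoreHasExactly(store);
    metadata = new SettableBlobMeta(BlobStoreAclHandler.DEFAULT);
    out = store.createBlob("test", metadata, nimbus);
    assertStoreHasExactly(store, "test");
    out.write(1);
    out.close();
    store.deleteBlob("test", nimbus);
    // Test with a dummy test_subject for cases where subject !=null (security turned on)
    Subject who = getSubject("test_subject");
    assertStoreHasExactly(store);
    // Tests for case when subject != null (security turned on) and
    // acls for the blob are set to WORLD_EVERYTHING
    metadata = new SettableBlobMeta(BlobStoreAclHandler.WORLD_EVERYTHING);
    out = store.createBlob("test", metadata, who);
    out.write(1);
    out.close();
    assertStoreHasExactly(store, "test");
    // Testing whether acls are set to WORLD_EVERYTHING
    assertTrue("ACL does not contain WORLD_EVERYTHING", metadata.toString().contains("AccessControl(type:OTHER, access:7)"));
    readAssertEqualsWithAuth(store, who, "test", 1);
    LOG.info("Deleting test");
    store.deleteBlob("test", who);
    assertStoreHasExactly(store);
    // Tests for case when subject != null (security turned on) and
    // acls are not set for the blob (DEFAULT)
    LOG.info("Creating test again");
    metadata = new SettableBlobMeta(BlobStoreAclHandler.DEFAULT);
    out = store.createBlob("test", metadata, who);
    out.write(2);
    out.close();
    assertStoreHasExactly(store, "test");
    // Here the acl must NOT contain WORLD_EVERYTHING because the subject is neither null
    // nor empty. The ACL should however contain USER_EVERYTHING as the user needs to have
    // complete access to the blob.
    // (Message fixed: this assertion fails when world access IS present.)
    assertTrue("ACL unexpectedly contains WORLD_EVERYTHING", !metadata.toString().contains("AccessControl(type:OTHER, access:7)"));
    readAssertEqualsWithAuth(store, who, "test", 2);
    LOG.info("Updating test");
    out = store.updateBlob("test", who);
    out.write(3);
    out.close();
    assertStoreHasExactly(store, "test");
    readAssertEqualsWithAuth(store, who, "test", 3);
    LOG.info("Updating test again");
    // Deliberately NOT closed: an uncommitted update must not be visible to readers,
    // so the value read back below is still 3. This stream is closed at the very end.
    out = store.updateBlob("test", who);
    out.write(4);
    out.flush();
    LOG.info("SLEEPING");
    Thread.sleep(2);
    assertStoreHasExactly(store, "test");
    readAssertEqualsWithAuth(store, who, "test", 3);
    //Test for subject with no principals and acls set to WORLD_EVERYTHING
    who = new Subject();
    metadata = new SettableBlobMeta(BlobStoreAclHandler.WORLD_EVERYTHING);
    LOG.info("Creating test");
    out = store.createBlob("test-empty-subject-WE", metadata, who);
    out.write(2);
    out.close();
    assertStoreHasExactly(store, "test-empty-subject-WE", "test");
    // Testing whether acls are set to WORLD_EVERYTHING
    assertTrue("ACL does not contain WORLD_EVERYTHING", metadata.toString().contains("AccessControl(type:OTHER, access:7)"));
    readAssertEqualsWithAuth(store, who, "test-empty-subject-WE", 2);
    //Test for subject with no principals and acls set to DEFAULT
    who = new Subject();
    metadata = new SettableBlobMeta(BlobStoreAclHandler.DEFAULT);
    LOG.info("Creating other");
    out = store.createBlob("test-empty-subject-DEF", metadata, who);
    out.write(2);
    out.close();
    assertStoreHasExactly(store, "test-empty-subject-DEF", "test", "test-empty-subject-WE");
    // With no principals there is no user to grant USER_EVERYTHING to, so DEFAULT is
    // expected to fall back to WORLD_EVERYTHING here (contrast with the case above).
    assertTrue("ACL does not contain WORLD_EVERYTHING", metadata.toString().contains("AccessControl(type:OTHER, access:7)"));
    readAssertEqualsWithAuth(store, who, "test-empty-subject-DEF", 2);
    if (store instanceof HdfsBlobStore) {
        ((HdfsBlobStore) store).fullCleanup(1);
    } else {
        fail("Error the blobstore is of unknowntype");
    }
    try {
        // closes the uncommitted update left open above
        out.close();
    } catch (IOException ignored) {
        //This is likely to happen when we try to commit something that
        // was cleaned up.  This is expected and acceptable.
    }
}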

use of javax.security.auth.Subject in project storm by apache.

the class BlobStoreTest method testReplication.

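/**
 * Verifies that a blob's replication factor is stored, readable and updatable, and that
 * the ACL-gated variants behave the same for the admin, the supervisor and a plain user
 * holding explicit per-user access entries.
 *
 * <p>Scenarios, in order: an unauthenticated ({@code null} subject) create with
 * {@code WORLD_EVERYTHING}; the nimbus admin and then the supervisor create, read and
 * raise the replication factor under {@code DEFAULT}; finally a creator grants
 * {@code READ} to one subject and {@code ADMIN} to another — the reader may read the
 * factor and the admin may change it.
 *
 * @param path  unused here; presumably the store's base path, kept for the callers'
 *              signature — TODO confirm
 * @param store the store under test
 * @throws Exception on any store or I/O failure
 */
public void testReplication(String path, BlobStore store) throws Exception {
    SettableBlobMeta metadata = new SettableBlobMeta(BlobStoreAclHandler.WORLD_EVERYTHING);
    metadata.set_replication_factor(4);
    AtomicOutputStream out = store.createBlob("test", metadata, null);
    out.write(1);
    out.close();
    assertStoreHasExactly(store, "test");
    // assertEquals(message, expected, actual): expected value goes first so that a
    // failure message reads correctly
    assertEquals("Blobstore replication not matching", 4, store.getBlobReplication("test", null));
    store.deleteBlob("test", null);
    //Test for replication with NIMBUS as user
    Subject admin = getSubject("admin");
    metadata = new SettableBlobMeta(BlobStoreAclHandler.DEFAULT);
    metadata.set_replication_factor(4);
    out = store.createBlob("test", metadata, admin);
    out.write(1);
    out.close();
    assertStoreHasExactly(store, "test");
    assertEquals("Blobstore replication not matching", 4, store.getBlobReplication("test", admin));
    store.updateBlobReplication("test", 5, admin);
    assertEquals("Blobstore replication not matching", 5, store.getBlobReplication("test", admin));
    store.deleteBlob("test", admin);
    //Test for replication using SUPERVISOR access
    Subject supervisor = getSubject("supervisor");
    metadata = new SettableBlobMeta(BlobStoreAclHandler.DEFAULT);
    metadata.set_replication_factor(4);
    out = store.createBlob("test", metadata, supervisor);
    out.write(1);
    out.close();
    assertStoreHasExactly(store, "test");
    assertEquals("Blobstore replication not matching", 4, store.getBlobReplication("test", supervisor));
    store.updateBlobReplication("test", 5, supervisor);
    assertEquals("Blobstore replication not matching", 5, store.getBlobReplication("test", supervisor));
    store.deleteBlob("test", supervisor);
    //Test for a user having read or write or admin access to read replication for a blob
    String createSubject = "createSubject";
    String writeSubject = "writeSubject";
    String adminSubject = "adminSubject";
    Subject who = getSubject(createSubject);
    // NOTE: despite its name, "writeSubject" is only granted READ — that is enough to
    // read the replication factor, which is what is asserted below.
    AccessControl readAccess = new AccessControl(AccessControlType.USER, READ);
    AccessControl adminAccess = new AccessControl(AccessControlType.USER, ADMIN);
    readAccess.set_name(writeSubject);
    adminAccess.set_name(adminSubject);
    List<AccessControl> acl = Arrays.asList(readAccess, adminAccess);
    metadata = new SettableBlobMeta(acl);
    metadata.set_replication_factor(4);
    out = store.createBlob("test", metadata, who);
    out.write(1);
    out.close();
    assertStoreHasExactly(store, "test");
    who = getSubject(writeSubject);
    assertEquals("Blobstore replication not matching", 4, store.getBlobReplication("test", who));
    //Test for a user having WRITE or ADMIN privileges to change replication of a blob
    who = getSubject(adminSubject);
    store.updateBlobReplication("test", 5, who);
    assertEquals("Blobstore replication not matching", 5, store.getBlobReplication("test", who));
    store.deleteBlob("test", getSubject(createSubject));
}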

use of javax.security.auth.Subject in project storm by apache.

the class Nimbus method setupStormCode.

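/**
 * Uploads a submitted topology's artifacts to the blob store on behalf of the current
 * request subject: the jar (when {@code tmpJarLocation} is given), the compressed JSON
 * topology configuration and the serialized topology. Every blob is created with
 * {@code BlobStoreAclHandler.DEFAULT} ACLs under {@code subject}, so what the ACL
 * handler derives for that subject is what protects the topology code.
 *
 * <p>When the store is a {@link LocalFsBlobStore}, each key's version is additionally
 * recorded in cluster state for this nimbus host/port.
 *
 * @param conf           nimbus configuration, passed through to version lookup
 * @param topoId         topology id used to derive the jar/conf/code keys
 * @param tmpJarLocation path of the uploaded jar, or {@code null} when there is none
 *                       (local mode)
 * @param topoConf       topology configuration to store as compressed JSON
 * @param topology       topology structure to store serialized
 * @throws Exception if reading the jar or writing to the store or cluster state fails
 */
private void setupStormCode(Map<String, Object> conf, String topoId, String tmpJarLocation, Map<String, Object> topoConf, StormTopology topology) throws Exception {
    Subject subject = getSubject();
    IStormClusterState clusterState = stormClusterState;
    BlobStore store = blobStore;
    String jarKey = ConfigUtils.masterStormJarKey(topoId);
    String codeKey = ConfigUtils.masterStormCodeKey(topoId);
    String confKey = ConfigUtils.masterStormConfKey(topoId);
    NimbusInfo hostPortInfo = nimbusHostPortInfo;
    if (tmpJarLocation != null) {
        //in local mode there is no jar
        try (FileInputStream fin = new FileInputStream(tmpJarLocation)) {
            store.createBlob(jarKey, fin, new SettableBlobMeta(BlobStoreAclHandler.DEFAULT), subject);
        }
        setupBlobstoreIfLocal(store, clusterState, jarKey, hostPortInfo, conf);
    }
    store.createBlob(confKey, Utils.toCompressedJsonConf(topoConf), new SettableBlobMeta(BlobStoreAclHandler.DEFAULT), subject);
    setupBlobstoreIfLocal(store, clusterState, confKey, hostPortInfo, conf);
    store.createBlob(codeKey, Utils.serialize(topology), new SettableBlobMeta(BlobStoreAclHandler.DEFAULT), subject);
    setupBlobstoreIfLocal(store, clusterState, codeKey, hostPortInfo, conf);
}

/**
 * Records {@code key}'s current version in cluster state for this nimbus, but only when
 * {@code store} is a {@link LocalFsBlobStore}; other store types need no such bookkeeping.
 *
 * @param store        the blob store the key was written to
 * @param clusterState cluster state to record the version in
 * @param key          blob key that was just created
 * @param hostPortInfo this nimbus's host/port identity
 * @param conf         nimbus configuration, passed through to version lookup
 * @throws Exception if version lookup or the cluster-state write fails
 */
private void setupBlobstoreIfLocal(BlobStore store, IStormClusterState clusterState, String key, NimbusInfo hostPortInfo, Map<String, Object> conf) throws Exception {
    if (store instanceof LocalFsBlobStore) {
        clusterState.setupBlobstore(key, hostPortInfo, getVersionForKey(key, hostPortInfo, conf));
    }
}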

use of javax.security.auth.Subject in project storm by apache.

the class SingleUserSimpleTransport method getDefaultSubject.

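/**
 * Builds the fixed, read-only {@link Subject} this transport attributes every request to:
 * a single principal named {@code "user"} and no public or private credentials.
 *
 * <p>The subject is constructed with {@code readOnly = true}, so callers cannot add
 * principals or credentials to it afterwards.
 *
 * @return a new read-only subject whose only principal is named {@code "user"}
 */
@Override
protected Subject getDefaultSubject() {
    HashSet<Principal> principals = new HashSet<>();
    principals.add(new Principal() {

        @Override
        public String getName() {
            return "user";
        }

        @Override
        public String toString() {
            return "user";
        }
    });
    return new Subject(true, principals, new HashSet<>(), new HashSet<>());
}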

use of javax.security.auth.Subject in project storm by apache.

the class DRPCTest method testNotStrict.

/**
 * Non-strict ACL mode: a function that has an ACL entry ("jump") is still enforced —
 * only the listed client may execute and only the listed topology may fetch requests or
 * post results — while a function without an entry ("not_jump") is open to every caller.
 *
 * @throws Exception if the authorizer rejects an operation that must be allowed
 */
@Test
public void testNotStrict() throws Exception {
    SingleUserPrincipal jumpTopo = new SingleUserPrincipal("jump_topo");
    ReqContext jt = contextFor(jumpTopo);
    SingleUserPrincipal jumpClient = new SingleUserPrincipal("jump_client");
    ReqContext jc = contextFor(jumpClient);
    SingleUserPrincipal otherUser = new SingleUserPrincipal("other");
    ReqContext other = contextFor(otherUser);

    // Only "jump" has an entry: jumpClient may invoke it, jumpTopo may serve it.
    Map<String, AclFunctionEntry> acl = new HashMap<>();
    acl.put("jump", new AclFunctionEntry(Arrays.asList(jumpClient.getName()), jumpTopo.getName()));

    Map<String, Object> conf = new HashMap<>();
    conf.put(Config.DRPC_AUTHORIZER_ACL_STRICT, false);
    conf.put(Config.STORM_PRINCIPAL_TO_LOCAL_PLUGIN, DefaultPrincipalToLocal.class.getName());
    DRPCSimpleACLAuthorizer auth = new DRPCSimpleACLAuthorizer() {

        @Override
        protected Map<String, AclFunctionEntry> readAclFromConfig() {
            // bypass file-based ACL loading and serve the in-memory map above
            return acl;
        }
    };
    auth.prepare(conf);

    //JUMP — fetchRequest and result are topology-side, execute is client-side
    DRPC.checkAuthorization(jt, auth, "fetchRequest", "jump");
    assertThrows(() -> DRPC.checkAuthorization(jc, auth, "fetchRequest", "jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(other, auth, "fetchRequest", "jump"), AuthorizationException.class);
    DRPC.checkAuthorization(jt, auth, "result", "jump");
    assertThrows(() -> DRPC.checkAuthorization(jc, auth, "result", "jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(other, auth, "result", "jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(jt, auth, "execute", "jump"), AuthorizationException.class);
    DRPC.checkAuthorization(jc, auth, "execute", "jump");
    assertThrows(() -> DRPC.checkAuthorization(other, auth, "execute", "jump"), AuthorizationException.class);

    //not_jump (open in not strict mode): every operation succeeds for every caller
    String[] operations = {"fetchRequest", "result", "execute"};
    for (String operation : operations) {
        for (ReqContext caller : Arrays.asList(jt, jc, other)) {
            DRPC.checkAuthorization(caller, auth, operation, "not_jump");
        }
    }
}

/**
 * Wraps {@code principal} in a fresh {@link Subject} and request context.
 *
 * @param principal the single principal the request should carry
 * @return a request context whose subject holds exactly {@code principal}
 */
private static ReqContext contextFor(SingleUserPrincipal principal) {
    ReqContext context = new ReqContext(new Subject());
    context.subject().getPrincipals().add(principal);
    return context;
}