
Example 6 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class SimpleProxyBase method namespacePermissions.

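/**
 * Checks that the proxy enforces {@code NamespacePermission.CREATE_TABLE} for a second, unprivileged identity:
 * table creation in the test namespace must be refused before the grant, succeed after it, and be refused again
 * after the revoke. Each refusal is followed by a table listing, so a request that raised
 * {@code AccumuloSecurityException} but still left a table behind is caught as well.
 *
 * <p>With Kerberos enabled the second identity is the KDC's client principal 1 and every change of identity is a
 * keytab re-login plus a swap of the {@code client} field; otherwise a local user with a password is created.
 *
 * <p>NOTE(review): {@code UserGroupInformation.loginUserFromKeytab} replaces the JVM-wide Hadoop login user, so this
 * test presumably must not run concurrently with other Kerberos tests in the same JVM. Confirm against the harness.
 *
 * @throws Exception if a proxy call fails for any reason other than the expected {@code AccumuloSecurityException}
 */
@Test
public void namespacePermissions() throws Exception {
    String userName;
    ClusterUser otherClient = null;
    ByteBuffer password = s2bb("password");
    ByteBuffer user;
    TestProxyClient origProxyClient = null;
    Client origClient = null;
    TestProxyClient userProxyClient = null;
    Client userClient = null;
    try {
        if (isKerberosEnabled()) {
            otherClient = getKdc().getClientPrincipal(1);
            userName = otherClient.getPrincipal();
            UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
            final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
            // Re-login and make a new connection. Can't use the previous one
            userProxyClient = new TestProxyClient(hostname, proxyPort, factory, proxyPrimary, ugi);
            origProxyClient = proxyClient;
            origClient = client;
            userClient = client = userProxyClient.proxy();
            user = client.login(userName, Collections.<String, String>emptyMap());
        } else {
            userName = getUniqueNames(1)[0];
            // create a user
            client.createLocalUser(creds, userName, password);
            user = client.login(userName, s2pp(ByteBufferUtil.toString(password)));
        }
        // check permission failure: nothing has been granted yet, so the create must be refused
        try {
            client.createTable(user, namespaceName + ".fail", true, TimeType.MILLIS);
            fail("should not create the table");
        } catch (AccumuloSecurityException ex) {
            if (isKerberosEnabled()) {
                // Switch back to original client
                UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
                client = origClient;
            }
            // The refusal must not have left a table behind
            assertFalse(client.listTables(creds).contains(namespaceName + ".fail"));
        }
        // grant permissions and test
        assertFalse(client.hasNamespacePermission(creds, userName, namespaceName, NamespacePermission.CREATE_TABLE));
        client.grantNamespacePermission(creds, userName, namespaceName, NamespacePermission.CREATE_TABLE);
        assertTrue(client.hasNamespacePermission(creds, userName, namespaceName, NamespacePermission.CREATE_TABLE));
        if (isKerberosEnabled()) {
            // Switch back to the extra user
            UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
            client = userClient;
        }
        client.createTable(user, namespaceName + ".success", true, TimeType.MILLIS);
        if (isKerberosEnabled()) {
            // Switch back to original client
            UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
            client = origClient;
        }
        assertTrue(client.listTables(creds).contains(namespaceName + ".success"));
        // revoke permissions: the same credentials object must stop working for table creation
        client.revokeNamespacePermission(creds, userName, namespaceName, NamespacePermission.CREATE_TABLE);
        assertFalse(client.hasNamespacePermission(creds, userName, namespaceName, NamespacePermission.CREATE_TABLE));
        try {
            if (isKerberosEnabled()) {
                // Switch back to the extra user
                UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
                client = userClient;
            }
            client.createTable(user, namespaceName + ".fail", true, TimeType.MILLIS);
            fail("should not create the table");
        } catch (AccumuloSecurityException ex) {
            if (isKerberosEnabled()) {
                // Switch back to original client
                UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
                client = origClient;
            }
            assertFalse(client.listTables(creds).contains(namespaceName + ".fail"));
        }
        // delete user
        client.dropLocalUser(creds, userName);
        Set<String> users = client.listLocalUsers(creds);
        assertFalse("Should not see user after they are deleted", users.contains(userName));
        // delete table from namespace otherwise we can't delete namespace during teardown
        client.deleteTable(creds, namespaceName + ".success");
    } finally {
        if (isKerberosEnabled()) {
            // Runs on failure too: a failed assertion must not leave the second connection open, nor leave
            // the shared client field and the Kerberos login pointing at the unprivileged identity.
            if (null != userProxyClient) {
                userProxyClient.close();
            }
            UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
            if (null != origProxyClient) {
                proxyClient = origProxyClient;
            }
            if (null != origClient) {
                client = origClient;
            }
        }
    }
}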
Also used : ClusterUser(org.apache.accumulo.cluster.ClusterUser) AccumuloSecurityException(org.apache.accumulo.proxy.thrift.AccumuloSecurityException) Client(org.apache.accumulo.proxy.thrift.AccumuloProxy.Client) ByteBuffer(java.nio.ByteBuffer) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 7 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class SimpleProxyBase method testConditionalWriter.

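/**
 * Exercises the proxy's conditional-writer API end to end: plain conditions, conditions with values and
 * timestamps, a condition evaluated through an iterator, a table constraint violation, multi-condition updates,
 * use of a closed writer, and finally conditions and updates that carry a column visibility.
 *
 * <p>The last part creates a second user holding only authorization {@code A} plus READ/WRITE on the table. It
 * checks that a condition on a column labelled {@code B} is reported as {@code INVISIBLE_VISIBILITY}, and that
 * cells written with visibility {@code A} do not show up in the scans made as the original user.
 *
 * <p>NOTE(review): the wait for the constraint to appear has no upper bound, so the test presumably relies on an
 * external timeout if the constraint never propagates. Confirm against the harness.
 *
 * @throws Exception if any proxy call fails unexpectedly
 */
@Test
public void testConditionalWriter() throws Exception {
    // Arguments follow the placeholders: constraint class first, table second
    log.debug("Adding constraint {} to {}", NumericValueConstraint.class.getName(), tableName);
    client.addConstraint(creds, tableName, NumericValueConstraint.class.getName());
    sleepUninterruptibly(ZOOKEEPER_PROPAGATION_TIME, TimeUnit.MILLISECONDS);
    // Take the table offline and online to force a config update
    client.offlineTable(creds, tableName, true);
    client.onlineTable(creds, tableName, true);
    while (!client.listConstraints(creds, tableName).containsKey(NumericValueConstraint.class.getName())) {
        log.info("Failed to see constraint");
        Thread.sleep(1000);
    }
    String cwid = client.createConditionalWriter(creds, tableName, new ConditionalWriterOptions());
    Map<ByteBuffer, ConditionalUpdates> updates = new HashMap<>();
    updates.put(s2bb("00345"), new ConditionalUpdates(Arrays.asList(newCondition("meta", "seq")), Arrays.asList(newColUpdate("meta", "seq", 10, "1"), newColUpdate("data", "img", "73435435"))));
    Map<ByteBuffer, ConditionalStatus> results = client.updateRowsConditionally(cwid, updates);
    assertEquals(1, results.size());
    assertEquals(ConditionalStatus.ACCEPTED, results.get(s2bb("00345")));
    assertScan(new String[][] { { "00345", "data", "img", "73435435" }, { "00345", "meta", "seq", "1" } }, tableName);
    // test not setting values on conditions
    updates.clear();
    updates.put(s2bb("00345"), new ConditionalUpdates(Arrays.asList(newCondition("meta", "seq")), Arrays.asList(newColUpdate("meta", "seq", "2"))));
    updates.put(s2bb("00346"), new ConditionalUpdates(Arrays.asList(newCondition("meta", "seq")), Arrays.asList(newColUpdate("meta", "seq", "1"))));
    results = client.updateRowsConditionally(cwid, updates);
    assertEquals(2, results.size());
    assertEquals(ConditionalStatus.REJECTED, results.get(s2bb("00345")));
    assertEquals(ConditionalStatus.ACCEPTED, results.get(s2bb("00346")));
    assertScan(new String[][] { { "00345", "data", "img", "73435435" }, { "00345", "meta", "seq", "1" }, { "00346", "meta", "seq", "1" } }, tableName);
    // test setting values on conditions
    updates.clear();
    updates.put(s2bb("00345"), new ConditionalUpdates(Arrays.asList(newCondition("meta", "seq", "1")), Arrays.asList(newColUpdate("meta", "seq", 20, "2"), newColUpdate("data", "img", "567890"))));
    updates.put(s2bb("00346"), new ConditionalUpdates(Arrays.asList(newCondition("meta", "seq", "2")), Arrays.asList(newColUpdate("meta", "seq", "3"))));
    results = client.updateRowsConditionally(cwid, updates);
    assertEquals(2, results.size());
    assertEquals(ConditionalStatus.ACCEPTED, results.get(s2bb("00345")));
    assertEquals(ConditionalStatus.REJECTED, results.get(s2bb("00346")));
    assertScan(new String[][] { { "00345", "data", "img", "567890" }, { "00345", "meta", "seq", "2" }, { "00346", "meta", "seq", "1" } }, tableName);
    // test setting timestamp on condition to a non-existent version
    updates.clear();
    updates.put(s2bb("00345"), new ConditionalUpdates(Arrays.asList(newCondition("meta", "seq", 10, "2")), Arrays.asList(newColUpdate("meta", "seq", 30, "3"), newColUpdate("data", "img", "1234567890"))));
    results = client.updateRowsConditionally(cwid, updates);
    assertEquals(1, results.size());
    assertEquals(ConditionalStatus.REJECTED, results.get(s2bb("00345")));
    assertScan(new String[][] { { "00345", "data", "img", "567890" }, { "00345", "meta", "seq", "2" }, { "00346", "meta", "seq", "1" } }, tableName);
    // test setting timestamp to an existing version
    updates.clear();
    updates.put(s2bb("00345"), new ConditionalUpdates(Arrays.asList(newCondition("meta", "seq", 20, "2")), Arrays.asList(newColUpdate("meta", "seq", 30, "3"), newColUpdate("data", "img", "1234567890"))));
    results = client.updateRowsConditionally(cwid, updates);
    assertEquals(1, results.size());
    assertEquals(ConditionalStatus.ACCEPTED, results.get(s2bb("00345")));
    assertScan(new String[][] { { "00345", "data", "img", "1234567890" }, { "00345", "meta", "seq", "3" }, { "00346", "meta", "seq", "1" } }, tableName);
    // run test w/ condition that has iterators
    // following should fail w/o iterator: three writes of "1" are stored, the condition expects "3"
    client.updateAndFlush(creds, tableName, Collections.singletonMap(s2bb("00347"), Arrays.asList(newColUpdate("data", "count", "1"))));
    client.updateAndFlush(creds, tableName, Collections.singletonMap(s2bb("00347"), Arrays.asList(newColUpdate("data", "count", "1"))));
    client.updateAndFlush(creds, tableName, Collections.singletonMap(s2bb("00347"), Arrays.asList(newColUpdate("data", "count", "1"))));
    updates.clear();
    updates.put(s2bb("00347"), new ConditionalUpdates(Arrays.asList(newCondition("data", "count", "3")), Arrays.asList(newColUpdate("data", "img", "1234567890"))));
    results = client.updateRowsConditionally(cwid, updates);
    assertEquals(1, results.size());
    assertEquals(ConditionalStatus.REJECTED, results.get(s2bb("00347")));
    assertScan(new String[][] { { "00345", "data", "img", "1234567890" }, { "00345", "meta", "seq", "3" }, { "00346", "meta", "seq", "1" }, { "00347", "data", "count", "1" } }, tableName);
    // following test w/ iterator setup should succeed: the SummingCombiner is attached to the condition only
    Condition iterCond = newCondition("data", "count", "3");
    Map<String, String> props = new HashMap<>();
    props.put("type", "STRING");
    props.put("columns", "data:count");
    IteratorSetting is = new IteratorSetting(1, "sumc", SummingCombiner.class.getName(), props);
    iterCond.setIterators(Arrays.asList(is));
    updates.clear();
    updates.put(s2bb("00347"), new ConditionalUpdates(Arrays.asList(iterCond), Arrays.asList(newColUpdate("data", "img", "1234567890"))));
    results = client.updateRowsConditionally(cwid, updates);
    assertEquals(1, results.size());
    assertEquals(ConditionalStatus.ACCEPTED, results.get(s2bb("00347")));
    assertScan(new String[][] { { "00345", "data", "img", "1234567890" }, { "00345", "meta", "seq", "3" }, { "00346", "meta", "seq", "1" }, { "00347", "data", "count", "1" }, { "00347", "data", "img", "1234567890" } }, tableName);
    ConditionalStatus status = null;
    for (int i = 0; i < 30; i++) {
        // test a mutation that violated a constraint
        updates.clear();
        updates.put(s2bb("00347"), new ConditionalUpdates(Arrays.asList(newCondition("data", "img", "1234567890")), Arrays.asList(newColUpdate("data", "count", "A"))));
        results = client.updateRowsConditionally(cwid, updates);
        assertEquals(1, results.size());
        status = results.get(s2bb("00347"));
        if (ConditionalStatus.VIOLATED == status) {
            break;
        }
        log.info("ConditionalUpdate was not rejected by server due to table constraint. Sleeping and retrying");
        Thread.sleep(5000);
    }
    // Final check to make sure we succeeded and didn't exceed the retries
    assertEquals(ConditionalStatus.VIOLATED, status);
    assertScan(new String[][] { { "00345", "data", "img", "1234567890" }, { "00345", "meta", "seq", "3" }, { "00346", "meta", "seq", "1" }, { "00347", "data", "count", "1" }, { "00347", "data", "img", "1234567890" } }, tableName);
    // run test with two conditions
    // both conditions should fail
    updates.clear();
    updates.put(s2bb("00347"), new ConditionalUpdates(Arrays.asList(newCondition("data", "img", "565"), newCondition("data", "count", "2")), Arrays.asList(newColUpdate("data", "count", "3"), newColUpdate("data", "img", "0987654321"))));
    results = client.updateRowsConditionally(cwid, updates);
    assertEquals(1, results.size());
    assertEquals(ConditionalStatus.REJECTED, results.get(s2bb("00347")));
    assertScan(new String[][] { { "00345", "data", "img", "1234567890" }, { "00345", "meta", "seq", "3" }, { "00346", "meta", "seq", "1" }, { "00347", "data", "count", "1" }, { "00347", "data", "img", "1234567890" } }, tableName);
    // one condition should fail
    updates.clear();
    updates.put(s2bb("00347"), new ConditionalUpdates(Arrays.asList(newCondition("data", "img", "1234567890"), newCondition("data", "count", "2")), Arrays.asList(newColUpdate("data", "count", "3"), newColUpdate("data", "img", "0987654321"))));
    results = client.updateRowsConditionally(cwid, updates);
    assertEquals(1, results.size());
    assertEquals(ConditionalStatus.REJECTED, results.get(s2bb("00347")));
    assertScan(new String[][] { { "00345", "data", "img", "1234567890" }, { "00345", "meta", "seq", "3" }, { "00346", "meta", "seq", "1" }, { "00347", "data", "count", "1" }, { "00347", "data", "img", "1234567890" } }, tableName);
    // one condition should fail
    updates.clear();
    updates.put(s2bb("00347"), new ConditionalUpdates(Arrays.asList(newCondition("data", "img", "565"), newCondition("data", "count", "1")), Arrays.asList(newColUpdate("data", "count", "3"), newColUpdate("data", "img", "0987654321"))));
    results = client.updateRowsConditionally(cwid, updates);
    assertEquals(1, results.size());
    assertEquals(ConditionalStatus.REJECTED, results.get(s2bb("00347")));
    assertScan(new String[][] { { "00345", "data", "img", "1234567890" }, { "00345", "meta", "seq", "3" }, { "00346", "meta", "seq", "1" }, { "00347", "data", "count", "1" }, { "00347", "data", "img", "1234567890" } }, tableName);
    // both conditions should succeed
    ConditionalStatus result = client.updateRowConditionally(creds, tableName, s2bb("00347"), new ConditionalUpdates(Arrays.asList(newCondition("data", "img", "1234567890"), newCondition("data", "count", "1")), Arrays.asList(newColUpdate("data", "count", "3"), newColUpdate("data", "img", "0987654321"))));
    assertEquals(ConditionalStatus.ACCEPTED, result);
    assertScan(new String[][] { { "00345", "data", "img", "1234567890" }, { "00345", "meta", "seq", "3" }, { "00346", "meta", "seq", "1" }, { "00347", "data", "count", "3" }, { "00347", "data", "img", "0987654321" } }, tableName);
    client.closeConditionalWriter(cwid);
    try {
        client.updateRowsConditionally(cwid, updates);
        fail("conditional writer not closed");
    } catch (UnknownWriter expected) {
        // expected: a closed writer id must no longer be usable
    }
    // run test with colvis: a second user that holds only authorization "A"
    String principal;
    ClusterUser cwuser = null;
    if (isKerberosEnabled()) {
        cwuser = getKdc().getClientPrincipal(1);
        principal = cwuser.getPrincipal();
        // The password is a placeholder here; the Kerberos path below logs in from the keytab with empty properties
        client.createLocalUser(creds, principal, s2bb("unused"));
    } else {
        principal = "cwuser";
        client.createLocalUser(creds, principal, s2bb("bestpasswordever"));
    }
    client.changeUserAuthorizations(creds, principal, Collections.singleton(s2bb("A")));
    client.grantTablePermission(creds, principal, tableName, TablePermission.WRITE);
    client.grantTablePermission(creds, principal, tableName, TablePermission.READ);
    TestProxyClient cwuserProxyClient = null;
    Client origClient = null;
    Map<String, String> cwProperties;
    if (isKerberosEnabled()) {
        UserGroupInformation.loginUserFromKeytab(cwuser.getPrincipal(), cwuser.getKeytab().getAbsolutePath());
        final UserGroupInformation cwuserUgi = UserGroupInformation.getCurrentUser();
        // Re-login and make a new connection. Can't use the previous one
        cwuserProxyClient = new TestProxyClient(hostname, proxyPort, factory, proxyPrimary, cwuserUgi);
        origClient = client;
        client = cwuserProxyClient.proxy();
        cwProperties = Collections.emptyMap();
    } else {
        cwProperties = Collections.singletonMap("password", "bestpasswordever");
    }
    try {
        ByteBuffer cwCreds = client.login(principal, cwProperties);
        cwid = client.createConditionalWriter(cwCreds, tableName, new ConditionalWriterOptions().setAuthorizations(Collections.singleton(s2bb("A"))));
        updates.clear();
        // 00348 conditions on a column labelled "A" (held by the user); 00349 on one labelled "B" (not held)
        updates.put(s2bb("00348"), new ConditionalUpdates(Arrays.asList(new Condition(new Column(s2bb("data"), s2bb("c"), s2bb("A")))), Arrays.asList(newColUpdate("data", "seq", "1"), newColUpdate("data", "c", "1").setColVisibility(s2bb("A")))));
        updates.put(s2bb("00349"), new ConditionalUpdates(Arrays.asList(new Condition(new Column(s2bb("data"), s2bb("c"), s2bb("B")))), Arrays.asList(newColUpdate("data", "seq", "1"))));
        results = client.updateRowsConditionally(cwid, updates);
        assertEquals(2, results.size());
        assertEquals(ConditionalStatus.ACCEPTED, results.get(s2bb("00348")));
        assertEquals(ConditionalStatus.INVISIBLE_VISIBILITY, results.get(s2bb("00349")));
        if (isKerberosEnabled()) {
            UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
            client = origClient;
        }
        // Verify that the original user can't see the updates with visibilities set
        assertScan(new String[][] { { "00345", "data", "img", "1234567890" }, { "00345", "meta", "seq", "3" }, { "00346", "meta", "seq", "1" }, { "00347", "data", "count", "3" }, { "00347", "data", "img", "0987654321" }, { "00348", "data", "seq", "1" } }, tableName);
        if (isKerberosEnabled()) {
            UserGroupInformation.loginUserFromKeytab(cwuser.getPrincipal(), cwuser.getKeytab().getAbsolutePath());
            client = cwuserProxyClient.proxy();
        }
        updates.clear();
        updates.put(s2bb("00348"), new ConditionalUpdates(Arrays.asList(new Condition(new Column(s2bb("data"), s2bb("c"), s2bb("A"))).setValue(s2bb("0"))), Arrays.asList(newColUpdate("data", "seq", "2"), newColUpdate("data", "c", "2").setColVisibility(s2bb("A")))));
        results = client.updateRowsConditionally(cwid, updates);
        assertEquals(1, results.size());
        assertEquals(ConditionalStatus.REJECTED, results.get(s2bb("00348")));
        if (isKerberosEnabled()) {
            UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
            client = origClient;
        }
        // Same results as the original user
        assertScan(new String[][] { { "00345", "data", "img", "1234567890" }, { "00345", "meta", "seq", "3" }, { "00346", "meta", "seq", "1" }, { "00347", "data", "count", "3" }, { "00347", "data", "img", "0987654321" }, { "00348", "data", "seq", "1" } }, tableName);
        if (isKerberosEnabled()) {
            UserGroupInformation.loginUserFromKeytab(cwuser.getPrincipal(), cwuser.getKeytab().getAbsolutePath());
            client = cwuserProxyClient.proxy();
        }
        updates.clear();
        updates.put(s2bb("00348"), new ConditionalUpdates(Arrays.asList(new Condition(new Column(s2bb("data"), s2bb("c"), s2bb("A"))).setValue(s2bb("1"))), Arrays.asList(newColUpdate("data", "seq", "2"), newColUpdate("data", "c", "2").setColVisibility(s2bb("A")))));
        results = client.updateRowsConditionally(cwid, updates);
        assertEquals(1, results.size());
        assertEquals(ConditionalStatus.ACCEPTED, results.get(s2bb("00348")));
        if (isKerberosEnabled()) {
            UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
            client = origClient;
        }
        assertScan(new String[][] { { "00345", "data", "img", "1234567890" }, { "00345", "meta", "seq", "3" }, { "00346", "meta", "seq", "1" }, { "00347", "data", "count", "3" }, { "00347", "data", "img", "0987654321" }, { "00348", "data", "seq", "2" } }, tableName);
        if (isKerberosEnabled()) {
            UserGroupInformation.loginUserFromKeytab(cwuser.getPrincipal(), cwuser.getKeytab().getAbsolutePath());
            client = cwuserProxyClient.proxy();
        }
        client.closeConditionalWriter(cwid);
        try {
            client.updateRowsConditionally(cwid, updates);
            fail("conditional writer not closed");
        } catch (UnknownWriter expected) {
            // expected: a closed writer id must no longer be usable
        }
    } finally {
        if (isKerberosEnabled()) {
            // Close the other client
            if (null != cwuserProxyClient) {
                cwuserProxyClient.close();
            }
            UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
            // Re-login and restore the original client
            client = origClient;
        }
        // Always remove the extra account so it does not outlive the test
        client.dropLocalUser(creds, principal);
    }
}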
Also used : Condition(org.apache.accumulo.proxy.thrift.Condition) HashMap(java.util.HashMap) ByteBuffer(java.nio.ByteBuffer) NumericValueConstraint(org.apache.accumulo.test.constraints.NumericValueConstraint) UnknownWriter(org.apache.accumulo.proxy.thrift.UnknownWriter) ConditionalUpdates(org.apache.accumulo.proxy.thrift.ConditionalUpdates) IteratorSetting(org.apache.accumulo.proxy.thrift.IteratorSetting) ConditionalWriterOptions(org.apache.accumulo.proxy.thrift.ConditionalWriterOptions) Column(org.apache.accumulo.proxy.thrift.Column) ScanColumn(org.apache.accumulo.proxy.thrift.ScanColumn) ConditionalStatus(org.apache.accumulo.proxy.thrift.ConditionalStatus) SummingCombiner(org.apache.accumulo.core.iterators.user.SummingCombiner) ClusterUser(org.apache.accumulo.cluster.ClusterUser) NumericValueConstraint(org.apache.accumulo.test.constraints.NumericValueConstraint) Client(org.apache.accumulo.proxy.thrift.AccumuloProxy.Client) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 8 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class SimpleProxyBase method userPermissions.

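/**
 * Checks that the proxy enforces {@code SystemPermission.CREATE_TABLE} and {@code TablePermission.READ} for a
 * second, unprivileged identity. For each permission the operation must be refused before the grant, succeed
 * after it, and be refused again after the revoke. Finally the user is dropped and must disappear from the
 * local user listing.
 *
 * <p>With Kerberos enabled the second identity is the KDC's client principal 1 and every change of identity is a
 * keytab re-login plus a swap of the {@code client} field; otherwise a local user with a password is created.
 *
 * <p>NOTE(review): {@code UserGroupInformation.loginUserFromKeytab} replaces the JVM-wide Hadoop login user, so this
 * test presumably must not run concurrently with other Kerberos tests in the same JVM. Confirm against the harness.
 *
 * @throws Exception if a proxy call fails for any reason other than the expected {@code AccumuloSecurityException}
 */
@Test
public void userPermissions() throws Exception {
    // Both branches below overwrite this value; the initial lookup is kept as in the original
    String userName = getUniqueNames(1)[0];
    ClusterUser otherClient = null;
    ByteBuffer password = s2bb("password");
    ByteBuffer user;
    TestProxyClient origProxyClient = null;
    Client origClient = null;
    TestProxyClient userProxyClient = null;
    Client userClient = null;
    try {
        if (isKerberosEnabled()) {
            otherClient = getKdc().getClientPrincipal(1);
            userName = otherClient.getPrincipal();
            UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
            final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
            // Re-login and make a new connection. Can't use the previous one
            userProxyClient = new TestProxyClient(hostname, proxyPort, factory, proxyPrimary, ugi);
            origProxyClient = proxyClient;
            origClient = client;
            userClient = client = userProxyClient.proxy();
            user = client.login(userName, Collections.<String, String>emptyMap());
        } else {
            userName = getUniqueNames(1)[0];
            // create a user
            client.createLocalUser(creds, userName, password);
            user = client.login(userName, s2pp(ByteBufferUtil.toString(password)));
        }
        // check permission failure: nothing has been granted yet, so the create must be refused
        try {
            client.createTable(user, "fail", true, TimeType.MILLIS);
            fail("should not create the table");
        } catch (AccumuloSecurityException ex) {
            if (isKerberosEnabled()) {
                // Switch back to original client
                UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
                client = origClient;
            }
            // The refusal must not have left a table behind
            assertFalse(client.listTables(creds).contains("fail"));
        }
        // grant permissions and test
        assertFalse(client.hasSystemPermission(creds, userName, SystemPermission.CREATE_TABLE));
        client.grantSystemPermission(creds, userName, SystemPermission.CREATE_TABLE);
        assertTrue(client.hasSystemPermission(creds, userName, SystemPermission.CREATE_TABLE));
        if (isKerberosEnabled()) {
            // Switch back to the extra user
            UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
            client = userClient;
        }
        client.createTable(user, "success", true, TimeType.MILLIS);
        if (isKerberosEnabled()) {
            // Switch back to original client
            UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
            client = origClient;
        }
        assertTrue(client.listTables(creds).contains("success"));
        // revoke permissions: the same credentials object must stop working for table creation
        client.revokeSystemPermission(creds, userName, SystemPermission.CREATE_TABLE);
        assertFalse(client.hasSystemPermission(creds, userName, SystemPermission.CREATE_TABLE));
        try {
            if (isKerberosEnabled()) {
                // Switch back to the extra user
                UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
                client = userClient;
            }
            client.createTable(user, "fail", true, TimeType.MILLIS);
            fail("should not create the table");
        } catch (AccumuloSecurityException ex) {
            if (isKerberosEnabled()) {
                // Switch back to original client
                UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
                client = origClient;
            }
            assertFalse(client.listTables(creds).contains("fail"));
        }
        // denied! No READ permission on the shared test table yet
        try {
            if (isKerberosEnabled()) {
                // Switch back to the extra user
                UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
                client = userClient;
            }
            String scanner = client.createScanner(user, tableName, null);
            client.nextK(scanner, 100);
            fail("stooge should not read table test");
        } catch (AccumuloSecurityException expected) {
            // expected: the read is refused
        }
        if (isKerberosEnabled()) {
            // Switch back to original client
            UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
            client = origClient;
        }
        // grant
        assertFalse(client.hasTablePermission(creds, userName, tableName, TablePermission.READ));
        client.grantTablePermission(creds, userName, tableName, TablePermission.READ);
        assertTrue(client.hasTablePermission(creds, userName, tableName, TablePermission.READ));
        if (isKerberosEnabled()) {
            // Switch back to the extra user
            UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
            client = userClient;
        }
        String scanner = client.createScanner(user, tableName, null);
        client.nextK(scanner, 10);
        client.closeScanner(scanner);
        if (isKerberosEnabled()) {
            // Switch back to original client
            UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
            client = origClient;
        }
        // revoke
        client.revokeTablePermission(creds, userName, tableName, TablePermission.READ);
        assertFalse(client.hasTablePermission(creds, userName, tableName, TablePermission.READ));
        try {
            if (isKerberosEnabled()) {
                // Switch back to the extra user
                UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
                client = userClient;
            }
            scanner = client.createScanner(user, tableName, null);
            client.nextK(scanner, 100);
            fail("stooge should not read table test");
        } catch (AccumuloSecurityException expected) {
            // expected: the read is refused again after the revoke
        }
        if (isKerberosEnabled()) {
            // Switch back to original client
            UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
            client = origClient;
        }
        // delete user
        client.dropLocalUser(creds, userName);
        Set<String> users = client.listLocalUsers(creds);
        assertFalse("Should not see user after they are deleted", users.contains(userName));
    } finally {
        if (isKerberosEnabled()) {
            // Runs on failure too: a failed assertion must not leave the second connection open, nor leave
            // the shared client field and the Kerberos login pointing at the unprivileged identity.
            if (null != userProxyClient) {
                userProxyClient.close();
            }
            UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
            if (null != origProxyClient) {
                proxyClient = origProxyClient;
            }
            if (null != origClient) {
                client = origClient;
            }
        }
    }
}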
Also used : ClusterUser(org.apache.accumulo.cluster.ClusterUser) AccumuloSecurityException(org.apache.accumulo.proxy.thrift.AccumuloSecurityException) Client(org.apache.accumulo.proxy.thrift.AccumuloProxy.Client) ByteBuffer(java.nio.ByteBuffer) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 9 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class SimpleProxyBase method setup.

/**
 * Per-test fixture: opens a fresh proxy connection, logs in as the primary test identity, and prepares
 * {@code badLogin}, a credentials object obtained for a user that is dropped again right away. It then creates
 * one table and one namespace with unique names for the test to use.
 *
 * <p>NOTE(review): in the password branch the throwaway user is created with the root password and logs in with
 * the same {@code properties} as root, so {@code properties} presumably carries that password. Confirm where the
 * field is set.
 *
 * @throws Exception if logging in or any proxy call fails
 */
@Before
public void setup() throws Exception {
    // Create a new client for each test
    if (!isKerberosEnabled()) {
        proxyClient = new TestProxyClient(hostname, proxyPort, factory);
        client = proxyClient.proxy();
        creds = client.login("root", properties);
        // Create 'user', log in as it, then drop it so the returned credentials are no longer valid
        client.createLocalUser(creds, "user", s2bb(SharedMiniClusterBase.getRootPassword()));
        badLogin = client.login("user", properties);
        client.dropLocalUser(creds, "user");
    } else {
        UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
        final UserGroupInformation primaryUgi = UserGroupInformation.getCurrentUser();
        proxyClient = new TestProxyClient(hostname, proxyPort, factory, proxyPrimary, primaryUgi);
        client = proxyClient.proxy();
        creds = client.login(clientPrincipal, properties);
        // Create another user from the KDC's client principal 0
        final ClusterUser throwaway = getKdc().getClientPrincipal(0);
        client.createLocalUser(creds, throwaway.getPrincipal(), s2bb("unused"));
        // Log in as the user we just created
        UserGroupInformation.loginUserFromKeytab(throwaway.getPrincipal(), throwaway.getKeytab().getAbsolutePath());
        final UserGroupInformation throwawayUgi = UserGroupInformation.getCurrentUser();
        // Get a "Credentials" object for the proxy over a short-lived second connection
        final TestProxyClient throwawayConnection = new TestProxyClient(hostname, proxyPort, factory, proxyPrimary, throwawayUgi);
        try {
            final Client throwawayProxy = throwawayConnection.proxy();
            badLogin = throwawayProxy.login(throwaway.getPrincipal(), properties);
        } finally {
            throwawayConnection.close();
        }
        // Log back in as the test user
        UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
        // Drop test user, invalidating the credentials (not to mention not having the krb credentials anymore)
        client.dropLocalUser(creds, throwaway.getPrincipal());
    }
    // Two unique names: index 0 for the shared table, index 1 for the shared namespace
    final String[] names = getUniqueNames(2);
    tableName = names[0];
    client.createTable(creds, tableName, true, TimeType.MILLIS);
    namespaceName = names[1];
    client.createNamespace(creds, namespaceName);
}
Also used : TestingKdc(org.apache.accumulo.harness.TestingKdc) ClusterUser(org.apache.accumulo.cluster.ClusterUser) Client(org.apache.accumulo.proxy.thrift.AccumuloProxy.Client) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Before(org.junit.Before)

Example 10 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class RestartIT method restartMasterSplit.

/**
 * Runs a TestIngest job in the background, stops every master server while it is in flight,
 * waits until the master lock in ZooKeeper has been released, restarts the cluster, and then
 * checks that the ingest exited with 0 and that the written data verifies.
 *
 * <p>The table is created with a split threshold of "5K" (presumably so that splits happen
 * while the master is down; confirm against the rest of RestartIT).
 *
 * @throws Exception if any cluster, ZooKeeper or ingest operation fails
 */
@Test
public void restartMasterSplit() throws Exception {
    final Connector conn = getConnector();
    final String tableName = getUniqueNames(1)[0];
    final AuthenticationToken token = getAdminToken();
    final ClusterControl control = getCluster().getClusterControl();

    VOPTS.setTableName(tableName);
    conn.tableOperations().create(tableName);
    conn.tableOperations().setProperty(tableName, Property.TABLE_SPLIT_THRESHOLD.getKey(), "5K");

    // Only password and Kerberos admin credentials can be turned into TestIngest arguments.
    final boolean passwordAuth = token instanceof PasswordToken;
    if (!passwordAuth && !(token instanceof KerberosToken)) {
        throw new RuntimeException("Unknown token");
    }

    final String[] args;
    if (passwordAuth) {
        // NOTE(review): the admin password is copied into an immutable String and handed over
        // as a "-p" argument. If control.exec starts a separate process (not visible here),
        // the secret is readable from that process's argument list and cannot be wiped
        // afterwards. Tolerable for a throwaway test cluster; do not copy this pattern into
        // tooling that handles real credentials.
        final byte[] secret = ((PasswordToken) token).getPassword();
        args = new String[] {
            "-u", getAdminPrincipal(),
            "-p", new String(secret, UTF_8),
            "-i", cluster.getInstanceName(),
            "-z", cluster.getZooKeepers(),
            "--rows", Integer.toString(VOPTS.rows),
            "--table", tableName
        };
        OPTS.setPrincipal(getAdminPrincipal());
        VOPTS.setPrincipal(getAdminPrincipal());
    } else {
        // Kerberos: the child is given the path of the admin keytab instead of a secret value.
        final ClusterUser adminUser = getAdminUser();
        args = new String[] {
            "-u", getAdminPrincipal(),
            "--keytab", adminUser.getKeytab().getAbsolutePath(),
            "-i", cluster.getInstanceName(),
            "-z", cluster.getZooKeepers(),
            "--rows", Integer.toString(VOPTS.rows),
            "--table", tableName
        };
        final ClientConfiguration kerberosConfig = cluster.getClientConfig();
        OPTS.updateKerberosCredentials(kerberosConfig);
        VOPTS.updateKerberosCredentials(kerberosConfig);
    }

    // Start the ingest asynchronously so the master can be stopped while it is running.
    // A failure inside the task is logged and reported as exit code -1.
    final Callable<Integer> ingestTask = new Callable<Integer>() {

        @Override
        public Integer call() {
            try {
                return control.exec(TestIngest.class, args);
            } catch (Exception e) {
                log.error("Error running TestIngest", e);
                return -1;
            }
        }
    };
    final Future<Integer> ingestResult = svc.submit(ingestTask);

    control.stopAllServers(ServerType.MASTER);

    // Poll ZooKeeper once per second until nothing holds the master lock any more.
    // There is no upper bound on the wait in this method.
    final ZooReader zooReader = new ZooReader(conn.getInstance().getZooKeepers(), conn.getInstance().getZooKeepersSessionTimeOut());
    final ZooCache zooCache = new ZooCache(zooReader, null);
    while (true) {
        final byte[] lockData = ZooLock.getLockData(zooCache, ZooUtil.getRoot(conn.getInstance()) + Constants.ZMASTER_LOCK, null);
        if (lockData == null) {
            break;
        }
        log.info("Master lock is still held");
        Thread.sleep(1000);
    }

    cluster.start();

    // The ingest must have finished cleanly and its data must be readable after the restart.
    assertEquals(0, ingestResult.get().intValue());
    VerifyIngest.verifyIngest(conn, VOPTS, SOPTS);
}
Also used : Connector(org.apache.accumulo.core.client.Connector) AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) ZooCache(org.apache.accumulo.fate.zookeeper.ZooCache) IOException(java.io.IOException) PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken) ZooReader(org.apache.accumulo.fate.zookeeper.ZooReader) TestIngest(org.apache.accumulo.test.TestIngest) ClusterUser(org.apache.accumulo.cluster.ClusterUser) ClientConfiguration(org.apache.accumulo.core.client.ClientConfiguration) ClusterControl(org.apache.accumulo.cluster.ClusterControl) Test(org.junit.Test)
