
Example 16 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class ArbitraryTablePropertiesIT method userSetGetRemoveTablePropertyWithPermission.

// Tests set, get, and remove of user added arbitrary properties using a non-root account with permissions to alter tables
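/**
 * Positive authorization case: a non-root account that has been granted
 * {@code TablePermission.ALTER_TABLE} on a table (the only grant this test makes) must be able to
 * set, overwrite and remove an arbitrary {@code table.custom.*} property on that table.
 *
 * <p>All property operations run over a connection opened as the test account, not over the
 * connection that created the table, so the assertions exercise the test account's permissions.
 *
 * @throws Exception if any cluster operation fails
 */
@Test
public void userSetGetRemoveTablePropertyWithPermission() throws Exception {
    log.debug("Starting userSetGetRemoveTablePropertyWithPermission test ------------------------");
    // Principal and token of the unprivileged test account
    ClusterUser user = getUser(0);
    String testUser = user.getPrincipal();
    AuthenticationToken testToken = user.getToken();
    // Using the harness connection (presumably the admin/root account -- confirm against getConnector()):
    // create the test account and the table, then grant the single permission under test
    final String tableName = getUniqueNames(1)[0];
    final Connector c = getConnector();
    // A token that is not a PasswordToken results in the account being created with a null password
    c.securityOperations().createLocalUser(testUser, (testToken instanceof PasswordToken ? (PasswordToken) testToken : null));
    c.tableOperations().create(tableName);
    c.securityOperations().grantTablePermission(testUser, tableName, TablePermission.ALTER_TABLE);
    // Property name to use and its initial value
    String propertyName = "table.custom.description";
    String description1 = "Description";
    // Make sure the property name is valid
    Assert.assertTrue(Property.isValidPropertyKey(propertyName));
    // Getting a fresh token will ensure we're logged in as this user (if necessary)
    Connector testConn = c.getInstance().getConnector(testUser, user.getToken());
    // Set the property to the desired value
    testConn.tableOperations().setProperty(tableName, propertyName, description1);
    // The property must be listed exactly once with the initial value
    int count = 0;
    for (Entry<String, String> property : testConn.tableOperations().getProperties(tableName)) {
        if (property.getKey().equals(propertyName) && property.getValue().equals(description1))
            count++;
    }
    // JUnit's contract is assertEquals(expected, actual); the reversed order mislabels failure messages
    Assert.assertEquals(1, count);
    // Overwrite the property with a different value
    String description2 = "set second";
    testConn.tableOperations().setProperty(tableName, propertyName, description2);
    // The property must now be listed exactly once with the second value
    count = 0;
    for (Entry<String, String> property : testConn.tableOperations().getProperties(tableName)) {
        if (property.getKey().equals(propertyName) && property.getValue().equals(description2))
            count++;
    }
    Assert.assertEquals(1, count);
    // Remove the property and make sure there is no longer a value associated with it
    testConn.tableOperations().removeProperty(tableName, propertyName);
    // After removal the key must not be listed at all, whatever its value
    count = 0;
    for (Entry<String, String> property : testConn.tableOperations().getProperties(tableName)) {
        if (property.getKey().equals(propertyName))
            count++;
    }
    Assert.assertEquals(0, count);
}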
Also used : Connector(org.apache.accumulo.core.client.Connector) PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken) AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken) ClusterUser(org.apache.accumulo.cluster.ClusterUser) Test(org.junit.Test)

Example 17 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class MiniClusterHarness method configureForKerberos.

/**
 * Switches a mini-cluster configuration to Kerberos/SASL authentication.
 *
 * <p>SSL and SASL are treated as mutually exclusive: the method refuses a site configuration that
 * already enables RPC SSL, and returns without changes when SASL is already enabled. Otherwise it
 * enables SASL, points the server at the KDC-issued server keytab and principal, installs the
 * Kerberos authenticator, authorizor and permission handler, and makes the KDC root user the
 * cluster's root user.
 *
 * @param cfg mini-cluster configuration to modify
 * @param folder not read by this method
 * @param coreSite Hadoop configuration whose authentication mode is set to {@code "kerberos"}
 * @param kdc test KDC supplying the server and root principals; must not be null when SASL still
 *        has to be enabled
 * @throws RuntimeException if the site configuration already enables RPC SSL
 * @throws IllegalStateException if {@code kdc} is null and SASL is not yet enabled
 */
protected void configureForKerberos(MiniAccumuloConfigImpl cfg, File folder, Configuration coreSite, TestingKdc kdc) throws Exception {
    final Map<String, String> site = cfg.getSiteConfig();

    final boolean sslRequested = TRUE.equals(site.get(Property.INSTANCE_RPC_SSL_ENABLED.getKey()));
    if (sslRequested) {
        throw new RuntimeException("Cannot use both SSL and SASL/Kerberos");
    }

    final boolean saslAlreadyOn = TRUE.equals(site.get(Property.INSTANCE_RPC_SASL_ENABLED.getKey()));
    if (saslAlreadyOn) {
        // Nothing left to do: an earlier caller has configured SASL
        return;
    }

    if (kdc == null) {
        throw new IllegalStateException("MiniClusterKdc was null");
    }

    log.info("Enabling Kerberos/SASL for minicluster");

    // SASL on, then the server identity (keytab file + principal) the processes log in with
    cfg.setProperty(Property.INSTANCE_RPC_SASL_ENABLED, "true");
    final ClusterUser server = kdc.getAccumuloServerUser();
    final String keytabPath = server.getKeytab().getAbsolutePath();
    cfg.setProperty(Property.GENERAL_KERBEROS_KEYTAB, keytabPath);
    cfg.setProperty(Property.GENERAL_KERBEROS_PRINCIPAL, server.getPrincipal());

    // Replace all three security handlers with their Kerberos implementations
    final String authenticatorClass = KerberosAuthenticator.class.getName();
    final String authorizorClass = KerberosAuthorizor.class.getName();
    final String permissionHandlerClass = KerberosPermissionHandler.class.getName();
    cfg.setProperty(Property.INSTANCE_SECURITY_AUTHENTICATOR, authenticatorClass);
    cfg.setProperty(Property.INSTANCE_SECURITY_AUTHORIZOR, authorizorClass);
    cfg.setProperty(Property.INSTANCE_SECURITY_PERMISSION_HANDLER, permissionHandlerClass);

    // Tracing reuses the server ("system user") principal, but authenticates with an ordinary
    // KerberosToken rather than the SystemToken. This is a harness shortcut: tracing here runs
    // under the server's own identity instead of a dedicated, lower-privileged principal.
    cfg.setProperty(Property.TRACE_USER, server.getPrincipal());
    cfg.setProperty(Property.TRACE_TOKEN_TYPE, KerberosToken.CLASS_NAME);

    // Forward the launching JVM's KRB5 settings to the cluster processes.
    // NOTE(review): the debug flag presumably turns on the JDK's Kerberos debug output, which is
    // verbose -- confirm the constant's value and keep the default of "false" outside debugging.
    final Map<String, String> jvmProps = cfg.getSystemProperties();
    jvmProps.put(JAVA_SECURITY_KRB5_CONF, System.getProperty(JAVA_SECURITY_KRB5_CONF, ""));
    jvmProps.put(SUN_SECURITY_KRB5_DEBUG, System.getProperty(SUN_SECURITY_KRB5_DEBUG, "false"));
    cfg.setSystemProperties(jvmProps);

    // Make sure UserGroupInformation will do the correct login
    coreSite.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");

    final String rootPrincipal = kdc.getRootUser().getPrincipal();
    cfg.setRootUserName(rootPrincipal);
}
Also used : KerberosAuthenticator(org.apache.accumulo.server.security.handler.KerberosAuthenticator) ClusterUser(org.apache.accumulo.cluster.ClusterUser) KerberosAuthorizor(org.apache.accumulo.server.security.handler.KerberosAuthorizor) KerberosPermissionHandler(org.apache.accumulo.server.security.handler.KerberosPermissionHandler)

Example 18 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class CredentialsIT method createLocalUser.

/**
 * Per-test setup: records the instance, the test principal and whether SASL is in use, and
 * creates the test account if the cluster does not list it yet.
 *
 * <p>Without SASL the account is created with the password supplied by the {@link ClusterUser}.
 * With SASL the account is created with a {@code null} password token and the {@code password}
 * field is left untouched (presumably because the identity is then proven via Kerberos -- confirm
 * against the security handler in use).
 *
 * @throws AccumuloException if a cluster operation fails
 * @throws AccumuloSecurityException if the connection lacks the permission to list or create users
 */
@Before
public void createLocalUser() throws AccumuloException, AccumuloSecurityException {
    Connector adminConn = getConnector();
    inst = adminConn.getInstance();
    ClientConfiguration conf = cluster.getClientConfig();
    ClusterUser testAccount = getUser(0);
    username = testAccount.getPrincipal();
    saslEnabled = conf.hasSasl();

    Set<String> existing = adminConn.securityOperations().listLocalUsers();
    if (existing.contains(username)) {
        // Account survives from an earlier test; do not recreate it
        return;
    }

    PasswordToken initialToken;
    if (saslEnabled) {
        // No password is stored for the account in SASL mode
        initialToken = null;
    } else {
        password = testAccount.getPassword();
        initialToken = new PasswordToken(password);
    }
    adminConn.securityOperations().createLocalUser(username, initialToken);
}
Also used : Connector(org.apache.accumulo.core.client.Connector) PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken) ClusterUser(org.apache.accumulo.cluster.ClusterUser) ClientConfiguration(org.apache.accumulo.core.client.ClientConfiguration) Before(org.junit.Before)

Example 19 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class StatusCombinerMacIT method test.

/**
 * Writes two status records for the same write-ahead-log row of the replication table and checks
 * that a scan returns a single entry each time.
 *
 * <p>The first record is a "file created" status; the second is a "replicated up to
 * {@code Long.MAX_VALUE}" status written to the same row and column. After the second write the
 * only entry returned must parse to a {@code Status} whose begin offset is {@code Long.MAX_VALUE}.
 *
 * <p>The admin user is explicitly granted {@code TablePermission.WRITE} on the replication table
 * before anything is written to it.
 *
 * @throws Exception if any cluster operation fails
 */
@Test
public void test() throws Exception {
    // Same row key for both mutations, so both statuses land on one cell
    final String walRow = "file:/accumulo/wal/HW10447.local+56808/93cdc17e-7521-44fa-87b5-37f45bcb92d3";

    Connector conn = getConnector();
    ClusterUser admin = getAdminUser();
    ReplicationTable.setOnline(conn);
    conn.securityOperations().grantTablePermission(admin.getPrincipal(), ReplicationTable.NAME, TablePermission.WRITE);

    BatchWriter firstWriter = ReplicationTable.getBatchWriter(conn);
    long createTime = System.currentTimeMillis();
    try {
        Mutation created = new Mutation(walRow);
        StatusSection.add(created, Table.ID.of("1"), StatusUtil.fileCreatedValue(createTime));
        firstWriter.addMutation(created);
    } finally {
        // Closing the writer is what pushes the mutation out before the scan below
        firstWriter.close();
    }

    try (Scanner scan = ReplicationTable.getScanner(conn)) {
        Entry<Key, Value> only = Iterables.getOnlyElement(scan);
        Assert.assertEquals(StatusUtil.fileCreatedValue(createTime), only.getValue());

        // Second write happens while the first scanner is still open, as in the original flow
        BatchWriter secondWriter = ReplicationTable.getBatchWriter(conn);
        try {
            Mutation replicated = new Mutation(walRow);
            StatusSection.add(replicated, Table.ID.of("1"), ProtobufUtil.toValue(StatusUtil.replicated(Long.MAX_VALUE)));
            secondWriter.addMutation(replicated);
        } finally {
            secondWriter.close();
        }
    }

    try (Scanner scan = ReplicationTable.getScanner(conn)) {
        Entry<Key, Value> only = Iterables.getOnlyElement(scan);
        Status merged = Status.parseFrom(only.getValue().get());
        Assert.assertEquals(Long.MAX_VALUE, merged.getBegin());
    }
}
Also used : Status(org.apache.accumulo.server.replication.proto.Replication.Status) Connector(org.apache.accumulo.core.client.Connector) Scanner(org.apache.accumulo.core.client.Scanner) Value(org.apache.accumulo.core.data.Value) ClusterUser(org.apache.accumulo.cluster.ClusterUser) BatchWriter(org.apache.accumulo.core.client.BatchWriter) Mutation(org.apache.accumulo.core.data.Mutation) Key(org.apache.accumulo.core.data.Key) Test(org.junit.Test)

Example 20 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class SimpleProxyBase method userManagement.

/**
 * Exercises user management through the proxy: create a local user, confirm it is listed, replace
 * its authorizations, and finally log in as that user.
 *
 * <p>Without Kerberos the test also changes the user's password and authenticates with the new
 * one. The replacement password is the empty string, so this test additionally pins that the
 * proxy accepts an empty password for a local user in this setup.
 *
 * <p>With Kerberos the user is a KDC client principal; the test logs in from that principal's
 * keytab and opens a separate proxy connection for the login check.
 * NOTE(review): {@code loginUserFromKeytab} is not undone here -- confirm the harness restores the
 * original login user for later tests.
 *
 * @throws Exception if any proxy or login operation fails
 */
@Test
public void userManagement() throws Exception {
    String principal;
    ClusterUser kerberosClient = null;
    ByteBuffer secret = s2bb("password");
    if (isKerberosEnabled()) {
        kerberosClient = getKdc().getClientPrincipal(1);
        principal = kerberosClient.getPrincipal();
    } else {
        principal = getUniqueNames(1)[0];
    }

    // Create the user, then confirm both it and the calling principal are listed
    client.createLocalUser(creds, principal, secret);
    Set<String> listed = client.listLocalUsers(creds);
    Set<String> expectedUsers = new HashSet<>();
    expectedUsers.add(clientPrincipal);
    expectedUsers.add(principal);
    assertTrue("Did not find all expected users: " + expectedUsers, listed.containsAll(expectedUsers));

    // Replace the user's authorizations and read them back
    HashSet<ByteBuffer> wantedAuths = new HashSet<>();
    wantedAuths.add(s2bb("A"));
    wantedAuths.add(s2bb("B"));
    client.changeUserAuthorizations(creds, principal, wantedAuths);
    List<ByteBuffer> storedAuths = client.getUserAuthorizations(creds, principal);
    assertEquals(wantedAuths, new HashSet<>(storedAuths));

    // Password change only applies to password-based accounts
    if (!isKerberosEnabled()) {
        secret = s2bb("");
        client.changeLocalUserPassword(creds, principal, secret);
        assertTrue(client.authenticateUser(creds, principal, s2pp(ByteBufferUtil.toString(secret))));
    }

    if (!isKerberosEnabled()) {
        // Log in with the password set above
        client.login(principal, s2pp(ByteBufferUtil.toString(secret)));
    } else {
        UserGroupInformation.loginUserFromKeytab(kerberosClient.getPrincipal(), kerberosClient.getKeytab().getAbsolutePath());
        final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
        // A new login needs a new connection; the existing proxy client cannot be reused
        TestProxyClient freshProxy = null;
        try {
            freshProxy = new TestProxyClient(hostname, proxyPort, factory, proxyPrimary, ugi);
            freshProxy.proxy().login(principal, Collections.<String, String>emptyMap());
        } finally {
            // Constructor may have thrown, in which case there is nothing to close
            if (freshProxy != null) {
                freshProxy.close();
            }
        }
    }
}
Also used : ClusterUser(org.apache.accumulo.cluster.ClusterUser) ByteBuffer(java.nio.ByteBuffer) HashSet(java.util.HashSet) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Aggregations

ClusterUser (org.apache.accumulo.cluster.ClusterUser)36 Connector (org.apache.accumulo.core.client.Connector)22 Test (org.junit.Test)21 PasswordToken (org.apache.accumulo.core.client.security.tokens.PasswordToken)19 ClientConfiguration (org.apache.accumulo.core.client.ClientConfiguration)10 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)10 KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken)9 AuthenticationToken (org.apache.accumulo.core.client.security.tokens.AuthenticationToken)7 Before (org.junit.Before)7 Client (org.apache.accumulo.proxy.thrift.AccumuloProxy.Client)6 IOException (java.io.IOException)5 ByteBuffer (java.nio.ByteBuffer)5 Scanner (org.apache.accumulo.core.client.Scanner)5 Configuration (org.apache.hadoop.conf.Configuration)5 File (java.io.File)4 AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException)4 ClusterControl (org.apache.accumulo.cluster.ClusterControl)3 BatchWriter (org.apache.accumulo.core.client.BatchWriter)3 Key (org.apache.accumulo.core.data.Key)3 Mutation (org.apache.accumulo.core.data.Mutation)3