
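/**
 * Does the actual test setup, invoked by the concrete test class.
 *
 * <p>Builds the proxy server's own configuration ({@code props}) from the shared mini cluster,
 * chooses the token class the proxy accepts and starts the proxy on a random free port. With
 * Kerberos enabled it additionally creates a dedicated {@code proxy/&lt;host&gt;} principal and keytab
 * in the test KDC, switches Hadoop's security configuration to {@code kerberos} for the whole JVM
 * and logs the proxy in from that keytab; the test client then uses the KDC root user and its keytab.
 * Without Kerberos the client is {@code root} with the cluster's root password. In both cases the
 * static client-side fields ({@code clientPrincipal}, {@code clientKeytab}, {@code properties},
 * {@code hostname}) are filled in for the concrete tests, and both proxy and client are pointed at
 * the same {@code client.conf}.
 *
 * @throws IllegalStateException if the proxy does not report that it is serving within two minutes
 * @throws Exception from KDC, UGI or cluster setup
 */
public static void setUpProxy() throws Exception {
    assertNotNull("Implementations must initialize the TProtocolFactory", factory);
    Connector c = SharedMiniClusterBase.getConnector();
    Instance inst = c.getInstance();
    waitForAccumulo(c);
    hostname = InetAddress.getLocalHost().getCanonicalHostName();
    Properties props = new Properties();
    props.setProperty("instance", inst.getInstanceName());
    props.setProperty("zookeepers", inst.getZooKeepers());
    final String tokenClass;
    if (isKerberosEnabled()) {
        tokenClass = KerberosToken.class.getName();
        TestingKdc kdc = getKdc();
        // Create a principal+keytab for the proxy (hostname was already resolved above)
        proxyKeytab = new File(kdc.getKeytabDir(), "proxy.keytab");
        // Set the primary because the client needs to know it
        proxyPrimary = "proxy";
        // Qualify with an instance: the host the proxy is served from
        proxyPrincipal = proxyPrimary + "/" + hostname;
        kdc.createPrincipal(proxyKeytab, proxyPrincipal);
        // Tack on the realm too
        proxyPrincipal = kdc.qualifyUser(proxyPrincipal);
        props.setProperty("kerberosPrincipal", proxyPrincipal);
        props.setProperty("kerberosKeytab", proxyKeytab.getCanonicalPath());
        props.setProperty("thriftServerType", "sasl");
        // Enable kerberos auth. UserGroupInformation is process-global static state, so this
        // affects every Hadoop/Accumulo client in this JVM, not only the proxy.
        Configuration conf = new Configuration(false);
        conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
        UserGroupInformation.setConfiguration(conf);
        // Login for the Proxy itself. Keep this after setConfiguration(): UGI consults that
        // configuration to decide whether a Kerberos login is attempted at all.
        UserGroupInformation.loginUserFromKeytab(proxyPrincipal, proxyKeytab.getAbsolutePath());
        // User for tests
        ClusterUser user = kdc.getRootUser();
        clientPrincipal = user.getPrincipal();
        clientKeytab = user.getKeytab();
    } else {
        clientPrincipal = "root";
        tokenClass = PasswordToken.class.getName();
        properties.put("password", SharedMiniClusterBase.getRootPassword());
        hostname = "localhost";
    }
    props.setProperty("tokenClass", tokenClass);
    ClientConfiguration clientConfig = SharedMiniClusterBase.getCluster().getClientConfig();
    String clientConfPath = new File(SharedMiniClusterBase.getCluster().getConfig().getConfDir(), "client.conf").getAbsolutePath();
    // Proxy and test client read the same client configuration file
    props.setProperty("clientConfigurationFile", clientConfPath);
    properties.put("clientConfigurationFile", clientConfPath);
    proxyPort = PortUtils.getRandomFreePort();
    proxyServer = Proxy.createProxyServer(HostAndPort.fromParts(hostname, proxyPort), factory, props, clientConfig).server;
    // Bounded wait for the proxy to come up; an unbounded spin would hang the whole test run if the
    // proxy never binds (bad keytab, port taken, ...)
    final long deadlineNanos = System.nanoTime() + TimeUnit.MINUTES.toNanos(2);
    while (!proxyServer.isServing()) {
        if (System.nanoTime() - deadlineNanos > 0) {
            throw new IllegalStateException("Proxy server on " + hostname + ":" + proxyPort + " did not start serving within 2 minutes");
        }
        sleepUninterruptibly(100, TimeUnit.MILLISECONDS);
    }
}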

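/**
 * Verifies that data written to a table on the Kerberos-secured primary cluster is replicated into
 * the configured target table on the peer cluster, and that nothing else shows up there.
 *
 * <p>Everything runs as the KDC root user inside {@code ugi.doAs}. The peer gets a dedicated
 * replication user (the KDC's first client principal); the primary is pointed at that principal and
 * its keytab through {@code REPLICATION_PEER_USER} / {@code REPLICATION_PEER_KEYTAB}, so the primary
 * authenticates to the peer with a non-root identity that only holds WRITE on the target table. The
 * primary's tablet servers are bounced to force the WAL closed, the replication queue is drained,
 * and the peer table is then expected to hold exactly the rows that were written.
 *
 * @throws Exception on any cluster, KDC or replication failure
 */
@Test
public void dataReplicatedToCorrectTable() throws Exception {
    // Login as the root user
    // NOTE(review): the keytab is handed over as a file: URI string here, while the peer keytab
    // below is passed as an absolute path - confirm UGI accepts both forms
    final UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().toURI().toString());
    ugi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            log.info("testing {}", ugi);
            final KerberosToken token = new KerberosToken();
            final Connector primaryConn = primary.getConnector(rootUser.getPrincipal(), token);
            final Connector peerConn = peer.getConnector(rootUser.getPrincipal(), token);
            ClusterUser replicationUser = kdc.getClientPrincipal(0);
            // Create user for replication to the peer; it is a KDC principal, so no password token is set
            peerConn.securityOperations().createLocalUser(replicationUser.getPrincipal(), null);
            // The primary authenticates to the peer as this user, reading its keytab from the path stored here
            primaryConn.instanceOperations().setProperty(Property.REPLICATION_PEER_USER.getKey() + PEER_NAME, replicationUser.getPrincipal());
            primaryConn.instanceOperations().setProperty(Property.REPLICATION_PEER_KEYTAB.getKey() + PEER_NAME, replicationUser.getKeytab().getAbsolutePath());
            // ...peer = AccumuloReplicaSystem,instanceName,zookeepers
            primaryConn.instanceOperations().setProperty(Property.REPLICATION_PEERS.getKey() + PEER_NAME, ReplicaSystemFactory.getPeerConfigurationValue(AccumuloReplicaSystem.class, AccumuloReplicaSystem.buildConfiguration(peerConn.getInstance().getInstanceName(), peerConn.getInstance().getZooKeepers())));
            String primaryTable1 = "primary", peerTable1 = "peer";
            // Create tables
            primaryConn.tableOperations().create(primaryTable1);
            String masterTableId1 = primaryConn.tableOperations().tableIdMap().get(primaryTable1);
            Assert.assertNotNull(masterTableId1);
            peerConn.tableOperations().create(peerTable1);
            String peerTableId1 = peerConn.tableOperations().tableIdMap().get(peerTable1);
            Assert.assertNotNull(peerTableId1);
            // Grant write permission: WRITE on the target table is all the replication user is given
            peerConn.securityOperations().grantTablePermission(replicationUser.getPrincipal(), peerTable1, TablePermission.WRITE);
            // Replicate this table to the peerClusterName in a table with the peerTableId table id
            primaryConn.tableOperations().setProperty(primaryTable1, Property.TABLE_REPLICATION.getKey(), "true");
            primaryConn.tableOperations().setProperty(primaryTable1, Property.TABLE_REPLICATION_TARGET.getKey() + PEER_NAME, peerTableId1);
            // Write some data to table1; try-with-resources closes the writer even if a mutation is rejected
            long masterTable1Records = 0L;
            try (BatchWriter bw = primaryConn.createBatchWriter(primaryTable1, new BatchWriterConfig())) {
                for (int rows = 0; rows < 2500; rows++) {
                    Mutation m = new Mutation(primaryTable1 + rows);
                    for (int cols = 0; cols < 100; cols++) {
                        String value = Integer.toString(cols);
                        m.put(value, "", value);
                        masterTable1Records++;
                    }
                    bw.addMutation(m);
                }
            }
            log.info("Wrote all data to primary cluster");
            Set<String> filesFor1 = primaryConn.replicationOperations().referencedFiles(primaryTable1);
            // Restart the tserver to force a close on the WAL
            for (ProcessReference proc : primary.getProcesses().get(ServerType.TABLET_SERVER)) {
                primary.killProcess(ServerType.TABLET_SERVER, proc);
            }
            primary.exec(TabletServer.class);
            log.info("Restarted the tserver");
            // Read the data -- the tserver is back up and running and tablets are assigned
            Iterators.size(primaryConn.createScanner(primaryTable1, Authorizations.EMPTY).iterator());
            // Wait for both tables to be replicated
            log.info("Waiting for {} for {}", filesFor1, primaryTable1);
            primaryConn.replicationOperations().drain(primaryTable1, filesFor1);
            long countTable = 0L;
            // Every row on the peer must originate from primaryTable1 (rows are prefixed with the table name)
            for (Entry<Key, Value> entry : peerConn.createScanner(peerTable1, Authorizations.EMPTY)) {
                countTable++;
                Assert.assertTrue("Found unexpected key-value" + entry.getKey().toStringNoTruncate() + " " + entry.getValue(), entry.getKey().getRow().toString().startsWith(primaryTable1));
            }
            log.info("Found {} records in {}", countTable, peerTable1);
            Assert.assertEquals(masterTable1Records, countTable);
            return null;
        }
    });
}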

/**
 * Drops the first test user before each test so a run starts from a known state; a user left behind
 * by a previous test would otherwise make the "create user" step of the test fail.
 *
 * @throws Exception if listing or dropping local users fails
 */
@Before
public void deleteUsers() throws Exception {
    Connector conn = getConnector();
    Set<String> existing = conn.securityOperations().listLocalUsers();
    String principal = getUser(0).getPrincipal();
    if (!existing.contains(principal)) {
        return;
    }
    conn.securityOperations().dropLocalUser(principal);
}

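/**
 * Checks that table permissions are enforced for conditional writes: a conditional mutation needs
 * both READ and WRITE on the table, so a user holding only one of them is rejected with
 * {@link AccumuloSecurityException} instead of getting a status back.
 *
 * <p>A fresh cluster user is created (without a password token when SASL is enabled, otherwise with
 * its configured password) and granted READ on {@code table1}, WRITE on {@code table2} and both on
 * {@code table3}; the writes are then issued through a connector for that user rather than root.
 *
 * @throws Exception on any cluster or client failure
 */
@Test
public void testSecurity() throws Exception {
    // test against table user does not have read and/or write permissions for
    Connector conn = getConnector();
    ClientConfiguration clientConf = cluster.getClientConfig();
    final boolean saslEnabled = clientConf.hasSasl();
    // Create a new user
    ClusterUser user1 = getUser(0);
    String user = user1.getPrincipal();
    if (saslEnabled) {
        // SASL (Kerberos) cluster: the local user is created without a password token
        conn.securityOperations().createLocalUser(user, null);
    } else {
        conn.securityOperations().createLocalUser(user, new PasswordToken(user1.getPassword()));
    }
    String[] tables = getUniqueNames(3);
    String table1 = tables[0], table2 = tables[1], table3 = tables[2];
    // Create three tables
    conn.tableOperations().create(table1);
    conn.tableOperations().create(table2);
    conn.tableOperations().create(table3);
    // Grant R on table1, W on table2, R/W on table3
    conn.securityOperations().grantTablePermission(user, table1, TablePermission.READ);
    conn.securityOperations().grantTablePermission(user, table2, TablePermission.WRITE);
    conn.securityOperations().grantTablePermission(user, table3, TablePermission.READ);
    conn.securityOperations().grantTablePermission(user, table3, TablePermission.WRITE);
    // Login as the user: the checks below must run with the restricted identity, not root
    Connector conn2 = conn.getInstance().getConnector(user, user1.getToken());
    ConditionalMutation cm1 = new ConditionalMutation("r1", new Condition("tx", "seq"));
    cm1.put("tx", "seq", "1");
    cm1.put("data", "x", "a");
    try (ConditionalWriter cw1 = conn2.createConditionalWriter(table1, new ConditionalWriterConfig());
        ConditionalWriter cw2 = conn2.createConditionalWriter(table2, new ConditionalWriterConfig());
        ConditionalWriter cw3 = conn2.createConditionalWriter(table3, new ConditionalWriterConfig())) {
        // Should be able to conditional-update a table we have R/W on
        Assert.assertEquals(Status.ACCEPTED, cw3.write(cm1).getStatus());
        // Conditional-update to a table we only have read on should fail
        try {
            Status status = cw1.write(cm1).getStatus();
            Assert.fail("Expected exception writing conditional mutation to table the user doesn't have write access to, Got status: " + status);
        } catch (AccumuloSecurityException ignored) {
            // expected: the user holds READ but not WRITE on table1
        }
        // Conditional-update to a table we only have writer on should fail
        try {
            Status status = cw2.write(cm1).getStatus();
            Assert.fail("Expected exception writing conditional mutation to table the user doesn't have read access to. Got status: " + status);
        } catch (AccumuloSecurityException ignored) {
            // expected: the user holds WRITE but not READ on table2, and a condition check needs READ
        }
    }
}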

/**
 * Tests new Namespace permissions as well as modifications to Table permissions because of namespaces. Checks each permission to first make sure the user
 * doesn't have permission to perform the action, then root grants them the permission and we check to make sure they could perform the action.
 *
 * <p>Every permission goes through the same deny / grant / verify / revoke cycle, switching between {@code root} and {@code user1} via
 * {@code loginAs(...)}. The revoke at the end of each cycle matters: it keeps a later positive check from passing because of a permission left over
 * from an earlier step. Negative checks go through {@code expectPermissionDenied}, so a failure for some other reason is not mistaken for a correct
 * denial.
 *
 * @throws Exception on any cluster or client failure
 */
@Test
public void testPermissions() throws Exception {
    ClusterUser user1 = getUser(0), user2 = getUser(1), root = getAdminUser();
    String u1 = user1.getPrincipal();
    String u2 = user2.getPrincipal();
    // No password token when the cluster user has no password (presumably the SASL/Kerberos case)
    PasswordToken pass = (null != user1.getPassword() ? new PasswordToken(user1.getPassword()) : null);
    String n1 = namespace;
    String t1 = n1 + ".1";
    String t2 = n1 + ".2";
    String t3 = n1 + ".3";
    String n2 = namespace + "_2";
    loginAs(root);
    c.namespaceOperations().create(n1);
    c.tableOperations().create(t1);
    c.securityOperations().createLocalUser(u1, pass);
    loginAs(user1);
    // All checks for user1 go through this connector, never through root's
    Connector user1Con = c.getInstance().getConnector(u1, user1.getToken());
    // CREATE_TABLE on the namespace: denied, granted, verified, revoked
    try {
        user1Con.tableOperations().create(t2);
        fail();
    } catch (AccumuloSecurityException e) {
        expectPermissionDenied(e);
    }
    loginAs(root);
    c.securityOperations().grantNamespacePermission(u1, n1, NamespacePermission.CREATE_TABLE);
    loginAs(user1);
    user1Con.tableOperations().create(t2);
    loginAs(root);
    assertTrue(c.tableOperations().list().contains(t2));
    c.securityOperations().revokeNamespacePermission(u1, n1, NamespacePermission.CREATE_TABLE);
    // DROP_TABLE on the namespace
    loginAs(user1);
    try {
        user1Con.tableOperations().delete(t1);
        fail();
    } catch (AccumuloSecurityException e) {
        expectPermissionDenied(e);
    }
    loginAs(root);
    c.securityOperations().grantNamespacePermission(u1, n1, NamespacePermission.DROP_TABLE);
    loginAs(user1);
    user1Con.tableOperations().delete(t1);
    loginAs(root);
    assertTrue(!c.tableOperations().list().contains(t1));
    c.securityOperations().revokeNamespacePermission(u1, n1, NamespacePermission.DROP_TABLE);
    // Seed t3 as root so there is something for the READ checks below to hit
    c.tableOperations().create(t3);
    BatchWriter bw = c.createBatchWriter(t3, null);
    Mutation m = new Mutation("row");
    m.put("cf", "cq", "value");
    bw.addMutation(m);
    bw.close();
    loginAs(user1);
    // READ on the namespace. Scanners are lazy: the security failure only surfaces on the first next(),
    // wrapped in a RuntimeException whose cause is the AccumuloSecurityException
    Iterator<Entry<Key, Value>> i = user1Con.createScanner(t3, new Authorizations()).iterator();
    try {
        i.next();
        fail();
    } catch (RuntimeException e) {
        assertEquals(AccumuloSecurityException.class.getName(), e.getCause().getClass().getName());
        expectPermissionDenied((AccumuloSecurityException) e.getCause());
    }
    loginAs(user1);
    // WRITE on the namespace. A rejected write surfaces on close() as MutationsRejectedException
    // carrying the security error codes per table; expect exactly one table with exactly one code
    m = new Mutation(u1);
    m.put("cf", "cq", "turtles");
    bw = user1Con.createBatchWriter(t3, null);
    try {
        bw.addMutation(m);
        bw.close();
        fail();
    } catch (MutationsRejectedException e) {
        assertEquals(1, e.getSecurityErrorCodes().size());
        assertEquals(1, e.getSecurityErrorCodes().entrySet().iterator().next().getValue().size());
        switch(e.getSecurityErrorCodes().entrySet().iterator().next().getValue().iterator().next()) {
            case PERMISSION_DENIED:
                break;
            default:
                fail();
        }
    }
    loginAs(root);
    c.securityOperations().grantNamespacePermission(u1, n1, NamespacePermission.READ);
    loginAs(user1);
    i = user1Con.createScanner(t3, new Authorizations()).iterator();
    assertTrue(i.hasNext());
    loginAs(root);
    c.securityOperations().revokeNamespacePermission(u1, n1, NamespacePermission.READ);
    c.securityOperations().grantNamespacePermission(u1, n1, NamespacePermission.WRITE);
    loginAs(user1);
    m = new Mutation(u1);
    m.put("cf", "cq", "turtles");
    bw = user1Con.createBatchWriter(t3, null);
    bw.addMutation(m);
    bw.close();
    loginAs(root);
    c.securityOperations().revokeNamespacePermission(u1, n1, NamespacePermission.WRITE);
    // ALTER_TABLE on the namespace, exercised through a table property
    loginAs(user1);
    try {
        user1Con.tableOperations().setProperty(t3, Property.TABLE_FILE_MAX.getKey(), "42");
        fail();
    } catch (AccumuloSecurityException e) {
        expectPermissionDenied(e);
    }
    loginAs(root);
    c.securityOperations().grantNamespacePermission(u1, n1, NamespacePermission.ALTER_TABLE);
    loginAs(user1);
    user1Con.tableOperations().setProperty(t3, Property.TABLE_FILE_MAX.getKey(), "42");
    user1Con.tableOperations().removeProperty(t3, Property.TABLE_FILE_MAX.getKey());
    loginAs(root);
    c.securityOperations().revokeNamespacePermission(u1, n1, NamespacePermission.ALTER_TABLE);
    // ALTER_NAMESPACE on the namespace, exercised through a namespace property
    loginAs(user1);
    try {
        user1Con.namespaceOperations().setProperty(n1, Property.TABLE_FILE_MAX.getKey(), "55");
        fail();
    } catch (AccumuloSecurityException e) {
        expectPermissionDenied(e);
    }
    loginAs(root);
    c.securityOperations().grantNamespacePermission(u1, n1, NamespacePermission.ALTER_NAMESPACE);
    loginAs(user1);
    user1Con.namespaceOperations().setProperty(n1, Property.TABLE_FILE_MAX.getKey(), "42");
    user1Con.namespaceOperations().removeProperty(n1, Property.TABLE_FILE_MAX.getKey());
    loginAs(root);
    c.securityOperations().revokeNamespacePermission(u1, n1, NamespacePermission.ALTER_NAMESPACE);
    // GRANT on the namespace: user1 may only hand out namespace permissions to user2 once it holds GRANT
    loginAs(root);
    // NOTE(review): the null check looks at root's password but the token is built from user2's;
    // the two appear to be null together in practice (SASL on/off is cluster-wide) - confirm
    c.securityOperations().createLocalUser(u2, (root.getPassword() == null ? null : new PasswordToken(user2.getPassword())));
    loginAs(user1);
    try {
        user1Con.securityOperations().grantNamespacePermission(u2, n1, NamespacePermission.ALTER_NAMESPACE);
        fail();
    } catch (AccumuloSecurityException e) {
        expectPermissionDenied(e);
    }
    loginAs(root);
    c.securityOperations().grantNamespacePermission(u1, n1, NamespacePermission.GRANT);
    loginAs(user1);
    user1Con.securityOperations().grantNamespacePermission(u2, n1, NamespacePermission.ALTER_NAMESPACE);
    user1Con.securityOperations().revokeNamespacePermission(u2, n1, NamespacePermission.ALTER_NAMESPACE);
    loginAs(root);
    c.securityOperations().revokeNamespacePermission(u1, n1, NamespacePermission.GRANT);
    // System-level CREATE_NAMESPACE
    loginAs(user1);
    try {
        user1Con.namespaceOperations().create(n2);
        fail();
    } catch (AccumuloSecurityException e) {
        expectPermissionDenied(e);
    }
    loginAs(root);
    c.securityOperations().grantSystemPermission(u1, SystemPermission.CREATE_NAMESPACE);
    loginAs(user1);
    user1Con.namespaceOperations().create(n2);
    loginAs(root);
    c.securityOperations().revokeSystemPermission(u1, SystemPermission.CREATE_NAMESPACE);
    // NOTE(review): DROP_NAMESPACE is revoked from u1 on the namespace u1 just created, presumably
    // because the creator receives it implicitly; without this revoke the next denial check would be
    // meaningless - confirm against namespace creation semantics
    c.securityOperations().revokeNamespacePermission(u1, n2, NamespacePermission.DROP_NAMESPACE);
    // System-level DROP_NAMESPACE
    loginAs(user1);
    try {
        user1Con.namespaceOperations().delete(n2);
        fail();
    } catch (AccumuloSecurityException e) {
        expectPermissionDenied(e);
    }
    loginAs(root);
    c.securityOperations().grantSystemPermission(u1, SystemPermission.DROP_NAMESPACE);
    loginAs(user1);
    user1Con.namespaceOperations().delete(n2);
    loginAs(root);
    c.securityOperations().revokeSystemPermission(u1, SystemPermission.DROP_NAMESPACE);
    // System-level ALTER_NAMESPACE: same property as the namespace-scoped check above, but granted system-wide
    loginAs(user1);
    try {
        user1Con.namespaceOperations().setProperty(n1, Property.TABLE_FILE_MAX.getKey(), "33");
        fail();
    } catch (AccumuloSecurityException e) {
        expectPermissionDenied(e);
    }
    loginAs(root);
    c.securityOperations().grantSystemPermission(u1, SystemPermission.ALTER_NAMESPACE);
    loginAs(user1);
    user1Con.namespaceOperations().setProperty(n1, Property.TABLE_FILE_MAX.getKey(), "33");
    user1Con.namespaceOperations().removeProperty(n1, Property.TABLE_FILE_MAX.getKey());
    loginAs(root);
    c.securityOperations().revokeSystemPermission(u1, SystemPermission.ALTER_NAMESPACE);
}