Examples with ClusterUser org.apache.accumulo.cluster.ClusterUser used on opensource projects

Example 26 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class AccumuloClusterHarness method setupCluster.

@Before
public void setupCluster() throws Exception {
    // Before we try to instantiate the cluster, check to see if the test even wants to run against this type of cluster
    Assume.assumeTrue(canRunTest(type));
    switch(type) {
        case MINI:
            MiniClusterHarness miniClusterHarness = new MiniClusterHarness();
            // Intrinsically performs the callback to let tests alter MiniAccumuloConfig and core-site.xml
            MiniAccumuloClusterImpl impl = miniClusterHarness.create(this, getAdminToken(), krb);
            cluster = impl;
            // MAC makes a ClientConf for us, just set it
            ((AccumuloMiniClusterConfiguration) clusterConf).setClientConf(impl.getClientConfig());
            // Login as the "root" user
            if (null != krb) {
                ClusterUser rootUser = krb.getRootUser();
                // Log in the 'client' user
                UserGroupInformation.loginUserFromKeytab(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
            }
            break;
        case STANDALONE:
            StandaloneAccumuloClusterConfiguration conf = (StandaloneAccumuloClusterConfiguration) clusterConf;
            ClientConfiguration clientConf = conf.getClientConf();
            StandaloneAccumuloCluster standaloneCluster = new StandaloneAccumuloCluster(conf.getInstance(), clientConf, conf.getTmpDirectory(), conf.getUsers());
            // If these are provided in the configuration, pass them into the cluster
            standaloneCluster.setAccumuloHome(conf.getAccumuloHome());
            standaloneCluster.setClientAccumuloConfDir(conf.getClientAccumuloConfDir());
            standaloneCluster.setServerAccumuloConfDir(conf.getServerAccumuloConfDir());
            standaloneCluster.setHadoopConfDir(conf.getHadoopConfDir());
            standaloneCluster.setServerCmdPrefix(conf.getServerCmdPrefix());
            standaloneCluster.setClientCmdPrefix(conf.getClientCmdPrefix());
            // For SASL, we need to get the Hadoop configuration files as well otherwise UGI will log in as SIMPLE instead of KERBEROS
            Configuration hadoopConfiguration = standaloneCluster.getHadoopConfiguration();
            if (clientConf.hasSasl()) {
                UserGroupInformation.setConfiguration(hadoopConfiguration);
                // Login as the admin user to start the tests
                UserGroupInformation.loginUserFromKeytab(conf.getAdminPrincipal(), conf.getAdminKeytab().getAbsolutePath());
            }
            // Set the implementation
            cluster = standaloneCluster;
            break;
        default:
            throw new RuntimeException("Unhandled type");
    }
    if (type.isDynamic()) {
        cluster.start();
    } else {
        log.info("Removing tables which appear to be from a previous test run");
        cleanupTables();
        log.info("Removing users which appear to be from a previous test run");
        cleanupUsers();
    }
    switch(type) {
        case MINI:
            if (null != krb) {
                final String traceTable = Property.TRACE_TABLE.getDefaultValue();
                final ClusterUser systemUser = krb.getAccumuloServerUser(), rootUser = krb.getRootUser();
                // Login as the trace user
                UserGroupInformation.loginUserFromKeytab(systemUser.getPrincipal(), systemUser.getKeytab().getAbsolutePath());
                // Open a connector as the system user (ensures the user will exist for us to assign permissions to)
                UserGroupInformation.loginUserFromKeytab(systemUser.getPrincipal(), systemUser.getKeytab().getAbsolutePath());
                Connector conn = cluster.getConnector(systemUser.getPrincipal(), new KerberosToken());
                // Then, log back in as the "root" user and do the grant
                UserGroupInformation.loginUserFromKeytab(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
                conn = getConnector();
                // Create the trace table
                conn.tableOperations().create(traceTable);
                // Trace user (which is the same kerberos principal as the system user, but using a normal KerberosToken) needs
                // to have the ability to read, write and alter the trace table
                conn.securityOperations().grantTablePermission(systemUser.getPrincipal(), traceTable, TablePermission.READ);
                conn.securityOperations().grantTablePermission(systemUser.getPrincipal(), traceTable, TablePermission.WRITE);
                conn.securityOperations().grantTablePermission(systemUser.getPrincipal(), traceTable, TablePermission.ALTER_TABLE);
            }
            break;
        default:
    }
}

Example 27 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class SharedMiniClusterBase method startMiniClusterWithConfig.

/**
 * Starts a MiniAccumuloCluster instance with the default configuration but also provides the caller the opportunity to update the configuration before the
 * MiniAccumuloCluster is started.
 *
 * @param miniClusterCallback
 *          A callback to configure the minicluster before it is started.
 */
public static void startMiniClusterWithConfig(MiniClusterConfigurationCallback miniClusterCallback) throws Exception {
    File baseDir = new File(System.getProperty("user.dir") + "/target/mini-tests");
    assertTrue(baseDir.mkdirs() || baseDir.isDirectory());
    // Make a shared MAC instance instead of spinning up one per test method
    MiniClusterHarness harness = new MiniClusterHarness();
    if (TRUE.equals(System.getProperty(MiniClusterHarness.USE_KERBEROS_FOR_IT_OPTION))) {
        krb = new TestingKdc();
        krb.start();
        // Enabled krb auth
        Configuration conf = new Configuration(false);
        conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
        UserGroupInformation.setConfiguration(conf);
        // Login as the client
        ClusterUser rootUser = krb.getRootUser();
        // Get the krb token
        UserGroupInformation.loginUserFromKeytab(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
        token = new KerberosToken();
    } else {
        rootPassword = "rootPasswordShared1";
        token = new PasswordToken(rootPassword);
    }
    cluster = harness.create(SharedMiniClusterBase.class.getName(), System.currentTimeMillis() + "_" + new Random().nextInt(Short.MAX_VALUE), token, miniClusterCallback, krb);
    cluster.start();
    if (null != krb) {
        final String traceTable = Property.TRACE_TABLE.getDefaultValue();
        final ClusterUser systemUser = krb.getAccumuloServerUser(), rootUser = krb.getRootUser();
        // Login as the trace user
        // Open a connector as the system user (ensures the user will exist for us to assign permissions to)
        UserGroupInformation.loginUserFromKeytab(systemUser.getPrincipal(), systemUser.getKeytab().getAbsolutePath());
        Connector conn = cluster.getConnector(systemUser.getPrincipal(), new KerberosToken());
        // Then, log back in as the "root" user and do the grant
        UserGroupInformation.loginUserFromKeytab(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
        conn = cluster.getConnector(principal, token);
        // Create the trace table
        conn.tableOperations().create(traceTable);
        // Trace user (which is the same kerberos principal as the system user, but using a normal KerberosToken) needs
        // to have the ability to read, write and alter the trace table
        conn.securityOperations().grantTablePermission(systemUser.getPrincipal(), traceTable, TablePermission.READ);
        conn.securityOperations().grantTablePermission(systemUser.getPrincipal(), traceTable, TablePermission.WRITE);
        conn.securityOperations().grantTablePermission(systemUser.getPrincipal(), traceTable, TablePermission.ALTER_TABLE);
    }
}

Example 28 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class PermissionsIT method tablePermissionTest.

@Test
public void tablePermissionTest() throws Exception {
    // create the test user
    ClusterUser testUser = getUser(0), rootUser = getAdminUser();
    String principal = testUser.getPrincipal();
    AuthenticationToken token = testUser.getToken();
    PasswordToken passwordToken = null;
    if (token instanceof PasswordToken) {
        passwordToken = (PasswordToken) token;
    }
    loginAs(rootUser);
    Connector c = getConnector();
    c.securityOperations().createLocalUser(principal, passwordToken);
    loginAs(testUser);
    Connector test_user_conn = c.getInstance().getConnector(principal, token);
    // check for read-only access to metadata table
    loginAs(rootUser);
    verifyHasOnlyTheseTablePermissions(c, c.whoami(), MetadataTable.NAME, TablePermission.READ, TablePermission.ALTER_TABLE);
    verifyHasOnlyTheseTablePermissions(c, principal, MetadataTable.NAME, TablePermission.READ);
    String tableName = getUniqueNames(1)[0] + "__TABLE_PERMISSION_TEST__";
    // test each permission
    for (TablePermission perm : TablePermission.values()) {
        log.debug("Verifying the {} permission", perm);
        // test permission before and after granting it
        createTestTable(c, principal, tableName);
        loginAs(testUser);
        testMissingTablePermission(test_user_conn, testUser, perm, tableName);
        loginAs(rootUser);
        c.securityOperations().grantTablePermission(principal, tableName, perm);
        verifyHasOnlyTheseTablePermissions(c, principal, tableName, perm);
        loginAs(testUser);
        testGrantedTablePermission(test_user_conn, testUser, perm, tableName);
        loginAs(rootUser);
        createTestTable(c, principal, tableName);
        c.securityOperations().revokeTablePermission(principal, tableName, perm);
        verifyHasNoTablePermissions(c, principal, tableName, perm);
    }
}

Example 29 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class PermissionsIT method limitToMini.

@Before
public void limitToMini() throws Exception {
    Assume.assumeTrue(ClusterType.MINI == getClusterType());
    Connector c = getConnector();
    Set<String> users = c.securityOperations().listLocalUsers();
    ClusterUser user = getUser(0);
    if (users.contains(user.getPrincipal())) {
        c.securityOperations().dropLocalUser(user.getPrincipal());
    }
}

Example 30 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

the class PermissionsIT method systemPermissionsTest.

@Test
public void systemPermissionsTest() throws Exception {
    ClusterUser testUser = getUser(0), rootUser = getAdminUser();
    // verify that the test is being run by root
    Connector c = getConnector();
    verifyHasOnlyTheseSystemPermissions(c, c.whoami(), SystemPermission.values());
    // create the test user
    String principal = testUser.getPrincipal();
    AuthenticationToken token = testUser.getToken();
    PasswordToken passwordToken = null;
    if (token instanceof PasswordToken) {
        passwordToken = (PasswordToken) token;
    }
    loginAs(rootUser);
    c.securityOperations().createLocalUser(principal, passwordToken);
    loginAs(testUser);
    Connector test_user_conn = c.getInstance().getConnector(principal, token);
    loginAs(rootUser);
    verifyHasNoSystemPermissions(c, principal, SystemPermission.values());
    // test each permission
    for (SystemPermission perm : SystemPermission.values()) {
        log.debug("Verifying the {} permission", perm);
        // test permission before and after granting it
        String tableNamePrefix = getUniqueNames(1)[0];
        testMissingSystemPermission(tableNamePrefix, c, rootUser, test_user_conn, testUser, perm);
        loginAs(rootUser);
        c.securityOperations().grantSystemPermission(principal, perm);
        verifyHasOnlyTheseSystemPermissions(c, principal, perm);
        testGrantedSystemPermission(tableNamePrefix, c, rootUser, test_user_conn, testUser, perm);
        loginAs(rootUser);
        c.securityOperations().revokeSystemPermission(principal, perm);
        verifyHasNoSystemPermissions(c, principal, perm);
    }
}