
Example 31 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

Class KerberosProxyIT, method proxiedUserAccessWithoutAccumuloProxy.

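@Test
public void proxiedUserAccessWithoutAccumuloProxy() throws Exception {
    // Exercises Hadoop proxy-user (impersonation) rules directly against Accumulo, without the
    // Accumulo Proxy server in between. The "real" Kerberos principal (proxyPrincipal)
    // impersonates three users that own no credentials of their own; each case pins one
    // authorization boundary:
    //   proxyUser1 - may be impersonated and holds READ on the table   -> scan succeeds (empty)
    //   proxyUser2 - may be impersonated but holds no table permission -> AccumuloSecurityException
    //   proxyUser3 - holds READ but may not be impersonated            -> cannot even connect
    // The proxy principal itself is granted nothing on the table, so scanning as it must fail too.
    final String tableName = getUniqueNames(1)[0];
    ClusterUser rootUser = kdc.getRootUser();
    // One UGI per identity so every doAs() block presents exactly one set of credentials.
    final UserGroupInformation rootUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    final UserGroupInformation realUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(proxyPrincipal, proxyKeytab.getAbsolutePath());
    final String userWithoutCredentials1 = kdc.qualifyUser(PROXIED_USER1);
    final String userWithoutCredentials2 = kdc.qualifyUser(PROXIED_USER2);
    final String userWithoutCredentials3 = kdc.qualifyUser(PROXIED_USER3);
    // The proxied UGIs carry no keytab/ticket; whether the impersonation is accepted is decided by
    // the server-side proxy-user configuration (set up outside this method).
    final UserGroupInformation proxyUser1 = UserGroupInformation.createProxyUser(userWithoutCredentials1, realUgi);
    final UserGroupInformation proxyUser2 = UserGroupInformation.createProxyUser(userWithoutCredentials2, realUgi);
    final UserGroupInformation proxyUser3 = UserGroupInformation.createProxyUser(userWithoutCredentials3, realUgi);
    // Create a table and user, grant permission to our user to read that table.
    // Note: user2 is deliberately NOT created/granted, user3 is created and granted READ.
    rootUgi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
            Connector conn = inst.getConnector(rootUgi.getUserName(), new KerberosToken());
            conn.tableOperations().create(tableName);
            // The PasswordToken is irrelevant under Kerberos; the account only needs to exist so
            // that permissions can be attached to it.
            conn.securityOperations().createLocalUser(userWithoutCredentials1, new PasswordToken("ignored"));
            conn.securityOperations().grantTablePermission(userWithoutCredentials1, tableName, TablePermission.READ);
            conn.securityOperations().createLocalUser(userWithoutCredentials3, new PasswordToken("ignored"));
            conn.securityOperations().grantTablePermission(userWithoutCredentials3, tableName, TablePermission.READ);
            return null;
        }
    });
    // The proxy principal itself has no permission on the table: being allowed to impersonate
    // others must not grant the impersonator any access of its own.
    realUgi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
            Connector conn = inst.getConnector(proxyPrincipal, new KerberosToken());
            try (Scanner s = conn.createScanner(tableName, Authorizations.EMPTY)) {
                // Scanners are lazy; the permission check only fires once data is requested.
                s.iterator().hasNext();
                Assert.fail("Expected to see an exception");
            } catch (RuntimeException e) {
                // The security failure surfaces wrapped in a RuntimeException from the iterator;
                // look for it anywhere in the causal chain rather than matching the top-level type.
                int numSecurityExceptionsSeen = Iterables.size(Iterables.filter(Throwables.getCausalChain(e), org.apache.accumulo.core.client.AccumuloSecurityException.class));
                assertTrue("Expected to see at least one AccumuloSecurityException, but saw: " + Throwables.getStackTraceAsString(e), numSecurityExceptionsSeen > 0);
            }
            return null;
        }
    });
    // Allowed to be proxied and has read permission
    proxyUser1.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
            Connector conn = inst.getConnector(userWithoutCredentials1, new KerberosToken(userWithoutCredentials1));
            // try-with-resources, consistent with the other scan blocks in this test.
            try (Scanner s = conn.createScanner(tableName, Authorizations.EMPTY)) {
                // The table is empty; reaching the end without an exception is the success signal.
                assertFalse(s.iterator().hasNext());
            }
            return null;
        }
    });
    // Allowed to be proxied but does not have read permission
    proxyUser2.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
            // The token principal must match the connector principal (previously this named
            // user3). A mismatch could itself provoke an AccumuloSecurityException and satisfy the
            // assertion below for the wrong reason, hiding a regression in the permission check
            // this case is meant to exercise.
            Connector conn = inst.getConnector(userWithoutCredentials2, new KerberosToken(userWithoutCredentials2));
            try (Scanner s = conn.createScanner(tableName, Authorizations.EMPTY)) {
                s.iterator().hasNext();
                Assert.fail("Expected to see an exception");
            } catch (RuntimeException e) {
                int numSecurityExceptionsSeen = Iterables.size(Iterables.filter(Throwables.getCausalChain(e), org.apache.accumulo.core.client.AccumuloSecurityException.class));
                assertTrue("Expected to see at least one AccumuloSecurityException, but saw: " + Throwables.getStackTraceAsString(e), numSecurityExceptionsSeen > 0);
            }
            return null;
        }
    });
    // Has read permission but is not allowed to be proxied
    proxyUser3.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
            try {
                // Unlike the missing-permission case, the impersonation rule is enforced at
                // connection time: getConnector() itself must be refused.
                inst.getConnector(userWithoutCredentials3, new KerberosToken(userWithoutCredentials3));
                Assert.fail("Should not be able to create a Connector as this user cannot be proxied");
            } catch (org.apache.accumulo.core.client.AccumuloSecurityException e) {
            // Expected, this user cannot be proxied
            }
            return null;
        }
    });
}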

Example 32 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

Class RestartIT, method restartMaster.

@Test
public void restartMaster() throws Exception {
    // Restarts the master while an out-of-process ingester (TestIngest) is writing, then verifies
    // that every row it wrote can be read back: a master restart must not lose or corrupt client
    // writes that were in flight.
    Connector c = getConnector();
    final String tableName = getUniqueNames(1)[0];
    OPTS.setTableName(tableName);
    VOPTS.setTableName(tableName);
    c.tableOperations().create(tableName);
    final AuthenticationToken token = getAdminToken();
    final ClusterControl control = getCluster().getClusterControl();
    // TestIngest runs as a separate process, so the admin credentials have to be handed over on
    // its command line. Only password and Kerberos (keytab) tokens are supported here.
    final String[] ingestArgs;
    if (token instanceof PasswordToken) {
        // NOTE(security): the clear-text password lands in the child's argv and is visible to
        // other local users via the process table; acceptable only because this is a test cluster.
        final String password = new String(((PasswordToken) token).getPassword(), UTF_8);
        ingestArgs = new String[] { "-u", getAdminPrincipal(), "-p", password, "-i", cluster.getInstanceName(), "-z", cluster.getZooKeepers(), "--rows", "" + OPTS.rows, "--table", tableName };
        OPTS.setPrincipal(getAdminPrincipal());
        VOPTS.setPrincipal(getAdminPrincipal());
    } else if (token instanceof KerberosToken) {
        // Only the keytab's path goes on the command line; the key material stays in the file and
        // the child performs its own Kerberos login from it.
        final ClusterUser admin = getAdminUser();
        ingestArgs = new String[] { "-u", getAdminPrincipal(), "--keytab", admin.getKeytab().getAbsolutePath(), "-i", cluster.getInstanceName(), "-z", cluster.getZooKeepers(), "--rows", "" + OPTS.rows, "--table", tableName };
        final ClientConfiguration clientConfig = cluster.getClientConfig();
        OPTS.updateKerberosCredentials(clientConfig);
        VOPTS.updateKerberosCredentials(clientConfig);
    } else {
        throw new RuntimeException("Unknown token");
    }
    // Run the ingester asynchronously; its exit code is collected only after the restart.
    final Future<Integer> ingestExitCode = svc.submit(new Callable<Integer>() {

        @Override
        public Integer call() {
            try {
                return control.exec(TestIngest.class, ingestArgs);
            } catch (IOException e) {
                // Surface the failure through the exit code so the assertion below reports it.
                log.error("Error running TestIngest", e);
                return -1;
            }
        }
    });
    control.stopAllServers(ServerType.MASTER);
    control.startAllServers(ServerType.MASTER);
    assertEquals(0, ingestExitCode.get().intValue());
    VerifyIngest.verifyIngest(c, VOPTS, SOPTS);
}

Example 33 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

Class RestartStressIT, method test.

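@Test
public void test() throws Exception {
    // Stress variant of the restart test: while an out-of-process ingester (TestIngest) writes
    // into a table with a small split threshold (so tablets keep splitting), every tablet server
    // is bounced twice; afterwards all ingested rows must still be readable.
    final Connector c = getConnector();
    final String tableName = getUniqueNames(1)[0];
    final AuthenticationToken token = getAdminToken();
    c.tableOperations().create(tableName);
    c.tableOperations().setProperty(tableName, Property.TABLE_SPLIT_THRESHOLD.getKey(), "500K");
    final ClusterControl control = getCluster().getClusterControl();
    // The ingester is a separate process, so the admin credentials must be passed on its command
    // line. The verifier options (VOPTS) are configured in the same branch so the token type is
    // dispatched once (the original repeated this if/else after the ingest, with an unreachable
    // final "else"); VOPTS is not read by the child process, so setting it early is safe.
    VOPTS.setTableName(tableName);
    final String[] args;
    if (token instanceof PasswordToken) {
        // NOTE(security): the clear-text password is visible in the child's argv to other local
        // users; tolerable only on a throw-away test cluster.
        byte[] password = ((PasswordToken) token).getPassword();
        args = new String[] { "-u", getAdminPrincipal(), "-p", new String(password, UTF_8), "-i", cluster.getInstanceName(), "-z", cluster.getZooKeepers(), "--rows", "" + VOPTS.rows, "--table", tableName };
        VOPTS.setPrincipal(getAdminPrincipal());
    } else if (token instanceof KerberosToken) {
        // Only the keytab path is passed; the child logs in from the file itself.
        ClusterUser rootUser = getAdminUser();
        args = new String[] { "-u", getAdminPrincipal(), "--keytab", rootUser.getKeytab().getAbsolutePath(), "-i", cluster.getInstanceName(), "-z", cluster.getZooKeepers(), "--rows", "" + VOPTS.rows, "--table", tableName };
        VOPTS.updateKerberosCredentials(cluster.getClientConfig());
    } else {
        throw new RuntimeException("Unrecognized token");
    }
    Future<Integer> retCode = svc.submit(new Callable<Integer>() {

        @Override
        public Integer call() {
            try {
                return control.exec(TestIngest.class, args);
            } catch (Exception e) {
                // Report through the exit code so the assertion below fails with context in the log.
                log.error("Error running TestIngest", e);
                return -1;
            }
        }
    });
    // Let the ingester make progress, then bounce all tablet servers; repeated twice so that the
    // client has to survive more than one reconnect.
    for (int i = 0; i < 2; i++) {
        sleepUninterruptibly(10, TimeUnit.SECONDS);
        control.stopAllServers(ServerType.TABLET_SERVER);
        control.startAllServers(ServerType.TABLET_SERVER);
    }
    assertEquals(0, retCode.get().intValue());
    VerifyIngest.verifyIngest(c, VOPTS, SOPTS);
}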

Example 34 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

Class ScanIteratorIT, method setup.

@Before
public void setup() throws Exception {
    // Creates a fresh table and a dedicated test user that can read and write it and carries the
    // authorizations AuthsIterator expects. Runs before every test in this class.
    connector = getConnector();
    tableName = getUniqueNames(1)[0];
    connector.tableOperations().create(tableName);
    final ClientConfiguration clientConfig = cluster.getClientConfig();
    final ClusterUser clusterUser = getUser(0);
    user = clusterUser.getPrincipal();
    // With SASL enabled the Accumulo-side account is created without a password token
    // (authentication is expected to happen at the SASL layer); otherwise the password the
    // cluster provisioned for this user is used.
    saslEnabled = clientConfig.hasSasl();
    final PasswordToken userToken = saslEnabled ? null : new PasswordToken(clusterUser.getPassword());
    // Start from a clean slate: a leftover account from an earlier run would carry stale
    // permissions/authorizations into this test, so drop it before recreating.
    if (connector.securityOperations().listLocalUsers().contains(user)) {
        log.info("Dropping {}", user);
        connector.securityOperations().dropLocalUser(user);
    }
    connector.securityOperations().createLocalUser(user, userToken);
    connector.securityOperations().grantTablePermission(user, tableName, TablePermission.READ);
    connector.securityOperations().grantTablePermission(user, tableName, TablePermission.WRITE);
    connector.securityOperations().changeUserAuthorizations(user, AuthsIterator.AUTHS);
}

Example 35 with ClusterUser

use of org.apache.accumulo.cluster.ClusterUser in project accumulo by apache.

Class ScanIteratorIT, method runTest.

private void runTest(Authorizations auths, boolean shouldFail) throws Exception {
    // Writes a test row as the non-admin test user, then scans it back with AuthsIterator
    // attached through both a Scanner and a BatchScanner. The per-scanner overload of runTest
    // checks whether the given authorizations are accepted or rejected (shouldFail).
    final ClusterUser clusterUser = getUser(0);
    // Connect as the test user, not the admin, so the server applies that user's authorizations.
    final Connector userConn = getCluster().getConnector(clusterUser.getPrincipal(), clusterUser.getToken());
    writeTestMutation(userConn);
    final IteratorSetting authsIter = new IteratorSetting(10, AuthsIterator.class);
    // Both scanners are closed together at the end of the block.
    try (Scanner scanner = userConn.createScanner(tableName, auths);
        BatchScanner batchScanner = userConn.createBatchScanner(tableName, auths, 1)) {
        scanner.addScanIterator(authsIter);
        runTest(scanner, auths, shouldFail);
        // A BatchScanner needs explicit ranges before it can be iterated.
        batchScanner.setRanges(Collections.singleton(new Range("1")));
        batchScanner.addScanIterator(authsIter);
        runTest(batchScanner, auths, shouldFail);
    }
}
