
Example 86 with Connector

use of org.apache.accumulo.core.client.Connector in project accumulo by apache.

the class KerberosIT method testDelegationToken.

@Test
public void testDelegationToken() throws Exception {
    final String tableName = getUniqueNames(1)[0];
    // Login as the "root" user
    UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    log.info("Logged in as {}", rootUser.getPrincipal());
    final int numRows = 100, numColumns = 10;
    // As the "root" user, open up the connection and get a delegation token
    final AuthenticationToken delegationToken = root.doAs(new PrivilegedExceptionAction<AuthenticationToken>() {

        @Override
        public AuthenticationToken run() throws Exception {
            Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
            log.info("Created connector as {}", rootUser.getPrincipal());
            assertEquals(rootUser.getPrincipal(), conn.whoami());
            conn.tableOperations().create(tableName);
            BatchWriter bw = conn.createBatchWriter(tableName, new BatchWriterConfig());
            for (int r = 0; r < numRows; r++) {
                Mutation m = new Mutation(Integer.toString(r));
                for (int c = 0; c < numColumns; c++) {
                    String col = Integer.toString(c);
                    m.put(col, col, col);
                }
                bw.addMutation(m);
            }
            bw.close();
            return conn.securityOperations().getDelegationToken(new DelegationTokenConfig());
        }
    });
    // The above login with keytab doesn't have a way to logout, so make a fake user that won't have krb credentials
    UserGroupInformation userWithoutPrivs = UserGroupInformation.createUserForTesting("fake_user", new String[0]);
    int recordsSeen = userWithoutPrivs.doAs(new PrivilegedExceptionAction<Integer>() {

        @Override
        public Integer run() throws Exception {
            Connector conn = mac.getConnector(rootUser.getPrincipal(), delegationToken);
            try (BatchScanner bs = conn.createBatchScanner(tableName, Authorizations.EMPTY, 2)) {
                bs.setRanges(Collections.singleton(new Range()));
                int recordsSeen = Iterables.size(bs);
                return recordsSeen;
            }
        }
    });
    assertEquals(numRows * numColumns, recordsSeen);
}
Also used : Connector(org.apache.accumulo.core.client.Connector) AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken) DelegationTokenConfig(org.apache.accumulo.core.client.admin.DelegationTokenConfig) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) BatchScanner(org.apache.accumulo.core.client.BatchScanner) Range(org.apache.accumulo.core.data.Range) TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException) TableExistsException(org.apache.accumulo.core.client.TableExistsException) AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException) UndeclaredThrowableException(java.lang.reflect.UndeclaredThrowableException) AccumuloException(org.apache.accumulo.core.client.AccumuloException) BatchWriterConfig(org.apache.accumulo.core.client.BatchWriterConfig) BatchWriter(org.apache.accumulo.core.client.BatchWriter) Mutation(org.apache.accumulo.core.data.Mutation) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 87 with Connector

use of org.apache.accumulo.core.client.Connector in project accumulo by apache.

the class KerberosIT method testRestartedMasterReusesSecretKey.

@Test
public void testRestartedMasterReusesSecretKey() throws Exception {
    // Login as the "root" user
    UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    log.info("Logged in as {}", rootUser.getPrincipal());
    // As the "root" user, open up the connection and get a delegation token
    final AuthenticationToken delegationToken1 = root.doAs(new PrivilegedExceptionAction<AuthenticationToken>() {

        @Override
        public AuthenticationToken run() throws Exception {
            Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
            log.info("Created connector as {}", rootUser.getPrincipal());
            assertEquals(rootUser.getPrincipal(), conn.whoami());
            AuthenticationToken token = conn.securityOperations().getDelegationToken(new DelegationTokenConfig());
            assertTrue("Could not get tables with delegation token", mac.getConnector(rootUser.getPrincipal(), token).tableOperations().list().size() > 0);
            return token;
        }
    });
    log.info("Stopping master");
    mac.getClusterControl().stop(ServerType.MASTER);
    Thread.sleep(5000);
    log.info("Restarting master");
    mac.getClusterControl().start(ServerType.MASTER);
    // Make sure our original token is still good
    root.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            Connector conn = mac.getConnector(rootUser.getPrincipal(), delegationToken1);
            assertTrue("Could not get tables with delegation token", conn.tableOperations().list().size() > 0);
            return null;
        }
    });
    // Get a new token, so we can compare the keyId on the second to the first
    final AuthenticationToken delegationToken2 = root.doAs(new PrivilegedExceptionAction<AuthenticationToken>() {

        @Override
        public AuthenticationToken run() throws Exception {
            Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
            log.info("Created connector as {}", rootUser.getPrincipal());
            assertEquals(rootUser.getPrincipal(), conn.whoami());
            AuthenticationToken token = conn.securityOperations().getDelegationToken(new DelegationTokenConfig());
            assertTrue("Could not get tables with delegation token", mac.getConnector(rootUser.getPrincipal(), token).tableOperations().list().size() > 0);
            return token;
        }
    });
    // A restarted master should reuse the same secret key if the secret key hasn't expired (1 day by default)
    DelegationTokenImpl dt1 = (DelegationTokenImpl) delegationToken1;
    DelegationTokenImpl dt2 = (DelegationTokenImpl) delegationToken2;
    assertEquals(dt1.getIdentifier().getKeyId(), dt2.getIdentifier().getKeyId());
}
Also used : Connector(org.apache.accumulo.core.client.Connector) AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken) DelegationTokenConfig(org.apache.accumulo.core.client.admin.DelegationTokenConfig) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) DelegationTokenImpl(org.apache.accumulo.core.client.impl.DelegationTokenImpl) TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException) TableExistsException(org.apache.accumulo.core.client.TableExistsException) AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException) UndeclaredThrowableException(java.lang.reflect.UndeclaredThrowableException) AccumuloException(org.apache.accumulo.core.client.AccumuloException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 88 with Connector

use of org.apache.accumulo.core.client.Connector in project accumulo by apache.

the class KerberosIT method testRootUserHasIrrevocablePermissions.

@Test(expected = AccumuloSecurityException.class)
public void testRootUserHasIrrevocablePermissions() throws Exception {
    // Login as the client (provided to `accumulo init` as the "root" user)
    UserGroupInformation.loginUserFromKeytab(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    final Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
    // The server-side implementation should prevent the revocation of the 'root' user's system permissions
    // because once they're gone, it's possible that they could never be restored.
    conn.securityOperations().revokeSystemPermission(rootUser.getPrincipal(), SystemPermission.GRANT);
}
Also used : Connector(org.apache.accumulo.core.client.Connector) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) Test(org.junit.Test)

Example 89 with Connector

use of org.apache.accumulo.core.client.Connector in project accumulo by apache.

the class KerberosIT method testAdminUser.

@Test
public void testAdminUser() throws Exception {
    // Login as the client (provided to `accumulo init` as the "root" user)
    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    ugi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            final Connector conn = mac.getConnector(rootUser.getPrincipal(), new KerberosToken());
            // The "root" user should have all system permissions
            for (SystemPermission perm : SystemPermission.values()) {
                assertTrue("Expected user to have permission: " + perm, conn.securityOperations().hasSystemPermission(conn.whoami(), perm));
            }
            // and the ability to modify the root and metadata tables
            for (String table : Arrays.asList(RootTable.NAME, MetadataTable.NAME)) {
                assertTrue(conn.securityOperations().hasTablePermission(conn.whoami(), table, TablePermission.ALTER_TABLE));
            }
            return null;
        }
    });
}
Also used : SystemPermission(org.apache.accumulo.core.security.SystemPermission) Connector(org.apache.accumulo.core.client.Connector) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) TableNotFoundException(org.apache.accumulo.core.client.TableNotFoundException) TableExistsException(org.apache.accumulo.core.client.TableExistsException) AccumuloSecurityException(org.apache.accumulo.core.client.AccumuloSecurityException) UndeclaredThrowableException(java.lang.reflect.UndeclaredThrowableException) AccumuloException(org.apache.accumulo.core.client.AccumuloException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 90 with Connector

use of org.apache.accumulo.core.client.Connector in project accumulo by apache.

the class LargeRowIT method resetMajcDelay.

@After
public void resetMajcDelay() throws Exception {
    if (null != tservMajcDelay) {
        Connector conn = getConnector();
        conn.instanceOperations().setProperty(Property.TSERV_MAJC_DELAY.getKey(), tservMajcDelay);
    }
}
Also used : Connector(org.apache.accumulo.core.client.Connector) After(org.junit.After)
