use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo by apache.
the class KerberosIT method testDelegationTokenAsDifferentUser.
/**
 * Checks that a delegation token is only accepted for the principal it was issued to.
 *
 * <p>The "root" principal logs in from its keytab and obtains a delegation token. A second,
 * credential-less test user then presents that token while claiming to be a different principal;
 * the connection attempt must fail with an {@code AccumuloSecurityException}.
 *
 * @throws Exception if the keytab login or the token request fails
 */
@Test
public void testDelegationTokenAsDifferentUser() throws Exception {
  // Keytab login for the "root" principal; the returned UGI is what carries its Kerberos identity.
  final String rootPrincipal = rootUser.getPrincipal();
  final String rootKeytabPath = rootUser.getKeytab().getAbsolutePath();
  UserGroupInformation rootUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootPrincipal, rootKeytabPath);
  log.info("Logged in as {}", rootPrincipal);

  // Everything inside doAs runs with root's identity: connect with a KerberosToken, confirm the
  // server agrees on who we are, then ask for a delegation token with default settings.
  final AuthenticationToken delegationToken = rootUgi.doAs(new PrivilegedExceptionAction<AuthenticationToken>() {
    @Override
    public AuthenticationToken run() throws Exception {
      Connector rootConn = mac.getConnector(rootPrincipal, new KerberosToken());
      log.info("Created connector as {}", rootPrincipal);
      assertEquals(rootPrincipal, rootConn.whoami());
      DelegationTokenConfig defaultConfig = new DelegationTokenConfig();
      return rootConn.securityOperations().getDelegationToken(defaultConfig);
    }
  });

  // A synthetic user with no groups and no Kerberos credentials of its own.
  final String[] noGroups = new String[0];
  UserGroupInformation impostor = UserGroupInformation.createUserForTesting("fake_user", noGroups);

  try {
    // Present root's delegation token under a principal name it was not issued for.
    impostor.doAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws Exception {
        mac.getConnector("some_other_user", delegationToken);
        return null;
      }
    });
    // Reaching this line means the mismatched principal was accepted, which is the failure case.
    fail("Using a delegation token as a different user should throw an exception");
  } catch (UndeclaredThrowableException wrapped) {
    // The rejection is expected to arrive wrapped by doAs; the wrapped cause is what matters.
    Throwable rootCause = wrapped.getCause();
    assertNotNull(rootCause);
    boolean rejectedForSecurity = rootCause instanceof AccumuloSecurityException;
    assertTrue("Expected cause to be AccumuloSecurityException, but was " + rootCause.getClass(), rejectedForSecurity);
  }
}
use of org.apache.accumulo.core.client.admin.DelegationTokenConfig in project accumulo-examples by apache.
the class MapReduceClientOpts method getToken.
/**
 * Returns the authentication token to use, swapping a {@code KerberosToken} for a delegation
 * token obtained from Accumulo.
 *
 * <p>Any token from the superclass that is not a {@code KerberosToken} is returned unchanged.
 * For a {@code KerberosToken}, the current user must hold Kerberos credentials and the connected
 * principal must have {@code SystemPermission.OBTAIN_DELEGATION_TOKEN}.
 *
 * @return the superclass token, or a delegation token when the superclass token is Kerberos
 * @throws RuntimeException if the delegation token cannot be obtained; failures of the two
 *         precondition checks are also reported this way, with the {@code IllegalStateException}
 *         as the cause
 */
@Override
public AuthenticationToken getToken() {
  final AuthenticationToken parentToken = super.getToken();
  if (!(parentToken instanceof KerberosToken)) {
    return parentToken;
  }

  // A Kerberos token is not handed on as-is; a delegation token is requested and returned instead.
  log.info("Received KerberosToken, fetching DelegationToken for MapReduce");
  try {
    final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    if (!currentUser.hasKerberosCredentials()) {
      throw new IllegalStateException("Expected current user to have Kerberos credentials");
    }

    final String kerberosUser = currentUser.getUserName();
    log.info("Obtaining delegation token for {}", kerberosUser);

    final Connector conn = getConnector();
    final String connectedPrincipal = conn.whoami();

    // Check the permission up front so a missing grant produces a specific log entry.
    // The log line names the UGI user, while the check and the exception use conn.whoami().
    final boolean mayObtainToken = conn.securityOperations().hasSystemPermission(connectedPrincipal, SystemPermission.OBTAIN_DELEGATION_TOKEN);
    if (!mayObtainToken) {
      log.error("{} doesn't have the {} SystemPermission neccesary to obtain a delegation token. MapReduce tasks cannot automatically use the client's"
          + " credentials on remote servers. Delegation tokens provide a means to run MapReduce without distributing the user's credentials.",
          kerberosUser, SystemPermission.OBTAIN_DELEGATION_TOKEN.name());
      throw new IllegalStateException(connectedPrincipal + " does not have permission to obtain a delegation token");
    }

    // Default DelegationTokenConfig: no lifetime is requested here.
    // NOTE(review): confirm the lifetime the server applies is appropriate for the job's duration.
    final DelegationTokenConfig defaultConfig = new DelegationTokenConfig();
    return conn.securityOperations().getDelegationToken(defaultConfig);
  } catch (Exception e) {
    // Also catches the IllegalStateExceptions raised above; they surface as the cause.
    final String msg = "Failed to acquire DelegationToken for use with MapReduce";
    log.error(msg, e);
    throw new RuntimeException(msg, e);
  }
}