use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class ThriftTransportKeyTest method testSaslPrincipalIsSignificant.
/**
 * Checks that two transport keys built for the same server address but under different
 * UserGroupInformation users are not interchangeable.
 *
 * <p>Security relevance: the comment in the sibling caching test suggests ThriftTransportKey is
 * what decides whether an existing Thrift connection is reused. If the SASL principal did not take
 * part in equals()/hashCode(), a connection authenticated as one user could be handed to another.
 */
@Test
public void testSaslPrincipalIsSignificant() throws IOException, InterruptedException {
  // The token is only a placeholder; the identity under test comes from the UGI that runs doAs().
  final KerberosToken token = EasyMock.createMock(KerberosToken.class);
  final PrivilegedExceptionAction<SaslConnectionParams> buildParams = () -> createSaslParams(token);

  UserGroupInformation firstUser = UserGroupInformation.createUserForTesting("user1", new String[0]);
  SaslConnectionParams firstParams = firstUser.doAs(buildParams);

  UserGroupInformation secondUser = UserGroupInformation.createUserForTesting("user2", new String[0]);
  SaslConnectionParams secondParams = secondUser.doAs(buildParams);

  // Same host, port and timeout: the SASL parameters are the only thing that differs.
  ThriftTransportKey firstKey = new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, firstParams);
  ThriftTransportKey secondKey = new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, secondParams);

  assertNotEquals(firstKey, secondKey);
  // Stricter than the hashCode() contract requires (unequal objects may collide), but it confirms
  // that the principal feeds into the hash for these two users.
  assertNotEquals(firstKey.hashCode(), secondKey.hashCode());
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class ThriftTransportKeyTest method testConnectionCaching.
/**
 * Checks that two independently created SaslConnectionParams for the same user produce transport
 * keys that are equal and hash alike, so a cached Thrift connection for that user can be found
 * again instead of being discarded.
 */
@Test
public void testConnectionCaching() throws IOException, InterruptedException {
  final KerberosToken token = EasyMock.createMock(KerberosToken.class);
  final PrivilegedExceptionAction<SaslConnectionParams> buildParams = () -> createSaslParams(token);
  UserGroupInformation user = UserGroupInformation.createUserForTesting("user1", new String[0]);

  // First instance of the SASL connection parameters
  SaslConnectionParams firstParams = user.doAs(buildParams);
  // Second, separately constructed instance that should describe the same identity
  SaslConnectionParams secondParams = user.doAs(buildParams);

  ThriftTransportKey firstKey = new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, firstParams);
  ThriftTransportKey secondKey = new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, secondParams);

  // Both equals() and hashCode() must agree, otherwise Thrift connections would be thrown away
  // rather than reused for the same user.
  assertEquals(firstKey, secondKey);
  assertEquals(firstKey.hashCode(), secondKey.hashCode());
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class MiniClusterHarness method create.
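/**
 * Builds a MiniAccumuloClusterImpl for a single test method. The cluster is constructed here but
 * this method does not start it.
 *
 * @param testClassName name of the test class, used to name the test directory
 * @param testMethodName name of the test method, used to name the test directory
 * @param token a PasswordToken or KerberosToken; must not be null
 * @param configCallback hook that lets the test adjust the configuration before the cluster is
 *        constructed
 * @param kdc passed through to configureForEnvironment
 * @return the configured cluster
 * @throws NullPointerException if {@code token} is null
 * @throws IllegalArgumentException if {@code token} is neither a PasswordToken nor a KerberosToken
 * @throws RuntimeException if a core-site.xml already exists in the cluster's conf directory
 * @throws Exception if configuring the cluster or writing core-site.xml fails
 */
public MiniAccumuloClusterImpl create(String testClassName, String testMethodName, AuthenticationToken token, MiniClusterConfigurationCallback configCallback, TestingKdc kdc) throws Exception {
  requireNonNull(token);
  checkArgument(token instanceof PasswordToken || token instanceof KerberosToken, "A PasswordToken or KerberosToken is required");

  String rootPasswd;
  if (token instanceof PasswordToken) {
    // MiniAccumuloConfigImpl takes the root password as a String, so the token's bytes are copied
    // into an immutable String here.
    rootPasswd = new String(((PasswordToken) token).getPassword(), UTF_8);
  } else {
    // Kerberos: no password is supplied by the caller, so a random throwaway value fills the
    // root-password slot.
    rootPasswd = UUID.randomUUID().toString();
  }

  File baseDir = AccumuloClusterHarness.createTestDir(testClassName + "_" + testMethodName);
  MiniAccumuloConfigImpl cfg = new MiniAccumuloConfigImpl(baseDir, rootPasswd);

  // Enable native maps by default
  cfg.setNativeLibPaths(NativeMapIT.nativeMapLocation().getAbsolutePath());
  cfg.setProperty(Property.TSERV_NATIVEMAP_ENABLED, Boolean.TRUE.toString());

  Configuration coreSite = new Configuration(false);
  // Setup SSL and credential providers if the properties request such
  configureForEnvironment(cfg, AccumuloClusterHarness.getSslDir(baseDir), coreSite, kdc);
  // Invoke the callback for tests to configure MAC before it starts
  configCallback.configureMiniCluster(cfg, coreSite);

  MiniAccumuloClusterImpl miniCluster = new MiniAccumuloClusterImpl(cfg);

  // Persist any core-site settings into the cluster's conf directory (presumably so they are
  // picked up from the classpath).
  if (coreSite.size() > 0) {
    File csFile = new File(miniCluster.getConfig().getConfDir(), "core-site.xml");
    // Refuse to overwrite a file somebody else put there.
    // NOTE(review): exists() followed by open is a check-then-act sequence; acceptable only
    // because the conf directory is private to this test run - confirm.
    if (csFile.exists()) {
      throw new RuntimeException(csFile + " already exist");
    }
    // try-with-resources closes (and flushes) the stream even when writeXml() throws.
    // NOTE(review): coreSite may carry security-related settings from configureForEnvironment;
    // the file is created with the process's default permissions.
    try (OutputStream out = new BufferedOutputStream(new FileOutputStream(csFile))) {
      coreSite.writeXml(out);
    }
  }
  return miniCluster;
}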
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class AccumuloMiniClusterConfiguration method getAdminToken.
/**
 * Returns the token used to authenticate as the cluster's administrative user.
 *
 * <p>Without SASL this is a PasswordToken built from the configured password, or from the built-in
 * default when none is configured. With SASL the root user from the test KDC is logged in from its
 * keytab and an empty KerberosToken is returned.
 *
 * @throws RuntimeException wrapping the IOException if the keytab login fails
 */
@Override
public AuthenticationToken getAdminToken() {
  if (!saslEnabled) {
    // NOTE(review): falling back to a built-in default password is only reasonable for a
    // throwaway mini cluster - confirm this configuration is never used elsewhere.
    String configured = conf.get(ACCUMULO_MINI_PASSWORD_KEY);
    String password = configured != null ? configured : ACCUMULO_MINI_PASSWORD_DEFAULT;
    return new PasswordToken(password);
  }

  // Turn on Kerberos authentication so UGI acts properly.
  // setConfiguration() and loginUserFromKeytab() are static calls on UserGroupInformation, so the
  // login they establish is not scoped to this object.
  final Configuration hadoopConf = new Configuration(false);
  hadoopConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
  UserGroupInformation.setConfiguration(hadoopConf);

  ClusterUser admin = AccumuloClusterHarness.getKdc().getRootUser();
  try {
    UserGroupInformation.loginUserFromKeytab(admin.getPrincipal(), admin.getKeytab().getAbsolutePath());
    return new KerberosToken();
  } catch (IOException e) {
    // Keep the cause so a failed keytab login can be diagnosed.
    throw new RuntimeException(e);
  }
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class KerberosIT method testDelegationToken.
/**
 * Verifies that a delegation token obtained by a Kerberos-authenticated user can afterwards be
 * used to read data by a user that holds no Kerberos credentials.
 *
 * <p>Security relevance: the second half shows the token alone is enough to connect as the root
 * principal, so a delegation token is a bearer credential. It needs the same care in storage and
 * transport as any other secret for as long as it remains valid.
 */
@Test
public void testDelegationToken() throws Exception {
  final String tableName = getUniqueNames(1)[0];
  final int numRows = 100;
  final int numColumns = 10;

  // Login as the "root" user
  UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
  log.info("Logged in as {}", rootUser.getPrincipal());

  // As the "root" user, open a connection, load some data and request a delegation token.
  // NOTE(review): neither client created in this test is closed; if the client type is closeable
  // in this version, try-with-resources would release it - confirm.
  final AuthenticationToken delegationToken = root.doAs((PrivilegedExceptionAction<AuthenticationToken>) () -> {
    AccumuloClient kerberosClient = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken());
    log.info("Created client as {}", rootUser.getPrincipal());
    assertEquals(rootUser.getPrincipal(), kerberosClient.whoami());

    kerberosClient.tableOperations().create(tableName);
    try (BatchWriter writer = kerberosClient.createBatchWriter(tableName)) {
      // numRows rows, each with numColumns entries whose family, qualifier and value are the
      // column index.
      for (int row = 0; row < numRows; row++) {
        Mutation mutation = new Mutation(Integer.toString(row));
        for (int column = 0; column < numColumns; column++) {
          String label = Integer.toString(column);
          mutation.put(label, label, label);
        }
        writer.addMutation(mutation);
      }
    }
    return kerberosClient.securityOperations().getDelegationToken(new DelegationTokenConfig());
  });

  // The keytab login above has no logout, so run the read as a fake user that has no Kerberos
  // credentials; only the delegation token can authenticate this connection.
  UserGroupInformation userWithoutPrivs = UserGroupInformation.createUserForTesting("fake_user", new String[0]);
  int entriesRead = userWithoutPrivs.doAs((PrivilegedExceptionAction<Integer>) () -> {
    AccumuloClient tokenClient = mac.createAccumuloClient(rootUser.getPrincipal(), delegationToken);
    try (BatchScanner scanner = tokenClient.createBatchScanner(tableName)) {
      // An unbounded Range scans the whole table.
      scanner.setRanges(Collections.singleton(new Range()));
      return Iterables.size(scanner);
    }
  });

  // Every entry written with Kerberos must be visible through the delegation token.
  assertEquals(numRows * numColumns, entriesRead);
}