Example 6 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class ThriftTransportKeyTest, method testSaslPrincipalIsSignificant.

@Test
public void testSaslPrincipalIsSignificant() throws IOException, InterruptedException {
    UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", new String[0]);
    final KerberosToken token = EasyMock.createMock(KerberosToken.class);
    SaslConnectionParams saslParams1 = user1.doAs((PrivilegedExceptionAction<SaslConnectionParams>) () -> createSaslParams(token));
    UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", new String[0]);
    SaslConnectionParams saslParams2 = user2.doAs((PrivilegedExceptionAction<SaslConnectionParams>) () -> createSaslParams(token));
    ThriftTransportKey ttk1 = new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, saslParams1);
    ThriftTransportKey ttk2 = new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, saslParams2);
    assertNotEquals(ttk1, ttk2);
    assertNotEquals(ttk1.hashCode(), ttk2.hashCode());
}
Also used : KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) SaslConnectionParams(org.apache.accumulo.core.rpc.SaslConnectionParams) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.jupiter.api.Test)

Example 7 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class ThriftTransportKeyTest, method testConnectionCaching.

@Test
public void testConnectionCaching() throws IOException, InterruptedException {
    UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", new String[0]);
    final KerberosToken token = EasyMock.createMock(KerberosToken.class);
    // A first instance of the SASL cnxn params
    SaslConnectionParams saslParams1 = user1.doAs((PrivilegedExceptionAction<SaslConnectionParams>) () -> createSaslParams(token));
    // A second instance of what should be the same SaslConnectionParams
    SaslConnectionParams saslParams2 = user1.doAs((PrivilegedExceptionAction<SaslConnectionParams>) () -> createSaslParams(token));
    ThriftTransportKey ttk1 = new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, saslParams1);
    ThriftTransportKey ttk2 = new ThriftTransportKey(HostAndPort.fromParts("localhost", 9997), 1L, null, saslParams2);
    // The keys should be equal and have equal hash codes so that we don't throw away thrift connections
    assertEquals(ttk1, ttk2);
    assertEquals(ttk1.hashCode(), ttk2.hashCode());
}
Also used : KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) SaslConnectionParams(org.apache.accumulo.core.rpc.SaslConnectionParams) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.jupiter.api.Test)

Example 8 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class MiniClusterHarness, method create.

public MiniAccumuloClusterImpl create(String testClassName, String testMethodName, AuthenticationToken token, MiniClusterConfigurationCallback configCallback, TestingKdc kdc) throws Exception {
    requireNonNull(token);
    checkArgument(token instanceof PasswordToken || token instanceof KerberosToken, "A PasswordToken or KerberosToken is required");
    String rootPasswd;
    if (token instanceof PasswordToken) {
        rootPasswd = new String(((PasswordToken) token).getPassword(), UTF_8);
    } else {
        rootPasswd = UUID.randomUUID().toString();
    }
    File baseDir = AccumuloClusterHarness.createTestDir(testClassName + "_" + testMethodName);
    MiniAccumuloConfigImpl cfg = new MiniAccumuloConfigImpl(baseDir, rootPasswd);
    // Enable native maps by default
    cfg.setNativeLibPaths(NativeMapIT.nativeMapLocation().getAbsolutePath());
    cfg.setProperty(Property.TSERV_NATIVEMAP_ENABLED, Boolean.TRUE.toString());
    Configuration coreSite = new Configuration(false);
    // Setup SSL and credential providers if the properties request such
    configureForEnvironment(cfg, AccumuloClusterHarness.getSslDir(baseDir), coreSite, kdc);
    // Invoke the callback for tests to configure MAC before it starts
    configCallback.configureMiniCluster(cfg, coreSite);
    MiniAccumuloClusterImpl miniCluster = new MiniAccumuloClusterImpl(cfg);
    // classpath)
    if (coreSite.size() > 0) {
        File csFile = new File(miniCluster.getConfig().getConfDir(), "core-site.xml");
        if (csFile.exists())
            throw new RuntimeException(csFile + " already exists");
        // try-with-resources closes the stream even if writeXml throws
        try (OutputStream out = new BufferedOutputStream(new FileOutputStream(csFile))) {
            coreSite.writeXml(out);
        }
    }
    return miniCluster;
}
Also used : PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken) Configuration(org.apache.hadoop.conf.Configuration) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) BufferedOutputStream(java.io.BufferedOutputStream) OutputStream(java.io.OutputStream) FileOutputStream(java.io.FileOutputStream) MiniAccumuloClusterImpl(org.apache.accumulo.miniclusterImpl.MiniAccumuloClusterImpl) File(java.io.File) MiniAccumuloConfigImpl(org.apache.accumulo.miniclusterImpl.MiniAccumuloConfigImpl)

Example 9 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class AccumuloMiniClusterConfiguration, method getAdminToken.

@Override
public AuthenticationToken getAdminToken() {
    if (saslEnabled) {
        // Turn on Kerberos authentication so UGI acts properly
        final Configuration conf = new Configuration(false);
        conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
        UserGroupInformation.setConfiguration(conf);
        ClusterUser rootUser = AccumuloClusterHarness.getKdc().getRootUser();
        try {
            UserGroupInformation.loginUserFromKeytab(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
            return new KerberosToken();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    } else {
        String password = conf.get(ACCUMULO_MINI_PASSWORD_KEY);
        if (password == null) {
            password = ACCUMULO_MINI_PASSWORD_DEFAULT;
        }
        return new PasswordToken(password);
    }
}
Also used : PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken) Configuration(org.apache.hadoop.conf.Configuration) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) ClusterUser(org.apache.accumulo.cluster.ClusterUser) IOException(java.io.IOException)

Example 10 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class KerberosIT, method testDelegationToken.

@Test
public void testDelegationToken() throws Exception {
    final String tableName = getUniqueNames(1)[0];
    // Login as the "root" user
    UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    log.info("Logged in as {}", rootUser.getPrincipal());
    final int numRows = 100, numColumns = 10;
    // As the "root" user, open up the connection and get a delegation token
    final AuthenticationToken delegationToken = root.doAs((PrivilegedExceptionAction<AuthenticationToken>) () -> {
        AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken());
        log.info("Created client as {}", rootUser.getPrincipal());
        assertEquals(rootUser.getPrincipal(), client.whoami());
        client.tableOperations().create(tableName);
        try (BatchWriter bw = client.createBatchWriter(tableName)) {
            for (int r = 0; r < numRows; r++) {
                Mutation m = new Mutation(Integer.toString(r));
                for (int c = 0; c < numColumns; c++) {
                    String col = Integer.toString(c);
                    m.put(col, col, col);
                }
                bw.addMutation(m);
            }
        }
        return client.securityOperations().getDelegationToken(new DelegationTokenConfig());
    });
    // The above login with keytab doesn't have a way to logout, so make a fake user that won't have
    // krb credentials
    UserGroupInformation userWithoutPrivs = UserGroupInformation.createUserForTesting("fake_user", new String[0]);
    int recordsSeen = userWithoutPrivs.doAs((PrivilegedExceptionAction<Integer>) () -> {
        AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), delegationToken);
        try (BatchScanner bs = client.createBatchScanner(tableName)) {
            bs.setRanges(Collections.singleton(new Range()));
            return Iterables.size(bs);
        }
    });
    assertEquals(numRows * numColumns, recordsSeen);
}
Also used : AccumuloClient(org.apache.accumulo.core.client.AccumuloClient) AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken) DelegationTokenConfig(org.apache.accumulo.core.client.admin.DelegationTokenConfig) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) BatchScanner(org.apache.accumulo.core.client.BatchScanner) BatchWriter(org.apache.accumulo.core.client.BatchWriter) Mutation(org.apache.accumulo.core.data.Mutation) Range(org.apache.accumulo.core.data.Range) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Aggregations

KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken) 46
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation) 23
Test (org.junit.Test) 23
AuthenticationToken (org.apache.accumulo.core.client.security.tokens.AuthenticationToken) 21
PasswordToken (org.apache.accumulo.core.client.security.tokens.PasswordToken) 16
IOException (java.io.IOException) 15
DelegationTokenConfig (org.apache.accumulo.core.client.admin.DelegationTokenConfig) 14
AccumuloClient (org.apache.accumulo.core.client.AccumuloClient) 13
AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException) 12
File (java.io.File) 11
Connector (org.apache.accumulo.core.client.Connector) 8
DelegationTokenImpl (org.apache.accumulo.core.clientImpl.DelegationTokenImpl) 8
SuppressFBWarnings (edu.umd.cs.findbugs.annotations.SuppressFBWarnings) 7
AccumuloException (org.apache.accumulo.core.client.AccumuloException) 7
ClusterUser (org.apache.accumulo.cluster.ClusterUser) 6
ClientContext (org.apache.accumulo.core.clientImpl.ClientContext) 6
ClientConfiguration (org.apache.accumulo.core.client.ClientConfiguration) 5
TableNotFoundException (org.apache.accumulo.core.client.TableNotFoundException) 5
AuthenticationTokenIdentifier (org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier) 5
Test (org.junit.jupiter.api.Test) 5