Example 11 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class KerberosIT, method testUserPrivilegesForTable.

@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by test")
@Test
public void testUserPrivilegesForTable() throws Exception {
    String user1 = testName.getMethodName();
    final File user1Keytab = new File(kdc.getKeytabDir(), user1 + ".keytab");
    if (user1Keytab.exists() && !user1Keytab.delete()) {
        log.warn("Unable to delete {}", user1Keytab);
    }
    // Create some new users -- cannot contain realm
    kdc.createPrincipal(user1Keytab, user1);
    final String qualifiedUser1 = kdc.qualifyUser(user1);
    // Log in as user1
    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(qualifiedUser1, user1Keytab.getAbsolutePath());
    log.info("Logged in as {}", user1);
    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
        // Indirectly creates this user when we use it
        AccumuloClient client = mac.createAccumuloClient(qualifiedUser1, new KerberosToken());
        log.info("Created client as {}", qualifiedUser1);
        // The new user should have no system permissions
        for (SystemPermission perm : SystemPermission.values()) {
            assertFalse(client.securityOperations().hasSystemPermission(qualifiedUser1, perm));
        }
        return null;
    });
    final String table = testName.getMethodName() + "_user_table";
    final String viz = "viz";
    ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
        AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken());
        client.tableOperations().create(table);
        // Give our unprivileged user permission on the table we made for them
        client.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.READ);
        client.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.WRITE);
        client.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.ALTER_TABLE);
        client.securityOperations().grantTablePermission(qualifiedUser1, table, TablePermission.DROP_TABLE);
        client.securityOperations().changeUserAuthorizations(qualifiedUser1, new Authorizations(viz));
        return null;
    });
    // Switch back to the original user
    ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(qualifiedUser1, user1Keytab.getAbsolutePath());
    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
        AccumuloClient client = mac.createAccumuloClient(qualifiedUser1, new KerberosToken());
        // Make sure we can actually use the table we made
        // Write data
        final long ts = 1000L;
        try (BatchWriter bw = client.createBatchWriter(table)) {
            Mutation m = new Mutation("a");
            m.put("b", "c", new ColumnVisibility(viz.getBytes()), ts, "d");
            bw.addMutation(m);
        }
        // Compact
        client.tableOperations().compact(table, new CompactionConfig().setWait(true).setFlush(true));
        // Alter
        client.tableOperations().setProperty(table, Property.TABLE_BLOOM_ENABLED.getKey(), "true");
        // Read (and proper authorizations)
        try (Scanner s = client.createScanner(table, new Authorizations(viz))) {
            Iterator<Entry<Key, Value>> iter = s.iterator();
            assertTrue("No results from iterator", iter.hasNext());
            Entry<Key, Value> entry = iter.next();
            assertEquals(new Key("a", "b", "c", viz, ts), entry.getKey());
            assertEquals(new Value("d"), entry.getValue());
            assertFalse("Had more results from iterator", iter.hasNext());
            return null;
        }
    });
}
Also used: AccumuloClient (org.apache.accumulo.core.client.AccumuloClient), BatchScanner (org.apache.accumulo.core.client.BatchScanner), Scanner (org.apache.accumulo.core.client.Scanner), Authorizations (org.apache.accumulo.core.security.Authorizations), KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken), SystemPermission (org.apache.accumulo.core.security.SystemPermission), Entry (java.util.Map.Entry), CompactionConfig (org.apache.accumulo.core.client.admin.CompactionConfig), Iterator (java.util.Iterator), Value (org.apache.accumulo.core.data.Value), BatchWriter (org.apache.accumulo.core.client.BatchWriter), Mutation (org.apache.accumulo.core.data.Mutation), ColumnVisibility (org.apache.accumulo.core.security.ColumnVisibility), File (java.io.File), Key (org.apache.accumulo.core.data.Key), UserGroupInformation (org.apache.hadoop.security.UserGroupInformation), Test (org.junit.Test), SuppressFBWarnings (edu.umd.cs.findbugs.annotations.SuppressFBWarnings)

Example 12 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class KerberosIT, method testAdminUser.

@Test
public void testAdminUser() throws Exception {
    // Login as the client (provided to `accumulo init` as the "root" user)
    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
        final AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken());
        // The "root" user should have all system permissions
        for (SystemPermission perm : SystemPermission.values()) {
            assertTrue("Expected user to have permission: " + perm, client.securityOperations().hasSystemPermission(client.whoami(), perm));
        }
        // and the ability to modify the root and metadata tables
        for (String table : Arrays.asList(RootTable.NAME, MetadataTable.NAME)) {
            assertTrue(client.securityOperations().hasTablePermission(client.whoami(), table, TablePermission.ALTER_TABLE));
        }
        return null;
    });
}
Also used: AccumuloClient (org.apache.accumulo.core.client.AccumuloClient), SystemPermission (org.apache.accumulo.core.security.SystemPermission), KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken), UserGroupInformation (org.apache.hadoop.security.UserGroupInformation), Test (org.junit.Test)

Example 13 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class KerberosIT, method testGetDelegationTokenDenied.

@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by test")
@Test
public void testGetDelegationTokenDenied() throws Exception {
    String newUser = testName.getMethodName();
    final File newUserKeytab = new File(kdc.getKeytabDir(), newUser + ".keytab");
    if (newUserKeytab.exists() && !newUserKeytab.delete()) {
        log.warn("Unable to delete {}", newUserKeytab);
    }
    // Create a new user
    kdc.createPrincipal(newUserKeytab, newUser);
    final String qualifiedNewUser = kdc.qualifyUser(newUser);
    // Login as a normal user
    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(qualifiedNewUser, newUserKeytab.getAbsolutePath());
    try {
        ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
            // As the new, unprivileged user, open the connection and request a delegation token;
            // this user holds no system permissions, so the server is expected to deny the request
            AccumuloClient client = mac.createAccumuloClient(qualifiedNewUser, new KerberosToken());
            log.info("Created client as {}", qualifiedNewUser);
            assertEquals(qualifiedNewUser, client.whoami());
            client.securityOperations().getDelegationToken(new DelegationTokenConfig());
            return null;
        });
        // Reaching this line means an unprivileged user was handed a delegation token
        fail("Expected getDelegationToken to be denied for " + qualifiedNewUser);
    } catch (UndeclaredThrowableException ex) {
        // doAs wraps the checked exception thrown inside the action
        assertTrue(ex.getCause() instanceof AccumuloSecurityException);
    }
}
Also used: AccumuloClient (org.apache.accumulo.core.client.AccumuloClient), DelegationTokenConfig (org.apache.accumulo.core.client.admin.DelegationTokenConfig), KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken), UndeclaredThrowableException (java.lang.reflect.UndeclaredThrowableException), AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException), File (java.io.File), UserGroupInformation (org.apache.hadoop.security.UserGroupInformation), Test (org.junit.Test), SuppressFBWarnings (edu.umd.cs.findbugs.annotations.SuppressFBWarnings)

Example 14 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class KerberosIT, method testNewUser.

@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by test")
@Test
public void testNewUser() throws Exception {
    String newUser = testName.getMethodName();
    final File newUserKeytab = new File(kdc.getKeytabDir(), newUser + ".keytab");
    if (newUserKeytab.exists() && !newUserKeytab.delete()) {
        log.warn("Unable to delete {}", newUserKeytab);
    }
    // Create a new user
    kdc.createPrincipal(newUserKeytab, newUser);
    final String newQualifiedUser = kdc.qualifyUser(newUser);
    final HashSet<String> users = Sets.newHashSet(rootUser.getPrincipal());
    // Login as the "root" user
    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    log.info("Logged in as {}", rootUser.getPrincipal());
    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
        AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken());
        log.info("Created client as {}", rootUser.getPrincipal());
        assertEquals(rootUser.getPrincipal(), client.whoami());
        // Make sure the system user doesn't exist -- this will force some RPC to happen server-side
        createTableWithDataAndCompact(client);
        assertEquals(users, client.securityOperations().listLocalUsers());
        return null;
    });
    // Switch to a new user
    ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(newQualifiedUser, newUserKeytab.getAbsolutePath());
    log.info("Logged in as {}", newQualifiedUser);
    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
        AccumuloClient client = mac.createAccumuloClient(newQualifiedUser, new KerberosToken());
        log.info("Created client as {}", newQualifiedUser);
        assertEquals(newQualifiedUser, client.whoami());
        // The new user should have no system permissions
        for (SystemPermission perm : SystemPermission.values()) {
            assertFalse(client.securityOperations().hasSystemPermission(newQualifiedUser, perm));
        }
        users.add(newQualifiedUser);
        // Same users as before, plus the new user we just created
        assertEquals(users, client.securityOperations().listLocalUsers());
        return null;
    });
}
Also used: AccumuloClient (org.apache.accumulo.core.client.AccumuloClient), SystemPermission (org.apache.accumulo.core.security.SystemPermission), KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken), File (java.io.File), UserGroupInformation (org.apache.hadoop.security.UserGroupInformation), Test (org.junit.Test), SuppressFBWarnings (edu.umd.cs.findbugs.annotations.SuppressFBWarnings)

Example 15 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class KerberosAuthenticator, method authenticateUser.

@Override
public boolean authenticateUser(String principal, AuthenticationToken token) throws AccumuloSecurityException {
    final String rpcPrincipal = UGIAssumingProcessor.rpcPrincipal();
    if (!rpcPrincipal.equals(principal)) {
        // KerberosAuthenticator can't verify the credentials itself because KerberosToken is
        // just a shim and doesn't contain the actual credentials.
        // Double check that the rpc user is allowed to impersonate the requested user.
        UsersWithHosts usersWithHosts = impersonation.get(rpcPrincipal);
        if (usersWithHosts == null) {
            throw new AccumuloSecurityException(principal, SecurityErrorCode.AUTHENTICATOR_FAILED);
        }
        if (!usersWithHosts.getUsers().contains(principal)) {
            throw new AccumuloSecurityException(principal, SecurityErrorCode.AUTHENTICATOR_FAILED);
        }
        log.debug("Allowing impersonation of {} by {}", principal, rpcPrincipal);
    }
    // User is authenticated at the transport layer -- nothing extra is necessary
    return token instanceof KerberosToken || token instanceof DelegationTokenImpl;
}
Also used: UsersWithHosts (org.apache.accumulo.server.security.UserImpersonation.UsersWithHosts), KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken), DelegationTokenImpl (org.apache.accumulo.core.clientImpl.DelegationTokenImpl), AccumuloSecurityException (org.apache.accumulo.core.client.AccumuloSecurityException)
