Class KerberosIT, method testUserPrivilegesForTable.
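/**
 * Verifies that a freshly created Kerberos principal starts with no system permissions, and that
 * table-level grants made by the root user (READ, WRITE, ALTER_TABLE, DROP_TABLE plus an
 * authorization) are enough for that principal to write, compact, alter and read the table.
 *
 * @throws Exception on any failure to create the principal, log in, or talk to the cluster
 */
@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by test")
@Test
public void testUserPrivilegesForTable() throws Exception {
  String user1 = testName.getMethodName();
  final File user1Keytab = new File(kdc.getKeytabDir(), user1 + ".keytab");
  // A stale keytab from an earlier run would be replaced by createPrincipal anyway; just warn.
  if (user1Keytab.exists() && !user1Keytab.delete()) {
    log.warn("Unable to delete {}", user1Keytab);
  }
  // Create some new users -- cannot contain realm
  kdc.createPrincipal(user1Keytab, user1);
  final String qualifiedUser1 = kdc.qualifyUser(user1);

  // Log in as user1
  UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(qualifiedUser1,
      user1Keytab.getAbsolutePath());
  log.info("Logged in as {}", user1);
  ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
    // Indirectly creates this user when we use it. The client is closed before the doAs block
    // ends so its connections do not outlive the login it was created under.
    try (AccumuloClient client = mac.createAccumuloClient(qualifiedUser1, new KerberosToken())) {
      log.info("Created client as {}", qualifiedUser1);
      // The new user should have no system permissions
      for (SystemPermission perm : SystemPermission.values()) {
        assertFalse("Unexpected system permission " + perm + " for " + qualifiedUser1,
            client.securityOperations().hasSystemPermission(qualifiedUser1, perm));
      }
    }
    return null;
  });

  final String table = testName.getMethodName() + "_user_table";
  final String viz = "viz";

  // As root: create the table and hand the unprivileged user exactly the permissions the
  // operations below need.
  ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(),
      rootUser.getKeytab().getAbsolutePath());
  ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
    try (AccumuloClient client =
        mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
      client.tableOperations().create(table);
      // Give our unprivileged user permission on the table we made for them
      client.securityOperations().grantTablePermission(qualifiedUser1, table,
          TablePermission.READ);
      client.securityOperations().grantTablePermission(qualifiedUser1, table,
          TablePermission.WRITE);
      client.securityOperations().grantTablePermission(qualifiedUser1, table,
          TablePermission.ALTER_TABLE);
      client.securityOperations().grantTablePermission(qualifiedUser1, table,
          TablePermission.DROP_TABLE);
      client.securityOperations().changeUserAuthorizations(qualifiedUser1,
          new Authorizations(viz));
    }
    return null;
  });

  // Switch back to the original user
  ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(qualifiedUser1,
      user1Keytab.getAbsolutePath());
  ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
    try (AccumuloClient client = mac.createAccumuloClient(qualifiedUser1, new KerberosToken())) {
      // Make sure we can actually use the table we made
      // Write data
      final long ts = 1000L;
      try (BatchWriter bw = client.createBatchWriter(table)) {
        Mutation m = new Mutation("a");
        // The String constructor encodes the expression itself, so the visibility bytes do not
        // depend on the JVM's default charset.
        m.put("b", "c", new ColumnVisibility(viz), ts, "d");
        bw.addMutation(m);
      }
      // Compact
      client.tableOperations().compact(table,
          new CompactionConfig().setWait(true).setFlush(true));
      // Alter
      client.tableOperations().setProperty(table, Property.TABLE_BLOOM_ENABLED.getKey(), "true");
      // Read (and proper authorizations)
      try (Scanner s = client.createScanner(table, new Authorizations(viz))) {
        Iterator<Entry<Key,Value>> iter = s.iterator();
        assertTrue("No results from iterator", iter.hasNext());
        Entry<Key,Value> entry = iter.next();
        assertEquals(new Key("a", "b", "c", viz, ts), entry.getKey());
        assertEquals(new Value("d"), entry.getValue());
        assertFalse("Had more results from iterator", iter.hasNext());
      }
    }
    return null;
  });
}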
Class KerberosIT, method testAdminUser.
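/**
 * Verifies that the principal handed to {@code accumulo init} (the "root" user) holds every
 * system permission and may alter the root and metadata tables.
 *
 * @throws Exception on any failure to log in or talk to the cluster
 */
@Test
public void testAdminUser() throws Exception {
  // Login as the client (provided to `accumulo init` as the "root" user)
  UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
  ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
    // Close the client before the doAs block ends so nothing outlives this login.
    try (AccumuloClient client =
        mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
      // The "root" user should have all system permissions
      for (SystemPermission perm : SystemPermission.values()) {
        assertTrue("Expected user to have permission: " + perm,
            client.securityOperations().hasSystemPermission(client.whoami(), perm));
      }
      // and the ability to modify the root and metadata tables
      for (String table : Arrays.asList(RootTable.NAME, MetadataTable.NAME)) {
        assertTrue("Expected ALTER_TABLE on " + table, client.securityOperations()
            .hasTablePermission(client.whoami(), table, TablePermission.ALTER_TABLE));
      }
    }
    return null;
  });
}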
Class KerberosIT, method testGetDelegationTokenDenied.
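/**
 * Verifies that a newly created, unprivileged Kerberos principal is refused a delegation token.
 *
 * <p>
 * The refusal surfaces as an {@link AccumuloSecurityException} thrown inside the
 * {@code doAs} action; UGI wraps checked exceptions it does not declare in an
 * {@link UndeclaredThrowableException}, which is what this test unwraps. If no exception is
 * thrown at all the test fails, so a regression that silently hands out tokens is caught.
 *
 * @throws Exception on any failure to create the principal, log in, or talk to the cluster
 */
@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by test")
@Test
public void testGetDelegationTokenDenied() throws Exception {
  String newUser = testName.getMethodName();
  final File newUserKeytab = new File(kdc.getKeytabDir(), newUser + ".keytab");
  if (newUserKeytab.exists() && !newUserKeytab.delete()) {
    log.warn("Unable to delete {}", newUserKeytab);
  }
  // Create a new user
  kdc.createPrincipal(newUserKeytab, newUser);
  final String qualifiedNewUser = kdc.qualifyUser(newUser);

  // Login as a normal user
  UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(qualifiedNewUser,
      newUserKeytab.getAbsolutePath());
  try {
    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
      // As the new (unprivileged) user, open a connection and ask for a delegation token
      try (AccumuloClient client =
          mac.createAccumuloClient(qualifiedNewUser, new KerberosToken())) {
        log.info("Created client as {}", qualifiedNewUser);
        assertEquals(qualifiedNewUser, client.whoami());
        client.securityOperations().getDelegationToken(new DelegationTokenConfig());
      }
      return null;
    });
  } catch (UndeclaredThrowableException ex) {
    assertTrue("Expected AccumuloSecurityException, got " + ex.getCause(),
        ex.getCause() instanceof AccumuloSecurityException);
    return;
  }
  // Reaching this point means the unprivileged user was issued a token, which is the very
  // behaviour this test exists to rule out.
  throw new AssertionError(
      "Expected getDelegationToken to be denied for unprivileged user " + qualifiedNewUser);
}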
Class KerberosIT, method testNewUser.
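/**
 * Verifies that a Kerberos principal unknown to Accumulo is created on first use, starts with
 * no system permissions, and then shows up in the local user list alongside the root user.
 *
 * @throws Exception on any failure to create the principal, log in, or talk to the cluster
 */
@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by test")
@Test
public void testNewUser() throws Exception {
  String newUser = testName.getMethodName();
  final File newUserKeytab = new File(kdc.getKeytabDir(), newUser + ".keytab");
  if (newUserKeytab.exists() && !newUserKeytab.delete()) {
    log.warn("Unable to delete {}", newUserKeytab);
  }
  // Create a new user
  kdc.createPrincipal(newUserKeytab, newUser);
  final String newQualifiedUser = kdc.qualifyUser(newUser);

  // Expected set of local users; grows once the new principal has touched the cluster.
  final HashSet<String> users = Sets.newHashSet(rootUser.getPrincipal());

  // Login as the "root" user
  UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
  log.info("Logged in as {}", rootUser.getPrincipal());
  ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
    // Close the client before the doAs block ends so nothing outlives this login.
    try (AccumuloClient client =
        mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
      log.info("Created client as {}", rootUser.getPrincipal());
      assertEquals(rootUser.getPrincipal(), client.whoami());
      // Make sure the system user doesn't exist -- this will force some RPC to happen server-side
      createTableWithDataAndCompact(client);
      assertEquals(users, client.securityOperations().listLocalUsers());
    }
    return null;
  });

  // Switch to a new user
  ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(newQualifiedUser,
      newUserKeytab.getAbsolutePath());
  log.info("Logged in as {}", newQualifiedUser);
  ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
    try (AccumuloClient client =
        mac.createAccumuloClient(newQualifiedUser, new KerberosToken())) {
      log.info("Created client as {}", newQualifiedUser);
      assertEquals(newQualifiedUser, client.whoami());
      // The new user should have no system permissions
      for (SystemPermission perm : SystemPermission.values()) {
        assertFalse("Unexpected system permission " + perm + " for " + newQualifiedUser,
            client.securityOperations().hasSystemPermission(newQualifiedUser, perm));
      }
      users.add(newQualifiedUser);
      // Same users as before, plus the new user we just created
      assertEquals(users, client.securityOperations().listLocalUsers());
    }
    return null;
  });
}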
Class KerberosAuthenticator, method authenticateUser.
/**
 * Accepts a caller whose identity was already established by the SASL/Kerberos transport.
 *
 * <p>
 * When the requested {@code principal} differs from the transport-level user, the request is an
 * impersonation attempt and is allowed only if the impersonation configuration lists the
 * transport-level user as permitted to act as {@code principal}. Otherwise nothing beyond the
 * transport-level authentication is required.
 *
 * @param principal the Accumulo user the caller wants to act as
 * @param token the token presented with the request; only its type is examined
 * @return {@code true} iff the token is a {@code KerberosToken} or a {@code DelegationTokenImpl}
 * @throws AccumuloSecurityException with {@code AUTHENTICATOR_FAILED} when impersonation of
 *         {@code principal} by the transport-level user is not configured
 */
@Override
public boolean authenticateUser(String principal, AuthenticationToken token)
    throws AccumuloSecurityException {
  // Identity the transport layer authenticated for this RPC; it is the only thing trusted here.
  // NOTE(review): a null value would NPE on the comparison below -- confirm the caller
  // guarantees it is always set on this thread.
  final String rpcPrincipal = UGIAssumingProcessor.rpcPrincipal();
  final boolean isImpersonating = !rpcPrincipal.equals(principal);

  if (isImpersonating) {
    // A KerberosToken is just a shim and carries no credentials, so the requested principal
    // cannot be verified from the token itself. Instead the transport-level user must be
    // configured as allowed to impersonate the requested user: no entry at all, or an entry
    // that does not list this user, is treated as an authentication failure.
    // NOTE(review): the host side of the entry is not consulted in this method -- confirm it
    // is enforced elsewhere.
    final UsersWithHosts allowed = impersonation.get(rpcPrincipal);
    if (allowed == null || !allowed.getUsers().contains(principal)) {
      throw new AccumuloSecurityException(principal, SecurityErrorCode.AUTHENTICATOR_FAILED);
    }
    log.debug("Allowing impersonation of {} by {}", principal, rpcPrincipal);
  }

  // Authentication already happened at the transport layer; only the token type is checked.
  return token instanceof KerberosToken || token instanceof DelegationTokenImpl;
}