use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class KerberosProxyIT method proxiedUserAccessWithoutAccumuloProxy.
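/**
 * Exercises Kerberos proxy-user (impersonation) access when clients connect to Accumulo
 * directly rather than through the Accumulo proxy.
 * <p>
 * The root user first creates a table and two local users, {@code PROXIED_USER1} and
 * {@code PROXIED_USER3}, each granted READ on it. Four scenarios follow:
 * <ol>
 * <li>the proxying principal itself scans the table and must fail with an
 * {@code AccumuloSecurityException} somewhere in the causal chain;</li>
 * <li>{@code PROXIED_USER1}, allowed to be proxied and granted READ, scans the (empty) table;</li>
 * <li>{@code PROXIED_USER2}, allowed to be proxied but never created or granted READ, must fail
 * like the first scenario;</li>
 * <li>{@code PROXIED_USER3}, granted READ but not allowed to be proxied, must be rejected as
 * soon as the {@code Connector} is created.</li>
 * </ol>
 * Uses the enclosing class's {@code kdc}, {@code mac}, {@code proxyPrincipal} and
 * {@code proxyKeytab}.
 *
 * @throws Exception on any cluster, login or assertion failure
 */
@Test
public void proxiedUserAccessWithoutAccumuloProxy() throws Exception {
  final String tableName = getUniqueNames(1)[0];
  final ClusterUser rootUser = kdc.getRootUser();
  final UserGroupInformation rootUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
  // The "real" user is the principal that impersonates the proxied users below.
  final UserGroupInformation realUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(proxyPrincipal, proxyKeytab.getAbsolutePath());
  final String userWithoutCredentials1 = kdc.qualifyUser(PROXIED_USER1);
  final String userWithoutCredentials2 = kdc.qualifyUser(PROXIED_USER2);
  final String userWithoutCredentials3 = kdc.qualifyUser(PROXIED_USER3);
  final UserGroupInformation proxyUser1 = UserGroupInformation.createProxyUser(userWithoutCredentials1, realUgi);
  final UserGroupInformation proxyUser2 = UserGroupInformation.createProxyUser(userWithoutCredentials2, realUgi);
  final UserGroupInformation proxyUser3 = UserGroupInformation.createProxyUser(userWithoutCredentials3, realUgi);

  // Create a table and users, grant permission to users 1 and 3 to read that table.
  rootUgi.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
      Connector conn = inst.getConnector(rootUgi.getUserName(), new KerberosToken());
      conn.tableOperations().create(tableName);
      conn.securityOperations().createLocalUser(userWithoutCredentials1, new PasswordToken("ignored"));
      conn.securityOperations().grantTablePermission(userWithoutCredentials1, tableName, TablePermission.READ);
      conn.securityOperations().createLocalUser(userWithoutCredentials3, new PasswordToken("ignored"));
      conn.securityOperations().grantTablePermission(userWithoutCredentials3, tableName, TablePermission.READ);
      return null;
    }
  });

  // The proxying principal itself was granted nothing above, so its own scan must fail.
  realUgi.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
      Connector conn = inst.getConnector(proxyPrincipal, new KerberosToken());
      try (Scanner s = conn.createScanner(tableName, Authorizations.EMPTY)) {
        s.iterator().hasNext();
        Assert.fail("Expected to see an exception");
      } catch (RuntimeException e) {
        assertSecurityExceptionInChain(e);
      }
      return null;
    }
  });

  // Allowed to be proxied and has read permission
  proxyUser1.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
      Connector conn = inst.getConnector(userWithoutCredentials1, new KerberosToken(userWithoutCredentials1));
      // Close the scanner like the other scenarios do instead of leaking it.
      try (Scanner s = conn.createScanner(tableName, Authorizations.EMPTY)) {
        assertFalse(s.iterator().hasNext());
      }
      return null;
    }
  });

  // Allowed to be proxied but does not have read permission
  proxyUser2.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
      // The token must name the user being impersonated, i.e. the same principal handed to
      // getConnector, exactly as the other proxied scenarios do; otherwise the scenario tests a
      // principal mismatch rather than the missing READ permission.
      Connector conn = inst.getConnector(userWithoutCredentials2, new KerberosToken(userWithoutCredentials2));
      try (Scanner s = conn.createScanner(tableName, Authorizations.EMPTY)) {
        s.iterator().hasNext();
        Assert.fail("Expected to see an exception");
      } catch (RuntimeException e) {
        assertSecurityExceptionInChain(e);
      }
      return null;
    }
  });

  // Has read permission but is not allowed to be proxied
  proxyUser3.doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
      try {
        inst.getConnector(userWithoutCredentials3, new KerberosToken(userWithoutCredentials3));
        Assert.fail("Should not be able to create a Connector as this user cannot be proxied");
      } catch (org.apache.accumulo.core.client.AccumuloSecurityException e) {
        // Expected, this user cannot be proxied
      }
      return null;
    }
  });
}

/**
 * Asserts that at least one {@code AccumuloSecurityException} appears in the causal chain of
 * {@code e}; the scans above are expected to surface it wrapped in a {@code RuntimeException}.
 *
 * @param e the exception thrown by the failing scan
 */
private static void assertSecurityExceptionInChain(RuntimeException e) {
  int numSecurityExceptionsSeen = Iterables.size(Iterables.filter(Throwables.getCausalChain(e), org.apache.accumulo.core.client.AccumuloSecurityException.class));
  assertTrue("Expected to see at least one AccumuloSecurityException, but saw: " + Throwables.getStackTraceAsString(e), numSecurityExceptionsSeen > 0);
}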
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class RestartIT method restartMaster.
/**
 * Restarts the master while an ingest client is running and verifies afterwards that the
 * ingest finished successfully and its data is readable.
 * <p>
 * The ingest runs out-of-process via {@code control.exec(TestIngest.class, args)}, so the admin
 * credential is handed over on its command line: {@code -p <password>} for a
 * {@link PasswordToken}, {@code --keytab <path>} for a {@link KerberosToken}.
 *
 * @throws Exception if the ingest, the restart or the verification fails
 */
@Test
public void restartMaster() throws Exception {
  final Connector conn = getConnector();
  final String tableName = getUniqueNames(1)[0];
  OPTS.setTableName(tableName);
  VOPTS.setTableName(tableName);
  conn.tableOperations().create(tableName);

  final AuthenticationToken adminToken = getAdminToken();
  final ClusterControl control = getCluster().getClusterControl();
  final String[] ingestArgs;
  if (adminToken instanceof PasswordToken) {
    // NOTE(review): the password travels as a process argument and is visible in the host's
    // process listing while TestIngest runs; tolerable in a test harness only.
    final String password = new String(((PasswordToken) adminToken).getPassword(), UTF_8);
    ingestArgs = new String[] {"-u", getAdminPrincipal(), "-p", password, "-i", cluster.getInstanceName(), "-z", cluster.getZooKeepers(), "--rows", String.valueOf(OPTS.rows), "--table", tableName};
    OPTS.setPrincipal(getAdminPrincipal());
    VOPTS.setPrincipal(getAdminPrincipal());
  } else if (adminToken instanceof KerberosToken) {
    final ClusterUser admin = getAdminUser();
    ingestArgs = new String[] {"-u", getAdminPrincipal(), "--keytab", admin.getKeytab().getAbsolutePath(), "-i", cluster.getInstanceName(), "-z", cluster.getZooKeepers(), "--rows", String.valueOf(OPTS.rows), "--table", tableName};
    final ClientConfiguration clientConfig = cluster.getClientConfig();
    OPTS.updateKerberosCredentials(clientConfig);
    VOPTS.updateKerberosCredentials(clientConfig);
  } else {
    throw new RuntimeException("Unknown token");
  }

  // Kick off the ingest asynchronously; its exit code is collected after the restart.
  final Future<Integer> ingestExit = svc.submit(new Callable<Integer>() {
    @Override
    public Integer call() {
      try {
        return control.exec(TestIngest.class, ingestArgs);
      } catch (IOException e) {
        log.error("Error running TestIngest", e);
        return -1;
      }
    }
  });

  control.stopAllServers(ServerType.MASTER);
  control.startAllServers(ServerType.MASTER);

  assertEquals(0, ingestExit.get().intValue());
  VerifyIngest.verifyIngest(conn, VOPTS, SOPTS);
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo-examples by apache.
the class MapReduceClientOpts method getToken.
/**
 * Returns the token MapReduce jobs should use to authenticate to Accumulo.
 * <p>
 * Any non-Kerberos token from the parent is returned unchanged. For a {@link KerberosToken} the
 * client's Kerberos credentials cannot be used by the MapReduce tasks on remote servers, so a
 * delegation token is requested from Accumulo and returned in its place. That requires the
 * connected principal to hold {@code SystemPermission.OBTAIN_DELEGATION_TOKEN}.
 *
 * @return the parent's token, or a freshly obtained delegation token when Kerberos is in use
 * @throws RuntimeException if the delegation token could not be obtained (missing Kerberos
 *         credentials, missing permission, or any failure while talking to Accumulo); the
 *         underlying exception is attached as the cause
 */
@Override
public AuthenticationToken getToken() {
  final AuthenticationToken parentToken = super.getToken();
  if (!(parentToken instanceof KerberosToken)) {
    return parentToken;
  }

  // Kerberos credentials do not reach the MapReduce tasks on remote servers,
  // so we need to request a delegation token and use that instead.
  log.info("Received KerberosToken, fetching DelegationToken for MapReduce");
  try {
    final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
    if (!currentUser.hasKerberosCredentials()) {
      throw new IllegalStateException("Expected current user to have Kerberos credentials");
    }
    log.info("Obtaining delegation token for {}", currentUser.getUserName());

    final Connector conn = getConnector();
    final String accumuloPrincipal = conn.whoami();
    // Check the permission explicitly so the failure is reported with a clear message
    // rather than as an opaque error from getDelegationToken.
    if (!conn.securityOperations().hasSystemPermission(accumuloPrincipal, SystemPermission.OBTAIN_DELEGATION_TOKEN)) {
      log.error("{} doesn't have the {} SystemPermission neccesary to obtain a delegation token. MapReduce tasks cannot automatically use the client's credentials on remote servers. Delegation tokens provide a means to run MapReduce without distributing the user's credentials.", currentUser.getUserName(), SystemPermission.OBTAIN_DELEGATION_TOKEN.name());
      throw new IllegalStateException(accumuloPrincipal + " does not have permission to obtain a delegation token");
    }

    // Get the delegation token from Accumulo
    return conn.securityOperations().getDelegationToken(new DelegationTokenConfig());
  } catch (Exception e) {
    final String msg = "Failed to acquire DelegationToken for use with MapReduce";
    log.error(msg, e);
    throw new RuntimeException(msg, e);
  }
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class CreateUserCommand method execute.
/**
 * Creates a new local Accumulo user named by the command's first argument.
 * <p>
 * When the shell itself is authenticated with a {@link KerberosToken}, the new user is created
 * with an empty {@link PasswordToken} and no password is prompted for. Otherwise the password
 * is read twice with masking and both entries must match.
 *
 * @param fullCommand the complete command line as typed (not used here)
 * @param cl the parsed command line; {@code getArgs()[0]} is the name of the user to create
 * @param shellState the shell, providing the client connection and the interactive prompt
 * @return {@code 0} on success, and also when the operator cancels at either password prompt
 * @throws IllegalArgumentException if the two typed passwords differ
 * @throws IOException if reading from the shell fails
 * @throws AccumuloSecurityException as declared by the underlying security operations
 */
@Override
public int execute(final String fullCommand, final CommandLine cl, final Shell shellState) throws AccumuloException, TableNotFoundException, AccumuloSecurityException, TableExistsException, IOException {
  final String newUser = cl.getArgs()[0];
  final AuthenticationToken callerToken = ((ClientContext) shellState.getAccumuloClient()).token();

  final PasswordToken newUserToken;
  if (callerToken instanceof KerberosToken) {
    newUserToken = new PasswordToken();
  } else {
    newUserToken = promptForPasswordToken(shellState, newUser);
    if (newUserToken == null) {
      // user canceled
      return 0;
    }
  }

  shellState.getAccumuloClient().securityOperations().createLocalUser(newUser, newUserToken);
  Shell.log.debug("Created user {}", newUser);
  return 0;
}

/**
 * Prompts (masked) for a new password and its confirmation.
 *
 * @param shellState the shell providing the prompt
 * @param user the name of the user the password is for, shown in the prompt
 * @return the token for the confirmed password, or {@code null} if the operator canceled at
 *         either prompt (an empty line is printed in that case)
 * @throws IOException if reading from the shell fails
 * @throws IllegalArgumentException if the two entries differ
 */
private static PasswordToken promptForPasswordToken(final Shell shellState, final String user) throws IOException {
  final String entered = shellState.readMaskedLine("Enter new password for '" + user + "': ", '*');
  if (entered == null) {
    shellState.getWriter().println();
    return null;
  }
  final String confirmed = shellState.readMaskedLine("Please confirm new password for '" + user + "': ", '*');
  if (confirmed == null) {
    shellState.getWriter().println();
    return null;
  }
  if (!entered.equals(confirmed)) {
    throw new IllegalArgumentException("Passwords do not match");
  }
  return new PasswordToken(entered);
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class ShellConfigIT method experimentalPropTest.
/**
 * Checks that experimental properties are absent from the shell's {@code config} output unless
 * they have been set explicitly.
 * <p>
 * A {@code MockShell} is built against the cluster's client properties file, handing it the
 * admin password for a {@link PasswordToken} and {@code null} for a {@link KerberosToken}.
 *
 * @throws Exception if the cluster type or token type is unknown, or the shell command fails
 */
@Test
public void experimentalPropTest() throws Exception {
  // ensure experimental props do not show up in config output unless set
  final AuthenticationToken adminToken = getAdminToken();

  File clientPropsFile = null;
  switch (getClusterType()) {
    case MINI:
      clientPropsFile = ((MiniAccumuloClusterImpl) getCluster()).getConfig().getClientPropsFile();
      break;
    case STANDALONE:
      clientPropsFile = ((StandaloneAccumuloClusterConfiguration) getClusterConfiguration()).getClientPropsFile();
      break;
    default:
      fail("Unknown cluster type");
  }
  assertNotNull(clientPropsFile);

  final String adminPassword;
  if (adminToken instanceof PasswordToken) {
    adminPassword = new String(((PasswordToken) adminToken).getPassword(), UTF_8);
  } else if (adminToken instanceof KerberosToken) {
    adminPassword = null;
  } else {
    fail("Unknown token type");
    return; // not reached: fail() throws
  }
  final MockShell shell = new MockShell(getAdminPrincipal(), adminPassword, getCluster().getInstanceName(), getCluster().getZooKeepers(), clientPropsFile);

  // Both crypto properties are experimental; only the service key is checked for absence below.
  assertTrue(Property.INSTANCE_CRYPTO_PREFIX.isExperimental());
  assertTrue(Property.INSTANCE_CRYPTO_SERVICE.isExperimental());
  final String configOutput = shell.exec("config");
  assertTrue(configOutput.contains(PERTABLE_CHOOSER_PROP));
  assertFalse(configOutput.contains(Property.INSTANCE_CRYPTO_SERVICE.getKey()));
}