
Example 26 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class KerberosProxyIT, method proxiedUserAccessWithoutAccumuloProxy.

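/**
 * Verifies Hadoop proxy-user (impersonation) semantics against Accumulo directly, without the
 * Accumulo proxy server in the path: an impersonated principal gets a connection only if the real
 * Kerberos user is allowed to proxy it, and what it can then do is governed by that principal's own
 * Accumulo permissions.
 *
 * <p>Three credential-less principals are exercised: one that may be proxied and holds READ on the
 * table, one that may be proxied but holds no permission, and one that holds READ but may not be
 * proxied by {@code proxyPrincipal}. Which principals {@code proxyPrincipal} may impersonate is
 * configured outside this method; here it is observed only through the outcomes.
 *
 * @throws Exception if keytab login, table/user setup or any privileged action fails
 */
@Test
public void proxiedUserAccessWithoutAccumuloProxy() throws Exception {
    final String tableName = getUniqueNames(1)[0];
    ClusterUser rootUser = kdc.getRootUser();
    // Log in the Accumulo root user and the proxying ("real") user from their keytabs.
    final UserGroupInformation rootUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    final UserGroupInformation realUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(proxyPrincipal, proxyKeytab.getAbsolutePath());
    // Principals with no Kerberos credentials of their own; they are reachable only via impersonation.
    final String userWithoutCredentials1 = kdc.qualifyUser(PROXIED_USER1);
    final String userWithoutCredentials2 = kdc.qualifyUser(PROXIED_USER2);
    final String userWithoutCredentials3 = kdc.qualifyUser(PROXIED_USER3);
    // Proxy UGIs: the real user's Kerberos identity acting on behalf of each credential-less principal.
    final UserGroupInformation proxyUser1 = UserGroupInformation.createProxyUser(userWithoutCredentials1, realUgi);
    final UserGroupInformation proxyUser2 = UserGroupInformation.createProxyUser(userWithoutCredentials2, realUgi);
    final UserGroupInformation proxyUser3 = UserGroupInformation.createProxyUser(userWithoutCredentials3, realUgi);
    // Create a table and user, grant permission to our user to read that table.
    // User 2 is deliberately left without an Accumulo user/permission.
    rootUgi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
            Connector conn = inst.getConnector(rootUgi.getUserName(), new KerberosToken());
            conn.tableOperations().create(tableName);
            conn.securityOperations().createLocalUser(userWithoutCredentials1, new PasswordToken("ignored"));
            conn.securityOperations().grantTablePermission(userWithoutCredentials1, tableName, TablePermission.READ);
            conn.securityOperations().createLocalUser(userWithoutCredentials3, new PasswordToken("ignored"));
            conn.securityOperations().grantTablePermission(userWithoutCredentials3, tableName, TablePermission.READ);
            return null;
        }
    });
    // The real (proxying) user connecting as itself must be rejected when it scans the table;
    // the AccumuloSecurityException may be wrapped, so search the whole causal chain.
    realUgi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
            Connector conn = inst.getConnector(proxyPrincipal, new KerberosToken());
            try (Scanner s = conn.createScanner(tableName, Authorizations.EMPTY)) {
                s.iterator().hasNext();
                Assert.fail("Expected to see an exception");
            } catch (RuntimeException e) {
                int numSecurityExceptionsSeen = Iterables.size(Iterables.filter(Throwables.getCausalChain(e), org.apache.accumulo.core.client.AccumuloSecurityException.class));
                assertTrue("Expected to see at least one AccumuloSecurityException, but saw: " + Throwables.getStackTraceAsString(e), numSecurityExceptionsSeen > 0);
            }
            return null;
        }
    });
    // Allowed to be proxied and has read permission
    proxyUser1.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
            Connector conn = inst.getConnector(userWithoutCredentials1, new KerberosToken(userWithoutCredentials1));
            // Close the scanner like the other branches do; the table is freshly created and empty,
            // so an empty result (rather than an exception) shows the read was authorized.
            try (Scanner s = conn.createScanner(tableName, Authorizations.EMPTY)) {
                assertFalse(s.iterator().hasNext());
            }
            return null;
        }
    });
    // Allowed to be proxied but does not have read permission
    proxyUser2.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
            // NOTE(review): the token names userWithoutCredentials3 while the connection is made as
            // userWithoutCredentials2; this reads like a typo for userWithoutCredentials2. Left as-is
            // because the assertion only requires that the scan be rejected — confirm the intent.
            Connector conn = inst.getConnector(userWithoutCredentials2, new KerberosToken(userWithoutCredentials3));
            try (Scanner s = conn.createScanner(tableName, Authorizations.EMPTY)) {
                s.iterator().hasNext();
                Assert.fail("Expected to see an exception");
            } catch (RuntimeException e) {
                int numSecurityExceptionsSeen = Iterables.size(Iterables.filter(Throwables.getCausalChain(e), org.apache.accumulo.core.client.AccumuloSecurityException.class));
                assertTrue("Expected to see at least one AccumuloSecurityException, but saw: " + Throwables.getStackTraceAsString(e), numSecurityExceptionsSeen > 0);
            }
            return null;
        }
    });
    // Has read permission but is not allowed to be proxied: rejection must happen at connection
    // time, before any table access is attempted.
    proxyUser3.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
            try {
                inst.getConnector(userWithoutCredentials3, new KerberosToken(userWithoutCredentials3));
                Assert.fail("Should not be able to create a Connector as this user cannot be proxied");
            } catch (org.apache.accumulo.core.client.AccumuloSecurityException e) {
            // Expected, this user cannot be proxied
            }
            return null;
        }
    });
}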

Example 27 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class RestartIT, method restartMaster.

/**
 * Restarts the master while an ingest is in flight and verifies that the ingest still completes
 * and that its data can be read back afterwards.
 *
 * <p>The ingest runs out-of-process via {@code control.exec}, so the admin credentials are handed
 * to it on its command line: the raw password for a {@link PasswordToken}, or the keytab path for
 * a {@link KerberosToken}. A password passed this way is visible in the process listing of the
 * test host for as long as the ingest process lives; this is acceptable for a test cluster only.
 *
 * @throws Exception on table creation, ingest submission or verification failure
 */
@Test
public void restartMaster() throws Exception {
    Connector c = getConnector();
    final String tableName = getUniqueNames(1)[0];
    OPTS.setTableName(tableName);
    VOPTS.setTableName(tableName);
    c.tableOperations().create(tableName);
    final AuthenticationToken adminToken = getAdminToken();
    final ClusterControl control = getCluster().getClusterControl();
    final String[] ingestArgs;
    if (adminToken instanceof PasswordToken) {
        // Password authentication: the password itself goes on the TestIngest command line.
        final String passwd = new String(((PasswordToken) adminToken).getPassword(), UTF_8);
        ingestArgs = new String[] { "-u", getAdminPrincipal(), "-p", passwd, "-i", cluster.getInstanceName(), "-z", cluster.getZooKeepers(), "--rows", String.valueOf(OPTS.rows), "--table", tableName };
        OPTS.setPrincipal(getAdminPrincipal());
        VOPTS.setPrincipal(getAdminPrincipal());
    } else if (adminToken instanceof KerberosToken) {
        // Kerberos authentication: TestIngest logs in from the admin keytab instead.
        final String keytabPath = getAdminUser().getKeytab().getAbsolutePath();
        ingestArgs = new String[] { "-u", getAdminPrincipal(), "--keytab", keytabPath, "-i", cluster.getInstanceName(), "-z", cluster.getZooKeepers(), "--rows", String.valueOf(OPTS.rows), "--table", tableName };
        final ClientConfiguration clientConfig = cluster.getClientConfig();
        OPTS.updateKerberosCredentials(clientConfig);
        VOPTS.updateKerberosCredentials(clientConfig);
    } else {
        throw new RuntimeException("Unknown token");
    }
    // Kick off the ingest asynchronously so the master can be bounced while it runs.
    final Future<Integer> ingestExitCode = svc.submit(new Callable<Integer>() {

        @Override
        public Integer call() {
            try {
                return control.exec(TestIngest.class, ingestArgs);
            } catch (IOException e) {
                log.error("Error running TestIngest", e);
                return -1;
            }
        }
    });
    control.stopAllServers(ServerType.MASTER);
    control.startAllServers(ServerType.MASTER);
    // A non-zero exit (including the -1 recorded above) fails the test.
    assertEquals(0, ingestExitCode.get().intValue());
    VerifyIngest.verifyIngest(c, VOPTS, SOPTS);
}

Example 28 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo-examples by apache.

The class MapReduceClientOpts, method getToken.

/**
 * Returns the token MapReduce tasks should use to authenticate to Accumulo.
 *
 * <p>A {@link KerberosToken} is tied to the client's own Kerberos login, which remote MapReduce
 * tasks cannot use, so when the configured token is a KerberosToken this method exchanges it for a
 * delegation token issued by Accumulo. Any other token type is returned unchanged.
 *
 * @return the token from {@code super.getToken()}, or a freshly issued delegation token when that
 *         token is a {@link KerberosToken}
 * @throws RuntimeException if the current user has no Kerberos credentials, lacks
 *         {@code SystemPermission.OBTAIN_DELEGATION_TOKEN}, or the token request fails; the
 *         underlying exception is kept as the cause
 */
@Override
public AuthenticationToken getToken() {
    final AuthenticationToken configuredToken = super.getToken();
    if (!(configuredToken instanceof KerberosToken)) {
        return configuredToken;
    }
    // A KerberosToken cannot be shipped to the tasks, so request a delegation token and use that instead.
    log.info("Received KerberosToken, fetching DelegationToken for MapReduce");
    try {
        final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        if (!currentUser.hasKerberosCredentials()) {
            throw new IllegalStateException("Expected current user to have Kerberos credentials");
        }
        log.info("Obtaining delegation token for {}", currentUser.getUserName());
        final Connector conn = getConnector();
        final String connectedAs = conn.whoami();
        // Check the permission up front so the failure mode is a clear message rather than a
        // server-side rejection of the delegation token request.
        if (!conn.securityOperations().hasSystemPermission(connectedAs, SystemPermission.OBTAIN_DELEGATION_TOKEN)) {
            log.error("{} doesn't have the {} SystemPermission neccesary to obtain a delegation token. MapReduce tasks cannot automatically use the client's" + " credentials on remote servers. Delegation tokens provide a means to run MapReduce without distributing the user's credentials.", currentUser.getUserName(), SystemPermission.OBTAIN_DELEGATION_TOKEN.name());
            throw new IllegalStateException(connectedAs + " does not have permission to obtain a delegation token");
        }
        return conn.securityOperations().getDelegationToken(new DelegationTokenConfig());
    } catch (Exception e) {
        // Boundary catch: everything above (including the IllegalStateExceptions) surfaces as one
        // RuntimeException with the original as cause.
        final String msg = "Failed to acquire DelegationToken for use with MapReduce";
        log.error(msg, e);
        throw new RuntimeException(msg, e);
    }
}

Example 29 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class CreateUserCommand, method execute.

/**
 * Creates a new local Accumulo user.
 *
 * <p>When the shell itself authenticated with a {@link KerberosToken}, the new user is created
 * with an empty {@link PasswordToken} and no password is prompted for. Otherwise the password is
 * read twice from the masked prompt and the two entries must match. Note that the password is held
 * in a {@code String} for the duration of the call and so cannot be zeroed afterwards.
 *
 * @param fullCommand the full command line as typed; not used by this command
 * @param cl the parsed command line; the first positional argument is the new user's name
 * @param shellState the shell, providing the client connection and the interactive prompt
 * @return 0 on success, and also 0 when the operator cancels at either prompt
 * @throws IllegalArgumentException if the confirmation does not match the first password entry
 * @throws AccumuloSecurityException propagated from {@code createLocalUser}
 */
@Override
public int execute(final String fullCommand, final CommandLine cl, final Shell shellState) throws AccumuloException, TableNotFoundException, AccumuloSecurityException, TableExistsException, IOException {
    final String user = cl.getArgs()[0];
    final AuthenticationToken shellToken = ((ClientContext) shellState.getAccumuloClient()).token();
    final PasswordToken newUserToken;
    if (shellToken instanceof KerberosToken) {
        // Kerberos deployment: the local user is created without a password.
        newUserToken = new PasswordToken();
    } else {
        newUserToken = promptForNewPassword(shellState, user);
        if (newUserToken == null) {
            // user canceled at one of the prompts: finish the line and report success without changes
            shellState.getWriter().println();
            return 0;
        }
    }
    shellState.getAccumuloClient().securityOperations().createLocalUser(user, newUserToken);
    Shell.log.debug("Created user {}", user);
    return 0;
}

/**
 * Reads a new password from the masked prompt and asks for it a second time as confirmation.
 *
 * @param shellState the shell providing the masked prompt
 * @param user the user name shown in the prompts
 * @return a token for the entered password, or {@code null} if either prompt was canceled
 * @throws IllegalArgumentException if the confirmation does not match the first entry
 */
private static PasswordToken promptForNewPassword(final Shell shellState, final String user) throws IOException {
    final String firstEntry = shellState.readMaskedLine("Enter new password for '" + user + "': ", '*');
    if (firstEntry == null) {
        return null;
    }
    final String confirmation = shellState.readMaskedLine("Please confirm new password for '" + user + "': ", '*');
    if (confirmation == null) {
        return null;
    }
    if (!firstEntry.equals(confirmation)) {
        throw new IllegalArgumentException("Passwords do not match");
    }
    return new PasswordToken(firstEntry);
}

Example 30 with KerberosToken

Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

The class ShellConfigIT, method experimentalPropTest.

/**
 * Checks that experimental properties are not listed by the shell's {@code config} command unless
 * they have been set explicitly.
 *
 * <p>The shell is driven through {@link MockShell} with the admin credentials: the raw password
 * for a {@link PasswordToken}, or no password (Kerberos login) for a {@link KerberosToken}. The
 * client properties file is taken from the mini cluster or the standalone cluster configuration,
 * depending on how the test is run.
 *
 * @throws Exception if the shell cannot be started or the command fails
 */
@Test
public void experimentalPropTest() throws Exception {
    // ensure experimental props do not show up in config output unless set
    final AuthenticationToken adminToken = getAdminToken();
    final File clientPropsFile = locateClientPropsFile();
    assertNotNull(clientPropsFile);
    final MockShell shell;
    if (adminToken instanceof PasswordToken) {
        final String passwd = new String(((PasswordToken) adminToken).getPassword(), UTF_8);
        shell = new MockShell(getAdminPrincipal(), passwd, getCluster().getInstanceName(), getCluster().getZooKeepers(), clientPropsFile);
    } else if (adminToken instanceof KerberosToken) {
        // No password for Kerberos; the shell picks up the current Kerberos login.
        shell = new MockShell(getAdminPrincipal(), null, getCluster().getInstanceName(), getCluster().getZooKeepers(), clientPropsFile);
    } else {
        fail("Unknown token type");
        shell = null;
    }
    // Sanity-check the assumption this test rests on: the probed properties really are experimental.
    assertTrue(Property.INSTANCE_CRYPTO_PREFIX.isExperimental());
    assertTrue(Property.INSTANCE_CRYPTO_SERVICE.isExperimental());
    final String configOutput = shell.exec("config");
    assertTrue(configOutput.contains(PERTABLE_CHOOSER_PROP));
    assertFalse(configOutput.contains(Property.INSTANCE_CRYPTO_SERVICE.getKey()));
}

/**
 * Resolves the client properties file for the cluster type the test is running against.
 *
 * @return the client properties file, or {@code null} after failing the test for an unknown type
 */
private File locateClientPropsFile() {
    switch (getClusterType()) {
        case MINI:
            final MiniAccumuloClusterImpl mac = (MiniAccumuloClusterImpl) getCluster();
            return mac.getConfig().getClientPropsFile();
        case STANDALONE:
            final StandaloneAccumuloClusterConfiguration standaloneConf = (StandaloneAccumuloClusterConfiguration) getClusterConfiguration();
            return standaloneConf.getClientPropsFile();
        default:
            fail("Unknown cluster type");
            return null;
    }
}
