Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
The class SharedMiniClusterBase, method startMiniClusterWithConfig.
/**
 * Starts a shared MiniAccumuloCluster with the default configuration, letting the caller adjust
 * that configuration through {@code miniClusterCallback} before the cluster is launched.
 *
 * <p>
 * When the {@link MiniClusterHarness#USE_KERBEROS_FOR_IT_OPTION} system property is {@code true},
 * a {@link TestingKdc} is started, Hadoop security is switched to kerberos, the KDC's root user is
 * logged in from its keytab and a {@link KerberosToken} becomes the shared client credential;
 * otherwise a fixed shared root password wrapped in a {@link PasswordToken} is used.
 *
 * @param miniClusterCallback
 *          A callback to configure the minicluster before it is started.
 * @throws Exception
 *           if the KDC, the Hadoop login or the cluster itself fails to start
 */
public static void startMiniClusterWithConfig(MiniClusterConfigurationCallback miniClusterCallback)
    throws Exception {
  File baseDir = new File(System.getProperty("user.dir") + "/target/mini-tests");
  // Either the directory was just created or it already existed; anything else fails the setup
  assertTrue(baseDir.mkdirs() || baseDir.isDirectory());

  // One shared MAC for the whole test class rather than one per test method
  MiniClusterHarness harness = new MiniClusterHarness();
  boolean useKerberos =
      TRUE.equals(System.getProperty(MiniClusterHarness.USE_KERBEROS_FOR_IT_OPTION));
  if (useKerberos) {
    krb = new TestingKdc();
    krb.start();
    // Switch Hadoop security over to kerberos
    Configuration hadoopConf = new Configuration(false);
    hadoopConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
    UserGroupInformation.setConfiguration(hadoopConf);
    // Log in the KDC's root user from its keytab and use its kerberos identity as the token
    ClusterUser kdcRoot = krb.getRootUser();
    UserGroupInformation.loginUserFromKeytab(kdcRoot.getPrincipal(),
        kdcRoot.getKeytab().getAbsolutePath());
    token = new KerberosToken();
  } else {
    rootPassword = "rootPasswordShared1";
    token = new PasswordToken(rootPassword);
  }
  cluster = harness.create(getTestClassName(), SharedMiniClusterBase.class.getSimpleName(), token,
      miniClusterCallback, krb);
  cluster.start();
}
Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
The class KerberosReplicationIT, method dataReplicatedToCorrectTable.
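/**
 * Replicates a table from the primary cluster to the peer cluster using kerberos credentials and
 * verifies that every record written to the primary table arrives in the configured peer table.
 *
 * <p>
 * The peer is registered on the primary through the {@code REPLICATION_PEER_*} instance
 * properties (the replication user's principal and the path of its keytab, not its contents), the
 * peer table id is wired into {@code TABLE_REPLICATION_TARGET} on the primary table, 2500 rows of
 * 100 columns are written, the tablet server is restarted to close the WAL, and the replication
 * queue is drained before the peer table is counted.
 */
@Test
public void dataReplicatedToCorrectTable() throws Exception {
  // Login as the root user
  final UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      rootUser.getPrincipal(), rootUser.getKeytab().toURI().toString());
  ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
    log.info("testing {}", ugi);
    final KerberosToken token = new KerberosToken();
    try (AccumuloClient primaryclient =
        primary.createAccumuloClient(rootUser.getPrincipal(), token);
        AccumuloClient peerclient = peer.createAccumuloClient(rootUser.getPrincipal(), token)) {
      ClusterUser replicationUser = kdc.getClientPrincipal(0);
      // Create user for replication to the peer (no password: the principal authenticates via
      // kerberos)
      peerclient.securityOperations().createLocalUser(replicationUser.getPrincipal(), null);
      primaryclient.instanceOperations().setProperty(
          Property.REPLICATION_PEER_USER.getKey() + PEER_NAME, replicationUser.getPrincipal());
      primaryclient.instanceOperations().setProperty(
          Property.REPLICATION_PEER_KEYTAB.getKey() + PEER_NAME,
          replicationUser.getKeytab().getAbsolutePath());
      // ...peer = AccumuloReplicaSystem,instanceName,zookeepers
      ClientInfo info = ClientInfo.from(peerclient.properties());
      primaryclient.instanceOperations().setProperty(
          Property.REPLICATION_PEERS.getKey() + PEER_NAME,
          ReplicaSystemFactory.getPeerConfigurationValue(AccumuloReplicaSystem.class,
              AccumuloReplicaSystem.buildConfiguration(info.getInstanceName(),
                  info.getZooKeepers())));
      String primaryTable1 = "primary", peerTable1 = "peer";
      // Create tables
      peerclient.tableOperations().create(peerTable1);
      String peerTableId1 = peerclient.tableOperations().tableIdMap().get(peerTable1);
      assertNotNull(peerTableId1);
      Map<String,String> props = new HashMap<>();
      props.put(Property.TABLE_REPLICATION.getKey(), "true");
      // Replicate this table to the peerClusterName in a table with the peerTableId table id
      props.put(Property.TABLE_REPLICATION_TARGET.getKey() + PEER_NAME, peerTableId1);
      primaryclient.tableOperations().create(primaryTable1,
          new NewTableConfiguration().setProperties(props));
      String managerTableId1 = primaryclient.tableOperations().tableIdMap().get(primaryTable1);
      assertNotNull(managerTableId1);
      // Grant write permission
      peerclient.securityOperations().grantTablePermission(replicationUser.getPrincipal(),
          peerTable1, TablePermission.WRITE);
      // Write some data to table1
      long managerTable1Records = 0L;
      try (BatchWriter bw = primaryclient.createBatchWriter(primaryTable1)) {
        for (int rows = 0; rows < 2500; rows++) {
          Mutation m = new Mutation(primaryTable1 + rows);
          for (int cols = 0; cols < 100; cols++) {
            String value = Integer.toString(cols);
            m.put(value, "", value);
            managerTable1Records++;
          }
          bw.addMutation(m);
        }
      }
      log.info("Wrote all data to primary cluster");
      Set<String> filesFor1 =
          primaryclient.replicationOperations().referencedFiles(primaryTable1);
      // Restart the tserver to force a close on the WAL
      for (ProcessReference proc : primary.getProcesses().get(ServerType.TABLET_SERVER)) {
        primary.killProcess(ServerType.TABLET_SERVER, proc);
      }
      primary.exec(TabletServer.class);
      log.info("Restarted the tserver");
      // Read the data -- the tserver is back up and running and tablets are assigned.
      // The scanner is closed explicitly instead of being discarded unclosed.
      try (var primaryScanner =
          primaryclient.createScanner(primaryTable1, Authorizations.EMPTY)) {
        Iterators.size(primaryScanner.iterator());
      }
      // Wait for both tables to be replicated
      log.info("Waiting for {} for {}", filesFor1, primaryTable1);
      primaryclient.replicationOperations().drain(primaryTable1, filesFor1);
      long countTable = 0L;
      try (var scanner = peerclient.createScanner(peerTable1, Authorizations.EMPTY)) {
        for (Entry<Key,Value> entry : scanner) {
          countTable++;
          // Every replicated row must carry the primary table's row prefix
          assertTrue(
              "Found unexpected key-value" + entry.getKey().toStringNoTruncate() + " "
                  + entry.getValue(),
              entry.getKey().getRow().toString().startsWith(primaryTable1));
        }
      }
      log.info("Found {} records in {}", countTable, peerTable1);
      assertEquals(managerTable1Records, countTable);
      return null;
    }
  });
}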
Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
The class KerberosIT, method testUserPrivilegesThroughGrant.
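/**
 * Verifies that a freshly created kerberos user starts with no system permissions and that, once
 * root grants {@code CREATE_TABLE}, the user can create, write to and compact a table.
 *
 * <p>
 * Each principal is logged in from its keytab and the Accumulo calls run under that principal's
 * {@code ugi.doAs}. Every client is opened in a try-with-resources block so none is leaked.
 */
@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by test")
@Test
public void testUserPrivilegesThroughGrant() throws Exception {
  String user1 = testName.getMethodName();
  final File user1Keytab = new File(kdc.getKeytabDir(), user1 + ".keytab");
  // Remove any keytab left over from an earlier run before creating the principal
  if (user1Keytab.exists() && !user1Keytab.delete()) {
    log.warn("Unable to delete {}", user1Keytab);
  }
  // Create some new users
  kdc.createPrincipal(user1Keytab, user1);
  final String qualifiedUser1 = kdc.qualifyUser(user1);
  // Log in as user1
  UserGroupInformation ugi =
      UserGroupInformation.loginUserFromKeytabAndReturnUGI(user1, user1Keytab.getAbsolutePath());
  log.info("Logged in as {}", user1);
  ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
    // Indirectly creates this user when we use it
    try (AccumuloClient client = mac.createAccumuloClient(qualifiedUser1, new KerberosToken())) {
      log.info("Created client as {}", qualifiedUser1);
      // The new user should have no system permissions
      for (SystemPermission perm : SystemPermission.values()) {
        assertFalse(client.securityOperations().hasSystemPermission(qualifiedUser1, perm));
      }
    }
    return null;
  });
  // As root, grant the single permission the rest of the test relies on
  ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(),
      rootUser.getKeytab().getAbsolutePath());
  ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
    try (AccumuloClient client =
        mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
      client.securityOperations().grantSystemPermission(qualifiedUser1,
          SystemPermission.CREATE_TABLE);
    }
    return null;
  });
  // Switch back to the original user
  ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(user1, user1Keytab.getAbsolutePath());
  ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
    try (AccumuloClient client = mac.createAccumuloClient(qualifiedUser1, new KerberosToken())) {
      // Shouldn't throw an exception since we granted the create table permission
      final String table = testName.getMethodName() + "_user_table";
      client.tableOperations().create(table);
      // Make sure we can actually use the table we made
      try (BatchWriter bw = client.createBatchWriter(table)) {
        Mutation m = new Mutation("a");
        m.put("b", "c", "d");
        bw.addMutation(m);
      }
      client.tableOperations().compact(table,
          new CompactionConfig().setWait(true).setFlush(true));
    }
    return null;
  });
}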
Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
The class KerberosIT, method testRestartedManagerReusesSecretKey.
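/**
 * Verifies that a delegation token issued before a manager restart is still accepted afterwards
 * and that the restarted manager issues its next token under the same secret key id.
 *
 * <p>
 * The two token requests and the three "can this token list tables" checks are shared through
 * private helpers so that every {@code AccumuloClient} is closed rather than leaked.
 */
@Test
public void testRestartedManagerReusesSecretKey() throws Exception {
  // Login as the "root" user
  UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
  log.info("Logged in as {}", rootUser.getPrincipal());
  // As the "root" user, open up the connection and get a delegation token
  final AuthenticationToken delegationToken1 = fetchDelegationTokenAsRoot(root);
  log.info("Stopping manager");
  mac.getClusterControl().stop(ServerType.MANAGER);
  // Pause between stop and start, as the original test did
  Thread.sleep(5000);
  log.info("Restarting manager");
  mac.getClusterControl().start(ServerType.MANAGER);
  // Make sure our original token is still good
  root.doAs((PrivilegedExceptionAction<Void>) () -> {
    assertTablesVisibleWith(delegationToken1);
    return null;
  });
  // Get a new token, so we can compare the keyId on the second to the first
  final AuthenticationToken delegationToken2 = fetchDelegationTokenAsRoot(root);
  // A restarted manager should reuse the same secret key after a restart if the secret key hasn't
  // expired (1day by default)
  DelegationTokenImpl dt1 = (DelegationTokenImpl) delegationToken1;
  DelegationTokenImpl dt2 = (DelegationTokenImpl) delegationToken2;
  assertEquals(dt1.getIdentifier().getKeyId(), dt2.getIdentifier().getKeyId());
}

/**
 * Runs as {@code root}, opens a kerberos-authenticated client, requests a delegation token with
 * the default {@link DelegationTokenConfig} and checks that the token can list tables before
 * returning it.
 *
 * @param root
 *          the logged-in root UGI to run under
 * @return the delegation token issued to root
 * @throws Exception
 *           if the doAs, the client creation or the token request fails
 */
private AuthenticationToken fetchDelegationTokenAsRoot(UserGroupInformation root)
    throws Exception {
  return root.doAs((PrivilegedExceptionAction<AuthenticationToken>) () -> {
    try (AccumuloClient client =
        mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
      log.info("Created client as {}", rootUser.getPrincipal());
      assertEquals(rootUser.getPrincipal(), client.whoami());
      AuthenticationToken token =
          client.securityOperations().getDelegationToken(new DelegationTokenConfig());
      assertTablesVisibleWith(token);
      return token;
    }
  });
}

/**
 * Asserts that a client authenticated as root with {@code token} sees at least one table. The
 * client is closed before returning.
 *
 * @param token
 *          the token to authenticate with
 * @throws Exception
 *           if the client cannot be created or the table listing fails
 */
private void assertTablesVisibleWith(AuthenticationToken token) throws Exception {
  try (AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), token)) {
    assertFalse("Could not get tables with delegation token",
        client.tableOperations().list().isEmpty());
  }
}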
Use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
The class KerberosIT, method testDelegationTokenWithReducedLifetime.
/**
 * Requests a delegation token with a five minute lifetime and checks that the issued identifier's
 * expiration date is at most five minutes after its issue date.
 */
@Test
public void testDelegationTokenWithReducedLifetime() throws Throwable {
  // Login as the "root" user
  UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
  log.info("Logged in as {}", rootUser.getPrincipal());
  // As the "root" user, open up the connection and get a delegation token
  final AuthenticationToken dt = root.doAs((PrivilegedExceptionAction<AuthenticationToken>) () -> {
    try (AccumuloClient client =
        mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
      log.info("Created client as {}", rootUser.getPrincipal());
      assertEquals(rootUser.getPrincipal(), client.whoami());
      DelegationTokenConfig shortLived = new DelegationTokenConfig().setTokenLifetime(5, MINUTES);
      return client.securityOperations().getDelegationToken(shortLived);
    }
  });
  AuthenticationTokenIdentifier identifier = ((DelegationTokenImpl) dt).getIdentifier();
  // Lifetime as recorded in the identifier itself, in milliseconds
  long lifetimeMillis = identifier.getExpirationDate() - identifier.getIssueDate();
  assertTrue("Expected identifier to expire in no more than 5 minutes: " + identifier,
      lifetimeMillis <= MINUTES.toMillis(5));
}