
Example 31 with KerberosToken

use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

the class SharedMiniClusterBase method startMiniClusterWithConfig.

/**
 * Starts a MiniAccumuloCluster instance with the default configuration but also provides the
 * caller the opportunity to update the configuration before the MiniAccumuloCluster is started.
 *
 * <p>The authentication mode is chosen from the {@code MiniClusterHarness.USE_KERBEROS_FOR_IT_OPTION}
 * system property. When it is set, a test KDC is started, the Hadoop security configuration is
 * switched to Kerberos and the KDC's root user is logged in from its keytab so a
 * {@link KerberosToken} can be used; otherwise a fixed, test-only root password is used with a
 * {@link PasswordToken}. The cluster, the token and (when used) the KDC are stored in static fields
 * shared by every test method in the class.
 *
 * @param miniClusterCallback
 *          A callback to configure the minicluster before it is started.
 * @throws Exception
 *           if the KDC, the Kerberos login or the cluster fails to start
 */
public static void startMiniClusterWithConfig(MiniClusterConfigurationCallback miniClusterCallback) throws Exception {
    // Working directory for the shared cluster, under the build's target/ directory
    File baseDir = new File(System.getProperty("user.dir") + "/target/mini-tests");
    // mkdirs() returns false when the directory already exists, so accept either outcome
    assertTrue(baseDir.mkdirs() || baseDir.isDirectory());
    // Make a shared MAC instance instead of spinning up one per test method
    MiniClusterHarness harness = new MiniClusterHarness();
    if (TRUE.equals(System.getProperty(MiniClusterHarness.USE_KERBEROS_FOR_IT_OPTION))) {
        krb = new TestingKdc();
        krb.start();
        // Enable Kerberos auth for Hadoop's UserGroupInformation. Configuration(false) does not load
        // the default resources, so the only setting in effect is the authentication mode below;
        // this must happen before the keytab login for UGI to treat it as a Kerberos login.
        Configuration conf = new Configuration(false);
        conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
        UserGroupInformation.setConfiguration(conf);
        // Login as the client (the KDC's root user) from its keytab
        ClusterUser rootUser = krb.getRootUser();
        // Get the krb token; KerberosToken() presumably picks up the login performed just above —
        // confirm against the token's constructor
        UserGroupInformation.loginUserFromKeytab(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
        token = new KerberosToken();
    } else {
        // Non-Kerberos mode: a fixed, test-only root credential shared by all test methods
        rootPassword = "rootPasswordShared1";
        token = new PasswordToken(rootPassword);
    }
    // krb is null when Kerberos is not enabled; the harness appears to accept that — confirm
    cluster = harness.create(getTestClassName(), SharedMiniClusterBase.class.getSimpleName(), token, miniClusterCallback, krb);
    cluster.start();
}

Example 32 with KerberosToken

use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

the class KerberosReplicationIT method dataReplicatedToCorrectTable.

/**
 * Verifies that data written to a replicated table on the primary cluster arrives in the
 * configured target table on the peer cluster, with both clusters authenticated via Kerberos.
 *
 * <p>Everything runs inside a {@code doAs} for the root principal: the peer is given a dedicated
 * replication user, the primary is configured with that user's principal, keytab and the peer's
 * connection details, a table pair is created with replication enabled, data is written, the
 * tablet server is restarted to close the WAL, and the peer table is then checked to contain
 * exactly the entries written to the primary.
 *
 * @throws Exception
 *           if the Kerberos login or any cluster or Accumulo operation fails
 */
@Test
public void dataReplicatedToCorrectTable() throws Exception {
    // Login as the root user
    // NOTE(review): the keytab is passed here as a file: URI string, while the other Kerberos tests
    // pass getKeytab().getAbsolutePath(); confirm that UGI accepts the URI form
    final UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().toURI().toString());
    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
        log.info("testing {}", ugi);
        // One KerberosToken is shared by the clients for both clusters
        final KerberosToken token = new KerberosToken();
        try (AccumuloClient primaryclient = primary.createAccumuloClient(rootUser.getPrincipal(), token);
            AccumuloClient peerclient = peer.createAccumuloClient(rootUser.getPrincipal(), token)) {
            // The peer-side identity the primary will use when replicating
            ClusterUser replicationUser = kdc.getClientPrincipal(0);
            // Create user for replication to the peer. The null password presumably reflects that
            // this user authenticates via Kerberos — confirm against createLocalUser's contract
            peerclient.securityOperations().createLocalUser(replicationUser.getPrincipal(), null);
            // Tell the primary which principal and keytab to use for this peer
            primaryclient.instanceOperations().setProperty(Property.REPLICATION_PEER_USER.getKey() + PEER_NAME, replicationUser.getPrincipal());
            primaryclient.instanceOperations().setProperty(Property.REPLICATION_PEER_KEYTAB.getKey() + PEER_NAME, replicationUser.getKeytab().getAbsolutePath());
            // ...peer = AccumuloReplicaSystem,instanceName,zookeepers
            ClientInfo info = ClientInfo.from(peerclient.properties());
            primaryclient.instanceOperations().setProperty(Property.REPLICATION_PEERS.getKey() + PEER_NAME, ReplicaSystemFactory.getPeerConfigurationValue(AccumuloReplicaSystem.class, AccumuloReplicaSystem.buildConfiguration(info.getInstanceName(), info.getZooKeepers())));
            String primaryTable1 = "primary", peerTable1 = "peer";
            // Create tables; the peer table is created first so its id can be used as the replication target
            peerclient.tableOperations().create(peerTable1);
            String peerTableId1 = peerclient.tableOperations().tableIdMap().get(peerTable1);
            assertNotNull(peerTableId1);
            Map<String, String> props = new HashMap<>();
            props.put(Property.TABLE_REPLICATION.getKey(), "true");
            // Replicate this table to the peerClusterName in a table with the peerTableId table id
            props.put(Property.TABLE_REPLICATION_TARGET.getKey() + PEER_NAME, peerTableId1);
            primaryclient.tableOperations().create(primaryTable1, new NewTableConfiguration().setProperties(props));
            String managerTableId1 = primaryclient.tableOperations().tableIdMap().get(primaryTable1);
            assertNotNull(managerTableId1);
            // Grant write permission on the peer table to the replication user only
            peerclient.securityOperations().grantTablePermission(replicationUser.getPrincipal(), peerTable1, TablePermission.WRITE);
            // Write some data to table1: 2500 rows x 100 columns, counting every put so the total
            // can be compared against what shows up on the peer
            long managerTable1Records = 0L;
            try (BatchWriter bw = primaryclient.createBatchWriter(primaryTable1)) {
                for (int rows = 0; rows < 2500; rows++) {
                    // Row ids are prefixed with the table name; the peer-side check relies on this
                    Mutation m = new Mutation(primaryTable1 + rows);
                    for (int cols = 0; cols < 100; cols++) {
                        String value = Integer.toString(cols);
                        m.put(value, "", value);
                        managerTable1Records++;
                    }
                    bw.addMutation(m);
                }
            }
            log.info("Wrote all data to primary cluster");
            Set<String> filesFor1 = primaryclient.replicationOperations().referencedFiles(primaryTable1);
            // Restart the tserver to force a close on the WAL
            for (ProcessReference proc : primary.getProcesses().get(ServerType.TABLET_SERVER)) {
                primary.killProcess(ServerType.TABLET_SERVER, proc);
            }
            primary.exec(TabletServer.class);
            log.info("Restarted the tserver");
            // Read the data -- the tserver is back up and running and tablets are assigned
            Iterators.size(primaryclient.createScanner(primaryTable1, Authorizations.EMPTY).iterator());
            // Wait for both tables to be replicated
            log.info("Waiting for {} for {}", filesFor1, primaryTable1);
            primaryclient.replicationOperations().drain(primaryTable1, filesFor1);
            long countTable = 0L;
            try (var scanner = peerclient.createScanner(peerTable1, Authorizations.EMPTY)) {
                for (Entry<Key, Value> entry : scanner) {
                    countTable++;
                    // Every row on the peer must carry the primary table's row prefix
                    assertTrue("Found unexpected key-value" + entry.getKey().toStringNoTruncate() + " " + entry.getValue(), entry.getKey().getRow().toString().startsWith(primaryTable1));
                }
            }
            log.info("Found {} records in {}", countTable, peerTable1);
            // Entry count on the peer must match the number of puts on the primary
            assertEquals(managerTable1Records, countTable);
            return null;
        }
    });
}

Example 33 with KerberosToken

use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

the class KerberosIT method testUserPrivilegesThroughGrant.

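/**
 * Verifies that a freshly created Kerberos user starts with no system permissions and that, once
 * root grants {@link SystemPermission#CREATE_TABLE}, the user can create, write to and compact a
 * table.
 *
 * <p>Every {@link AccumuloClient} is opened in a try-with-resources block so the client is closed
 * before the next {@code doAs} switches identities, matching the other Kerberos tests.
 *
 * @throws Exception
 *           if principal creation, the Kerberos login or any Accumulo operation fails
 */
@SuppressFBWarnings(value = "PATH_TRAVERSAL_IN", justification = "path provided by test")
@Test
public void testUserPrivilegesThroughGrant() throws Exception {
    String user1 = testName.getMethodName();
    // The keytab lives in the test KDC's directory and is named after the test method
    final File user1Keytab = new File(kdc.getKeytabDir(), user1 + ".keytab");
    // Remove a keytab left over from an earlier run before creating the principal; only warn if that fails
    if (user1Keytab.exists() && !user1Keytab.delete()) {
        log.warn("Unable to delete {}", user1Keytab);
    }
    // Create some new users
    kdc.createPrincipal(user1Keytab, user1);
    final String qualifiedUser1 = kdc.qualifyUser(user1);
    // Log in as user1
    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(user1, user1Keytab.getAbsolutePath());
    log.info("Logged in as {}", user1);
    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
        // Indirectly creates this user when we use it
        try (AccumuloClient client = mac.createAccumuloClient(qualifiedUser1, new KerberosToken())) {
            log.info("Created client as {}", qualifiedUser1);
            // The new user should have no system permissions
            for (SystemPermission perm : SystemPermission.values()) {
                assertFalse(client.securityOperations().hasSystemPermission(qualifiedUser1, perm));
            }
        }
        return null;
    });
    // Switch to root to grant the single permission under test
    ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
        try (AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
            client.securityOperations().grantSystemPermission(qualifiedUser1, SystemPermission.CREATE_TABLE);
        }
        return null;
    });
    // Switch back to the original user
    ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(user1, user1Keytab.getAbsolutePath());
    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
        try (AccumuloClient client = mac.createAccumuloClient(qualifiedUser1, new KerberosToken())) {
            // Shouldn't throw an exception since we granted the create table permission
            final String table = testName.getMethodName() + "_user_table";
            client.tableOperations().create(table);
            // Make sure we can actually use the table we made
            try (BatchWriter bw = client.createBatchWriter(table)) {
                Mutation m = new Mutation("a");
                m.put("b", "c", "d");
                bw.addMutation(m);
            }
            client.tableOperations().compact(table, new CompactionConfig().setWait(true).setFlush(true));
        }
        return null;
    });
}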

Example 34 with KerberosToken

use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

the class KerberosIT method testRestartedManagerReusesSecretKey.

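/**
 * Verifies that a manager restart does not rotate the delegation token secret key: a token issued
 * before the restart still authenticates afterwards, and a token issued after the restart carries
 * the same key id as the first one.
 *
 * <p>Every {@link AccumuloClient} is opened in a try-with-resources block so clients created under
 * one token do not outlive the step that needed them.
 *
 * @throws Exception
 *           if the Kerberos login, a cluster control operation or any Accumulo operation fails
 */
@Test
public void testRestartedManagerReusesSecretKey() throws Exception {
    // Login as the "root" user
    UserGroupInformation root = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    log.info("Logged in as {}", rootUser.getPrincipal());
    // As the "root" user, open up the connection and get a delegation token
    final AuthenticationToken delegationToken1 = getDelegationTokenAsRoot(root);
    log.info("Stopping manager");
    mac.getClusterControl().stop(ServerType.MANAGER);
    // Give the manager time to stop fully before starting it again
    Thread.sleep(5000);
    log.info("Restarting manager");
    mac.getClusterControl().start(ServerType.MANAGER);
    // Make sure our original token is still good
    root.doAs((PrivilegedExceptionAction<Void>) () -> {
        try (AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), delegationToken1)) {
            assertFalse("Could not get tables with delegation token", client.tableOperations().list().isEmpty());
        }
        return null;
    });
    // Get a new token, so we can compare the keyId on the second to the first
    final AuthenticationToken delegationToken2 = getDelegationTokenAsRoot(root);
    // A restarted manager should reuse the same secret key after a restart if the secret key hasn't
    // expired (1day by default)
    DelegationTokenImpl dt1 = (DelegationTokenImpl) delegationToken1;
    DelegationTokenImpl dt2 = (DelegationTokenImpl) delegationToken2;
    assertEquals(dt1.getIdentifier().getKeyId(), dt2.getIdentifier().getKeyId());
}

/**
 * Obtains a delegation token for the root principal while running as {@code root}, checking that
 * the client is authenticated as root and that the issued token can be used to list tables.
 *
 * @param root
 *          the logged-in root UGI to run under
 * @return the delegation token issued by the manager
 * @throws Exception
 *           if a client cannot be created or the token cannot be obtained
 */
private AuthenticationToken getDelegationTokenAsRoot(UserGroupInformation root) throws Exception {
    return root.doAs((PrivilegedExceptionAction<AuthenticationToken>) () -> {
        try (AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
            log.info("Created client as {}", rootUser.getPrincipal());
            assertEquals(rootUser.getPrincipal(), client.whoami());
            AuthenticationToken token = client.securityOperations().getDelegationToken(new DelegationTokenConfig());
            // Sanity-check the token before handing it back, closing the token-authenticated client too
            try (AccumuloClient tokenClient = mac.createAccumuloClient(rootUser.getPrincipal(), token)) {
                assertFalse("Could not get tables with delegation token", tokenClient.tableOperations().list().isEmpty());
            }
            return token;
        }
    });
}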

Example 35 with KerberosToken

use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.

the class KerberosIT method testDelegationTokenWithReducedLifetime.

/**
 * Verifies that a delegation token requested with a five minute lifetime is issued with an
 * expiration no later than five minutes after its issue time.
 *
 * @throws Throwable
 *           if the Kerberos login or any Accumulo operation fails
 */
@Test
public void testDelegationTokenWithReducedLifetime() throws Throwable {
    // Login as the "root" user
    final UserGroupInformation rootUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
    log.info("Logged in as {}", rootUser.getPrincipal());
    // Running as root, open a client and request a token with a reduced lifetime
    final PrivilegedExceptionAction<AuthenticationToken> fetchShortLivedToken = () -> {
        try (AccumuloClient client = mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
            log.info("Created client as {}", rootUser.getPrincipal());
            assertEquals(rootUser.getPrincipal(), client.whoami());
            final DelegationTokenConfig shortLived = new DelegationTokenConfig().setTokenLifetime(5, MINUTES);
            return client.securityOperations().getDelegationToken(shortLived);
        }
    };
    final AuthenticationToken dt = rootUgi.doAs(fetchShortLivedToken);
    // The identifier carries the issue and expiration timestamps used to check the lifetime
    final AuthenticationTokenIdentifier identifier = ((DelegationTokenImpl) dt).getIdentifier();
    final long lifetimeMillis = identifier.getExpirationDate() - identifier.getIssueDate();
    assertTrue("Expected identifier to expire in no more than 5 minutes: " + identifier, lifetimeMillis <= MINUTES.toMillis(5));
}
