use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class KerberosIT method testDelegationTokenAsDifferentUser.
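/**
 * Verifies that a delegation token is bound to the principal that obtained it.
 *
 * <p>The "root" user logs in from its keytab and requests a delegation token. A second user with
 * no Kerberos credentials then presents that token while claiming to be "some_other_user". The
 * attempt must fail with an {@link AccumuloSecurityException}, surfaced as the cause of the
 * {@link UndeclaredThrowableException} thrown out of {@code doAs}.
 *
 * @throws Exception if the login or the token request as the "root" user fails
 */
@Test
public void testDelegationTokenAsDifferentUser() throws Exception {
  // Login as the "root" user
  UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
  log.info("Logged in as {}", rootUser.getPrincipal());

  // As the "root" user, open up the connection and get a delegation token. The client is closed
  // as soon as the token has been issued, matching testDelegationTokenWithInvalidLifetime.
  final AuthenticationToken delegationToken =
      ugi.doAs((PrivilegedExceptionAction<AuthenticationToken>) () -> {
        try (AccumuloClient client =
            mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
          log.info("Created client as {}", rootUser.getPrincipal());
          assertEquals(rootUser.getPrincipal(), client.whoami());
          return client.securityOperations().getDelegationToken(new DelegationTokenConfig());
        }
      });

  // make a fake user that won't have krb credentials
  UserGroupInformation userWithoutPrivs =
      UserGroupInformation.createUserForTesting("fake_user", new String[0]);

  // Use the delegation token to try to log in as a different user. Either client creation or
  // the explicit authenticateUser call may be the step that is refused; both are inside the
  // assertion so the test does not depend on which one it is.
  var e = assertThrows("Using a delegation token as a different user should throw an exception",
      UndeclaredThrowableException.class,
      () -> userWithoutPrivs.doAs((PrivilegedExceptionAction<Void>) () -> {
        try (AccumuloClient client =
            mac.createAccumuloClient("some_other_user", delegationToken)) {
          client.securityOperations().authenticateUser("some_other_user", delegationToken);
          return null;
        }
      }));

  Throwable cause = e.getCause();
  assertNotNull(cause);
  // We should get an AccumuloSecurityException from trying to use a delegation token for the
  // wrong user
  assertTrue("Expected cause to be AccumuloSecurityException, but was " + cause.getClass(),
      cause instanceof AccumuloSecurityException);
}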
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class KerberosIT method testDelegationTokenWithInvalidLifetime.
/**
 * Checks that a delegation token request with an excessive lifetime is refused.
 *
 * <p>The "root" user authenticates from its keytab and asks for a token whose lifetime is
 * {@code Long.MAX_VALUE} milliseconds. The request is expected to fail with an
 * {@link AccumuloException}, which {@code doAs} wraps in an
 * {@link UndeclaredThrowableException}.
 */
@Test
public void testDelegationTokenWithInvalidLifetime() throws Throwable {
  // Authenticate from the keytab as the "root" principal
  UserGroupInformation rootUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
      rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
  log.info("Logged in as {}", rootUser.getPrincipal());

  // Runs as "root": connect, confirm the identity, then request the over-long token
  PrivilegedExceptionAction<AuthenticationToken> requestOverlongToken = () -> {
    try (AccumuloClient client =
        mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
      log.info("Created client as {}", rootUser.getPrincipal());
      assertEquals(rootUser.getPrincipal(), client.whoami());
      // This request is the one expected to be rejected
      DelegationTokenConfig overlong =
          new DelegationTokenConfig().setTokenLifetime(Long.MAX_VALUE, TimeUnit.MILLISECONDS);
      return client.securityOperations().getDelegationToken(overlong);
    }
  };

  UndeclaredThrowableException thrown =
      assertThrows(UndeclaredThrowableException.class, () -> rootUgi.doAs(requestOverlongToken));

  // The exact class is compared, so a subclass of AccumuloException would not satisfy this
  Throwable cause = thrown.getCause();
  assertEquals(AccumuloException.class, cause.getClass());
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class KerberosRenewalIT method testReadAndWriteThroughTicketLifetime.
// Intentionally setting the Test annotation timeout. We do not want to scale the timeout.
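@Test(timeout = TEST_DURATION)
public void testReadAndWriteThroughTicketLifetime() throws Exception {
  // Attempt to use Accumulo for a duration of time that exceeds the Kerberos ticket lifetime.
  // This is a functional test to verify that Accumulo services renew their ticket.
  // If the test doesn't finish on its own, this signifies that Accumulo services failed
  // and the test should fail. If Accumulo services renew their ticket, the test case
  // should exit gracefully on its own.

  // Login as the "root" user
  UserGroupInformation.loginUserFromKeytab(rootUser.getPrincipal(),
      rootUser.getKeytab().getAbsolutePath());
  log.info("Logged in as {}", rootUser.getPrincipal());

  // try-with-resources closes the client on every exit path, including an assertion failure or
  // an interrupt raised when the test timeout fires.
  try (AccumuloClient client =
      mac.createAccumuloClient(rootUser.getPrincipal(), new KerberosToken())) {
    log.info("Created client as {}", rootUser.getPrincipal());
    assertEquals(rootUser.getPrincipal(), client.whoami());

    long duration = 0;
    long last = System.currentTimeMillis();
    // Make sure we have a couple renewals happen
    while (duration < TICKET_TEST_LIFETIME) {
      // Create a table, write a record, compact, read the record, drop the table.
      createReadWriteDrop(client);
      // Wait a bit after
      Thread.sleep(5000);
      // Update the duration
      long now = System.currentTimeMillis();
      duration += now - last;
      last = now;
    }
  }
}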
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class SaslConnectionParamsTest method testDefaultParams.
/**
 * Checks the values {@code SaslConnectionParams} reports when built from a mocked
 * {@link KerberosToken} with no explicit overrides.
 *
 * <p>The expected quality of protection is the default of {@code Property.RPC_SASL_QOP}. It must
 * be the only entry in the SASL property map, so a change that alters the default protection
 * level or adds further SASL properties fails here.
 */
@Test
public void testDefaultParams() throws Exception {
  final KerberosToken token = EasyMock.createMock(KerberosToken.class);

  PrivilegedExceptionAction<Void> verifyDefaults = () -> {
    final SaslConnectionParams params = createSaslParams(token);
    assertEquals(primary, params.getKerberosServerPrimary());

    // The protection level must fall back to the property's declared default
    final QualityOfProtection expectedQop =
        QualityOfProtection.get(Property.RPC_SASL_QOP.getDefaultValue());
    assertEquals(expectedQop, params.getQualityOfProtection());

    // Exactly one SASL property is expected, and it carries the QOP
    Map<String, String> saslProps = params.getSaslProperties();
    assertEquals(1, saslProps.size());
    assertEquals(expectedQop.getQuality(), saslProps.get(Sasl.QOP));

    assertEquals(username, params.getPrincipal());
    return null;
  };

  // Execute the checks under the test user's login context
  testUser.doAs(verifyDefaults);
}
use of org.apache.accumulo.core.client.security.tokens.KerberosToken in project accumulo by apache.
the class SaslConnectionParamsTest method testDefaultParamsAsClient.
/**
 * Checks the default SASL connection parameters for the client-side case.
 *
 * <p>With a mocked {@link KerberosToken}, the parameters must report the expected server primary
 * and principal, and the default quality of protection from {@code Property.RPC_SASL_QOP} as the
 * only SASL property.
 */
@Test
public void testDefaultParamsAsClient() throws Exception {
  // NOTE(review): as shown here the body is identical to testDefaultParams; confirm whether the
  // client-side variant was meant to build its parameters differently.
  final KerberosToken token = EasyMock.createMock(KerberosToken.class);

  PrivilegedExceptionAction<Void> verifyClientDefaults = () -> {
    final SaslConnectionParams params = createSaslParams(token);
    assertEquals(primary, params.getKerberosServerPrimary());

    // Without an override, the QOP is the property's declared default
    final QualityOfProtection expectedQop =
        QualityOfProtection.get(Property.RPC_SASL_QOP.getDefaultValue());
    assertEquals(expectedQop, params.getQualityOfProtection());

    // The SASL property map must hold the QOP entry and nothing else
    Map<String, String> saslProps = params.getSaslProperties();
    assertEquals(1, saslProps.size());
    assertEquals(expectedQop.getQuality(), saslProps.get(Sasl.QOP));

    assertEquals(username, params.getPrincipal());
    return null;
  };

  // Execute the checks under the test user's login context
  testUser.doAs(verifyClientDefaults);
}