use of org.apache.accumulo.core.securityImpl.thrift.TCredentials in project accumulo by apache.
the class ClientServiceHandler method createLocalUser.
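/**
 * Creates a new local user named {@code principal} on behalf of the caller identified by
 * {@code credentials}.
 *
 * <p>
 * When {@code context.getSaslParams()} is non-null, the new user is registered with a
 * {@link KerberosToken} and the supplied {@code password} is not used. Otherwise the password is
 * wrapped in a {@link PasswordToken}. The user is created with an empty {@link Authorizations}
 * set. This method performs no permission check of its own; the caller's {@code credentials} are
 * handed to {@code security.createUser}, which is relied on to decide whether the caller may
 * create users.
 *
 * @param tinfo trace information for the RPC (not read in this method)
 * @param credentials credentials of the caller requesting the new user
 * @param principal name of the user to create
 * @param password password for the new user; ignored when SASL parameters are configured
 * @throws ThriftSecurityException with {@code DEFAULT_SECURITY_ERROR} if the KerberosToken
 *         cannot be constructed, or as propagated from {@code security.createUser}
 */
@Override
public void createLocalUser(TInfo tinfo, TCredentials credentials, String principal,
    ByteBuffer password) throws ThriftSecurityException {
  AuthenticationToken token;
  if (context.getSaslParams() != null) {
    try {
      token = new KerberosToken();
    } catch (IOException e) {
      // Log the exception itself so the server-side record keeps the stack trace and cause.
      log.warn("Failed to create KerberosToken", e);
      // NOTE(review): the IOException message is returned to the RPC caller as-is; confirm it
      // cannot carry host-local detail that should stay on the server.
      throw new ThriftSecurityException(e.getMessage(), SecurityErrorCode.DEFAULT_SECURITY_ERROR);
    }
  } else {
    token = new PasswordToken(password);
  }
  Credentials newUser = new Credentials(principal, token);
  // New users start with no authorizations.
  security.createUser(credentials, newUser, new Authorizations());
}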
use of org.apache.accumulo.core.securityImpl.thrift.TCredentials in project accumulo by apache.
the class TCredentialsUpdatingInvocationHandler method updateArgs.
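/**
 * Try to find a TCredentials object in the first two positions of the argument list and check
 * its principal against the principal the SASL server authenticated. This ensures that users
 * can't spoof a different principal into the Credentials than what they used to authenticate.
 * As written, the method only validates and rejects; it does not assign to the TCredentials.
 *
 * <p>
 * Decision order:
 * <ul>
 * <li>Fewer than two arguments, or no TCredentials in the first two positions: return without
 * checking (not every call carries credentials).</li>
 * <li>DIGEST-MD5 mechanism with a {@code DelegationTokenImpl} token class: the SASL principal
 * must equal {@code tcreds.principal}; impersonation is not consulted.</li>
 * <li>Any token class other than {@code KerberosToken} or {@code SystemToken}: rejected.</li>
 * <li>No principal available from the SASL processor: rejected.</li>
 * <li>SASL principal differs from {@code tcreds.principal}: allowed only if the impersonation
 * configuration has an entry for the SASL principal that lists the requested user and the
 * client's address.</li>
 * </ul>
 *
 * @param args the RPC argument list; may be null
 * @throws ThriftSecurityException with {@code BAD_CREDENTIALS} when any of the checks above
 *         fails
 */
protected void updateArgs(Object[] args) throws ThriftSecurityException {
  // If we don't have at least two args
  if (args == null || args.length < 2) {
    return;
  }

  TCredentials tcreds = null;
  // instanceof is false for null, so a separate null check is unnecessary
  if (args[0] instanceof TCredentials) {
    tcreds = (TCredentials) args[0];
  } else if (args[1] instanceof TCredentials) {
    tcreds = (TCredentials) args[1];
  }

  // If we don't find a tcredentials in the first two positions
  if (tcreds == null) {
    // Not all calls require authentication (e.g. closeMultiScan). We need to let these pass
    // through.
    log.trace("Did not find a TCredentials object in the first two positions"
        + " of the argument list, not updating principal");
    return;
  }

  // The token class is resolved from a name supplied inside the client's TCredentials
  Class<? extends AuthenticationToken> tokenClass = getTokenClassFromName(tcreds.tokenClassName);

  // The Accumulo principal extracted from the SASL transport
  final String principal = UGIAssumingProcessor.rpcPrincipal();

  // Delegation token presented over DIGEST-MD5: the authenticated principal and the principal
  // in the credentials should match exactly
  if (UGIAssumingProcessor.rpcMechanism() == SaslMechanism.DIGEST_MD5
      && DelegationTokenImpl.class.isAssignableFrom(tokenClass)) {
    // A missing SASL principal counts as a mismatch, so the call is rejected with
    // BAD_CREDENTIALS instead of failing on a NullPointerException before the check runs.
    if (principal == null || !principal.equals(tcreds.principal)) {
      log.warn("{} issued RPC with delegation token over DIGEST-MD5 as the "
          + "Accumulo principal {}. Disallowing RPC", principal, tcreds.principal);
      throw new ThriftSecurityException("RPC principal did not match provided Accumulo principal",
          SecurityErrorCode.BAD_CREDENTIALS);
    }
    return;
  }

  // If the authentication token isn't a KerberosToken
  if (!KerberosToken.class.isAssignableFrom(tokenClass)
      && !SystemToken.class.isAssignableFrom(tokenClass)) {
    // Don't include messages about SystemToken since it's internal
    log.debug("Will not update principal on authentication tokens other than"
        + " KerberosToken. Received {}", tokenClass);
    throw new ThriftSecurityException("Did not receive a valid token",
        SecurityErrorCode.BAD_CREDENTIALS);
  }

  if (principal == null) {
    log.debug(
        "Found KerberosToken in TCredentials, but did not receive principal from SASL processor");
    throw new ThriftSecurityException("Did not extract principal from Thrift SASL processor",
        SecurityErrorCode.BAD_CREDENTIALS);
  }

  // The principal from the SASL transport differs from the one in the credentials: this is only
  // acceptable when the impersonation configuration permits it
  if (!principal.equals(tcreds.principal)) {
    UsersWithHosts usersWithHosts = impersonation.get(principal);
    // No impersonation entry, or the requested user is not listed for this principal.
    // NOTE(review): principalMismatch is defined outside this block and is relied on to throw;
    // confirm, since execution would otherwise continue to the host check below.
    if (usersWithHosts == null || !usersWithHosts.getUsers().contains(tcreds.principal)) {
      principalMismatch(principal, tcreds.principal);
    }
    // Impersonation is additionally restricted to the configured client hosts
    String clientAddr = TServerUtils.clientAddress.get();
    if (!usersWithHosts.getHosts().contains(clientAddr)) {
      final String msg = "Principal in credentials object allowed mismatched"
          + " Kerberos principals, but not on " + clientAddr;
      log.warn(msg);
      throw new ThriftSecurityException(msg, SecurityErrorCode.BAD_CREDENTIALS);
    }
  }
}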
use of org.apache.accumulo.core.securityImpl.thrift.TCredentials in project accumulo by apache.
the class CompactionCoordinatorTest method testCoordinatorRestartOneRunningCompaction.
/**
 * Starts a coordinator while the mocked compactor lookup reports one running compaction and
 * checks that {@code run()} fills the queue, index and running-compaction structures.
 */
@Test
public void testCoordinatorRestartOneRunningCompaction() throws Exception {
  final String queueName = "R2DQ";
  final short priority = 1;

  // Reset mock state and suppress the parts of the server that need a live cluster
  PowerMock.resetAll();
  PowerMock.suppress(PowerMock.constructor(AbstractServer.class));
  PowerMock.suppress(PowerMock.methods(ThriftUtil.class, "returnClient"));
  PowerMock.suppress(PowerMock.methods(DeadCompactionDetector.class, "detectDeadCompactions",
      "detectDanglingFinalStateMarkers"));

  // Server context hands out mocked RPC credentials (one call expected)
  AccumuloConfiguration configuration = PowerMock.createNiceMock(AccumuloConfiguration.class);
  ServerContext serverContext = PowerMock.createNiceMock(ServerContext.class);
  TCredentials rpcCredentials = PowerMock.createNiceMock(TCredentials.class);
  EasyMock.expect(serverContext.rpcCreds()).andReturn(rpcCredentials);

  // One live tablet server at localhost:9997
  CompactionFinalizer compactionFinalizer = PowerMock.createNiceMock(CompactionFinalizer.class);
  LiveTServerSet liveServers = PowerMock.createNiceMock(LiveTServerSet.class);
  TServerInstance tserver = PowerMock.createNiceMock(TServerInstance.class);
  HostAndPort tserverHostAndPort = HostAndPort.fromString("localhost:9997");
  EasyMock.expect(tserver.getHostAndPort()).andReturn(tserverHostAndPort).anyTimes();
  EasyMock.expect(liveServers.getCurrentServers()).andReturn(Sets.newHashSet(tserver)).once();
  liveServers.startListeningForTabletServerChanges();

  // The compactor lookup reports a single compaction that is already running
  PowerMock.mockStatic(ExternalCompactionUtil.class);
  List<RunningCompaction> alreadyRunning = new ArrayList<>();
  ExternalCompactionId compactionId = ExternalCompactionId.generate(UUID.randomUUID());
  TExternalCompactionJob runningJob = PowerMock.createNiceMock(TExternalCompactionJob.class);
  EasyMock.expect(runningJob.getExternalCompactionId()).andReturn(compactionId.toString())
      .anyTimes();
  TKeyExtent keyExtent = new TKeyExtent();
  keyExtent.setTable("1".getBytes());
  alreadyRunning
      .add(new RunningCompaction(runningJob, tserverHostAndPort.toString(), "queue"));
  EasyMock.expect(ExternalCompactionUtil.getCompactionsRunningOnCompactors(serverContext))
      .andReturn(alreadyRunning);

  // Coordinator's own service address
  ServerAddress serviceAddress = PowerMock.createNiceMock(ServerAddress.class);
  HostAndPort coordinatorHostAndPort = HostAndPort.fromString("localhost:10240");
  EasyMock.expect(serviceAddress.getAddress()).andReturn(coordinatorHostAndPort).anyTimes();
  EasyMock.expect(tserver.getHostPort()).andReturn("localhost:9997").anyTimes();

  // Tablet server client reports one queue summary
  TabletClientService.Client tabletClient =
      PowerMock.createNiceMock(TabletClientService.Client.class);
  TCompactionQueueSummary summary = PowerMock.createNiceMock(TCompactionQueueSummary.class);
  EasyMock.expect(tabletClient.getCompactionQueueInfo(EasyMock.anyObject(), EasyMock.anyObject()))
      .andReturn(Collections.singletonList(summary)).anyTimes();
  EasyMock.expect(summary.getQueue()).andReturn(queueName).anyTimes();
  EasyMock.expect(summary.getPriority()).andReturn(priority).anyTimes();

  AuditedSecurityOperation securityOperation =
      PowerMock.createNiceMock(AuditedSecurityOperation.class);

  PowerMock.replayAll();

  TestCoordinator coordinator = new TestCoordinator(configuration, compactionFinalizer,
      liveServers, serviceAddress, tabletClient, serverContext, securityOperation);
  coordinator.resetInternals();

  // Nothing is tracked before run()
  assertEquals(0, coordinator.getQueues().size());
  assertEquals(0, coordinator.getIndex().size());
  assertEquals(0, coordinator.getRunning().size());

  coordinator.run();

  // Queue structure: one queue, one priority, one tablet server
  assertEquals(1, coordinator.getQueues().size());
  QueueAndPriority expectedEntry = QueueAndPriority.get(queueName.intern(), priority);
  Map<Short,TreeSet<TServerInstance>> byPriority =
      coordinator.getQueues().get(queueName.intern());
  assertNotNull(byPriority);
  assertEquals(1, byPriority.size());
  assertTrue(byPriority.containsKey(priority));
  Set<TServerInstance> serversAtPriority = byPriority.get(priority);
  assertNotNull(serversAtPriority);
  assertEquals(1, serversAtPriority.size());
  TServerInstance queuedTsi = serversAtPriority.iterator().next();
  assertEquals(tserver.getHostPortSession(), queuedTsi.getHostPortSession());

  // Index structure: the queued server maps back to the same queue and priority
  assertEquals(1, coordinator.getIndex().size());
  assertTrue(coordinator.getIndex().containsKey(queuedTsi));
  Set<QueueAndPriority> indexed = coordinator.getIndex().get(queuedTsi);
  assertEquals(1, indexed.size());
  assertEquals(expectedEntry, indexed.iterator().next());

  // The compaction that was already running is now tracked
  assertEquals(1, coordinator.getRunning().size());

  PowerMock.verifyAll();
  coordinator.resetInternals();
  coordinator.close();
}
use of org.apache.accumulo.core.securityImpl.thrift.TCredentials in project accumulo by apache.
the class CompactionCoordinatorTest method testGetCompactionJobNoJobs.
/**
 * Requests a compaction job from a coordinator that has no queued work and checks that the
 * returned job carries no external compaction id.
 */
@Test
public void testGetCompactionJobNoJobs() throws Exception {
  PowerMock.resetAll();
  PowerMock.suppress(PowerMock.constructor(AbstractServer.class));

  // Collaborators are nice mocks; only the calls stubbed below have defined answers
  AccumuloConfiguration configuration = PowerMock.createNiceMock(AccumuloConfiguration.class);
  ServerContext serverContext = PowerMock.createNiceMock(ServerContext.class);
  TCredentials callerCredentials = PowerMock.createNiceMock(TCredentials.class);
  CompactionFinalizer compactionFinalizer = PowerMock.createNiceMock(CompactionFinalizer.class);
  LiveTServerSet liveServers = PowerMock.createNiceMock(LiveTServerSet.class);
  TabletClientService.Client tabletClient =
      PowerMock.createNiceMock(TabletClientService.Client.class);

  ServerAddress serviceAddress = PowerMock.createNiceMock(ServerAddress.class);
  HostAndPort coordinatorHostAndPort = HostAndPort.fromString("localhost:10240");
  EasyMock.expect(serviceAddress.getAddress()).andReturn(coordinatorHostAndPort).anyTimes();

  // Authorization is stubbed to succeed, so only the permitted path is exercised here; a
  // denied caller is not covered by this test.
  AuditedSecurityOperation securityOperation =
      PowerMock.createNiceMock(AuditedSecurityOperation.class);
  EasyMock.expect(securityOperation.canPerformSystemActions(callerCredentials)).andReturn(true);

  PowerMock.replayAll();

  TestCoordinator coordinator = new TestCoordinator(configuration, compactionFinalizer,
      liveServers, serviceAddress, tabletClient, serverContext, securityOperation);
  coordinator.resetInternals();

  // run() is never called, so the coordinator has nothing to hand out
  TExternalCompactionJob returnedJob = coordinator.getCompactionJob(TraceUtil.traceInfo(),
      callerCredentials, "R2DQ", "localhost:10240", UUID.randomUUID().toString());
  assertNull(returnedJob.getExternalCompactionId());

  PowerMock.verifyAll();
  coordinator.resetInternals();
  coordinator.close();
}
use of org.apache.accumulo.core.securityImpl.thrift.TCredentials in project accumulo by apache.
the class CompactionCoordinatorTest method testGetCompactionJob.
/**
 * Populates the coordinator through {@code run()}, requests a job for queue {@code R2DQ}, and
 * checks that the reserved job is returned and recorded as running for the requesting compactor.
 */
@Test
public void testGetCompactionJob() throws Exception {
  final String queueName = "R2DQ";
  final short priority = 1;

  // Reset mock state and suppress the parts of the server that need a live cluster
  PowerMock.resetAll();
  PowerMock.suppress(PowerMock.constructor(AbstractServer.class));
  PowerMock.suppress(PowerMock.methods(ThriftUtil.class, "returnClient"));
  PowerMock.suppress(PowerMock.methods(DeadCompactionDetector.class, "detectDeadCompactions",
      "detectDanglingFinalStateMarkers"));

  // Server context hands out the same mocked credentials on every call
  AccumuloConfiguration configuration = PowerMock.createNiceMock(AccumuloConfiguration.class);
  ServerContext serverContext = PowerMock.createNiceMock(ServerContext.class);
  TCredentials callerCredentials = PowerMock.createNiceMock(TCredentials.class);
  EasyMock.expect(serverContext.rpcCreds()).andReturn(callerCredentials).anyTimes();

  // No compactions are running when the coordinator starts
  PowerMock.mockStatic(ExternalCompactionUtil.class);
  List<RunningCompaction> alreadyRunning = new ArrayList<>();
  EasyMock.expect(ExternalCompactionUtil.getCompactionsRunningOnCompactors(serverContext))
      .andReturn(alreadyRunning);

  // One live tablet server at localhost:9997
  CompactionFinalizer compactionFinalizer = PowerMock.createNiceMock(CompactionFinalizer.class);
  LiveTServerSet liveServers = PowerMock.createNiceMock(LiveTServerSet.class);
  TServerInstance tserver = PowerMock.createNiceMock(TServerInstance.class);
  EasyMock.expect(liveServers.getCurrentServers()).andReturn(Collections.singleton(tserver))
      .once();
  HostAndPort tserverHostAndPort = HostAndPort.fromString("localhost:9997");
  EasyMock.expect(tserver.getHostAndPort()).andReturn(tserverHostAndPort).anyTimes();

  // Coordinator's own service address
  ServerAddress serviceAddress = PowerMock.createNiceMock(ServerAddress.class);
  HostAndPort coordinatorHostAndPort = HostAndPort.fromString("localhost:10240");
  EasyMock.expect(serviceAddress.getAddress()).andReturn(coordinatorHostAndPort).anyTimes();

  // A second TServerInstance mock, used only as the comparison value further down
  TServerInstance tsi = PowerMock.createNiceMock(TServerInstance.class);
  EasyMock.expect(tsi.getHostPort()).andReturn("localhost:9997").anyTimes();

  // Tablet server client reports one queue summary
  TabletClientService.Client tabletClient =
      PowerMock.createNiceMock(TabletClientService.Client.class);
  TCompactionQueueSummary summary = PowerMock.createNiceMock(TCompactionQueueSummary.class);
  EasyMock.expect(tabletClient.getCompactionQueueInfo(EasyMock.anyObject(), EasyMock.anyObject()))
      .andReturn(Collections.singletonList(summary)).anyTimes();
  EasyMock.expect(summary.getQueue()).andReturn(queueName).anyTimes();
  EasyMock.expect(summary.getPriority()).andReturn(priority).anyTimes();

  // Reserving a job on the tablet server yields a job with a known id
  ExternalCompactionId eci = ExternalCompactionId.generate(UUID.randomUUID());
  TExternalCompactionJob reservedJob = PowerMock.createNiceMock(TExternalCompactionJob.class);
  EasyMock.expect(reservedJob.getExternalCompactionId()).andReturn(eci.toString()).anyTimes();
  TInfo trace = TraceUtil.traceInfo();
  EasyMock.expect(tabletClient.reserveCompactionJob(trace, callerCredentials, queueName, 1,
      "localhost:10241", eci.toString())).andReturn(reservedJob).anyTimes();

  // Authorization is stubbed to succeed, so only the permitted path is exercised here; a
  // denied caller is not covered by this test.
  AuditedSecurityOperation securityOperation =
      PowerMock.createNiceMock(AuditedSecurityOperation.class);
  EasyMock.expect(securityOperation.canPerformSystemActions(callerCredentials)).andReturn(true);

  PowerMock.replayAll();

  TestCoordinator coordinator = new TestCoordinator(configuration, compactionFinalizer,
      liveServers, serviceAddress, tabletClient, serverContext, securityOperation);
  coordinator.resetInternals();

  // Nothing is tracked before run()
  assertEquals(0, coordinator.getQueues().size());
  assertEquals(0, coordinator.getIndex().size());
  assertEquals(0, coordinator.getRunning().size());

  // Use coordinator.run() to populate the internal data structures. This is tested in a different
  // test.
  coordinator.run();

  // Queue structure: one queue, one priority, one tablet server
  assertEquals(1, coordinator.getQueues().size());
  QueueAndPriority expectedEntry = QueueAndPriority.get(queueName.intern(), priority);
  Map<Short,TreeSet<TServerInstance>> byPriority =
      coordinator.getQueues().get(queueName.intern());
  assertNotNull(byPriority);
  assertEquals(1, byPriority.size());
  assertTrue(byPriority.containsKey(priority));
  Set<TServerInstance> serversAtPriority = byPriority.get(priority);
  assertNotNull(serversAtPriority);
  assertEquals(1, serversAtPriority.size());
  TServerInstance queuedTsi = serversAtPriority.iterator().next();
  // NOTE(review): tsi is a different mock from the one handed to the live-server set and
  // getHostPortSession is not stubbed on either; confirm this comparison checks what is intended.
  assertEquals(tsi.getHostPortSession(), queuedTsi.getHostPortSession());

  // Index structure: the queued server maps back to the same queue and priority
  assertEquals(1, coordinator.getIndex().size());
  assertTrue(coordinator.getIndex().containsKey(queuedTsi));
  Set<QueueAndPriority> indexed = coordinator.getIndex().get(queuedTsi);
  assertEquals(1, indexed.size());
  assertEquals(expectedEntry, indexed.iterator().next());
  assertEquals(0, coordinator.getRunning().size());

  // Get the next job
  TExternalCompactionJob createdJob = coordinator.getCompactionJob(trace, callerCredentials,
      queueName, "localhost:10241", eci.toString());
  assertEquals(eci.toString(), createdJob.getExternalCompactionId());

  // Queue and index are unchanged; the handed-out job is now tracked as running
  assertEquals(1, coordinator.getQueues().size());
  assertEquals(1, coordinator.getIndex().size());
  assertEquals(1, coordinator.getRunning().size());
  Entry<ExternalCompactionId,RunningCompaction> tracked =
      coordinator.getRunning().entrySet().iterator().next();
  assertEquals(eci.toString(), tracked.getKey().toString());
  assertEquals("localhost:10241", tracked.getValue().getCompactorAddress());
  assertEquals(eci.toString(), tracked.getValue().getJob().getExternalCompactionId());

  PowerMock.verifyAll();
  coordinator.resetInternals();
  coordinator.close();
}