
Example 16 with TCredentials

use of org.apache.accumulo.core.securityImpl.thrift.TCredentials in project accumulo by apache.

the class ClientServiceHandler method createLocalUser.

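/**
 * Creates a local Accumulo user on behalf of the caller identified by {@code credentials}.
 *
 * <p>When SASL parameters are configured on the server context, the supplied {@code password} is
 * not used: the new user's token is a no-argument {@link KerberosToken}. Otherwise the token is a
 * {@link PasswordToken} built from {@code password}.
 *
 * <p>This method performs no permission check of its own. The caller's credentials are passed to
 * {@code security.createUser}, which is presumably where authorization is enforced (not visible
 * here; confirm before relying on it).
 *
 * @param tinfo trace information; not read by this method
 * @param credentials credentials of the caller requesting the user creation
 * @param principal name of the user to create
 * @param password password for the new user; ignored when SASL is configured
 * @throws ThriftSecurityException if the {@link KerberosToken} cannot be constructed, or if
 *         {@code security.createUser} throws it
 */
@Override
public void createLocalUser(TInfo tinfo, TCredentials credentials, String principal, ByteBuffer password) throws ThriftSecurityException {
    final AuthenticationToken token;
    if (context.getSaslParams() != null) {
        // SASL is configured: the password argument is deliberately not consulted here.
        try {
            token = new KerberosToken();
        } catch (IOException e) {
            // Pass the exception to the logger so the stack trace is kept server-side; the
            // ThriftSecurityException thrown below carries only the message text.
            log.warn("Failed to create KerberosToken", e);
            throw new ThriftSecurityException(e.getMessage(), SecurityErrorCode.DEFAULT_SECURITY_ERROR);
        }
    } else {
        // The password buffer holds secret material; it must never be written to a log.
        token = new PasswordToken(password);
    }
    // The new user starts with an empty set of authorizations.
    Credentials newUser = new Credentials(principal, token);
    security.createUser(credentials, newUser, new Authorizations());
}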
Also used : PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken) Authorizations(org.apache.accumulo.core.security.Authorizations) AuthenticationToken(org.apache.accumulo.core.client.security.tokens.AuthenticationToken) KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken) IOException(java.io.IOException) ThriftSecurityException(org.apache.accumulo.core.clientImpl.thrift.ThriftSecurityException) TCredentials(org.apache.accumulo.core.securityImpl.thrift.TCredentials) Credentials(org.apache.accumulo.core.clientImpl.Credentials)

Example 17 with TCredentials

use of org.apache.accumulo.core.securityImpl.thrift.TCredentials in project accumulo by apache.

the class TCredentialsUpdatingInvocationHandler method updateArgs.

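/**
 * Looks for a TCredentials object in the first two positions of the argument list and checks
 * that its principal is consistent with the principal authenticated by the SASL transport. This
 * ensures that users can't spoof a different principal into the Credentials than what they used
 * to authenticate.
 *
 * <p>The visible code only validates; it never writes to the TCredentials object. The checks are,
 * in order:
 * <ul>
 * <li>Calls with fewer than two arguments, or with no TCredentials in the first two positions,
 * pass through unchecked (not every RPC carries credentials).</li>
 * <li>A delegation token over DIGEST-MD5 must name exactly the SASL principal.</li>
 * <li>Any other token must be a KerberosToken or SystemToken, and a SASL principal must be
 * present.</li>
 * <li>If the SASL principal differs from the credentials principal, the mismatch is accepted only
 * when the impersonation configuration lists both the target user and the client address for
 * that SASL principal.</li>
 * </ul>
 *
 * @param args the RPC argument list; may be {@code null}
 * @throws ThriftSecurityException with {@code BAD_CREDENTIALS} when any check fails
 */
protected void updateArgs(Object[] args) throws ThriftSecurityException {
    // If we don't have at least two args
    if (args == null || args.length < 2) {
        return;
    }
    // instanceof is already false for null, so no separate null test is needed.
    TCredentials tcreds = null;
    if (args[0] instanceof TCredentials) {
        tcreds = (TCredentials) args[0];
    } else if (args[1] instanceof TCredentials) {
        tcreds = (TCredentials) args[1];
    }
    // If we don't find a tcredentials in the first two positions
    if (tcreds == null) {
        // Not all calls require authentication (e.g. closeMultiScan). We need to let these pass
        // through.
        log.trace("Did not find a TCredentials object in the first two positions" + " of the argument list, not updating principal");
        return;
    }
    // NOTE(review): tokenClassName comes from the client; getTokenClassFromName is not visible
    // here, so confirm that it rejects unknown names rather than returning null.
    Class<? extends AuthenticationToken> tokenClass = getTokenClassFromName(tcreds.tokenClassName);
    // The Accumulo principal extracted from the SASL transport
    final String principal = UGIAssumingProcessor.rpcPrincipal();
    // With a delegation token over DIGEST-MD5 the SASL principal and the credentials principal
    // should match exactly; impersonation is not considered on this path.
    if (UGIAssumingProcessor.rpcMechanism() == SaslMechanism.DIGEST_MD5 && DelegationTokenImpl.class.isAssignableFrom(tokenClass)) {
        // A missing SASL principal is rejected here as a mismatch. The null check further down
        // is only reached on the Kerberos path, so without this guard a null principal would
        // surface as a NullPointerException instead of BAD_CREDENTIALS.
        if (principal == null || !principal.equals(tcreds.principal)) {
            log.warn("{} issued RPC with delegation token over DIGEST-MD5 as the " + "Accumulo principal {}. Disallowing RPC", principal, tcreds.principal);
            throw new ThriftSecurityException("RPC principal did not match provided Accumulo principal", SecurityErrorCode.BAD_CREDENTIALS);
        }
        return;
    }
    // If the authentication token isn't a KerberosToken
    if (!KerberosToken.class.isAssignableFrom(tokenClass) && !SystemToken.class.isAssignableFrom(tokenClass)) {
        // Don't include messages about SystemToken since it's internal
        log.debug("Will not update principal on authentication tokens other than" + " KerberosToken. Received {}", tokenClass);
        throw new ThriftSecurityException("Did not receive a valid token", SecurityErrorCode.BAD_CREDENTIALS);
    }
    if (principal == null) {
        log.debug("Found KerberosToken in TCredentials, but did not receive principal from SASL processor");
        throw new ThriftSecurityException("Did not extract principal from Thrift SASL processor", SecurityErrorCode.BAD_CREDENTIALS);
    }
    // The SASL principal differs from the credentials principal: allow it only when the
    // impersonation configuration covers both the target user and the client host.
    if (!principal.equals(tcreds.principal)) {
        UsersWithHosts usersWithHosts = impersonation.get(principal);
        // principalMismatch is expected to throw (its body is not visible here; confirm). The
        // host check below depends on that to stay fail-closed.
        if (usersWithHosts == null || !usersWithHosts.getUsers().contains(tcreds.principal)) {
            principalMismatch(principal, tcreds.principal);
        }
        String clientAddr = TServerUtils.clientAddress.get();
        if (!usersWithHosts.getHosts().contains(clientAddr)) {
            final String msg = "Principal in credentials object allowed mismatched" + " Kerberos principals, but not on " + clientAddr;
            log.warn(msg);
            throw new ThriftSecurityException(msg, SecurityErrorCode.BAD_CREDENTIALS);
        }
    }
}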
Also used : UsersWithHosts(org.apache.accumulo.server.security.UserImpersonation.UsersWithHosts) TCredentials(org.apache.accumulo.core.securityImpl.thrift.TCredentials) DelegationTokenImpl(org.apache.accumulo.core.clientImpl.DelegationTokenImpl) ThriftSecurityException(org.apache.accumulo.core.clientImpl.thrift.ThriftSecurityException)

Example 18 with TCredentials

use of org.apache.accumulo.core.securityImpl.thrift.TCredentials in project accumulo by apache.

the class CompactionCoordinatorTest method testCoordinatorRestartOneRunningCompaction.

/**
 * Starts the coordinator with one tablet server and one compaction that is reported as already
 * running on a compactor, then checks that after {@code run()} the queue, index and running
 * structures each hold exactly one entry.
 */
@Test
public void testCoordinatorRestartOneRunningCompaction() throws Exception {
    PowerMock.resetAll();
    // Suppress the AbstractServer constructor and the named methods so they are not executed
    // by the test.
    PowerMock.suppress(PowerMock.constructor(AbstractServer.class));
    PowerMock.suppress(PowerMock.methods(ThriftUtil.class, "returnClient"));
    PowerMock.suppress(PowerMock.methods(DeadCompactionDetector.class, "detectDeadCompactions", "detectDanglingFinalStateMarkers"));
    AccumuloConfiguration conf = PowerMock.createNiceMock(AccumuloConfiguration.class);
    ServerContext context = PowerMock.createNiceMock(ServerContext.class);
    // The credentials are a nice mock; context.rpcCreds() is stubbed to return them once.
    TCredentials creds = PowerMock.createNiceMock(TCredentials.class);
    EasyMock.expect(context.rpcCreds()).andReturn(creds);
    CompactionFinalizer finalizer = PowerMock.createNiceMock(CompactionFinalizer.class);
    LiveTServerSet tservers = PowerMock.createNiceMock(LiveTServerSet.class);
    // A single mocked tablet server at localhost:9997 is the only live server.
    TServerInstance instance = PowerMock.createNiceMock(TServerInstance.class);
    HostAndPort tserverAddress = HostAndPort.fromString("localhost:9997");
    EasyMock.expect(instance.getHostAndPort()).andReturn(tserverAddress).anyTimes();
    EasyMock.expect(tservers.getCurrentServers()).andReturn(Sets.newHashSet(instance)).once();
    tservers.startListeningForTabletServerChanges();
    // ExternalCompactionUtil is mocked statically so that it reports one running compaction.
    PowerMock.mockStatic(ExternalCompactionUtil.class);
    List<RunningCompaction> runningCompactions = new ArrayList<>();
    ExternalCompactionId eci = ExternalCompactionId.generate(UUID.randomUUID());
    TExternalCompactionJob job = PowerMock.createNiceMock(TExternalCompactionJob.class);
    EasyMock.expect(job.getExternalCompactionId()).andReturn(eci.toString()).anyTimes();
    // NOTE(review): extent is populated but not referenced again in this method, and getBytes()
    // without a charset uses the platform default.
    TKeyExtent extent = new TKeyExtent();
    extent.setTable("1".getBytes());
    runningCompactions.add(new RunningCompaction(job, tserverAddress.toString(), "queue"));
    EasyMock.expect(ExternalCompactionUtil.getCompactionsRunningOnCompactors(context)).andReturn(runningCompactions);
    ServerAddress client = PowerMock.createNiceMock(ServerAddress.class);
    HostAndPort address = HostAndPort.fromString("localhost:10240");
    EasyMock.expect(client.getAddress()).andReturn(address).anyTimes();
    EasyMock.expect(instance.getHostPort()).andReturn("localhost:9997").anyTimes();
    // The tablet server client reports one queue summary: queue "R2DQ" at priority 1.
    TabletClientService.Client tsc = PowerMock.createNiceMock(TabletClientService.Client.class);
    TCompactionQueueSummary queueSummary = PowerMock.createNiceMock(TCompactionQueueSummary.class);
    EasyMock.expect(tsc.getCompactionQueueInfo(EasyMock.anyObject(), EasyMock.anyObject())).andReturn(Collections.singletonList(queueSummary)).anyTimes();
    EasyMock.expect(queueSummary.getQueue()).andReturn("R2DQ").anyTimes();
    EasyMock.expect(queueSummary.getPriority()).andReturn((short) 1).anyTimes();
    // No expectations are recorded on the security mock in this test.
    AuditedSecurityOperation security = PowerMock.createNiceMock(AuditedSecurityOperation.class);
    PowerMock.replayAll();
    TestCoordinator coordinator = new TestCoordinator(conf, finalizer, tservers, client, tsc, context, security);
    coordinator.resetInternals();
    // All internal structures are empty before the coordinator runs.
    assertEquals(0, coordinator.getQueues().size());
    assertEquals(0, coordinator.getIndex().size());
    assertEquals(0, coordinator.getRunning().size());
    coordinator.run();
    // After run(): one queue ("R2DQ"), one priority level (1), one tablet server in it.
    assertEquals(1, coordinator.getQueues().size());
    QueueAndPriority qp = QueueAndPriority.get("R2DQ".intern(), (short) 1);
    Map<Short, TreeSet<TServerInstance>> m = coordinator.getQueues().get("R2DQ".intern());
    assertNotNull(m);
    assertEquals(1, m.size());
    assertTrue(m.containsKey((short) 1));
    Set<TServerInstance> t = m.get((short) 1);
    assertNotNull(t);
    assertEquals(1, t.size());
    TServerInstance queuedTsi = t.iterator().next();
    // NOTE(review): getHostPortSession() is not stubbed on the nice mock, so both sides may be
    // the mock's default value and this comparison may be weaker than it looks; confirm.
    assertEquals(instance.getHostPortSession(), queuedTsi.getHostPortSession());
    assertEquals(1, coordinator.getIndex().size());
    assertTrue(coordinator.getIndex().containsKey(queuedTsi));
    Set<QueueAndPriority> i = coordinator.getIndex().get(queuedTsi);
    assertEquals(1, i.size());
    assertEquals(qp, i.iterator().next());
    // The compaction reported by ExternalCompactionUtil is tracked as running.
    assertEquals(1, coordinator.getRunning().size());
    PowerMock.verifyAll();
    coordinator.resetInternals();
    coordinator.close();
}
Also used : ExternalCompactionId(org.apache.accumulo.core.metadata.schema.ExternalCompactionId) ThriftUtil(org.apache.accumulo.core.rpc.ThriftUtil) ArrayList(java.util.ArrayList) ServerAddress(org.apache.accumulo.server.rpc.ServerAddress) AuditedSecurityOperation(org.apache.accumulo.server.security.AuditedSecurityOperation) TCompactionQueueSummary(org.apache.accumulo.core.tabletserver.thrift.TCompactionQueueSummary) LiveTServerSet(org.apache.accumulo.server.manager.LiveTServerSet) HostAndPort(org.apache.accumulo.core.util.HostAndPort) Client(org.apache.accumulo.core.tabletserver.thrift.TabletClientService.Client) TreeSet(java.util.TreeSet) TExternalCompactionJob(org.apache.accumulo.core.tabletserver.thrift.TExternalCompactionJob) AccumuloConfiguration(org.apache.accumulo.core.conf.AccumuloConfiguration) TCredentials(org.apache.accumulo.core.securityImpl.thrift.TCredentials) RunningCompaction(org.apache.accumulo.core.util.compaction.RunningCompaction) TKeyExtent(org.apache.accumulo.core.dataImpl.thrift.TKeyExtent) TServerInstance(org.apache.accumulo.core.metadata.TServerInstance) AbstractServer(org.apache.accumulo.server.AbstractServer) ServerContext(org.apache.accumulo.server.ServerContext) TabletClientService(org.apache.accumulo.core.tabletserver.thrift.TabletClientService) PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest) Test(org.junit.Test)

Example 19 with TCredentials

use of org.apache.accumulo.core.securityImpl.thrift.TCredentials in project accumulo by apache.

the class CompactionCoordinatorTest method testGetCompactionJobNoJobs.

/**
 * Requests a compaction job from a coordinator whose internals were just reset and checks that
 * the returned job has no external compaction id.
 */
@Test
public void testGetCompactionJobNoJobs() throws Exception {
    PowerMock.resetAll();
    // Suppress the AbstractServer constructor so it is not executed by the test.
    PowerMock.suppress(PowerMock.constructor(AbstractServer.class));
    AccumuloConfiguration conf = PowerMock.createNiceMock(AccumuloConfiguration.class);
    ServerContext context = PowerMock.createNiceMock(ServerContext.class);
    // The credentials are a nice mock; no real principal or token is involved.
    TCredentials creds = PowerMock.createNiceMock(TCredentials.class);
    CompactionFinalizer finalizer = PowerMock.createNiceMock(CompactionFinalizer.class);
    LiveTServerSet tservers = PowerMock.createNiceMock(LiveTServerSet.class);
    ServerAddress client = PowerMock.createNiceMock(ServerAddress.class);
    HostAndPort address = HostAndPort.fromString("localhost:10240");
    EasyMock.expect(client.getAddress()).andReturn(address).anyTimes();
    TabletClientService.Client tsc = PowerMock.createNiceMock(TabletClientService.Client.class);
    AuditedSecurityOperation security = PowerMock.createNiceMock(AuditedSecurityOperation.class);
    // The system-action permission check is stubbed to succeed for the mocked credentials, so
    // the permission-denied path is not covered by this test.
    EasyMock.expect(security.canPerformSystemActions(creds)).andReturn(true);
    PowerMock.replayAll();
    TestCoordinator coordinator = new TestCoordinator(conf, finalizer, tservers, client, tsc, context, security);
    coordinator.resetInternals();
    // run() is never called, so nothing has populated the coordinator's queues.
    TExternalCompactionJob job = coordinator.getCompactionJob(TraceUtil.traceInfo(), creds, "R2DQ", "localhost:10240", UUID.randomUUID().toString());
    // The returned job object is non-null but carries no external compaction id.
    assertNull(job.getExternalCompactionId());
    PowerMock.verifyAll();
    coordinator.resetInternals();
    coordinator.close();
}
Also used : TCredentials(org.apache.accumulo.core.securityImpl.thrift.TCredentials) ServerAddress(org.apache.accumulo.server.rpc.ServerAddress) AuditedSecurityOperation(org.apache.accumulo.server.security.AuditedSecurityOperation) LiveTServerSet(org.apache.accumulo.server.manager.LiveTServerSet) HostAndPort(org.apache.accumulo.core.util.HostAndPort) AbstractServer(org.apache.accumulo.server.AbstractServer) Client(org.apache.accumulo.core.tabletserver.thrift.TabletClientService.Client) ServerContext(org.apache.accumulo.server.ServerContext) TabletClientService(org.apache.accumulo.core.tabletserver.thrift.TabletClientService) TExternalCompactionJob(org.apache.accumulo.core.tabletserver.thrift.TExternalCompactionJob) AccumuloConfiguration(org.apache.accumulo.core.conf.AccumuloConfiguration) PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest) Test(org.junit.Test)

Example 20 with TCredentials

use of org.apache.accumulo.core.securityImpl.thrift.TCredentials in project accumulo by apache.

the class CompactionCoordinatorTest method testGetCompactionJob.

/**
 * Populates the coordinator through {@code run()} with one tablet server advertising queue
 * "R2DQ" at priority 1, then requests a job for that queue and checks that the reserved job is
 * returned and recorded as running against the requesting compactor address.
 */
@Test
public void testGetCompactionJob() throws Exception {
    PowerMock.resetAll();
    // Suppress the AbstractServer constructor and the named methods so they are not executed
    // by the test.
    PowerMock.suppress(PowerMock.constructor(AbstractServer.class));
    PowerMock.suppress(PowerMock.methods(ThriftUtil.class, "returnClient"));
    PowerMock.suppress(PowerMock.methods(DeadCompactionDetector.class, "detectDeadCompactions", "detectDanglingFinalStateMarkers"));
    AccumuloConfiguration conf = PowerMock.createNiceMock(AccumuloConfiguration.class);
    ServerContext context = PowerMock.createNiceMock(ServerContext.class);
    // The credentials are a nice mock; context.rpcCreds() returns them on every call.
    TCredentials creds = PowerMock.createNiceMock(TCredentials.class);
    EasyMock.expect(context.rpcCreds()).andReturn(creds).anyTimes();
    // ExternalCompactionUtil is mocked statically and reports no running compactions.
    PowerMock.mockStatic(ExternalCompactionUtil.class);
    List<RunningCompaction> runningCompactions = new ArrayList<>();
    EasyMock.expect(ExternalCompactionUtil.getCompactionsRunningOnCompactors(context)).andReturn(runningCompactions);
    CompactionFinalizer finalizer = PowerMock.createNiceMock(CompactionFinalizer.class);
    LiveTServerSet tservers = PowerMock.createNiceMock(LiveTServerSet.class);
    // A single mocked tablet server at localhost:9997 is the only live server.
    TServerInstance instance = PowerMock.createNiceMock(TServerInstance.class);
    EasyMock.expect(tservers.getCurrentServers()).andReturn(Collections.singleton(instance)).once();
    HostAndPort tserverAddress = HostAndPort.fromString("localhost:9997");
    EasyMock.expect(instance.getHostAndPort()).andReturn(tserverAddress).anyTimes();
    ServerAddress client = PowerMock.createNiceMock(ServerAddress.class);
    HostAndPort address = HostAndPort.fromString("localhost:10240");
    EasyMock.expect(client.getAddress()).andReturn(address).anyTimes();
    // NOTE(review): tsi is never passed to the coordinator or returned by another mock in this
    // method; it is only read in the getHostPortSession() comparison further down.
    TServerInstance tsi = PowerMock.createNiceMock(TServerInstance.class);
    EasyMock.expect(tsi.getHostPort()).andReturn("localhost:9997").anyTimes();
    // The tablet server client reports one queue summary: queue "R2DQ" at priority 1.
    TabletClientService.Client tsc = PowerMock.createNiceMock(TabletClientService.Client.class);
    TCompactionQueueSummary queueSummary = PowerMock.createNiceMock(TCompactionQueueSummary.class);
    EasyMock.expect(tsc.getCompactionQueueInfo(EasyMock.anyObject(), EasyMock.anyObject())).andReturn(Collections.singletonList(queueSummary)).anyTimes();
    EasyMock.expect(queueSummary.getQueue()).andReturn("R2DQ").anyTimes();
    EasyMock.expect(queueSummary.getPriority()).andReturn((short) 1).anyTimes();
    ExternalCompactionId eci = ExternalCompactionId.generate(UUID.randomUUID());
    TExternalCompactionJob job = PowerMock.createNiceMock(TExternalCompactionJob.class);
    EasyMock.expect(job.getExternalCompactionId()).andReturn(eci.toString()).anyTimes();
    TInfo trace = TraceUtil.traceInfo();
    // Reserving a job on the tablet server with exactly these arguments yields the mocked job.
    EasyMock.expect(tsc.reserveCompactionJob(trace, creds, "R2DQ", 1, "localhost:10241", eci.toString())).andReturn(job).anyTimes();
    AuditedSecurityOperation security = PowerMock.createNiceMock(AuditedSecurityOperation.class);
    // The system-action permission check is stubbed to succeed for the mocked credentials, so
    // the permission-denied path is not covered by this test.
    EasyMock.expect(security.canPerformSystemActions(creds)).andReturn(true);
    PowerMock.replayAll();
    TestCoordinator coordinator = new TestCoordinator(conf, finalizer, tservers, client, tsc, context, security);
    coordinator.resetInternals();
    // All internal structures are empty before the coordinator runs.
    assertEquals(0, coordinator.getQueues().size());
    assertEquals(0, coordinator.getIndex().size());
    assertEquals(0, coordinator.getRunning().size());
    // Use coordinator.run() to populate the internal data structures. This is tested in a different
    // test.
    coordinator.run();
    // After run(): one queue ("R2DQ"), one priority level (1), one tablet server in it.
    assertEquals(1, coordinator.getQueues().size());
    QueueAndPriority qp = QueueAndPriority.get("R2DQ".intern(), (short) 1);
    Map<Short, TreeSet<TServerInstance>> m = coordinator.getQueues().get("R2DQ".intern());
    assertNotNull(m);
    assertEquals(1, m.size());
    assertTrue(m.containsKey((short) 1));
    Set<TServerInstance> t = m.get((short) 1);
    assertNotNull(t);
    assertEquals(1, t.size());
    TServerInstance queuedTsi = t.iterator().next();
    // NOTE(review): getHostPortSession() is not stubbed on either nice mock, so both sides may
    // be the mock's default value and this comparison may be weaker than it looks; confirm.
    assertEquals(tsi.getHostPortSession(), queuedTsi.getHostPortSession());
    assertEquals(1, coordinator.getIndex().size());
    assertTrue(coordinator.getIndex().containsKey(queuedTsi));
    Set<QueueAndPriority> i = coordinator.getIndex().get(queuedTsi);
    assertEquals(1, i.size());
    assertEquals(qp, i.iterator().next());
    // Nothing is running until a compactor asks for a job.
    assertEquals(0, coordinator.getRunning().size());
    // Get the next job
    TExternalCompactionJob createdJob = coordinator.getCompactionJob(trace, creds, "R2DQ", "localhost:10241", eci.toString());
    assertEquals(eci.toString(), createdJob.getExternalCompactionId());
    // Queue and index sizes are unchanged; the job now appears in the running map.
    assertEquals(1, coordinator.getQueues().size());
    assertEquals(1, coordinator.getIndex().size());
    assertEquals(1, coordinator.getRunning().size());
    // The running entry is keyed by the compaction id and records the requesting compactor.
    Entry<ExternalCompactionId, RunningCompaction> entry = coordinator.getRunning().entrySet().iterator().next();
    assertEquals(eci.toString(), entry.getKey().toString());
    assertEquals("localhost:10241", entry.getValue().getCompactorAddress());
    assertEquals(eci.toString(), entry.getValue().getJob().getExternalCompactionId());
    PowerMock.verifyAll();
    coordinator.resetInternals();
    coordinator.close();
}
Also used : ExternalCompactionId(org.apache.accumulo.core.metadata.schema.ExternalCompactionId) ThriftUtil(org.apache.accumulo.core.rpc.ThriftUtil) ArrayList(java.util.ArrayList) ServerAddress(org.apache.accumulo.server.rpc.ServerAddress) AuditedSecurityOperation(org.apache.accumulo.server.security.AuditedSecurityOperation) TCompactionQueueSummary(org.apache.accumulo.core.tabletserver.thrift.TCompactionQueueSummary) LiveTServerSet(org.apache.accumulo.server.manager.LiveTServerSet) HostAndPort(org.apache.accumulo.core.util.HostAndPort) Client(org.apache.accumulo.core.tabletserver.thrift.TabletClientService.Client) TreeSet(java.util.TreeSet) TExternalCompactionJob(org.apache.accumulo.core.tabletserver.thrift.TExternalCompactionJob) AccumuloConfiguration(org.apache.accumulo.core.conf.AccumuloConfiguration) TInfo(org.apache.accumulo.core.trace.thrift.TInfo) TCredentials(org.apache.accumulo.core.securityImpl.thrift.TCredentials) RunningCompaction(org.apache.accumulo.core.util.compaction.RunningCompaction) TServerInstance(org.apache.accumulo.core.metadata.TServerInstance) AbstractServer(org.apache.accumulo.server.AbstractServer) ServerContext(org.apache.accumulo.server.ServerContext) TabletClientService(org.apache.accumulo.core.tabletserver.thrift.TabletClientService) PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest) Test(org.junit.Test)

Aggregations

TCredentials (org.apache.accumulo.core.securityImpl.thrift.TCredentials)27 Test (org.junit.Test)18 KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken)7 ArrayList (java.util.ArrayList)6 TabletClientService (org.apache.accumulo.core.tabletserver.thrift.TabletClientService)6 PasswordToken (org.apache.accumulo.core.client.security.tokens.PasswordToken)5 AccumuloConfiguration (org.apache.accumulo.core.conf.AccumuloConfiguration)5 TServerInstance (org.apache.accumulo.core.metadata.TServerInstance)5 TCompactionQueueSummary (org.apache.accumulo.core.tabletserver.thrift.TCompactionQueueSummary)5 Client (org.apache.accumulo.core.tabletserver.thrift.TabletClientService.Client)5 TInfo (org.apache.accumulo.core.trace.thrift.TInfo)5 HostAndPort (org.apache.accumulo.core.util.HostAndPort)5 AbstractServer (org.apache.accumulo.server.AbstractServer)5 ServerContext (org.apache.accumulo.server.ServerContext)5 LiveTServerSet (org.apache.accumulo.server.manager.LiveTServerSet)5 ServerAddress (org.apache.accumulo.server.rpc.ServerAddress)5 AuditedSecurityOperation (org.apache.accumulo.server.security.AuditedSecurityOperation)5 HashSet (java.util.HashSet)4 TreeSet (java.util.TreeSet)4 Credentials (org.apache.accumulo.core.clientImpl.Credentials)4