Example 1 with AccumuloSecurityException
use of org.apache.accumulo.proxy.thrift.AccumuloSecurityException in project accumulo by apache.
the class SimpleProxyBase method namespacePermissions.
@Test
public void namespacePermissions() throws Exception {
String userName;
ClusterUser otherClient = null;
ByteBuffer password = s2bb("password");
ByteBuffer user;
TestProxyClient origProxyClient = null;
Client origClient = null;
TestProxyClient userProxyClient = null;
Client userClient = null;
if (isKerberosEnabled()) {
otherClient = getKdc().getClientPrincipal(1);
userName = otherClient.getPrincipal();
UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
// Re-login in and make a new connection. Can't use the previous one
userProxyClient = new TestProxyClient(hostname, proxyPort, factory, proxyPrimary, ugi);
origProxyClient = proxyClient;
origClient = client;
userClient = client = userProxyClient.proxy();
user = client.login(userName, Collections.<String, String>emptyMap());
} else {
userName = getUniqueNames(1)[0];
// create a user
client.createLocalUser(creds, userName, password);
user = client.login(userName, s2pp(ByteBufferUtil.toString(password)));
}
// check permission failure
try {
client.createTable(user, namespaceName + ".fail", true, TimeType.MILLIS);
fail("should not create the table");
} catch (AccumuloSecurityException ex) {
if (isKerberosEnabled()) {
// Switch back to original client
UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
client = origClient;
}
assertFalse(client.listTables(creds).contains(namespaceName + ".fail"));
}
// grant permissions and test
assertFalse(client.hasNamespacePermission(creds, userName, namespaceName, NamespacePermission.CREATE_TABLE));
client.grantNamespacePermission(creds, userName, namespaceName, NamespacePermission.CREATE_TABLE);
assertTrue(client.hasNamespacePermission(creds, userName, namespaceName, NamespacePermission.CREATE_TABLE));
if (isKerberosEnabled()) {
// Switch back to the extra user
UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
client = userClient;
}
client.createTable(user, namespaceName + ".success", true, TimeType.MILLIS);
if (isKerberosEnabled()) {
// Switch back to original client
UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
client = origClient;
}
assertTrue(client.listTables(creds).contains(namespaceName + ".success"));
// revoke permissions
client.revokeNamespacePermission(creds, userName, namespaceName, NamespacePermission.CREATE_TABLE);
assertFalse(client.hasNamespacePermission(creds, userName, namespaceName, NamespacePermission.CREATE_TABLE));
try {
if (isKerberosEnabled()) {
// Switch back to the extra user
UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
client = userClient;
}
client.createTable(user, namespaceName + ".fail", true, TimeType.MILLIS);
fail("should not create the table");
} catch (AccumuloSecurityException ex) {
if (isKerberosEnabled()) {
// Switch back to original client
UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
client = origClient;
}
assertFalse(client.listTables(creds).contains(namespaceName + ".fail"));
}
// delete user
client.dropLocalUser(creds, userName);
Set<String> users = client.listLocalUsers(creds);
assertFalse("Should not see user after they are deleted", users.contains(userName));
if (isKerberosEnabled()) {
userProxyClient.close();
proxyClient = origProxyClient;
client = origClient;
}
// delete table from namespace otherwise we can't delete namespace during teardown
client.deleteTable(creds, namespaceName + ".success");
}
Also used :
ClusterUser(org.apache.accumulo.cluster.ClusterUser)
AccumuloSecurityException(org.apache.accumulo.proxy.thrift.AccumuloSecurityException)
Client(org.apache.accumulo.proxy.thrift.AccumuloProxy.Client)
ByteBuffer(java.nio.ByteBuffer)
UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
Test(org.junit.Test)
Example 2 with AccumuloSecurityException
use of org.apache.accumulo.proxy.thrift.AccumuloSecurityException in project accumulo by apache.
the class SimpleProxyBase method userPermissions.
@Test
public void userPermissions() throws Exception {
String userName = getUniqueNames(1)[0];
ClusterUser otherClient = null;
ByteBuffer password = s2bb("password");
ByteBuffer user;
TestProxyClient origProxyClient = null;
Client origClient = null;
TestProxyClient userProxyClient = null;
Client userClient = null;
if (isKerberosEnabled()) {
otherClient = getKdc().getClientPrincipal(1);
userName = otherClient.getPrincipal();
UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
// Re-login in and make a new connection. Can't use the previous one
userProxyClient = new TestProxyClient(hostname, proxyPort, factory, proxyPrimary, ugi);
origProxyClient = proxyClient;
origClient = client;
userClient = client = userProxyClient.proxy();
user = client.login(userName, Collections.<String, String>emptyMap());
} else {
userName = getUniqueNames(1)[0];
// create a user
client.createLocalUser(creds, userName, password);
user = client.login(userName, s2pp(ByteBufferUtil.toString(password)));
}
// check permission failure
try {
client.createTable(user, "fail", true, TimeType.MILLIS);
fail("should not create the table");
} catch (AccumuloSecurityException ex) {
if (isKerberosEnabled()) {
// Switch back to original client
UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
client = origClient;
}
assertFalse(client.listTables(creds).contains("fail"));
}
// grant permissions and test
assertFalse(client.hasSystemPermission(creds, userName, SystemPermission.CREATE_TABLE));
client.grantSystemPermission(creds, userName, SystemPermission.CREATE_TABLE);
assertTrue(client.hasSystemPermission(creds, userName, SystemPermission.CREATE_TABLE));
if (isKerberosEnabled()) {
// Switch back to the extra user
UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
client = userClient;
}
client.createTable(user, "success", true, TimeType.MILLIS);
if (isKerberosEnabled()) {
// Switch back to original client
UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
client = origClient;
}
assertTrue(client.listTables(creds).contains("success"));
// revoke permissions
client.revokeSystemPermission(creds, userName, SystemPermission.CREATE_TABLE);
assertFalse(client.hasSystemPermission(creds, userName, SystemPermission.CREATE_TABLE));
try {
if (isKerberosEnabled()) {
// Switch back to the extra user
UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
client = userClient;
}
client.createTable(user, "fail", true, TimeType.MILLIS);
fail("should not create the table");
} catch (AccumuloSecurityException ex) {
if (isKerberosEnabled()) {
// Switch back to original client
UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
client = origClient;
}
assertFalse(client.listTables(creds).contains("fail"));
}
// denied!
try {
if (isKerberosEnabled()) {
// Switch back to the extra user
UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
client = userClient;
}
String scanner = client.createScanner(user, tableName, null);
client.nextK(scanner, 100);
fail("stooge should not read table test");
} catch (AccumuloSecurityException ex) {
}
if (isKerberosEnabled()) {
// Switch back to original client
UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
client = origClient;
}
// grant
assertFalse(client.hasTablePermission(creds, userName, tableName, TablePermission.READ));
client.grantTablePermission(creds, userName, tableName, TablePermission.READ);
assertTrue(client.hasTablePermission(creds, userName, tableName, TablePermission.READ));
if (isKerberosEnabled()) {
// Switch back to the extra user
UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
client = userClient;
}
String scanner = client.createScanner(user, tableName, null);
client.nextK(scanner, 10);
client.closeScanner(scanner);
if (isKerberosEnabled()) {
// Switch back to original client
UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
client = origClient;
}
// revoke
client.revokeTablePermission(creds, userName, tableName, TablePermission.READ);
assertFalse(client.hasTablePermission(creds, userName, tableName, TablePermission.READ));
try {
if (isKerberosEnabled()) {
// Switch back to the extra user
UserGroupInformation.loginUserFromKeytab(otherClient.getPrincipal(), otherClient.getKeytab().getAbsolutePath());
client = userClient;
}
scanner = client.createScanner(user, tableName, null);
client.nextK(scanner, 100);
fail("stooge should not read table test");
} catch (AccumuloSecurityException ex) {
}
if (isKerberosEnabled()) {
// Switch back to original client
UserGroupInformation.loginUserFromKeytab(clientPrincipal, clientKeytab.getAbsolutePath());
client = origClient;
}
// delete user
client.dropLocalUser(creds, userName);
Set<String> users = client.listLocalUsers(creds);
assertFalse("Should not see user after they are deleted", users.contains(userName));
if (isKerberosEnabled()) {
userProxyClient.close();
proxyClient = origProxyClient;
client = origClient;
}
}
Also used :
ClusterUser(org.apache.accumulo.cluster.ClusterUser)
AccumuloSecurityException(org.apache.accumulo.proxy.thrift.AccumuloSecurityException)
Client(org.apache.accumulo.proxy.thrift.AccumuloProxy.Client)
ByteBuffer(java.nio.ByteBuffer)
UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
Test(org.junit.Test)
Example 3 with AccumuloSecurityException
use of org.apache.accumulo.proxy.thrift.AccumuloSecurityException in project accumulo by apache.
the class KerberosProxyIT method proxiedUserAccessWithoutAccumuloProxy.
@Test
public void proxiedUserAccessWithoutAccumuloProxy() throws Exception {
final String tableName = getUniqueNames(1)[0];
ClusterUser rootUser = kdc.getRootUser();
final UserGroupInformation rootUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
final UserGroupInformation realUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(proxyPrincipal, proxyKeytab.getAbsolutePath());
final String userWithoutCredentials1 = kdc.qualifyUser(PROXIED_USER1);
final String userWithoutCredentials2 = kdc.qualifyUser(PROXIED_USER2);
final String userWithoutCredentials3 = kdc.qualifyUser(PROXIED_USER3);
final UserGroupInformation proxyUser1 = UserGroupInformation.createProxyUser(userWithoutCredentials1, realUgi);
final UserGroupInformation proxyUser2 = UserGroupInformation.createProxyUser(userWithoutCredentials2, realUgi);
final UserGroupInformation proxyUser3 = UserGroupInformation.createProxyUser(userWithoutCredentials3, realUgi);
// Create a table and user, grant permission to our user to read that table.
rootUgi.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
Connector conn = inst.getConnector(rootUgi.getUserName(), new KerberosToken());
conn.tableOperations().create(tableName);
conn.securityOperations().createLocalUser(userWithoutCredentials1, new PasswordToken("ignored"));
conn.securityOperations().grantTablePermission(userWithoutCredentials1, tableName, TablePermission.READ);
conn.securityOperations().createLocalUser(userWithoutCredentials3, new PasswordToken("ignored"));
conn.securityOperations().grantTablePermission(userWithoutCredentials3, tableName, TablePermission.READ);
return null;
}
});
realUgi.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
Connector conn = inst.getConnector(proxyPrincipal, new KerberosToken());
try (Scanner s = conn.createScanner(tableName, Authorizations.EMPTY)) {
s.iterator().hasNext();
Assert.fail("Expected to see an exception");
} catch (RuntimeException e) {
int numSecurityExceptionsSeen = Iterables.size(Iterables.filter(Throwables.getCausalChain(e), org.apache.accumulo.core.client.AccumuloSecurityException.class));
assertTrue("Expected to see at least one AccumuloSecurityException, but saw: " + Throwables.getStackTraceAsString(e), numSecurityExceptionsSeen > 0);
}
return null;
}
});
// Allowed to be proxied and has read permission
proxyUser1.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
Connector conn = inst.getConnector(userWithoutCredentials1, new KerberosToken(userWithoutCredentials1));
Scanner s = conn.createScanner(tableName, Authorizations.EMPTY);
assertFalse(s.iterator().hasNext());
return null;
}
});
// Allowed to be proxied but does not have read permission
proxyUser2.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
Connector conn = inst.getConnector(userWithoutCredentials2, new KerberosToken(userWithoutCredentials3));
try (Scanner s = conn.createScanner(tableName, Authorizations.EMPTY)) {
s.iterator().hasNext();
Assert.fail("Expected to see an exception");
} catch (RuntimeException e) {
int numSecurityExceptionsSeen = Iterables.size(Iterables.filter(Throwables.getCausalChain(e), org.apache.accumulo.core.client.AccumuloSecurityException.class));
assertTrue("Expected to see at least one AccumuloSecurityException, but saw: " + Throwables.getStackTraceAsString(e), numSecurityExceptionsSeen > 0);
}
return null;
}
});
// Has read permission but is not allowed to be proxied
proxyUser3.doAs(new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
ZooKeeperInstance inst = new ZooKeeperInstance(mac.getClientConfig());
try {
inst.getConnector(userWithoutCredentials3, new KerberosToken(userWithoutCredentials3));
Assert.fail("Should not be able to create a Connector as this user cannot be proxied");
} catch (org.apache.accumulo.core.client.AccumuloSecurityException e) {
// Expected, this user cannot be proxied
}
return null;
}
});
}
Also used :
Connector(org.apache.accumulo.core.client.Connector)
Scanner(org.apache.accumulo.core.client.Scanner)
KerberosToken(org.apache.accumulo.core.client.security.tokens.KerberosToken)
TTransportException(org.apache.thrift.transport.TTransportException)
AccumuloSecurityException(org.apache.accumulo.proxy.thrift.AccumuloSecurityException)
ConnectException(java.net.ConnectException)
ExpectedException(org.junit.rules.ExpectedException)
IOException(java.io.IOException)
ZooKeeperInstance(org.apache.accumulo.core.client.ZooKeeperInstance)
PasswordToken(org.apache.accumulo.core.client.security.tokens.PasswordToken)
ClusterUser(org.apache.accumulo.cluster.ClusterUser)
AccumuloSecurityException(org.apache.accumulo.proxy.thrift.AccumuloSecurityException)
UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)
Test(org.junit.Test)
Aggregations
ClusterUser (org.apache.accumulo.cluster.ClusterUser)3
AccumuloSecurityException (org.apache.accumulo.proxy.thrift.AccumuloSecurityException)3
UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)3
Test (org.junit.Test)3
ByteBuffer (java.nio.ByteBuffer)2
Client (org.apache.accumulo.proxy.thrift.AccumuloProxy.Client)2
IOException (java.io.IOException)1
ConnectException (java.net.ConnectException)1
Connector (org.apache.accumulo.core.client.Connector)1
Scanner (org.apache.accumulo.core.client.Scanner)1
ZooKeeperInstance (org.apache.accumulo.core.client.ZooKeeperInstance)1
KerberosToken (org.apache.accumulo.core.client.security.tokens.KerberosToken)1
PasswordToken (org.apache.accumulo.core.client.security.tokens.PasswordToken)1
TTransportException (org.apache.thrift.transport.TTransportException)1
ExpectedException (org.junit.rules.ExpectedException)1
