Use of org.apache.hadoop.minikdc.MiniKdc in project flink by apache:
class SecureTestEnvironment, method prepare.
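/**
 * Prepares a Kerberos-secured test environment backed by an embedded {@link MiniKdc}.
 *
 * <p>Starts the KDC bound to {@code localhost}, creates the ZooKeeper, Kafka, Hadoop and
 * client principals in a single keytab, stores the realm-qualified principal names and the
 * keytab path in the static fields of this class, and installs a Flink
 * {@link SecurityUtils.SecurityConfiguration} built from them through
 * {@link TestingSecurityContext#install}.
 *
 * @param tempFolder JUnit temporary folder; the KDC working directory and the keytab are
 *                   created below it
 * @throws RuntimeException if any step fails (the original exception is the cause); a KDC
 *                          that was already started is stopped before rethrowing
 */
public static void prepare(TemporaryFolder tempFolder) {
    try {
        File baseDirForSecureRun = tempFolder.newFolder();
        LOG.info("Base Directory for Secure Environment: {}", baseDirForSecureRun);

        String hostName = "localhost";
        Properties kdcConf = MiniKdc.createConf();
        if (LOG.isDebugEnabled()) {
            // KDC-side debugging is only switched on when the test logger is already at DEBUG.
            kdcConf.setProperty(MiniKdc.DEBUG, "true");
        }
        kdcConf.setProperty(MiniKdc.KDC_BIND_ADDRESS, hostName);
        kdc = new MiniKdc(kdcConf, baseDirForSecureRun);
        kdc.start();
        LOG.info("Started Mini KDC");

        File keytabFile = new File(baseDirForSecureRun, "test-users.keytab");
        testKeytab = keytabFile.getAbsolutePath();

        // Principals are registered without a realm; the KDC realm is appended below.
        testZkServerPrincipal = "zookeeper/127.0.0.1";
        testZkClientPrincipal = "zk-client/127.0.0.1";
        testKafkaServerPrincipal = "kafka/" + hostName;
        hadoopServicePrincipal = "hadoop/" + hostName;
        testPrincipal = "client/" + hostName;
        kdc.createPrincipal(keytabFile, testPrincipal, testZkServerPrincipal,
                hadoopServicePrincipal, testZkClientPrincipal, testKafkaServerPrincipal);

        // The login modules are handed the fully qualified form "name/host@REALM".
        String realmSuffix = "@" + kdc.getRealm();
        testPrincipal += realmSuffix;
        testZkServerPrincipal += realmSuffix;
        testZkClientPrincipal += realmSuffix;
        testKafkaServerPrincipal += realmSuffix;
        hadoopServicePrincipal += realmSuffix;

        LOG.info("-------------------------------------------------------------------");
        LOG.info("Test Principal: {}", testPrincipal);
        LOG.info("Test ZK Server Principal: {}", testZkServerPrincipal);
        LOG.info("Test ZK Client Principal: {}", testZkClientPrincipal);
        LOG.info("Test Kafka Server Principal: {}", testKafkaServerPrincipal);
        LOG.info("Test Hadoop Service Principal: {}", hadoopServicePrincipal);
        LOG.info("Test Keytab: {}", testKeytab);
        LOG.info("-------------------------------------------------------------------");

        // Security Context is established to allow non hadoop applications that requires JAAS
        // based SASL/Kerberos authentication to work. However, for Hadoop specific applications
        // the context can be reinitialized with Hadoop configuration by calling
        // ctx.setHadoopConfiguration() for the UGI implementation to work properly.
        // See Yarn test case module for reference
        Configuration flinkConfig = GlobalConfiguration.loadConfiguration();
        flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_KEYTAB, testKeytab);
        // Keytab-only login: the ticket cache of the user running the tests must not be used.
        flinkConfig.setBoolean(SecurityOptions.KERBEROS_LOGIN_USETICKETCACHE, false);
        flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, testPrincipal);
        flinkConfig.setString(SecurityOptions.KERBEROS_LOGIN_CONTEXTS, "Client,KafkaClient");
        SecurityUtils.SecurityConfiguration ctx = new SecurityUtils.SecurityConfiguration(flinkConfig);
        TestingSecurityContext.install(ctx, getClientSecurityConfigurationMap());

        populateJavaPropertyVariables();
    } catch (Exception e) {
        // Do not leave a started KDC (and its server threads) behind after a failed setup.
        if (kdc != null) {
            try {
                kdc.stop();
            } catch (Exception stopFailure) {
                e.addSuppressed(stopFailure);
            }
        }
        throw new RuntimeException("Exception occured while preparing secure environment.", e);
    }
}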
Use of org.apache.hadoop.minikdc.MiniKdc in project knox by apache:
class SecureClusterTest, method setupKnox.
/**
 * Configures the JVM and the gateway test driver for a Kerberos-secured Knox gateway.
 *
 * <p>Writes a JAAS configuration for the given keytab/principal pair, points the JVM-wide
 * Kerberos system properties at the MiniKdc's krb5.conf and that JAAS file, then starts an
 * embedded LDAP and the gateway with a secured topology.
 *
 * @param keytab        path of the keytab used by the HTTP client login entry
 * @param hdfsPrincipal principal that the HTTP client authenticates as
 * @throws Exception if writing the JAAS file or starting LDAP/gateway fails
 */
private static void setupKnox(String keytab, String hdfsPrincipal) throws Exception {
    // Kerberos setup for the HTTP client: these system properties apply to the whole JVM.
    File jaasConf = setupJaasConf(baseDir, keytab, hdfsPrincipal);
    String krb5ConfPath = ((MiniKdc) kdc).getKrb5conf().getAbsolutePath();
    String jaasConfPath = jaasConf.getAbsolutePath();
    System.setProperty("java.security.krb5.conf", krb5ConfPath);
    System.setProperty("java.security.auth.login.config", jaasConfPath);
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    // Verbose Kerberos tracing on stdout; test-only, it prints ticket details.
    System.setProperty("sun.security.krb5.debug", "true");

    // Knox setup: the gateway reads the same krb5.conf and JAAS file.
    System.setProperty("gateway.hadoop.kerberos.secured", "true");
    GatewayTestConfig gatewayConfig = new GatewayTestConfig();
    gatewayConfig.setGatewayPath("gateway");
    gatewayConfig.setHadoopKerberosSecured(true);
    gatewayConfig.setKerberosConfig(krb5ConfPath);
    gatewayConfig.setKerberosLoginConfig(jaasConfPath);

    driver.setResourceBase(SecureClusterTest.class);
    driver.setupLdap(0);
    driver.setupGateway(gatewayConfig, "cluster", createTopology(), true);
}
Use of org.apache.hadoop.minikdc.MiniKdc in project herddb by diennea:
class JAASKerberosTest, method startMiniKdc.
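/**
 * Starts an embedded {@link MiniKdc}, registers a server and a client principal with their
 * own keytabs, writes a JAAS login configuration and a krb5.conf for them, and points the JVM
 * at both files through {@code java.security.auth.login.config} and
 * {@code java.security.krb5.conf}.
 *
 * <p>The JAAS entries are named {@code HerdDBServer} and {@code HerdDBClient}. Every option
 * value in them is quoted and closed, so the keytab path is not parsed together with the
 * options that follow it.
 *
 * @throws Exception if the KDC cannot be started or one of the files cannot be written
 */
@Before
public void startMiniKdc() throws Exception {
    conf = MiniKdc.createConf();
    kdc = new MiniKdc(conf, kdcDir.getRoot());
    kdc.start();

    String localhostName = "localhost.localdomain";
    String realm = kdc.getRealm();
    String principalServerNoRealm = "herddb/" + localhostName;
    String principalServer = principalServerNoRealm + "@" + realm;
    String principalClientNoRealm = "herddbclient/" + localhostName;
    String principalClient = principalClientNoRealm + "@" + realm;
    System.out.println("adding principal: " + principalServerNoRealm);
    System.out.println("adding principal: " + principalClientNoRealm);

    // MiniKdc takes the principal without realm and qualifies it with its own realm.
    File keytabClient = new File(workDir.getRoot(), "herddbclient.keytab");
    kdc.createPrincipal(keytabClient, principalClientNoRealm);
    File keytabServer = new File(workDir.getRoot(), "herddbserver.keytab");
    kdc.createPrincipal(keytabServer, principalServerNoRealm);

    File jaasFile = new File(workDir.getRoot(), "jaas.conf");
    try (FileWriter writer = new FileWriter(jaasFile)) {
        writer.write("\n"
                + krb5LoginEntry("HerdDBServer", keytabServer, principalServer)
                + "\n\n\n"
                + krb5LoginEntry("HerdDBClient", keytabClient, principalClient));
    }

    File krb5file = new File(workDir.getRoot(), "krb5.conf");
    try (FileWriter writer = new FileWriter(krb5file)) {
        writer.write("[libdefaults]\n"
                + " default_realm = " + realm + "\n"
                + "\n\n"
                + "[realms]\n"
                + " " + realm + " = {\n"
                + " kdc = " + kdc.getHost() + ":" + kdc.getPort() + "\n"
                + " }\n");
    }

    System.setProperty("java.security.auth.login.config", jaasFile.getAbsolutePath());
    System.setProperty("java.security.krb5.conf", krb5file.getAbsolutePath());
}

/** Renders one keytab-based Krb5LoginModule JAAS entry; the keyTab value is fully quoted. */
private static String krb5LoginEntry(String contextName, File keytab, String principal) {
    return contextName + " {\n"
            + " com.sun.security.auth.module.Krb5LoginModule required debug=true\n"
            + " useKeyTab=true\n"
            + " keyTab=\"" + keytab.getAbsolutePath() + "\"\n"
            + " storeKey=true\n"
            + " useTicketCache=false\n"
            + " principal=\"" + principal + "\";\n"
            + "};\n";
}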
Use of org.apache.hadoop.minikdc.MiniKdc in project cdap by caskdata:
class UGIProviderTest, method init.
/**
 * One-time fixture setup: starts a MiniKdc, creates keytabs and principal ids for the users
 * alice, bob and eve, brings up a single-node MiniDFSCluster and switches
 * {@link UserGroupInformation} to Kerberos authentication.
 *
 * @throws Exception if the KDC, the keytab generation or the DFS cluster fails to start
 */
@BeforeClass
public static void init() throws Exception {
    cConf = CConfiguration.create();
    cConf.set(Constants.CFG_LOCAL_DATA_DIR, TEMP_FOLDER.newFolder().getAbsolutePath());
    namespaceClient = new InMemoryNamespaceClient();

    // KDC: the JVM-wide krb5.conf is taken from the MiniKdc working directory.
    miniKdc = new MiniKdc(MiniKdc.createConf(), TEMP_FOLDER.newFolder());
    miniKdc.start();
    System.setProperty("java.security.krb5.conf", miniKdc.getKrb5conf().getAbsolutePath());

    // One keytab per test user, all below the same temporary directory.
    localKeytabDirPath = TEMP_FOLDER.newFolder();
    aliceKeytabFile = createPrincipal(localKeytabDirPath, "alice");
    bobKeytabFile = createPrincipal(localKeytabDirPath, "bob");
    eveKeytabFile = createPrincipal(localKeytabDirPath, "eve");

    // Kerberos principal ids matching the keytabs created above.
    aliceKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("alice"));
    bobKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("bob"));
    eveKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("eve"));

    // Mini DFS cluster with a single data node.
    Configuration dfsConf = new Configuration();
    dfsConf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, TEMP_FOLDER.newFolder().getAbsolutePath());
    // Lets the IPC client fall back to simple auth against this unsecured mini cluster;
    // test-only relaxation, never appropriate outside a fixture.
    dfsConf.setBoolean("ipc.client.fallback-to-simple-auth-allowed", true);
    miniDFSCluster = new MiniDFSCluster.Builder(dfsConf).numDataNodes(1).build();
    miniDFSCluster.waitClusterUp();
    locationFactory = new FileContextLocationFactory(miniDFSCluster.getFileSystem().getConf());

    // A fresh configuration so UGI itself runs in Kerberos mode.
    Configuration ugiConf = new Configuration();
    ugiConf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(ugiConf);
}
Use of org.apache.hadoop.minikdc.MiniKdc in project oozie by apache:
class ZKXTestCaseWithSecurity, method setupZKServer.
/**
 * Creates and sets up the embedded ZooKeeper server. Test subclasses should have no reason to override this method.
 * <p>
 * This override starts the MiniKdc, sets the JAAS configuration, configures ZooKeeper for SASL/Kerberos authentication
 * and ACLs, and then starts the ZooKeeper server.
 * <p>
 * Unfortunately, ZooKeeper security requires setting the security for the entire JVM. In the tests the ZK server and one
 * or more clients run in the same JVM, so things get messy. There are two ways to tell ZooKeeper to authenticate: (1) set
 * the system property "java.security.auth.login.config" to a jaas.conf file, or (2) create a
 * javax.security.auth.login.Configuration object with the same content and set it. In either case, once set and once
 * something has authenticated, it apparently cannot be unset or changed, and there is no way to log out. Setting the
 * system property "javax.security.auth.useSubjectCredsOnly" to "false" lets us sort-of change the JAAS Configuration,
 * but it is fickle about it. A consequence is that the JAAS entries for both "Server" and "Client" have to be added here,
 * instead of only "Server" here and "Client" in the normal place ({@link ZKUtils}), or the "Client" entry will not be
 * found. Also, because there is no way to log out, once any client has authenticated all subsequent clients automatically
 * connect with the same authentication; trying to prevent this is futile and either errors or has no effect. So no test
 * can use an unauthenticated client. Likewise, if tests using secure ZooKeeper run before tests that do not, the latter
 * will likely fail because authentication is attempted: they must run separately. For this reason the secure tests live
 * in a separate module where they get their own JVM.
 *
 * @return the embedded ZooKeeper server
 * @throws Exception if the KDC, the keytab or the ZooKeeper server cannot be set up
 */
@Override
protected TestingServer setupZKServer() throws Exception {
    // Not entirely sure exactly what "javax.security.auth.useSubjectCredsOnly=false" does, but it has something to do
    // with re-authenticating in cases where it otherwise wouldn't. One of the sections on this page briefly mentions it:
    // http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html
    setSystemProperty("javax.security.auth.useSubjectCredsOnly", "false");

    // KDC, principals and the shared keytab.
    String serverPrincipal = "zookeeper/127.0.0.1";
    kdc = new MiniKdc(MiniKdc.createConf(), new File(getTestCaseDir()));
    kdc.start();
    keytabFile = new File(getTestCaseDir(), "test.keytab");
    kdc.createPrincipal(keytabFile, getPrincipal(), serverPrincipal);
    String keytabPath = keytabFile.getAbsolutePath();

    // ZooKeeper-side SASL settings. The two "remove*FromPrincipal" flags make ZooKeeper
    // compare only the primary part of a principal, which is what the test ACLs rely on.
    setSystemProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
    setSystemProperty("zookeeper.kerberos.removeHostFromPrincipal", "true");
    setSystemProperty("zookeeper.kerberos.removeRealmFromPrincipal", "true");

    // JAAS entries: "Server" for ZooKeeper, and "Client" here as well (see the class comment above for why).
    JaasConfiguration.addEntry("Server", serverPrincipal, keytabPath);
    JaasConfiguration.addEntry("Client", getPrincipal(), keytabPath);
    Configuration.setConfiguration(JaasConfiguration.getInstance());
    setSystemProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY, "Server");

    return new TestingServer();
}