
Example 1 with CertificateClientTestImpl

use of org.apache.hadoop.ozone.client.CertificateClientTestImpl in project ozone by apache.

the class TestOzoneContainerWithTLS method setup.

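/**
 * Builds a secure, TLS-enabled configuration backed by a fresh metadata
 * directory, a test-only certificate client and a block token secret manager.
 *
 * <p>The metadata directory is wiped before use so every run starts from an
 * empty key directory. Security and gRPC TLS are switched on, and
 * {@code HDDS_GRPC_TLS_TEST_CERT} selects test certificates; this wiring is
 * for tests only and is not a template for a production configuration.
 *
 * @throws Exception if the configuration or certificate client cannot be created
 * @throws IllegalStateException if the key directory cannot be created
 */
@Before
public void setup() throws Exception {
    conf = new OzoneConfiguration();
    String ozoneMetaPath = GenericTestUtils.getTempPath("ozoneMeta");
    File ozoneMetaFile = new File(ozoneMetaPath);
    conf.set(OZONE_METADATA_DIRS, ozoneMetaPath);
    // Start from a clean slate: remove anything left by a previous run.
    FileUtil.fullyDelete(ozoneMetaFile);
    String keyDirName = conf.get(HDDS_KEY_DIR_NAME, HDDS_KEY_DIR_NAME_DEFAULT);
    File ozoneKeyDir = new File(ozoneMetaFile, keyDirName);
    // mkdirs() signals failure through its return value, not an exception;
    // fail here rather than let a later step hit a missing directory with a
    // less obvious error.
    if (!ozoneKeyDir.mkdirs() && !ozoneKeyDir.isDirectory()) {
        throw new IllegalStateException("Could not create key directory " + ozoneKeyDir);
    }
    conf.setBoolean(OZONE_SECURITY_ENABLED_KEY, true);
    conf.setBoolean(HddsConfigKeys.HDDS_GRPC_TLS_ENABLED, true);
    conf.setBoolean(HddsConfigKeys.HDDS_GRPC_TLS_TEST_CERT, true);
    long expiryTime = conf.getTimeDuration(HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME, HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME_DEFAULT, TimeUnit.MILLISECONDS);
    caClient = new CertificateClientTestImpl(conf);
    // The secret manager receives the test certificate's serial number —
    // presumably so issued block tokens can be tied back to the signing
    // certificate; confirm against OzoneBlockTokenSecretManager.
    secretManager = new OzoneBlockTokenSecretManager(new SecurityConfig(conf), expiryTime, caClient.getCertificate().getSerialNumber().toString());
}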
Also used : CertificateClientTestImpl(org.apache.hadoop.ozone.client.CertificateClientTestImpl) SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) OzoneConfiguration(org.apache.hadoop.hdds.conf.OzoneConfiguration) File(java.io.File) OzoneBlockTokenSecretManager(org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager) Before(org.junit.Before)

Example 2 with CertificateClientTestImpl

use of org.apache.hadoop.ozone.client.CertificateClientTestImpl in project ozone by apache.

the class TestSecureOzoneContainer method setup.

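/**
 * Prepares a secure container test: mini-cluster metrics mode, no
 * {@code System.exit} from the code under test, a temporary metadata
 * directory, a test-only certificate client and a container token secret
 * manager bound to that client's certificate.
 *
 * @throws Exception if any of the security components fail to initialise
 */
@Before
public void setup() throws Exception {
    DefaultMetricsSystem.setMiniClusterMode(true);
    // A failing component must surface as a test failure, not as a JVM exit.
    ExitUtils.disableSystemExit();
    conf = new OzoneConfiguration();
    String ozoneMetaPath = GenericTestUtils.getTempPath("ozoneMeta");
    conf.set(OZONE_METADATA_DIRS, ozoneMetaPath);
    secConfig = new SecurityConfig(conf);
    caClient = new CertificateClientTestImpl(conf);
    // One-day token lifetime; the secret manager is keyed by the test
    // certificate's serial number. secConfig is reused instead of building a
    // second SecurityConfig from the same conf.
    long tokenLifetimeMillis = TimeUnit.DAYS.toMillis(1);
    secretManager = new ContainerTokenSecretManager(secConfig, tokenLifetimeMillis, caClient.getCertificate().getSerialNumber().toString());
}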
Also used : SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) CertificateClientTestImpl(org.apache.hadoop.ozone.client.CertificateClientTestImpl) OzoneConfiguration(org.apache.hadoop.hdds.conf.OzoneConfiguration) ContainerTokenSecretManager(org.apache.hadoop.hdds.security.token.ContainerTokenSecretManager) Before(org.junit.Before)

Example 3 with CertificateClientTestImpl

use of org.apache.hadoop.ozone.client.CertificateClientTestImpl in project ozone by apache.

the class TestSecureOzoneCluster method testDelegationTokenRenewal.

/**
 * Tests delegation token renewal.
 *
 * <p>Covers the successful path (a Kerberos-authenticated client obtains a
 * token whose renewer is this OM and renews it) and three rejections:
 * renewal after the configured max lifetime has elapsed, renewal of a token
 * issued to a different renewer, and renewal of a token whose identifier was
 * altered after issue.
 *
 * @throws Exception on unexpected OM start-up or RPC failure
 */
@Test
public void testDelegationTokenRenewal() throws Exception {
    GenericTestUtils.setLogLevel(LoggerFactory.getLogger(Server.class.getName()), INFO);
    LogCapturer omLogs = LogCapturer.captureLogs(OzoneManager.getLogger());
    // Setup secure OM for start.
    OzoneConfiguration newConf = new OzoneConfiguration(conf);
    // Keep the max lifetime short (1000, presumably milliseconds — the sleep
    // below treats it as such) so the expiry case can be reached quickly.
    int tokenMaxLifetime = 1000;
    newConf.setLong(DELEGATION_TOKEN_MAX_LIFETIME_KEY, tokenMaxLifetime);
    setupOm(newConf);
    OzoneManager.setTestSecureOmFlag(true);
    try {
        // Test-only certificate client; no real CA-issued certificate is involved.
        om.setCertClient(new CertificateClientTestImpl(conf));
        om.start();
        UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
        // Get first OM client which will authenticate via Kerberos
        omClient = new OzoneManagerProtocolClientSideTranslatorPB(OmTransportFactory.create(conf, ugi, null), RandomStringUtils.randomAscii(5));
        // Since client is already connected get a delegation token
        Token<OzoneTokenIdentifier> token = omClient.getDelegationToken(new Text("om"));
        // Check if token is of right kind and renewer is running om instance
        assertNotNull(token);
        assertEquals("OzoneToken", token.getKind().toString());
        assertEquals(OmUtils.getOmRpcAddress(conf), token.getService().toString());
        // Renew delegation token
        long expiryTime = omClient.renewDelegationToken(token);
        assertTrue(expiryTime > 0);
        omLogs.clearOutput();
        // Test failure of delegation renewal
        // 1. When token maxExpiryTime exceeds
        // NOTE(review): sleeping for exactly the max lifetime leaves no
        // margin; whether this is timing-sensitive depends on the clock the
        // OM uses for the max date — confirm before tightening.
        Thread.sleep(tokenMaxLifetime);
        OMException ex = LambdaTestUtils.intercept(OMException.class, "TOKEN_EXPIRED", () -> omClient.renewDelegationToken(token));
        assertEquals(TOKEN_EXPIRED, ex.getResult());
        omLogs.clearOutput();
        // 2. When renewer doesn't match (implicitly covers when renewer is
        // null or empty )
        Token<OzoneTokenIdentifier> token2 = omClient.getDelegationToken(new Text("randomService"));
        assertNotNull(token2);
        LambdaTestUtils.intercept(OMException.class, "Delegation token renewal failed", () -> omClient.renewDelegationToken(token2));
        assertTrue(omLogs.getOutput().contains(" with non-matching " + "renewer randomService"));
        omLogs.clearOutput();
        // 3. Test tampered token
        // The identifier of the first token is modified (renewer set to "om",
        // max date pushed far into the future) and paired with the password
        // issued for token2. A forged identifier must be refused even though
        // the password is genuine; the OM reports it as absent from its cache.
        OzoneTokenIdentifier tokenId = OzoneTokenIdentifier.readProtoBuf(token.getIdentifier());
        tokenId.setRenewer(new Text("om"));
        tokenId.setMaxDate(System.currentTimeMillis() * 2);
        Token<OzoneTokenIdentifier> tamperedToken = new Token<>(tokenId.getBytes(), token2.getPassword(), token2.getKind(), token2.getService());
        LambdaTestUtils.intercept(OMException.class, "Delegation token renewal failed", () -> omClient.renewDelegationToken(tamperedToken));
        assertTrue(omLogs.getOutput().contains("can't be found in " + "cache"));
        omLogs.clearOutput();
    } finally {
        // NOTE(review): omClient is not closed here; presumably a teardown
        // method handles it — verify.
        om.stop();
        om.join();
    }
}
Also used : OzoneManagerProtocolClientSideTranslatorPB(org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolClientSideTranslatorPB) CertificateClientTestImpl(org.apache.hadoop.ozone.client.CertificateClientTestImpl) OzoneTokenIdentifier(org.apache.hadoop.ozone.security.OzoneTokenIdentifier) LogCapturer(org.apache.ozone.test.GenericTestUtils.LogCapturer) OzoneConfiguration(org.apache.hadoop.hdds.conf.OzoneConfiguration) Text(org.apache.hadoop.io.Text) Token(org.apache.hadoop.security.token.Token) OMException(org.apache.hadoop.ozone.om.exceptions.OMException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 4 with CertificateClientTestImpl

use of org.apache.hadoop.ozone.client.CertificateClientTestImpl in project ozone by apache.

the class TestSecureOzoneCluster method testAccessControlExceptionOnClient.

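/**
 * Verifies that only a Kerberos-authenticated client can use a secure OM and
 * that a client without credentials is rejected without retries.
 *
 * <p>Three things are checked: the OM logs in via Kerberos while starting
 * (asserted only when {@code start()} throws, see below); a client logged in
 * from the test keytab can create a volume; a client created with
 * {@code createUserForTesting} is refused with an
 * {@code AccessControlException} that appears exactly once in the RPC client
 * log, i.e. the authentication failure is not retried.
 *
 * @throws Exception on any unexpected setup or RPC failure
 * @throws AssertionError if the Kerberos client cannot create a volume; the
 *     original {@code IOException} is attached as the cause
 */
@Test
public void testAccessControlExceptionOnClient() throws Exception {
    initSCM();
    // Create a secure SCM instance as om client will connect to it
    scm = HddsTestUtils.getScmSimple(conf);
    LogCapturer logs = LogCapturer.captureLogs(OzoneManager.getLogger());
    GenericTestUtils.setLogLevel(OzoneManager.getLogger(), INFO);
    setupOm(conf);
    try {
        om.setCertClient(new CertificateClientTestImpl(conf));
        om.start();
    } catch (Exception ex) {
        // Expects timeout failure from scmClient in om but om user login via
        // kerberos should succeed.
        // NOTE(review): the login assertion only runs on this path; a
        // start() that succeeds is accepted without checking the log.
        assertTrue(logs.getOutput().contains("Ozone Manager login successful"));
    }
    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(testUserPrincipal, testUserKeytab.getCanonicalPath());
    ugi.setAuthenticationMethod(KERBEROS);
    // NOTE(review): neither client created below is closed in this test;
    // verify whether the translator is Closeable and close it in a finally.
    OzoneManagerProtocolClientSideTranslatorPB secureClient = new OzoneManagerProtocolClientSideTranslatorPB(OmTransportFactory.create(conf, ugi, null), ClientId.randomId().toString());
    try {
        secureClient.createVolume(new OmVolumeArgs.Builder().setVolume("vol1").setOwnerName("owner1").setAdminName("admin").build());
    } catch (IOException ex) {
        // Keep the exception as the cause so the actual reason (wrong
        // principal, keytab, service ticket, ...) is visible in the report
        // instead of being dropped by a bare fail().
        throw new AssertionError("Secure client should be able to create volume.", ex);
    }
    // A UGI built this way presumably carries no Kerberos ticket or token,
    // which is the point of the negative case.
    ugi = UserGroupInformation.createUserForTesting("testuser1", new String[] { "test" });
    OzoneManagerProtocolClientSideTranslatorPB unsecureClient = new OzoneManagerProtocolClientSideTranslatorPB(OmTransportFactory.create(conf, ugi, null), ClientId.randomId().toString());
    String exMessage = "org.apache.hadoop.security.AccessControlException: " + "Client cannot authenticate via:[TOKEN, KERBEROS]";
    // Capture the RPC client log so any retry would show up as a repeated message.
    logs = LogCapturer.captureLogs(Client.LOG);
    LambdaTestUtils.intercept(IOException.class, exMessage, () -> unsecureClient.listAllVolumes(null, null, 0));
    // Exactly one occurrence: an authentication failure is final and must
    // not be retried.
    assertEquals("There should be no retry on AccessControlException", 1, StringUtils.countMatches(logs.getOutput(), exMessage));
}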
Also used : OzoneManagerProtocolClientSideTranslatorPB(org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolClientSideTranslatorPB) OmVolumeArgs(org.apache.hadoop.ozone.om.helpers.OmVolumeArgs) CertificateClientTestImpl(org.apache.hadoop.ozone.client.CertificateClientTestImpl) LogCapturer(org.apache.ozone.test.GenericTestUtils.LogCapturer) IOException(java.io.IOException) AuthenticationException(org.apache.hadoop.security.authentication.client.AuthenticationException) KerberosAuthException(org.apache.hadoop.security.KerberosAuthException) IOException(java.io.IOException) SCMSecurityException(org.apache.hadoop.hdds.security.exception.SCMSecurityException) OMException(org.apache.hadoop.ozone.om.exceptions.OMException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 5 with CertificateClientTestImpl

use of org.apache.hadoop.ozone.client.CertificateClientTestImpl in project ozone by apache.

the class TestContainerStateMachineFlushDelay method setup.

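/**
 * Creates a single-datanode {@link MiniOzoneCluster} with small, chained
 * chunk/flush/block sizes (each double the previous), block tokens enabled
 * and a test-only certificate client, then opens an RPC client and creates
 * the volume and bucket used by the tests.
 *
 * @throws Exception if the cluster or client cannot be started
 * @throws IllegalStateException if the temporary base directory cannot be created
 */
@Before
public void setup() throws Exception {
    chunkSize = 100;
    flushSize = 2 * chunkSize;
    maxFlushSize = 2 * flushSize;
    blockSize = 2 * maxFlushSize;
    keyString = UUID.randomUUID().toString();
    path = GenericTestUtils.getTempPath(TestContainerStateMachineFlushDelay.class.getSimpleName());
    File baseDir = new File(path);
    // mkdirs() reports failure via its return value; fail early instead of
    // letting the cluster start against a missing directory.
    if (!baseDir.mkdirs() && !baseDir.isDirectory()) {
        throw new IllegalStateException("Could not create base directory " + baseDir);
    }
    conf.setBoolean(HDDS_BLOCK_TOKEN_ENABLED, true);
    conf.setBoolean(OZONE_SCM_HA_ENABLE_KEY, false);
    // conf.setBoolean(OZONE_SECURITY_ENABLED_KEY, true);
    // Short report/watcher intervals keep the test fast; a 3 s stale-node
    // interval bounds how long a silent datanode stays "healthy".
    conf.setTimeDuration(HDDS_CONTAINER_REPORT_INTERVAL, 200, TimeUnit.MILLISECONDS);
    conf.setTimeDuration(HDDS_COMMAND_STATUS_REPORT_INTERVAL, 200, TimeUnit.MILLISECONDS);
    conf.setTimeDuration(HDDS_SCM_WATCHER_TIMEOUT, 1000, TimeUnit.MILLISECONDS);
    conf.setTimeDuration(OZONE_SCM_STALENODE_INTERVAL, 3, TimeUnit.SECONDS);
    conf.setQuietMode(false);
    OzoneManager.setTestSecureOmFlag(true);
    conf.setLong(OzoneConfigKeys.DFS_RATIS_SNAPSHOT_THRESHOLD_KEY, 1);
    // conf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS.toString());
    cluster = MiniOzoneCluster.newBuilder(conf).setNumDatanodes(1).setBlockSize(blockSize).setChunkSize(chunkSize).setStreamBufferFlushSize(flushSize).setStreamBufferMaxSize(maxFlushSize).setStreamBufferSizeUnit(StorageUnit.BYTES).setHbInterval(200).setCertificateClient(new CertificateClientTestImpl(conf)).build();
    cluster.waitForClusterToBeReady();
    // Block tokens are enabled above; the OM's secret manager is started
    // explicitly so it can issue them (presumably not started by default in
    // this test mode — confirm).
    cluster.getOzoneManager().startSecretManager();
    // the easiest way to create an open container is creating a key
    client = OzoneClientFactory.getRpcClient(conf);
    objectStore = client.getObjectStore();
    volumeName = "testcontainerstatemachinefailures";
    bucketName = volumeName;
    objectStore.createVolume(volumeName);
    objectStore.getVolume(volumeName).createBucket(bucketName);
}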
Also used : CertificateClientTestImpl(org.apache.hadoop.ozone.client.CertificateClientTestImpl) File(java.io.File) Before(org.junit.Before)

Aggregations

CertificateClientTestImpl (org.apache.hadoop.ozone.client.CertificateClientTestImpl)11 OzoneConfiguration (org.apache.hadoop.hdds.conf.OzoneConfiguration)5 File (java.io.File)4 SecurityConfig (org.apache.hadoop.hdds.security.x509.SecurityConfig)4 OzoneManagerProtocolClientSideTranslatorPB (org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolClientSideTranslatorPB)4 UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)4 Before (org.junit.Before)4 Test (org.junit.Test)4 OMException (org.apache.hadoop.ozone.om.exceptions.OMException)3 OzoneBlockTokenSecretManager (org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager)3 LogCapturer (org.apache.ozone.test.GenericTestUtils.LogCapturer)3 BeforeClass (org.junit.BeforeClass)3 IOException (java.io.IOException)2 ContainerTokenSecretManager (org.apache.hadoop.hdds.security.token.ContainerTokenSecretManager)2 Text (org.apache.hadoop.io.Text)2 OzoneTokenIdentifier (org.apache.hadoop.ozone.security.OzoneTokenIdentifier)2 MiniKMS (org.apache.hadoop.crypto.key.kms.server.MiniKMS)1 OzoneClientConfig (org.apache.hadoop.hdds.scm.OzoneClientConfig)1 SCMSecurityException (org.apache.hadoop.hdds.security.exception.SCMSecurityException)1 OmVolumeArgs (org.apache.hadoop.ozone.om.helpers.OmVolumeArgs)1