
Example 11 with Groups

use of org.apache.hadoop.security.Groups in project hadoop by apache.

the class TestGroupsCaching method testExceptionsFromImplNotCachedInNegativeCache.

/**
 * An {@link IOException} raised by the group-mapping implementation must reach the caller
 * on every lookup: it is a provider failure, not a "user has no groups" answer, so it must
 * not be stored in the negative cache even though negative caching is switched on here.
 */
@Test
public void testExceptionsFromImplNotCachedInNegativeCache() {
    conf.setClass(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING, ExceptionalGroupMapping.class, ShellBasedUnixGroupsMapping.class);
    conf.setLong(CommonConfigurationKeys.HADOOP_SECURITY_GROUPS_NEGATIVE_CACHE_SECS, 10000);
    Groups groups = new Groups(conf);
    groups.cacheGroupsAdd(Arrays.asList(myGroups));
    groups.refresh();
    assertEquals(0, ExceptionalGroupMapping.getRequestCount());
    // Two consecutive lookups of the same user: each one must reach the provider,
    // so the request count grows by one per call.
    for (int attempt = 1; attempt <= 2; attempt++) {
        try {
            groups.getGroups("anything");
            fail("Should have thrown");
        } catch (IOException expected) {
            // the provider's failure is propagated, not cached
        }
        assertEquals(attempt, ExceptionalGroupMapping.getRequestCount());
    }
}

Example 12 with Groups

use of org.apache.hadoop.security.Groups in project hive by apache.

the class ProxyUserSupport method validateGroup.

/**
 * Checks that {@code proxyUser} may impersonate {@code doAsUser} on the basis of group
 * membership: allowed when the proxy user's configured group set is the wildcard, or when
 * {@code doAsUser} belongs to at least one of those groups.
 * <p>
 * Fails closed: a missing or empty group set, a failed group lookup (logged, not propagated)
 * and an empty intersection all end in {@link NotAuthorizedException}.
 *
 * @param proxyUser the user performing the impersonation
 * @param doAsUser  the user being impersonated
 * @throws NotAuthorizedException if the impersonation is not permitted by group membership
 */
private static void validateGroup(String proxyUser, String doAsUser) throws NotAuthorizedException {
    Set<String> allowedGroups = proxyUserGroups.get(proxyUser);
    if (allowedGroups == WILD_CARD) {
        return;
    }
    if (allowedGroups != null && !allowedGroups.isEmpty()) {
        // NOTE(review): a fresh Groups instance (with its own cache) is built on every call
        Groups groupsInfo = new Groups(Main.getAppConfigInstance());
        try {
            List<String> memberOf = groupsInfo.getGroups(doAsUser);
            for (String group : memberOf) {
                if (allowedGroups.contains(group)) {
                    return;
                }
            }
        } catch (IOException ex) {
            // e.g. the user is unknown to the system; treated as "not a member" below
            LOG.warn(MessageFormat.format("Unable to get list of groups for doAsUser [{0}].", doAsUser), ex);
        }
    }
    throw new NotAuthorizedException(MessageFormat.format("Unauthorized proxyuser [{0}] for doAsUser [{1}], not in proxyuser groups", proxyUser, doAsUser));
}

Example 13 with Groups

use of org.apache.hadoop.security.Groups in project knox by apache.

the class HadoopGroupsTest method init.

/**
 * Builds a fresh Hadoop {@link Groups} instance for each test, backed by the
 * {@code GROUP_MAPPING} provider, and records the current OS user name as the lookup subject.
 */
@Before
public void init() {
    // loadDefaults=false: the config holds only the group-mapping key set here
    hadoopConfig = new Configuration(false);
    hadoopConfig.set("hadoop.security.group.mapping", GROUP_MAPPING);
    hadoopGroups = new Groups(hadoopConfig);
    username = System.getProperty("user.name");
}

Example 14 with Groups

use of org.apache.hadoop.security.Groups in project zeppelin by apache.

the class KerberosRealm method onInit.

/**
 * Initializes the KerberosRealm by 'kinit'ing using principal and keytab.
 * <p>
 * It creates a Kerberos context using the principal and keytab specified in
 * the Shiro configuration: the keytab is attached to a server {@link Subject}
 * together with one {@link KerberosPrincipal} per SPNEGO principal, the
 * auth_to_local rules are installed, the {@link GSSManager} is obtained under
 * that subject, the secret provider is initialized, and a Hadoop
 * {@link Groups} service is created.
 * <p>
 * This method should be called only once.
 *
 * @throws RuntimeException thrown if the handler could not be initialized
 *                          (every failure, including the configuration checks
 *                          below, is wrapped in a {@code RuntimeException}).
 */
@Override
protected void onInit() {
    super.onInit();
    config = getConfiguration();
    try {
        if (principal == null || principal.trim().isEmpty()) {
            throw new RuntimeException("Principal not defined in configuration");
        }
        if (keytab == null || keytab.trim().isEmpty()) {
            throw new RuntimeException("Keytab not defined in configuration");
        }
        File keytabPath = new File(keytab);
        if (!keytabPath.exists()) {
            throw new RuntimeException("Keytab file does not exist: " + keytab);
        }
        // "*" means: serve every HTTP/ (SPNEGO) principal present in the keytab;
        // otherwise exactly the configured principal is used.
        final String[] principalNames = "*".equals(principal)
                ? KerberosUtil.getPrincipalNames(keytab, Pattern.compile("HTTP/.*"))
                : new String[] { principal };
        if (principalNames.length == 0) {
            throw new RuntimeException("Principals do not exist in the keytab");
        }
        KeyTab keytabCredential = KeyTab.getInstance(keytabPath);
        serverSubject = new Subject();
        serverSubject.getPrivateCredentials().add(keytabCredential);
        for (String name : principalNames) {
            Principal krbPrincipal = new KerberosPrincipal(name);
            LOG.info("Using keytab {}, for principal {}", keytab, krbPrincipal);
            serverSubject.getPrincipals().add(krbPrincipal);
        }
        if (nameRules == null || nameRules.trim().isEmpty()) {
            LOG.warn("No auth_to_local rules defined, DEFAULT will be used.");
            nameRules = "DEFAULT";
        }
        KerberosName.setRules(nameRules);
        if (gssManager == null) {
            try {
                gssManager = Subject.doAs(serverSubject, (PrivilegedExceptionAction<GSSManager>) GSSManager::getInstance);
                LOG.trace("SPNEGO gssManager initialized.");
            } catch (PrivilegedActionException ex) {
                // surface the underlying exception rather than the doAs wrapper
                throw ex.getException();
            }
        }
        if (signer == null) {
            initializeSecretProvider();
        }
        // default Hadoop configuration from the classpath decides the group mapping
        hadoopGroups = new Groups(new Configuration());
    } catch (Exception ex) {
        // also re-wraps the RuntimeExceptions thrown by the checks above
        throw new RuntimeException(ex);
    }
}

Example 15 with Groups

use of org.apache.hadoop.security.Groups in project hadoop by apache.

the class TestAccessControlList method testNetgroups.

/**
   * Test the netgroups (groups in ACL rules that start with @)
   *
   * This is a manual test because it requires:
   *   - host setup
   *   - native code compiled
   *   - specify the group mapping class
   *
   * Host setup:
   *
   * /etc/nsswitch.conf should have a line like this:
   * netgroup: files
   *
   * /etc/netgroup should be (the whole file):
   * lasVegas (,elvis,)
   * memphis (,elvis,) (,jerryLeeLewis,)
   *
   * To run this test:
   *
   * export JAVA_HOME='path/to/java'
   * ant \
   *   -Dtestcase=TestAccessControlList \
   *   -Dtest.output=yes \
   *   -DTestAccessControlListGroupMapping=$className \
   *   compile-native test
   *
   * where $className is one of the classes that provide group
   * mapping services, i.e. classes that implement
   * GroupMappingServiceProvider interface, at this time:
   *   - org.apache.hadoop.security.JniBasedUnixGroupsNetgroupMapping
   *   - org.apache.hadoop.security.ShellBasedUnixGroupsNetgroupMapping
   *
   * The test is skipped (with a log message) when native code is not loaded
   * or when no group mapping class is given on the command line.
   */
@Test
public void testNetgroups() throws Exception {
    if (!NativeCodeLoader.isNativeCodeLoaded()) {
        LOG.info("Not testing netgroups, this test only runs when native code is compiled");
        return;
    }
    String mappingClass = System.getProperty("TestAccessControlListGroupMapping");
    if (mappingClass == null) {
        LOG.info("Not testing netgroups, no group mapping class specified, use -DTestAccessControlListGroupMapping=$className to specify group mapping class (must implement GroupMappingServiceProvider interface and support netgroups)");
        return;
    }
    LOG.info("Testing netgroups using: " + mappingClass);
    Configuration conf = new Configuration();
    conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_GROUP_MAPPING, mappingClass);
    Groups groups = Groups.getUserToGroupsMappingService(conf);
    // Constructing ACLs populates the groups cache; only the last one is kept for the checks.
    new AccessControlList("ja my");                      // plain users/groups
    new AccessControlList("sinatra ratpack,@lasVegas");  // netgroup
    new AccessControlList(" somegroup,@someNetgroup");   // no user
    AccessControlList acl = new AccessControlList("carlPerkins ratpack,@lasVegas");
    acl.addGroup("@memphis");
    // the netgroup answers must be the same before and after a refresh
    validateNetgroups(groups, acl);
    groups.refresh();
    validateNetgroups(groups, acl);
}
