
Example 11 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.

the class FileContextPermissionBase method testUgi.

/**
 * Verifies that a {@code FileContext} created inside {@code doAs} reports the
 * name of the user the action was run as.
 *
 * <p>The identity is built by {@code createRemoteUser} from a bare name; no
 * credentials are supplied anywhere in this test, so it exercises identity
 * propagation only, not authentication.
 */
@Test
public void testUgi() throws IOException, InterruptedException {
    UserGroupInformation impersonated = UserGroupInformation.createRemoteUser("otherUser");
    // The action is built first, then executed under the other user's identity.
    PrivilegedExceptionAction<FileContext> openContext = new PrivilegedExceptionAction<FileContext>() {

        @Override
        public FileContext run() throws Exception {
            // Obtained while running as the impersonated user.
            return FileContext.getFileContext();
        }
    };
    FileContext contextForOtherUser = impersonated.doAs(openContext);
    assertEquals("otherUser", contextForOtherUser.getUgi().getUserName());
}
Also used : IOException(java.io.IOException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 12 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.

the class KDiag method loginFromKeytab.

/**
 * Performs a keytab login, dumps and validates the resulting UGI, then
 * attempts a relogin from the same keytab.
 *
 * <p>The relogin step exists to surface JVM/Hadoop compatibility problems.
 * When no keytab is configured the method only prints a notice.
 *
 * @throws IOException Keytab loading problems
 */
private void loginFromKeytab() throws IOException {
    if (keytab == null) {
        println("No keytab: attempting to log in is as current user");
        return;
    }
    // Canonicalise so the path that is printed and the path used for the login
    // are the same resolved file.
    File canonicalKeytab = keytab.getCanonicalFile();
    // Only the keytab path and the principal name are printed here, never the
    // contents of the keytab.
    println("Using keytab %s principal %s", canonicalKeytab, principal);
    String identity = principal;
    failif(principal == null, CAT_KERBEROS, "No principal defined");
    UserGroupInformation ugi = loginUserFromKeytabAndReturnUGI(principal, canonicalKeytab.getPath());
    dumpUGI(identity, ugi);
    validateUGI(principal, ugi);
    title("Attempting to relogin");
    try {
        // Package-scoped call, which is why this class has to live in the
        // hadoop.security package.
        // NOTE(review): the test-only renewal flag is not restored in this
        // method; confirm that is acceptable wherever this runs outside a
        // one-shot diagnostic.
        setShouldRenewImmediatelyForTests(true);
        // Second login attempt.
        ugi.reloginFromKeytab();
    } catch (IllegalAccessError e) {
        // When this class is built into a standalone JAR, package access may be
        // refused: downgrade to a warning rather than failing.
        warn(CAT_UGI, "Failed to reset UGI -and so could not try to relogin");
        LOG.debug("Failed to reset UGI: {}", e, e);
    }
}
Also used : File(java.io.File) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 13 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project flink by apache.

the class HadoopUserOverlayTest method testConfigure.

/**
 * Checks that {@code HadoopUserOverlay} copies the UGI's user name into the
 * container's {@code HADOOP_USER_NAME} environment variable.
 *
 * <p>Hadoop honours {@code HADOOP_USER_NAME} only under simple (non-Kerberos)
 * authentication, where it is an unauthenticated identity claim. This test
 * covers propagation of the name, not authentication of the user.
 */
@Test
public void testConfigure() throws Exception {
    final UserGroupInformation remoteUser = UserGroupInformation.createRemoteUser("test");
    HadoopUserOverlay userOverlay = new HadoopUserOverlay(remoteUser);
    ContainerSpecification containerSpec = new ContainerSpecification();
    userOverlay.configure(containerSpec);
    // Read the expected name only after configure() has run, as the original did.
    String expectedName = remoteUser.getUserName();
    assertEquals(expectedName, containerSpec.getEnvironmentVariables().get("HADOOP_USER_NAME"));
}
Also used : ContainerSpecification(org.apache.flink.runtime.clusterframework.ContainerSpecification) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 14 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.

the class TestKMSAudit method testAggregation.

/**
 * Feeds a fixed sequence of successful KMS operations into the audit logger
 * and checks the exact shape of the resulting audit output.
 *
 * <p>The expected pattern pins two things a reviewer of the audit trail cares
 * about: DELETE_KEY, ROLL_NEW_VERSION and INVALIDATE_CACHE each appear as their
 * own record without an {@code accessCount}, while DECRYPT_EEK and
 * REENCRYPT_EEK records carry an {@code accessCount} and an interval.
 */
@Test
@SuppressWarnings("checkstyle:linelength")
public void testAggregation() throws Exception {
    UserGroupInformation caller = Mockito.mock(UserGroupInformation.class);
    Mockito.when(caller.getShortUserName()).thenReturn("luser");

    for (int i = 0; i < 3; i++) {
        kmsAudit.ok(caller, KMSOp.DECRYPT_EEK, "k1", "testmsg");
    }
    kmsAudit.ok(caller, KMSOp.DELETE_KEY, "k1", "testmsg");
    kmsAudit.ok(caller, KMSOp.ROLL_NEW_VERSION, "k1", "testmsg");
    kmsAudit.ok(caller, KMSOp.INVALIDATE_CACHE, "k1", "testmsg");
    for (int i = 0; i < 3; i++) {
        kmsAudit.ok(caller, KMSOp.DECRYPT_EEK, "k1", "testmsg");
    }
    kmsAudit.evictCacheForTesting();

    kmsAudit.ok(caller, KMSOp.DECRYPT_EEK, "k1", "testmsg");
    kmsAudit.evictCacheForTesting();

    for (int i = 0; i < 3; i++) {
        kmsAudit.ok(caller, KMSOp.REENCRYPT_EEK, "k1", "testmsg");
    }
    kmsAudit.evictCacheForTesting();

    String out = getAndResetLogOutput();
    System.out.println(out);

    // The fragments are concatenated with no separator, so the whole captured
    // output must match them back to back.
    String expected =
        "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
        // Not aggregated: one record per call, no accessCount.
        + "OK\\[op=DELETE_KEY, key=k1, user=luser\\] testmsg"
        + "OK\\[op=ROLL_NEW_VERSION, key=k1, user=luser\\] testmsg"
        + "OK\\[op=INVALIDATE_CACHE, key=k1, user=luser\\] testmsg"
        // Aggregated: records carry an accessCount.
        + "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=6, interval=[^m]{1,4}ms\\] testmsg"
        + "OK\\[op=DECRYPT_EEK, key=k1, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
        + "OK\\[op=REENCRYPT_EEK, key=k1, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
        + "OK\\[op=REENCRYPT_EEK, key=k1, user=luser, accessCount=3, interval=[^m]{1,4}ms\\] testmsg";
    Assert.assertTrue(out.matches(expected));
}
Also used : UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 15 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.

the class TestKMSAudit method testAuditLogFormat.

/**
 * Checks the textual format of each kind of KMS audit record: successful
 * operations with and without a key name, an unauthorized attempt, an error,
 * and an unauthenticated request.
 *
 * <p>The expected pattern requires the UNAUTHORIZED and ERROR records to name
 * the user, and the UNAUTHENTICATED record to name the remote host, method and
 * URL, so a change that drops those fields from the audit trail fails here.
 */
@Test
@SuppressWarnings("checkstyle:linelength")
public void testAuditLogFormat() throws Exception {
    UserGroupInformation caller = Mockito.mock(UserGroupInformation.class);
    Mockito.when(caller.getShortUserName()).thenReturn("luser");

    // Successful operations: one with a key name, one without.
    kmsAudit.ok(caller, KMSOp.GENERATE_EEK, "k4", "testmsg");
    kmsAudit.ok(caller, KMSOp.GENERATE_EEK, "testmsg");
    kmsAudit.evictCacheForTesting();

    // Denied, failed and unauthenticated events.
    kmsAudit.unauthorized(caller, KMSOp.DECRYPT_EEK, "k4");
    kmsAudit.error(caller, "method", "url", "testmsg");
    kmsAudit.unauthenticated("remotehost", "method", "url", "testmsg");

    String out = getAndResetLogOutput();
    System.out.println(out);

    // The fragments are concatenated with no separator, so the whole captured
    // output must match them back to back.
    String expected =
        "OK\\[op=GENERATE_EEK, key=k4, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
        + "OK\\[op=GENERATE_EEK, user=luser\\] testmsg"
        + "OK\\[op=GENERATE_EEK, key=k4, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
        + "UNAUTHORIZED\\[op=DECRYPT_EEK, key=k4, user=luser\\] "
        + "ERROR\\[user=luser\\] Method:'method' Exception:'testmsg'"
        + "UNAUTHENTICATED RemoteHost:remotehost Method:method URL:url ErrorMsg:'testmsg'";
    Assert.assertTrue(out.matches(expected));
}
Also used : UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Aggregations

UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)621 IOException (java.io.IOException)274 Test (org.junit.Test)220 Configuration (org.apache.hadoop.conf.Configuration)138 Path (org.apache.hadoop.fs.Path)91 FileSystem (org.apache.hadoop.fs.FileSystem)59 YarnException (org.apache.hadoop.yarn.exceptions.YarnException)57 AccessControlException (org.apache.hadoop.security.AccessControlException)54 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)50 Path (javax.ws.rs.Path)47 Produces (javax.ws.rs.Produces)45 ApplicationId (org.apache.hadoop.yarn.api.records.ApplicationId)45 RMApp (org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp)43 AuthorizationException (org.apache.hadoop.security.authorize.AuthorizationException)39 Token (org.apache.hadoop.security.token.Token)39 ArrayList (java.util.ArrayList)38 FsPermission (org.apache.hadoop.fs.permission.FsPermission)36 ApplicationAttemptId (org.apache.hadoop.yarn.api.records.ApplicationAttemptId)36 YarnConfiguration (org.apache.hadoop.yarn.conf.YarnConfiguration)35 Text (org.apache.hadoop.io.Text)34