Search in sources :

Example 16 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.

the class TestKMSAudit method testAggregationUnauth.

@Test
@SuppressWarnings("checkstyle:linelength")
public void testAggregationUnauth() throws Exception {
    UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
    Mockito.when(luser.getShortUserName()).thenReturn("luser");
    kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k2");
    kmsAudit.evictCacheForTesting();
    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
    kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k3");
    // wait a bit so the UNAUTHORIZED-triggered cache invalidation happens.
    Thread.sleep(1000);
    kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
    kmsAudit.evictCacheForTesting();
    String out = getAndResetLogOutput();
    System.out.println(out);
    // The UNAUTHORIZED will trigger cache invalidation, which then triggers
    // the aggregated OK (accessCount=5). But the order of the UNAUTHORIZED and
    // the aggregated OK is arbitrary - no correctness concerns, but flaky here.
    Assert.assertTrue(out.matches("UNAUTHORIZED\\[op=GENERATE_EEK, key=k2, user=luser\\] " + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg" + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=5, interval=[^m]{1,4}ms\\] testmsg" + "UNAUTHORIZED\\[op=GENERATE_EEK, key=k3, user=luser\\] " + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg") || out.matches("UNAUTHORIZED\\[op=GENERATE_EEK, key=k2, user=luser\\] " + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg" + "UNAUTHORIZED\\[op=GENERATE_EEK, key=k3, user=luser\\] " + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=5, interval=[^m]{1,4}ms\\] testmsg" + "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"));
}
Also used : UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 17 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.

the class TestKeyAuthorizationKeyProvider method testCreateKey.

@Test
public void testCreateKey() throws Exception {
    final Configuration conf = new Configuration();
    KeyProvider kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf);
    KeyACLs mock = mock(KeyACLs.class);
    when(mock.isACLPresent("foo", KeyOpType.MANAGEMENT)).thenReturn(true);
    UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
    when(mock.hasAccessToKey("foo", u1, KeyOpType.MANAGEMENT)).thenReturn(true);
    final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp), mock);
    u1.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            try {
                kpExt.createKey("foo", SecureRandom.getSeed(16), newOptions(conf));
            } catch (IOException ioe) {
                Assert.fail("User should be Authorized !!");
            }
            // "bar" key not configured
            try {
                kpExt.createKey("bar", SecureRandom.getSeed(16), newOptions(conf));
                Assert.fail("User should NOT be Authorized !!");
            } catch (IOException ioe) {
            // Ignore
            }
            return null;
        }
    });
    // Unauthorized User
    UserGroupInformation.createRemoteUser("badGuy").doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            try {
                kpExt.createKey("foo", SecureRandom.getSeed(16), newOptions(conf));
                Assert.fail("User should NOT be Authorized !!");
            } catch (IOException ioe) {
            // Ignore
            }
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Configuration(org.apache.hadoop.conf.Configuration) KeyProviderCryptoExtension(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension) IOException(java.io.IOException) URI(java.net.URI) IOException(java.io.IOException) UserProvider(org.apache.hadoop.crypto.key.UserProvider) KeyACLs(org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyACLs) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 18 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.

the class TestKeyAuthorizationKeyProvider method testDecryptWithKeyVersionNameKeyMismatch.

@Test(expected = IllegalArgumentException.class)
public void testDecryptWithKeyVersionNameKeyMismatch() throws Exception {
    final Configuration conf = new Configuration();
    KeyProvider kp = new UserProvider.Factory().createProvider(new URI("user:///"), conf);
    KeyACLs mock = mock(KeyACLs.class);
    when(mock.isACLPresent("testKey", KeyOpType.MANAGEMENT)).thenReturn(true);
    when(mock.isACLPresent("testKey", KeyOpType.GENERATE_EEK)).thenReturn(true);
    when(mock.isACLPresent("testKey", KeyOpType.DECRYPT_EEK)).thenReturn(true);
    when(mock.isACLPresent("testKey", KeyOpType.ALL)).thenReturn(true);
    UserGroupInformation u1 = UserGroupInformation.createRemoteUser("u1");
    UserGroupInformation u2 = UserGroupInformation.createRemoteUser("u2");
    UserGroupInformation u3 = UserGroupInformation.createRemoteUser("u3");
    UserGroupInformation sudo = UserGroupInformation.createRemoteUser("sudo");
    when(mock.hasAccessToKey("testKey", u1, KeyOpType.MANAGEMENT)).thenReturn(true);
    when(mock.hasAccessToKey("testKey", u2, KeyOpType.GENERATE_EEK)).thenReturn(true);
    when(mock.hasAccessToKey("testKey", u3, KeyOpType.DECRYPT_EEK)).thenReturn(true);
    when(mock.hasAccessToKey("testKey", sudo, KeyOpType.ALL)).thenReturn(true);
    final KeyProviderCryptoExtension kpExt = new KeyAuthorizationKeyProvider(KeyProviderCryptoExtension.createKeyProviderCryptoExtension(kp), mock);
    sudo.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            Options opt = newOptions(conf);
            Map<String, String> m = new HashMap<String, String>();
            m.put("key.acl.name", "testKey");
            opt.setAttributes(m);
            KeyVersion kv = kpExt.createKey("foo", SecureRandom.getSeed(16), opt);
            kpExt.rollNewVersion(kv.getName());
            kpExt.rollNewVersion(kv.getName(), SecureRandom.getSeed(16));
            EncryptedKeyVersion ekv = kpExt.generateEncryptedKey(kv.getName());
            ekv = EncryptedKeyVersion.createForDecryption(ekv.getEncryptionKeyName() + "x", ekv.getEncryptionKeyVersionName(), ekv.getEncryptedKeyIv(), ekv.getEncryptedKeyVersion().getMaterial());
            kpExt.decryptEncryptedKey(ekv);
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) Configuration(org.apache.hadoop.conf.Configuration) KeyVersion(org.apache.hadoop.crypto.key.KeyProvider.KeyVersion) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) KeyProviderCryptoExtension(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension) URI(java.net.URI) IOException(java.io.IOException) EncryptedKeyVersion(org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.EncryptedKeyVersion) UserProvider(org.apache.hadoop.crypto.key.UserProvider) KeyACLs(org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider.KeyACLs) HashMap(java.util.HashMap) Map(java.util.Map) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Example 19 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.

the class TestKMS method testDelegationTokensOps.

private void testDelegationTokensOps(final boolean ssl, final boolean kerb) throws Exception {
    final File confDir = getTestDir();
    final Configuration conf;
    if (kerb) {
        conf = setupConfForKerberos(confDir);
    } else {
        conf = createBaseKMSConf(confDir, null);
    }
    final String keystore;
    final String password;
    if (ssl) {
        final String sslConfDir = KeyStoreTestUtil.getClasspathDir(TestKMS.class);
        KeyStoreTestUtil.setupSSLConfig(confDir.getAbsolutePath(), sslConfDir, conf, false);
        keystore = confDir.getAbsolutePath() + "/serverKS.jks";
        password = "serverP";
    } else {
        keystore = null;
        password = null;
    }
    writeConf(confDir, conf);
    runServer(keystore, password, confDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration clientConf = new Configuration();
            final URI uri = createKMSUri(getKMSUrl());
            clientConf.set(KeyProviderFactory.KEY_PROVIDER_PATH, createKMSUri(getKMSUrl()).toString());
            doAs("client", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, clientConf);
                    // test delegation token retrieval
                    KeyProviderDelegationTokenExtension kpdte = KeyProviderDelegationTokenExtension.createKeyProviderDelegationTokenExtension(kp);
                    final Credentials credentials = new Credentials();
                    final Token<?>[] tokens = kpdte.addDelegationTokens("client1", credentials);
                    Assert.assertEquals(1, credentials.getAllTokens().size());
                    InetSocketAddress kmsAddr = new InetSocketAddress(getKMSUrl().getHost(), getKMSUrl().getPort());
                    Assert.assertEquals(KMSDelegationToken.TOKEN_KIND, credentials.getToken(SecurityUtil.buildTokenService(kmsAddr)).getKind());
                    // Test non-renewer user cannot renew.
                    for (Token<?> token : tokens) {
                        if (!(token.getKind().equals(KMSDelegationToken.TOKEN_KIND))) {
                            LOG.info("Skipping token {}", token);
                            continue;
                        }
                        LOG.info("Got dt for " + uri + "; " + token);
                        try {
                            token.renew(clientConf);
                            Assert.fail("client should not be allowed to renew token with" + "renewer=client1");
                        } catch (Exception e) {
                            final DelegationTokenIdentifier identifier = (DelegationTokenIdentifier) token.decodeIdentifier();
                            GenericTestUtils.assertExceptionContains("tries to renew a token (" + identifier + ") with non-matching renewer", e);
                        }
                    }
                    final UserGroupInformation otherUgi;
                    if (kerb) {
                        UserGroupInformation.loginUserFromKeytab("client1", keytab.getAbsolutePath());
                        otherUgi = UserGroupInformation.getLoginUser();
                    } else {
                        otherUgi = UserGroupInformation.createUserForTesting("client1", new String[] { "other group" });
                        UserGroupInformation.setLoginUser(otherUgi);
                    }
                    try {
                        // test delegation token renewal via renewer
                        otherUgi.doAs(new PrivilegedExceptionAction<Void>() {

                            @Override
                            public Void run() throws Exception {
                                boolean renewed = false;
                                for (Token<?> token : tokens) {
                                    if (!(token.getKind().equals(KMSDelegationToken.TOKEN_KIND))) {
                                        LOG.info("Skipping token {}", token);
                                        continue;
                                    }
                                    LOG.info("Got dt for " + uri + "; " + token);
                                    long tokenLife = token.renew(clientConf);
                                    LOG.info("Renewed token of kind {}, new lifetime:{}", token.getKind(), tokenLife);
                                    Thread.sleep(100);
                                    long newTokenLife = token.renew(clientConf);
                                    LOG.info("Renewed token of kind {}, new lifetime:{}", token.getKind(), newTokenLife);
                                    Assert.assertTrue(newTokenLife > tokenLife);
                                    renewed = true;
                                }
                                Assert.assertTrue(renewed);
                                // test delegation token cancellation
                                for (Token<?> token : tokens) {
                                    if (!(token.getKind().equals(KMSDelegationToken.TOKEN_KIND))) {
                                        LOG.info("Skipping token {}", token);
                                        continue;
                                    }
                                    LOG.info("Got dt for " + uri + "; " + token);
                                    token.cancel(clientConf);
                                    LOG.info("Cancelled token of kind {}", token.getKind());
                                    try {
                                        token.renew(clientConf);
                                        Assert.fail("should not be able to renew a canceled token");
                                    } catch (Exception e) {
                                        LOG.info("Expected exception when renewing token", e);
                                    }
                                }
                                return null;
                            }
                        });
                        // Close the client provider. We will verify all providers'
                        // Truststore reloader threads are closed later.
                        kp.close();
                        return null;
                    } finally {
                        otherUgi.logoutUserFromKeytab();
                    }
                }
            });
            return null;
        }
    });
    // verify that providers created by KMSTokenRenewer are closed.
    if (ssl) {
        GenericTestUtils.waitFor(new Supplier<Boolean>() {

            @Override
            public Boolean get() {
                final Set<Thread> threadSet = Thread.getAllStackTraces().keySet();
                for (Thread t : threadSet) {
                    if (t.getName().contains(SSL_RELOADER_THREAD_NAME)) {
                        return false;
                    }
                }
                return true;
            }
        }, 1000, 10000);
    }
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) KeyProviderDelegationTokenExtension(org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension) Set(java.util.Set) HashSet(java.util.HashSet) Configuration(org.apache.hadoop.conf.Configuration) DelegationTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier) InetSocketAddress(java.net.InetSocketAddress) KMSDelegationToken(org.apache.hadoop.crypto.key.kms.KMSDelegationToken) Token(org.apache.hadoop.security.token.Token) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) URI(java.net.URI) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) File(java.io.File) Credentials(org.apache.hadoop.security.Credentials) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 20 with UserGroupInformation

use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.

the class TestKMS method testDelegationTokenAccess.

@Test
public void testDelegationTokenAccess() throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    final File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    conf.set("hadoop.kms.authentication.type", "kerberos");
    conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    final String keyA = "key_a";
    final String keyD = "key_d";
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + keyA + ".ALL", "*");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + keyD + ".ALL", "*");
    writeConf(testDir, conf);
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            final Credentials credentials = new Credentials();
            final UserGroupInformation nonKerberosUgi = UserGroupInformation.getCurrentUser();
            try {
                KeyProvider kp = createProvider(uri, conf);
                kp.createKey(keyA, new KeyProvider.Options(conf));
            } catch (IOException ex) {
                System.out.println(ex.getMessage());
            }
            doAs("client", new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    KeyProviderDelegationTokenExtension kpdte = KeyProviderDelegationTokenExtension.createKeyProviderDelegationTokenExtension(kp);
                    kpdte.addDelegationTokens("foo", credentials);
                    return null;
                }
            });
            nonKerberosUgi.addCredentials(credentials);
            try {
                KeyProvider kp = createProvider(uri, conf);
                kp.createKey(keyA, new KeyProvider.Options(conf));
            } catch (IOException ex) {
                System.out.println(ex.getMessage());
            }
            nonKerberosUgi.doAs(new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    KeyProvider kp = createProvider(uri, conf);
                    kp.createKey(keyD, new KeyProvider.Options(conf));
                    return null;
                }
            });
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) KeyProviderDelegationTokenExtension(org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension) Configuration(org.apache.hadoop.conf.Configuration) IOException(java.io.IOException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) URI(java.net.URI) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) File(java.io.File) Credentials(org.apache.hadoop.security.Credentials) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)

Aggregations

UserGroupInformation (org.apache.hadoop.security.UserGroupInformation)621 IOException (java.io.IOException)274 Test (org.junit.Test)220 Configuration (org.apache.hadoop.conf.Configuration)138 Path (org.apache.hadoop.fs.Path)91 FileSystem (org.apache.hadoop.fs.FileSystem)59 YarnException (org.apache.hadoop.yarn.exceptions.YarnException)57 AccessControlException (org.apache.hadoop.security.AccessControlException)54 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)50 Path (javax.ws.rs.Path)47 Produces (javax.ws.rs.Produces)45 ApplicationId (org.apache.hadoop.yarn.api.records.ApplicationId)45 RMApp (org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp)43 AuthorizationException (org.apache.hadoop.security.authorize.AuthorizationException)39 Token (org.apache.hadoop.security.token.Token)39 ArrayList (java.util.ArrayList)38 FsPermission (org.apache.hadoop.fs.permission.FsPermission)36 ApplicationAttemptId (org.apache.hadoop.yarn.api.records.ApplicationAttemptId)36 YarnConfiguration (org.apache.hadoop.yarn.conf.YarnConfiguration)35 Text (org.apache.hadoop.io.Text)34