Example 21 with UserGroupInformation

Use of org.apache.hadoop.security.UserGroupInformation in the project hadoop by apache: class TestKMS, method doAs.

// Log in from the keytab as the given principal, run the action under that identity,
// and log out again so the next call starts from a clean login state.
private <T> T doAs(String user, final PrivilegedExceptionAction<T> action) throws Exception {
    UserGroupInformation.loginUserFromKeytab(user, keytab.getAbsolutePath());
    UserGroupInformation ugi = UserGroupInformation.getLoginUser();
    try {
        return ugi.doAs(action);
    } finally {
        ugi.logoutUserFromKeytab();
    }
}
Also used : UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 22 with UserGroupInformation

Use of org.apache.hadoop.security.UserGroupInformation in the project hadoop by apache: class TestKMS, method doProxyUserTest.

public void doProxyUserTest(final boolean kerberos) throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    final File testDir = getTestDir();
    conf = createBaseKMSConf(testDir, conf);
    if (kerberos) {
        conf.set("hadoop.kms.authentication.type", "kerberos");
    }
    conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
    conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
    conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
    // proxyuser policy: "client" may impersonate only foo and bar, from any host
    conf.set("hadoop.kms.proxyuser.client.users", "foo,bar");
    conf.set("hadoop.kms.proxyuser.client.hosts", "*");
    // per-key ACLs: each key is fully owned by exactly one user
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kaa.ALL", "client");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kbb.ALL", "foo");
    // foo1 owns kcc but is NOT in the proxyuser list, so client cannot act as foo1
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kcc.ALL", "foo1");
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + "kdd.ALL", "bar");
    writeConf(testDir, conf);
    runServer(null, null, testDir, new KMSCallable<Void>() {

        @Override
        public Void call() throws Exception {
            final Configuration conf = new Configuration();
            conf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
            final URI uri = createKMSUri(getKMSUrl());
            UserGroupInformation proxyUgi = null;
            if (kerberos) {
                // proxyuser client using kerberos credentials
                proxyUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("client", keytab.getAbsolutePath());
            } else {
                proxyUgi = UserGroupInformation.createRemoteUser("client");
                UserGroupInformation.setLoginUser(proxyUgi);
            }
            final UserGroupInformation clientUgi = proxyUgi;
            clientUgi.doAs(new PrivilegedExceptionAction<Void>() {

                @Override
                public Void run() throws Exception {
                    final KeyProvider kp = createProvider(uri, conf);
                    kp.createKey("kaa", new KeyProvider.Options(conf));
                    // authorized proxyuser
                    UserGroupInformation fooUgi = UserGroupInformation.createProxyUser("foo", clientUgi);
                    fooUgi.doAs(new PrivilegedExceptionAction<Void>() {

                        @Override
                        public Void run() throws Exception {
                            Assert.assertNotNull(kp.createKey("kbb", new KeyProvider.Options(conf)));
                            return null;
                        }
                    });
                    // unauthorized proxyuser: createProxyUser succeeds locally, the KMS server
                    // rejects the impersonation because foo1 is not in hadoop.kms.proxyuser.client.users
                    UserGroupInformation foo1Ugi = UserGroupInformation.createProxyUser("foo1", clientUgi);
                    foo1Ugi.doAs(new PrivilegedExceptionAction<Void>() {

                        @Override
                        public Void run() throws Exception {
                            try {
                                kp.createKey("kcc", new KeyProvider.Options(conf));
                                Assert.fail();
                            } catch (AuthorizationException ex) {
                            // OK: expected rejection of the disallowed proxy user
                            } catch (Exception ex) {
                                Assert.fail(ex.getMessage());
                            }
                            return null;
                        }
                    });
                    // authorized proxyuser
                    UserGroupInformation barUgi = UserGroupInformation.createProxyUser("bar", clientUgi);
                    barUgi.doAs(new PrivilegedExceptionAction<Void>() {

                        @Override
                        public Void run() throws Exception {
                            Assert.assertNotNull(kp.createKey("kdd", new KeyProvider.Options(conf)));
                            return null;
                        }
                    });
                    return null;
                }
            });
            return null;
        }
    });
}
Also used : KeyProvider(org.apache.hadoop.crypto.key.KeyProvider) Options(org.apache.hadoop.crypto.key.KeyProvider.Options) Configuration(org.apache.hadoop.conf.Configuration) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) URI(java.net.URI) SocketTimeoutException(java.net.SocketTimeoutException) IOException(java.io.IOException) File(java.io.File) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 23 with UserGroupInformation

Use of org.apache.hadoop.security.UserGroupInformation in the project hadoop by apache: class FsckServlet, method doGet.

/** Handle fsck request */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
    @SuppressWarnings("unchecked") final Map<String, String[]> pmap = request.getParameterMap();
    final PrintWriter out = response.getWriter();
    final InetAddress remoteAddress = InetAddress.getByName(request.getRemoteAddr());
    final ServletContext context = getServletContext();
    final Configuration conf = NameNodeHttpServer.getConfFromContext(context);
    // resolve the caller's identity from the HTTP request, then run fsck as that user
    // so the NameNode's own permission checks apply to the caller rather than the servlet
    final UserGroupInformation ugi = getUGI(request, conf);
    try {
        ugi.doAs(new PrivilegedExceptionAction<Object>() {

            @Override
            public Object run() throws Exception {
                NameNode nn = NameNodeHttpServer.getNameNodeFromContext(context);
                final FSNamesystem namesystem = nn.getNamesystem();
                final BlockManager bm = namesystem.getBlockManager();
                final int totalDatanodes = namesystem.getNumberOfDatanodes(DatanodeReportType.LIVE);
                new NamenodeFsck(conf, nn, bm.getDatanodeManager().getNetworkTopology(), pmap, out, totalDatanodes, remoteAddress).fsck();
                return null;
            }
        });
    } catch (InterruptedException e) {
        response.sendError(400, e.getMessage());
    }
}
Also used : Configuration(org.apache.hadoop.conf.Configuration) IOException(java.io.IOException) BlockManager(org.apache.hadoop.hdfs.server.blockmanagement.BlockManager) ServletContext(javax.servlet.ServletContext) InetAddress(java.net.InetAddress) PrintWriter(java.io.PrintWriter) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 24 with UserGroupInformation

Use of org.apache.hadoop.security.UserGroupInformation in the project hadoop by apache: class NameNodeRpcServer, method createSymlink.

// ClientProtocol
@Override
public void createSymlink(String target, String link, FsPermission dirPerms, boolean createParent) throws IOException {
    checkNNStartup();
    namesystem.checkOperation(OperationCategory.WRITE);
    CacheEntry cacheEntry = RetryCache.waitForCompletion(retryCache);
    if (cacheEntry != null && cacheEntry.isSuccess()) {
        // Return previous response
        return;
    }
    /* We enforce the MAX_PATH_LENGTH limit even though a symlink target
     * URI may refer to a non-HDFS file system. 
     */
    if (!checkPathLength(link)) {
        throw new IOException("Symlink path exceeds " + MAX_PATH_LENGTH + " character limit");
    }
    // the authenticated RPC caller becomes the owner recorded on the new symlink
    final UserGroupInformation ugi = getRemoteUser();
    boolean success = false;
    try {
        PermissionStatus perm = new PermissionStatus(ugi.getShortUserName(), null, dirPerms);
        namesystem.createSymlink(target, link, perm, createParent, cacheEntry != null);
        success = true;
    } finally {
        RetryCache.setState(cacheEntry, success);
    }
}
Also used : IOException(java.io.IOException) CacheEntry(org.apache.hadoop.ipc.RetryCache.CacheEntry) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) PermissionStatus(org.apache.hadoop.fs.permission.PermissionStatus)

Example 25 with UserGroupInformation

Use of org.apache.hadoop.security.UserGroupInformation in the project hadoop by apache: class TestAclsEndToEnd, method testGoodWithWhitelist.

/**
   * Test the full life cycle of a key using a config with whitelist key ACLs.
   * The configuration used is the correct configuration to pass the full ACL
   * test in {@link #doFullAclTest()}.
   *
   * @throws Exception thrown on test failure
   */
@Test
public void testGoodWithWhitelist() throws Exception {
    // three proxy identities with distinct group memberships, all backed by the real login user
    UserGroupInformation hdfsUgi = UserGroupInformation.createProxyUserForTesting("hdfs", realUgi, new String[] { "supergroup" });
    UserGroupInformation keyadminUgi = UserGroupInformation.createProxyUserForTesting("keyadmin", realUgi, new String[] { "keyadmin" });
    UserGroupInformation userUgi = UserGroupInformation.createProxyUserForTesting("user", realUgi, new String[] { "staff" });
    Configuration conf = getBaseConf(hdfsUgi, keyadminUgi);
    setBlacklistAcls(conf, hdfsUgi);
    setKeyAcls(conf, KMSConfiguration.WHITELIST_KEY_ACL_PREFIX, hdfsUgi, keyadminUgi, userUgi);
    doFullAclTest(conf, hdfsUgi, keyadminUgi, userUgi);
}
Also used : Configuration(org.apache.hadoop.conf.Configuration) KMSConfiguration(org.apache.hadoop.crypto.key.kms.server.KMSConfiguration) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)
