use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.
the class TestKMS method doAs.
/**
 * Runs {@code action} as {@code user}, authenticated from the test keytab.
 *
 * <p>{@code loginUserFromKeytab} installs {@code user} as the static login user
 * (which is what {@code getLoginUser()} reads back), so this helper is not safe
 * to run concurrently from several tests. The keytab login is torn down in
 * {@code finally} so that a failing action does not leave the static login user
 * pointing at {@code user} for whatever runs next.
 *
 * @param user principal to log in as, resolved against {@code keytab}
 * @param action work to execute under that identity
 * @return whatever {@code action} returns
 * @throws Exception anything thrown by the login, the action or the logout
 */
private <T> T doAs(String user, final PrivilegedExceptionAction<T> action) throws Exception {
  UserGroupInformation.loginUserFromKeytab(user, keytab.getAbsolutePath());
  final UserGroupInformation loggedIn = UserGroupInformation.getLoginUser();
  try {
    return loggedIn.doAs(action);
  } finally {
    loggedIn.logoutUserFromKeytab();
  }
}
use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.
the class TestKMS method doProxyUserTest.
/**
 * Exercises KMS proxy-user enforcement end to end.
 *
 * <p>The server is configured so that user {@code client} may impersonate
 * {@code foo} and {@code bar} from any host, and the per-key ACLs give each of
 * {@code client}, {@code foo}, {@code foo1} and {@code bar} full rights on one
 * key. The client then creates keys as those proxied users: {@code foo} and
 * {@code bar} must succeed, while {@code foo1} -- who holds a key ACL but is not
 * in the proxy-user list -- must be rejected with {@link AuthorizationException}.
 * That rejection is the check that keeps a principal with valid credentials from
 * acting as arbitrary users.
 *
 * @param kerberos whether the client authenticates to the KMS with Kerberos
 *     (logged in from the test keytab) or as a plain remote user
 * @throws Exception on any setup or assertion failure
 */
public void doProxyUserTest(final boolean kerberos) throws Exception {
  Configuration conf = new Configuration();
  conf.set("hadoop.security.authentication", "kerberos");
  final File testDir = getTestDir();
  conf = createBaseKMSConf(testDir, conf);
  if (kerberos) {
    conf.set("hadoop.kms.authentication.type", "kerberos");
  }
  conf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
  conf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
  conf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
  // Impersonation allow-list: "client" -> {foo, bar}, from any host.
  // foo1 is deliberately absent.
  conf.set("hadoop.kms.proxyuser.client.users", "foo,bar");
  conf.set("hadoop.kms.proxyuser.client.hosts", "*");
  // One key per identity so every proxied call is judged on its own ACL.
  final String[][] keyAcls = {
      { "kaa", "client" }, { "kbb", "foo" }, { "kcc", "foo1" }, { "kdd", "bar" } };
  for (String[] keyAcl : keyAcls) {
    conf.set(KeyAuthorizationKeyProvider.KEY_ACL + keyAcl[0] + ".ALL", keyAcl[1]);
  }
  writeConf(testDir, conf);
  runServer(null, null, testDir, new KMSCallable<Void>() {
    @Override
    public Void call() throws Exception {
      final Configuration clientConf = new Configuration();
      clientConf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
      final URI kmsUri = createKMSUri(getKMSUrl());
      final UserGroupInformation clientUgi;
      if (kerberos) {
        // proxyuser client using kerberos credentials
        clientUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("client", keytab.getAbsolutePath());
      } else {
        clientUgi = UserGroupInformation.createRemoteUser("client");
        UserGroupInformation.setLoginUser(clientUgi);
      }
      clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          final KeyProvider kp = createProvider(kmsUri, clientConf);
          kp.createKey("kaa", new KeyProvider.Options(clientConf));
          // authorized proxyuser
          createKeyViaProxyUser("foo", clientUgi, kp, clientConf, "kbb");
          // unauthorized proxyuser
          assertCreateKeyDeniedViaProxyUser("foo1", clientUgi, kp, clientConf, "kcc");
          // authorized proxyuser
          createKeyViaProxyUser("bar", clientUgi, kp, clientConf, "kdd");
          return null;
        }
      });
      return null;
    }
  });
}

/**
 * Creates {@code keyName} as {@code proxyUser} impersonated by {@code realUser};
 * the KMS must accept the call and return the key.
 */
private void createKeyViaProxyUser(final String proxyUser, final UserGroupInformation realUser,
    final KeyProvider kp, final Configuration conf, final String keyName) throws Exception {
  UserGroupInformation.createProxyUser(proxyUser, realUser).doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      Assert.assertNotNull(kp.createKey(keyName, new KeyProvider.Options(conf)));
      return null;
    }
  });
}

/**
 * Attempts to create {@code keyName} as {@code proxyUser} impersonated by
 * {@code realUser}; the KMS must refuse with {@link AuthorizationException}.
 * Any other exception, or a successful create, fails the test.
 */
private void assertCreateKeyDeniedViaProxyUser(final String proxyUser, final UserGroupInformation realUser,
    final KeyProvider kp, final Configuration conf, final String keyName) throws Exception {
  UserGroupInformation.createProxyUser(proxyUser, realUser).doAs(new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      boolean denied = false;
      try {
        kp.createKey(keyName, new KeyProvider.Options(conf));
      } catch (AuthorizationException expected) {
        denied = true;
      } catch (Exception ex) {
        Assert.fail(ex.getMessage());
      }
      Assert.assertTrue(denied);
      return null;
    }
  });
}
use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.
the class FsckServlet method doGet.
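/**
 * Handle fsck request.
 *
 * <p>The caller identity is resolved from the request by {@code getUGI(request, conf)}
 * and the check runs inside {@code ugi.doAs(...)}, so whatever authorization
 * {@link NamenodeFsck} performs sees the requesting user, not the servlet's own
 * identity. The raw parameter map is forwarded to {@link NamenodeFsck} as-is; it is
 * request-controlled input and is presumably parsed and validated there -- confirm.
 *
 * @param request  the fsck request; its parameters and remote address are forwarded
 * @param response receives the fsck output via {@link HttpServletResponse#getWriter()}
 * @throws IOException if obtaining the writer, resolving the remote address or the
 *     user, or the fsck itself fails
 */
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
  @SuppressWarnings("unchecked")
  final Map<String, String[]> pmap = request.getParameterMap();
  final PrintWriter out = response.getWriter();
  final InetAddress remoteAddress = InetAddress.getByName(request.getRemoteAddr());
  final ServletContext context = getServletContext();
  final Configuration conf = NameNodeHttpServer.getConfFromContext(context);
  final UserGroupInformation ugi = getUGI(request, conf);
  try {
    ugi.doAs(new PrivilegedExceptionAction<Object>() {
      @Override
      public Object run() throws Exception {
        final NameNode nn = NameNodeHttpServer.getNameNodeFromContext(context);
        final FSNamesystem namesystem = nn.getNamesystem();
        final BlockManager bm = namesystem.getBlockManager();
        final int totalDatanodes = namesystem.getNumberOfDatanodes(DatanodeReportType.LIVE);
        new NamenodeFsck(conf, nn, bm.getDatanodeManager().getNetworkTopology(),
            pmap, out, totalDatanodes, remoteAddress).fsck();
        return null;
      }
    });
  } catch (InterruptedException e) {
    // Re-assert the interrupt so the container thread's interruption status
    // is not silently lost when we answer with an error instead.
    Thread.currentThread().interrupt();
    response.sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
  }
}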
use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.
the class NameNodeRpcServer method createSymlink.
/**
 * Creates symlink {@code link} pointing at {@code target} ({@code ClientProtocol}).
 *
 * <p>Idempotent under RPC retry: a retry of a call whose first attempt already
 * succeeded is answered from the {@link RetryCache} without touching the
 * namesystem, and the entry's outcome is recorded in {@code finally} whichever
 * way the operation ends. The length limit is applied to {@code link} (the HDFS
 * path being created), not to {@code target}, which may be a non-HDFS URI.
 *
 * @param target       what the link points at
 * @param link         HDFS path of the symlink to create
 * @param dirPerms     permissions carried in the {@link PermissionStatus} built
 *                     for the calling user
 * @param createParent whether missing parent directories are created
 * @throws IOException if {@code link} exceeds {@code MAX_PATH_LENGTH}, or if the
 *     startup check, the operation check or the namesystem rejects the call
 */
// ClientProtocol
@Override
public void createSymlink(String target, String link, FsPermission dirPerms, boolean createParent) throws IOException {
  checkNNStartup();
  namesystem.checkOperation(OperationCategory.WRITE);
  final CacheEntry retryEntry = RetryCache.waitForCompletion(retryCache);
  final boolean alreadyDone = retryEntry != null && retryEntry.isSuccess();
  if (alreadyDone) {
    // Retried RPC whose first attempt completed: replay the previous (void) response.
    return;
  }
  // MAX_PATH_LENGTH is enforced on the link path even though the symlink
  // target URI may refer to a non-HDFS file system.
  if (!checkPathLength(link)) {
    throw new IOException("Symlink path exceeds " + MAX_PATH_LENGTH + " character limit");
  }
  final UserGroupInformation caller = getRemoteUser();
  boolean committed = false;
  try {
    final PermissionStatus permStatus = new PermissionStatus(caller.getShortUserName(), null, dirPerms);
    namesystem.createSymlink(target, link, permStatus, createParent, retryEntry != null);
    committed = true;
  } finally {
    RetryCache.setState(retryEntry, committed);
  }
}
use of org.apache.hadoop.security.UserGroupInformation in project hadoop by apache.
the class TestAclsEndToEnd method testGoodWithWhitelist.
/**
 * Test the full life cycle of a key using a config with whitelist key ACLs.
 * The configuration built here is the one expected to pass the full ACL
 * test in {@link #doFullAclTest}.
 *
 * @throws Exception thrown on test failure
 */
@Test
public void testGoodWithWhitelist() throws Exception {
  // Three proxied identities, each in exactly one group, so the ACL checks in
  // doFullAclTest can tell the roles apart.
  final String[] superGroup = { "supergroup" };
  final String[] keyadminGroup = { "keyadmin" };
  final String[] staffGroup = { "staff" };
  final UserGroupInformation hdfs = UserGroupInformation.createProxyUserForTesting("hdfs", realUgi, superGroup);
  final UserGroupInformation keyadmin = UserGroupInformation.createProxyUserForTesting("keyadmin", realUgi, keyadminGroup);
  final UserGroupInformation user = UserGroupInformation.createProxyUserForTesting("user", realUgi, staffGroup);
  final Configuration conf = getBaseConf(hdfs, keyadmin);
  setBlacklistAcls(conf, hdfs);
  // Key ACLs are installed under the whitelist prefix -- the "good" variant.
  setKeyAcls(conf, KMSConfiguration.WHITELIST_KEY_ACL_PREFIX, hdfs, keyadmin, user);
  doFullAclTest(conf, hdfs, keyadmin, user);
}