use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.
the class TestHttpServer method testHasAdministratorAccess.
/**
 * Walks {@code HttpServer2.hasAdministratorAccess} through five scenarios,
 * from authorization disabled to an authenticated user accepted by the
 * admin ACL. Each scenario gets its own response mock so that the
 * {@code sendError} verification only sees calls made in that scenario.
 */
@Test
public void testHasAdministratorAccess() throws Exception {
  // Shared fixtures: the servlet context returns the configuration and, at first, no admin ACL.
  final ServletContext servletCtx = Mockito.mock(ServletContext.class);
  final HttpServletRequest req = Mockito.mock(HttpServletRequest.class);
  final Configuration conf = new Configuration();
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, false);
  Mockito.when(servletCtx.getAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE)).thenReturn(conf);
  Mockito.when(servletCtx.getAttribute(HttpServer2.ADMINS_ACL)).thenReturn(null);
  Mockito.when(req.getRemoteUser()).thenReturn(null);

  // 1. Authorization OFF: access is granted even though no remote user is set.
  final HttpServletResponse respAuthzOff = Mockito.mock(HttpServletResponse.class);
  Assert.assertTrue(HttpServer2.hasAdministratorAccess(servletCtx, req, respAuthzOff));

  // 2. Authorization ON, remote user null: refused with 403.
  final HttpServletResponse respNoUser = Mockito.mock(HttpServletResponse.class);
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
  Assert.assertFalse(HttpServer2.hasAdministratorAccess(servletCtx, req, respNoUser));
  Mockito.verify(respNoUser)
      .sendError(Mockito.eq(HttpServletResponse.SC_FORBIDDEN), Mockito.anyString());

  // 3. Authorization ON, remote user set, ADMINS_ACL attribute null: access is granted.
  //    This pins that a missing admin ACL lets any authenticated user through,
  //    so the check only restricts access once an ACL has been configured.
  final HttpServletResponse respNoAcl = Mockito.mock(HttpServletResponse.class);
  Mockito.when(req.getRemoteUser()).thenReturn("foo");
  Assert.assertTrue(HttpServer2.hasAdministratorAccess(servletCtx, req, respNoAcl));

  // 4. Authorization ON, remote user set, ACL present and rejecting the user: refused with 403.
  final HttpServletResponse respDenied = Mockito.mock(HttpServletResponse.class);
  final AccessControlList adminAcl = Mockito.mock(AccessControlList.class);
  Mockito.when(adminAcl.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(false);
  Mockito.when(servletCtx.getAttribute(HttpServer2.ADMINS_ACL)).thenReturn(adminAcl);
  Assert.assertFalse(HttpServer2.hasAdministratorAccess(servletCtx, req, respDenied));
  Mockito.verify(respDenied)
      .sendError(Mockito.eq(HttpServletResponse.SC_FORBIDDEN), Mockito.anyString());

  // 5. Authorization ON, remote user set, ACL present and accepting the user: access is granted.
  final HttpServletResponse respAllowed = Mockito.mock(HttpServletResponse.class);
  Mockito.when(adminAcl.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(true);
  Mockito.when(servletCtx.getAttribute(HttpServer2.ADMINS_ACL)).thenReturn(adminAcl);
  Assert.assertTrue(HttpServer2.hasAdministratorAccess(servletCtx, req, respAllowed));
}
use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.
the class TestHttpServer method testRequiresAuthorizationAccess.
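/**
 * Checks {@code HttpServer2.isInstrumentationAccessAllowed} with the
 * "instrumentation requires admin" switch left at its default and then
 * turned on together with authorization.
 *
 * @throws Exception if the method under test throws
 */
@Test
public void testRequiresAuthorizationAccess() throws Exception {
  Configuration conf = new Configuration();
  ServletContext context = Mockito.mock(ServletContext.class);
  Mockito.when(context.getAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE)).thenReturn(conf);
  HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
  HttpServletResponse response = Mockito.mock(HttpServletResponse.class);

  // requires admin access to instrumentation, FALSE by default:
  // access is allowed without any remote user or ACL being consulted here.
  Assert.assertTrue(HttpServer2.isInstrumentationAccessAllowed(context, request, response));

  // requires admin access to instrumentation, TRUE
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN, true);
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
  AccessControlList acls = Mockito.mock(AccessControlList.class);
  Mockito.when(acls.isUserAllowed(Mockito.<UserGroupInformation>any())).thenReturn(false);
  Mockito.when(context.getAttribute(HttpServer2.ADMINS_ACL)).thenReturn(acls);

  // getRemoteUser() is not stubbed, so the Mockito mock returns null here.
  // NOTE(review): testHasAdministratorAccess shows a null remote user is refused
  // when authorization is on; presumably this denial takes the same path and
  // never reaches the ACL - confirm against isInstrumentationAccessAllowed.
  Assert.assertFalse(HttpServer2.isInstrumentationAccessAllowed(context, request, response));

  // Authenticated user that the ACL rejects: this is the case that actually
  // depends on the admin ACL, so a regression in the ACL check fails here.
  Mockito.when(request.getRemoteUser()).thenReturn("foo");
  Assert.assertFalse(HttpServer2.isInstrumentationAccessAllowed(context, request, response));
}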
use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.
the class TestHttpServer method testAuthorizationOfDefaultServlets.
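/**
 * Verify the administrator access for the /conf, /logs, /stacks, /logLevel
 * and /jmx servlets when authorization and
 * instrumentation-requires-admin are both enabled.
 *
 * <p>The admin ACL is "userA,userB groupC,groupD": userA and userB are
 * admitted by name, userC and userD through their groups, and userE matches
 * neither list and must receive 403 on every servlet.
 *
 * @throws Exception if the server cannot be built or started, or a request fails
 */
@Test
public void testAuthorizationOfDefaultServlets() throws Exception {
  Configuration conf = new Configuration();
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_AUTHORIZATION, true);
  conf.setBoolean(CommonConfigurationKeys.HADOOP_SECURITY_INSTRUMENTATION_REQUIRES_ADMIN, true);
  conf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY, DummyFilterInitializer.class.getName());
  conf.set(CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING, MyGroupsProvider.class.getName());
  Groups.getUserToGroupsMappingService(conf);

  // One group per user, so group-based ACL entries can be told apart from user-based ones.
  MyGroupsProvider.clearMapping();
  MyGroupsProvider.mapping.put("userA", Arrays.asList("groupA"));
  MyGroupsProvider.mapping.put("userB", Arrays.asList("groupB"));
  MyGroupsProvider.mapping.put("userC", Arrays.asList("groupC"));
  MyGroupsProvider.mapping.put("userD", Arrays.asList("groupD"));
  MyGroupsProvider.mapping.put("userE", Arrays.asList("groupE"));

  HttpServer2 myServer = new HttpServer2.Builder()
      .setName("test")
      .addEndpoint(new URI("http://localhost:0"))
      .setFindPort(true)
      .setConf(conf)
      .setACL(new AccessControlList("userA,userB groupC,groupD"))
      .build();
  myServer.setAttribute(HttpServer2.CONF_CONTEXT_ATTRIBUTE, conf);
  myServer.start();
  // Stop the server even when an assertion fails, so a failing run does not
  // leave a listener behind for the tests that follow.
  try {
    final String serverURL =
        "http://" + NetUtils.getHostPortString(myServer.getConnectorAddress(0)) + "/";
    final String[] servlets = { "conf", "logs", "stacks", "logLevel", "jmx" };

    for (String servlet : servlets) {
      for (String user : new String[] { "userA", "userB", "userC", "userD" }) {
        assertEquals(HttpURLConnection.HTTP_OK, getHttpStatusCode(serverURL + servlet, user));
      }
      // userE is in neither the user list nor the group list of the ACL.
      assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
          getHttpStatusCode(serverURL + servlet, "userE"));
    }

    // hadoop.security.authorization is set as true while
    // hadoop.http.authentication.type's value is `simple`(default value)
    // in this case, static user has administrator access
    // NOTE(review): how getHttpStatusCode conveys the user name is not visible
    // here; presumably DummyFilterInitializer accepts a name supplied by the
    // client - confirm. If so, this pins that the admin ACL is not a security
    // boundary on its own under simple authentication.
    final String staticUser = conf.get(HADOOP_HTTP_STATIC_USER, DEFAULT_HADOOP_HTTP_STATIC_USER);
    for (String servlet : servlets) {
      assertEquals(HttpURLConnection.HTTP_OK,
          getHttpStatusCode(serverURL + servlet, staticUser));
    }
  } finally {
    myServer.stop();
  }
}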
use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.
the class TestKMSACLs method testKeyAclDuplicateEntries.
/**
 * Sets every ACL property twice and checks that {@code KMSACLs} ends up with
 * the value written last, for per-key, default and whitelist key ACLs alike.
 */
@Test
public void testKeyAclDuplicateEntries() {
  final String key1Decrypt = KEY_ACL + "test_key_1.DECRYPT_EEK";
  final String key2All = KEY_ACL + "test_key_2.ALL";
  final String defaultManagement = DEFAULT_KEY_ACL_PREFIX + "MANAGEMENT";
  final String defaultDecrypt = DEFAULT_KEY_ACL_PREFIX + "DECRYPT_EEK";
  final String whitelistDecrypt = WHITELIST_KEY_ACL_PREFIX + "DECRYPT_EEK";

  final Configuration conf = new Configuration(false);
  // Per-key ACLs: the two keys are interleaved, each written twice.
  conf.set(key1Decrypt, "decrypt1");
  conf.set(key2All, "all2");
  conf.set(key1Decrypt, "decrypt2");
  conf.set(key2All, "all1,all3");
  // Default ACLs: a named user, then "*", each replaced by the empty string.
  conf.set(defaultManagement, "default1");
  conf.set(defaultManagement, "");
  conf.set(defaultDecrypt, "*");
  conf.set(defaultDecrypt, "");
  // Whitelist ACL: a named user widened to "*" by the second write.
  conf.set(whitelistDecrypt, "whitelist1");
  conf.set(whitelistDecrypt, "*");

  final KMSACLs kmsAcls = new KMSACLs(conf);

  // Two distinct keys were configured, so two key ACL entries are expected.
  final int keyAclCount = kmsAcls.keyAcls.size();
  Assert.assertTrue("expected key ACL size is 2 but got " + keyAclCount, keyAclCount == 2);
  assertKeyAcl("test_key_1", kmsAcls, KeyOpType.DECRYPT_EEK, "decrypt2");
  assertKeyAcl("test_key_2", kmsAcls, KeyOpType.ALL, "all1", "all3");

  // No expected names are passed; presumably assertDefaultKeyAcl then checks
  // that the ACL names nobody (helper not shown here - confirm).
  assertDefaultKeyAcl(kmsAcls, KeyOpType.MANAGEMENT);
  assertDefaultKeyAcl(kmsAcls, KeyOpType.DECRYPT_EEK);

  // The last whitelist value was "*", so the resulting ACL must allow everyone.
  final AccessControlList whitelistAcl = kmsAcls.whitelistKeyAcls.get(KeyOpType.DECRYPT_EEK);
  Assert.assertNotNull(whitelistAcl);
  Assert.assertTrue(whitelistAcl.isAllAllowed());
}
use of org.apache.hadoop.security.authorize.AccessControlList in project hadoop by apache.
the class TestKMSACLs method assertWhitelistKeyAcl.
/**
 * Fetches the whitelist key ACL registered for {@code op} and passes it to
 * {@code assertAcl} together with the expected names.
 *
 * @param acls the KMS ACLs whose whitelist map is read
 * @param op the key operation to look up
 * @param names the names handed to {@code assertAcl} as the expectation
 */
private void assertWhitelistKeyAcl(final KMSACLs acls, final KeyOpType op, final String... names) {
  assertAcl(acls.whitelistKeyAcls.get(op), op, names);
}