
Example 61 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project testcases by coheigea.

the class RangerKmsAuthorizerTest method testDeleteKeys.

@org.junit.Test
public void testDeleteKeys() throws Throwable {
    // bob should have permission to delete
    final UserGroupInformation ugi = UserGroupInformation.createRemoteUser("bob");
    ugi.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(Type.DELETE, ugi, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
            return null;
        }
    });
    // "eve" should not have permission to delete
    final UserGroupInformation ugi2 = UserGroupInformation.createRemoteUser("eve");
    ugi2.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.DELETE, ugi2, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException ex) {
                // expected
            }
            return null;
        }
    });
    // the IT group should not have permission to delete
    final UserGroupInformation ugi3 = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi3.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.DELETE, ugi3, KMSOp.DELETE_KEY, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException ex) {
                // expected
            }
            return null;
        }
    });
}
Also used : AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 62 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project testcases by coheigea.

the class RangerKmsAuthorizerTest method testDecryptEEK.

@org.junit.Test
public void testDecryptEEK() throws Throwable {
    // bob should have permission to decrypt EEK
    final UserGroupInformation ugi = UserGroupInformation.createRemoteUser("bob");
    ugi.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(Type.DECRYPT_EEK, ugi, KMSOp.DECRYPT_EEK, "newkey1", "127.0.0.1");
            return null;
        }
    });
    // "eve" should not have permission to decrypt EEK
    final UserGroupInformation ugi2 = UserGroupInformation.createRemoteUser("eve");
    ugi2.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.DECRYPT_EEK, ugi2, KMSOp.DECRYPT_EEK, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException ex) {
                // expected
            }
            return null;
        }
    });
    // the IT group should not have permission to decrypt EEK
    final UserGroupInformation ugi3 = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi3.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.DECRYPT_EEK, ugi3, KMSOp.DECRYPT_EEK, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException ex) {
                // expected
            }
            return null;
        }
    });
}
Also used : AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation)

Example 63 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project oozie by apache.

the class TestHadoopAccessorService method testCreateYarnClient.

public void testCreateYarnClient() throws Exception {
    HadoopAccessorService has = Services.get().get(HadoopAccessorService.class);
    Configuration conf = has.createConfiguration(getJobTrackerUri());
    YarnClient yc = has.createYarnClient(getTestUser(), conf);
    assertNotNull(yc);
    yc.getApplications();
    try {
        yc = has.createYarnClient("invalid-user", conf);
        assertNotNull(yc);
        yc.getApplications();
        fail("Should have thrown exception because not allowed to impersonate 'invalid-user'");
    } catch (AuthorizationException ex) {
        // expected: the test user is not allowed to impersonate 'invalid-user'
    }
    JobConf conf2 = new JobConf(false);
    conf2.set("yarn.resourcemanager.address", getJobTrackerUri());
    try {
        has.createYarnClient(getTestUser(), conf2);
        fail("Should have thrown exception because Configuration not created by HadoopAccessorService");
    } catch (HadoopAccessorException ex) {
        assertEquals(ErrorCode.E0903, ex.getErrorCode());
    }
}
Also used : XConfiguration(org.apache.oozie.util.XConfiguration) Configuration(org.apache.hadoop.conf.Configuration) AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) JobConf(org.apache.hadoop.mapred.JobConf) YarnClient(org.apache.hadoop.yarn.client.api.YarnClient)

Example 64 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project ranger by apache.

the class KeyAuthorizationKeyProvider method authorizeCreateKey.

// This method first checks if "key.acl.name" attribute is present as an
// attribute in the provider Options. If yes, use the aclName for any
// subsequent access checks, else use the keyName as the aclName and set it
// as the value of the "key.acl.name" in the key's metadata.
private void authorizeCreateKey(String keyName, Options options, UserGroupInformation ugi) throws IOException {
    Preconditions.checkNotNull(ugi, "UserGroupInformation cannot be null");
    Map<String, String> attributes = options.getAttributes();
    String aclName = attributes.get(KEY_ACL_NAME);
    boolean success = false;
    if (Strings.isNullOrEmpty(aclName)) {
        if (acls.isACLPresent(keyName, KeyOpType.MANAGEMENT)) {
            options.setAttributes(ImmutableMap.<String, String>builder().putAll(attributes).put(KEY_ACL_NAME, keyName).build());
            success = acls.hasAccessToKey(keyName, ugi, KeyOpType.MANAGEMENT) || acls.hasAccessToKey(keyName, ugi, KeyOpType.ALL);
        } else {
            success = false;
        }
    } else {
        success = acls.isACLPresent(aclName, KeyOpType.MANAGEMENT) && (acls.hasAccessToKey(aclName, ugi, KeyOpType.MANAGEMENT) || acls.hasAccessToKey(aclName, ugi, KeyOpType.ALL));
    }
    if (!success)
        throw new AuthorizationException(String.format("User [%s] is not" + " authorized to create key !!", ugi.getShortUserName()));
}
Also used : AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException)

Example 65 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project ranger by apache.

the class RangerKmsAuthorizerTest method testDecryptEEK.

@Test
public void testDecryptEEK() throws Throwable {
    if (!UNRESTRICTED_POLICIES_INSTALLED) {
        return;
    }
    // bob should have permission to decrypt EEK
    final UserGroupInformation ugi = UserGroupInformation.createRemoteUser("bob");
    ugi.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            KMSWebApp.getACLs().assertAccess(Type.DECRYPT_EEK, ugi, KMSOp.DECRYPT_EEK, "newkey1", "127.0.0.1");
            return null;
        }
    });
    // "eve" should not have permission to decrypt EEK
    final UserGroupInformation ugi2 = UserGroupInformation.createRemoteUser("eve");
    ugi2.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.DECRYPT_EEK, ugi2, KMSOp.DECRYPT_EEK, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException ex) {
                LOG.error("", ex);
            }
            return null;
        }
    });
    // the IT group should not have permission to decrypt EEK
    final UserGroupInformation ugi3 = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    ugi3.doAs(new PrivilegedExceptionAction<Void>() {

        public Void run() throws Exception {
            try {
                KMSWebApp.getACLs().assertAccess(Type.DECRYPT_EEK, ugi3, KMSOp.DECRYPT_EEK, "newkey1", "127.0.0.1");
                Assert.fail("Failure expected");
            } catch (AuthorizationException ex) {
                LOG.error("", ex);
            }
            return null;
        }
    });
}
Also used : AuthorizationException(org.apache.hadoop.security.authorize.AuthorizationException) UserGroupInformation(org.apache.hadoop.security.UserGroupInformation) Test(org.junit.Test)
