
Example 31 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project testcases by coheigea.

the class RangerKmsAuthorizerTest method testGetKeys.

@org.junit.Test
public void testGetKeys() throws Throwable {
    // Exercises the GET_KEYS policy for three callers: a user granted directly, a user with no grant,
    // and a user who is only allowed through group membership.

    // "bob" is granted GET_KEYS directly and must be let through.
    final UserGroupInformation bobUgi = UserGroupInformation.createRemoteUser("bob");
    bobUgi.doAs((PrivilegedExceptionAction<Void>) () -> {
        KMSWebApp.getACLs().assertAccess(Type.GET_KEYS, bobUgi, KMSOp.GET_KEYS, "newkey1", "127.0.0.1");
        return null;
    });

    // "eve" has no matching policy; the ACL check must throw AuthorizationException.
    final UserGroupInformation eveUgi = UserGroupInformation.createRemoteUser("eve");
    eveUgi.doAs((PrivilegedExceptionAction<Void>) () -> {
        try {
            KMSWebApp.getACLs().assertAccess(Type.GET_KEYS, eveUgi, KMSOp.GET_KEYS, "newkey1", "127.0.0.1");
            Assert.fail("Failure expected");
        } catch (AuthorizationException expected) {
            // denial is the expected outcome
        }
        return null;
    });

    // "alice" is only allowed through her membership of the IT group.
    final UserGroupInformation aliceUgi = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    aliceUgi.doAs((PrivilegedExceptionAction<Void>) () -> {
        KMSWebApp.getACLs().assertAccess(Type.GET_KEYS, aliceUgi, KMSOp.GET_KEYS, "newkey1", "127.0.0.1");
        return null;
    });
}

Example 32 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project testcases by coheigea.

the class RangerKmsAuthorizerTest method testGenerateEEK.

@org.junit.Test
public void testGenerateEEK() throws Throwable {
    // Exercises the GENERATE_EEK policy: only "bob" is granted it; neither "eve" nor the IT group is.
    final String keyName = "newkey1";
    final String clientAddress = "127.0.0.1";

    // "bob" is granted GENERATE_EEK directly and must be let through.
    final UserGroupInformation bobUgi = UserGroupInformation.createRemoteUser("bob");
    bobUgi.doAs((PrivilegedExceptionAction<Void>) () -> {
        KMSWebApp.getACLs().assertAccess(Type.GENERATE_EEK, bobUgi, KMSOp.GENERATE_EEK, keyName, clientAddress);
        return null;
    });

    // "eve" has no grant; the ACL check must throw AuthorizationException.
    final UserGroupInformation eveUgi = UserGroupInformation.createRemoteUser("eve");
    eveUgi.doAs((PrivilegedExceptionAction<Void>) () -> {
        try {
            KMSWebApp.getACLs().assertAccess(Type.GENERATE_EEK, eveUgi, KMSOp.GENERATE_EEK, keyName, clientAddress);
            Assert.fail("Failure expected");
        } catch (AuthorizationException expected) {
            // denial is the expected outcome
        }
        return null;
    });

    // Membership of the IT group does not confer GENERATE_EEK, so "alice" must be refused as well.
    final UserGroupInformation aliceUgi = UserGroupInformation.createUserForTesting("alice", new String[] { "IT" });
    aliceUgi.doAs((PrivilegedExceptionAction<Void>) () -> {
        try {
            KMSWebApp.getACLs().assertAccess(Type.GENERATE_EEK, aliceUgi, KMSOp.GENERATE_EEK, keyName, clientAddress);
            Assert.fail("Failure expected");
        } catch (AuthorizationException expected) {
            // denial is the expected outcome
        }
        return null;
    });
}

Example 33 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project hbase by apache.

the class ProxyUserAuthenticationFilter method doFilter.

@Override
protected void doFilter(FilterChain filterChain, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    // Honours an impersonation ("doAs") request: when an already-authenticated caller asks to act as another
    // user, the (real user, proxied user, client address) triple is checked against the Hadoop proxy-user
    // rules; on success the downstream filters/servlets receive a request whose remote user and principal
    // are the proxied user, on failure the chain is stopped with a 403.
    final HttpServletRequest lowerCaseRequest = toLowerCase(request);
    // DO_AS is read from the lower-cased request; presumably this makes the parameter name case-insensitive — confirm against toLowerCase().
    String doAsUser = lowerCaseRequest.getParameter(DO_AS);
    // A doAs naming the caller themselves is a no-op and is passed through without a proxy-user check.
    if (doAsUser != null && !doAsUser.equals(request.getRemoteUser())) {
        LOG.debug("doAsUser = {}, RemoteUser = {} , RemoteAddress = {} ", doAsUser, request.getRemoteUser(), request.getRemoteAddr());
        // Impersonation is only attempted when the container has authenticated the caller (a principal is present).
        // NOTE(review): the null check is on getUserPrincipal() but the name is taken from getRemoteUser(); if a
        // container ever supplies a principal together with a null remote user, createRemoteUser(null) would
        // throw instead of falling through — confirm both are always set together for the configured authenticators.
        UserGroupInformation requestUgi = (request.getUserPrincipal() != null) ? UserGroupInformation.createRemoteUser(request.getRemoteUser()) : null;
        if (requestUgi != null) {
            requestUgi = UserGroupInformation.createProxyUser(doAsUser, requestUgi);
            try {
                // The address handed to the proxy-user check is the direct peer (request.getRemoteAddr()); if this
                // filter is deployed behind a reverse proxy, that is the proxy's address rather than the end client's.
                ProxyUsers.authorize(requestUgi, request.getRemoteAddr());
                final UserGroupInformation ugiF = requestUgi;
                // Swap the request so everything downstream observes the proxied identity; the wrapper exposes
                // the UGI's short name as remote user and its full user name as the principal name.
                request = new HttpServletRequestWrapper(request) {

                    @Override
                    public String getRemoteUser() {
                        return ugiF.getShortUserName();
                    }

                    @Override
                    public Principal getUserPrincipal() {
                        // A fresh Principal is built on every call; it only carries the proxied user's name.
                        return new Principal() {

                            @Override
                            public String getName() {
                                return ugiF.getUserName();
                            }
                        };
                    }
                };
                LOG.debug("Proxy user Authentication successful");
            } catch (AuthorizationException ex) {
                // Impersonation denied: answer 403 and stop the chain here; the original request is not forwarded.
                HttpExceptionUtils.createServletExceptionResponse(response, HttpServletResponse.SC_FORBIDDEN, ex);
                LOG.warn("Proxy user Authentication exception", ex);
                return;
            }
        }
        // An unauthenticated caller's doAs is not honoured: the request continues below unchanged — presumably the
        // authentication handling elsewhere in the filter chain rejects or challenges it; confirm.
    }
    // Reached when no doAs was requested, when the caller was unauthenticated, or when impersonation succeeded
    // (in which case `request` is the wrapper created above).
    super.doFilter(filterChain, request, response);
}

Example 34 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project hbase by apache.

the class ThriftHttpServlet method doPost.

@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    // Establishes the effective user for this Thrift-over-HTTP request before delegating to the parent servlet:
    // optionally authenticates the caller with Kerberos/SPNEGO, then optionally resolves a proxy-user ("doAs")
    // request against the Hadoop proxy-user rules. securityEnabled, doAsEnabled, serviceUGI, handler and
    // NEGOTIATE are class members not visible in this excerpt.
    String effectiveUser = request.getRemoteUser();
    if (securityEnabled) {
        /*
         * Check that the AUTHORIZATION header has any content. If it does not then return a 401
         * requesting the AUTHORIZATION header to be sent. This is typical where the first request doesn't
         * send the AUTHORIZATION header initially.
         */
        String authHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (authHeader == null || authHeader.isEmpty()) {
            // Send a 401 to the client, with a Negotiate challenge so it knows which scheme to use.
            response.addHeader(HttpHeaders.WWW_AUTHENTICATE, NEGOTIATE);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            // As Thrift HTTP transport doesn't support SPNEGO yet (THRIFT-889),
            // Kerberos authentication is being done at servlet level.
            final RemoteUserIdentity identity = doKerberosAuth(request);
            // The Kerberos principal replaces whatever the container reported as remote user.
            effectiveUser = identity.principal;
            // It is standard for client applications to expect this header.
            // Please see http://tools.ietf.org/html/rfc4559 for more details.
            response.addHeader(HttpHeaders.WWW_AUTHENTICATE, NEGOTIATE + " " + identity.outToken);
        } catch (HttpAuthenticationException e) {
            LOG.error("Kerberos Authentication failed", e);
            // Send a 401 to the client, re-issuing the Negotiate challenge.
            // NOTE(review): e.getMessage() is echoed to the client here; if that message can carry internal
            // detail, a generic error string for the client (keeping the full exception in the log) is safer.
            response.addHeader(HttpHeaders.WWW_AUTHENTICATE, NEGOTIATE);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication Error: " + e.getMessage());
            return;
        }
    }
    // Without an authenticated remote user, requests run as the service's own identity.
    if (effectiveUser == null) {
        effectiveUser = serviceUGI.getShortUserName();
    }
    // Despite the local name, the doAs value is obtained via getDoasFromHeader(request) — see that helper for where it is read from.
    String doAsUserFromQuery = getDoasFromHeader(request);
    if (doAsUserFromQuery != null) {
        // Refuse impersonation outright unless proxy-user support is enabled for this servlet.
        if (!doAsEnabled) {
            throw new ServletException("Support for proxyuser is not configured");
        }
        // The authenticated remote user is attempting to perform 'doAs' proxy user.
        UserGroupInformation remoteUser = UserGroupInformation.createRemoteUser(effectiveUser);
        // create and attempt to authorize a proxy user (the client is attempting
        // to do proxy user)
        UserGroupInformation ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, remoteUser);
        // validate the proxy user authorization against the direct peer address (behind a reverse proxy this is
        // the proxy's address rather than the end client's)
        try {
            ProxyUsers.authorize(ugi, request.getRemoteAddr());
        } catch (AuthorizationException e) {
            // NOTE(review): a denied impersonation surfaces as a ServletException, which the container typically
            // renders as a server error rather than a 403 — confirm this is the intended client-visible outcome.
            throw new ServletException(e);
        }
        // From here on the request is processed as the impersonated user.
        effectiveUser = doAsUserFromQuery;
    }
    // How the handler scopes the effective user per request (e.g. thread-local) is not visible here.
    handler.setEffectiveUser(effectiveUser);
    super.doPost(request, response);
}

Example 35 with AuthorizationException

use of org.apache.hadoop.security.authorize.AuthorizationException in project hive by apache.

the class TestHadoopAuthBridge23 method testMetastoreProxyUser.

@Test
public void testMetastoreProxyUser() throws Exception {
    setup();
    final String proxyUserName = "proxyUser";
    // First allow proxyUser to impersonate only members of "foo_bar_group", a dummy group the
    // test user is not expected to belong to.
    final String[] groupNames = new String[] { "foo_bar_group" };
    setGroupsInConf(groupNames, proxyUserName);
    final UserGroupInformation delegationTokenUser = UserGroupInformation.getCurrentUser();
    final UserGroupInformation proxyUserUgi = UserGroupInformation.createRemoteUser(proxyUserName);
    // Requests a delegation token for the test user while running as the proxy user. A refused
    // impersonation surfaces as AuthorizationException, which is mapped to a null token string.
    // The same action is reused for both configurations below.
    final PrivilegedExceptionAction<String> fetchTokenAsProxy = new PrivilegedExceptionAction<String>() {

        public String run() throws Exception {
            try {
                return getDelegationTokenStr(delegationTokenUser, proxyUserUgi);
            } catch (AuthorizationException ae) {
                return null;
            }
        }
    };
    // With only the dummy group configured, impersonation must be refused.
    String tokenStrForm = proxyUserUgi.doAs(fetchTokenAsProxy);
    Assert.assertTrue("Expected the getDelegationToken call to fail", tokenStrForm == null);
    // Now allow proxyUser to impersonate members of the real group(s) the test user belongs to,
    // after which the same call must succeed.
    setGroupsInConf(UserGroupInformation.getCurrentUser().getGroupNames(), proxyUserName);
    tokenStrForm = proxyUserUgi.doAs(fetchTokenAsProxy);
    Assert.assertTrue("Expected the getDelegationToken call to not fail", tokenStrForm != null);
    // Decode the token and check that it was issued for the impersonated user rather than the proxy.
    final Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>();
    token.decodeFromUrlString(tokenStrForm);
    final DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
    identifier.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
    Assert.assertTrue("Usernames don't match", delegationTokenUser.getShortUserName().equals(identifier.getUser().getShortUserName()));
}
