use of org.apache.knox.gateway.config.GatewayConfig in project knox by apache.
the class DeploymentFactoryFuncTest method testDeploymentWithServiceParams.
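/**
 * Verifies that a param set on a topology {@code Service} appears under the
 * {@code dispatch} filter of that role's resource in the generated
 * {@code WEB-INF/gateway.xml}.
 *
 * <p>Three services (HIVE, WEBHBASE, OOZIE) are added, each with one param, and the
 * deployment descriptor is checked for each name/value pair.
 *
 * @throws Exception if the deployment cannot be created or gateway.xml cannot be read
 */
@Test(timeout = LONG_TIMEOUT)
public void testDeploymentWithServiceParams() throws Exception {
  LOG_ENTER();
  GatewayConfig config = new GatewayTestConfig();
  File targetDir = new File(System.getProperty("user.dir"), "target");
  // A fresh gateway home per run keeps state from leaking between tests.
  File gatewayDir = new File(targetDir, "gateway-home-" + UUID.randomUUID());
  gatewayDir.mkdirs();
  ((GatewayTestConfig) config).setGatewayHomeDir(gatewayDir.getAbsolutePath());
  File deployDir = new File(config.getGatewayDeploymentDir());
  deployDir.mkdirs();

  try {
    DefaultGatewayServices srvcs = new DefaultGatewayServices();
    Map<String, String> options = new HashMap<>();
    // Test-only fixture: a literal master secret with persistence switched off.
    // NOTE(review): presumably "persist-master=false" keeps this throwaway secret from
    // being written under the gateway home; confirm against DefaultGatewayServices.
    options.put("persist-master", "false");
    options.put("master", "password");
    try {
      DeploymentFactory.setGatewayServices(srvcs);
      srvcs.init(config, options);
    } catch (ServiceLifecycleException e) {
      // I18N not required.
      // NOTE(review): an init failure is only printed and the test carries on with
      // services that did not initialise; consider failing fast here.
      e.printStackTrace();
    }

    // Each row: {role, url, param name, param value}. The OOZIE url keeps the
    // original "hbase-host" value.
    String[][] serviceFixtures = {
        {"HIVE", "http://hive-host:50001/", "someparam", "somevalue"},
        {"WEBHBASE", "http://hbase-host:50002/", "replayBufferSize", "33"},
        {"OOZIE", "http://hbase-host:50003/", "otherparam", "65"},
    };

    Topology topology = new Topology();
    topology.setName("test-cluster");
    for (String[] fixture : serviceFixtures) {
      Service service = new Service();
      service.setRole(fixture[0]);
      service.setUrls(Arrays.asList(fixture[1]));
      Param param = new Param();
      param.setName(fixture[2]);
      param.setValue(fixture[3]);
      service.addParam(param);
      topology.addService(service);
    }

    EnterpriseArchive war = DeploymentFactory.createDeployment(config, topology);
    Document doc = XmlUtils.readXml(war.get("%2F/WEB-INF/gateway.xml").getAsset().openStream());

    for (String[] fixture : serviceFixtures) {
      Node resourceNode = node(doc, "gateway/resource[role/text()='" + fixture[0] + "']");
      assertThat(resourceNode, is(not(nullValue())));
      Node filterNode = node(resourceNode, "filter[role/text()='dispatch']");
      assertThat(filterNode, is(not(nullValue())));
      Node paramNode = node(filterNode, "param[name/text()='" + fixture[2] + "']");
      // Assert the param node itself so a missing param fails with a clear message
      // instead of surfacing inside the value lookup.
      assertThat(paramNode, is(not(nullValue())));
      String value = value(paramNode, "value/text()");
      assertThat(value, is(fixture[3]));
    }
  } finally {
    // Clean up even when an assertion above fails, so the deployment directory is not
    // left behind. NOTE(review): gatewayDir itself is never removed.
    FileUtils.deleteQuietly(deployDir);
  }
  LOG_EXIT();
}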
use of org.apache.knox.gateway.config.GatewayConfig in project knox by apache.
the class DeploymentFactoryFuncTest method testWebXmlGeneration.
/**
 * Builds a WEBHDFS topology with authentication (ShiroProvider), identity-assertion,
 * authorization (AclsAuthz) and HA providers enabled, then runs
 * {@code createAndTestDeployment} ten times against the same config and topology.
 */
@Test(timeout = LONG_TIMEOUT)
public void testWebXmlGeneration() throws IOException, SAXException, ParserConfigurationException, URISyntaxException {
  LOG_ENTER();

  // Fresh gateway home under <user.dir>/target for this run.
  final GatewayTestConfig testConfig = new GatewayTestConfig();
  final GatewayConfig config = testConfig;
  final File buildDir = new File(System.getProperty("user.dir"), "target");
  final File gatewayHome = new File(buildDir, "gateway-home-" + UUID.randomUUID());
  gatewayHome.mkdirs();
  testConfig.setGatewayHomeDir(gatewayHome.getAbsolutePath());
  final File deploymentDir = new File(config.getGatewayDeploymentDir());
  deploymentDir.mkdirs();

  // Test-only master secret; see the "persist-master" option passed alongside it.
  final DefaultGatewayServices gatewayServices = new DefaultGatewayServices();
  final Map<String, String> initOptions = new HashMap<>();
  initOptions.put("persist-master", "false");
  initOptions.put("master", "password");
  try {
    DeploymentFactory.setGatewayServices(gatewayServices);
    gatewayServices.init(config, initOptions);
  } catch (ServiceLifecycleException e) {
    // I18N not required.
    // NOTE(review): a failed init is only printed; the test continues regardless.
    e.printStackTrace();
  }

  final Topology topology = new Topology();
  topology.setName("test-cluster");

  final Service webHdfs = new Service();
  webHdfs.setRole("WEBHDFS");
  webHdfs.addUrl("http://localhost:50070/webhdfs");
  topology.addService(webHdfs);

  // Authentication provider backed by a classpath Shiro context.
  final Provider authentication = new Provider();
  authentication.setRole("authentication");
  authentication.setName("ShiroProvider");
  authentication.setEnabled(true);
  final Param contextLocation = new Param();
  contextLocation.setName("contextConfigLocation");
  contextLocation.setValue("classpath:app-context-security.xml");
  authentication.addParam(contextLocation);
  topology.addProvider(authentication);

  final Provider identityAssertion = new Provider();
  identityAssertion.setRole("identity-assertion");
  identityAssertion.setName("Default");
  identityAssertion.setEnabled(true);
  topology.addProvider(identityAssertion);

  final Provider authorization = new Provider();
  authorization.setRole("authorization");
  authorization.setName("AclsAuthz");
  authorization.setEnabled(true);
  topology.addProvider(authorization);

  final Provider highAvailability = new Provider();
  highAvailability.setRole("ha");
  highAvailability.setName("HaProvider");
  highAvailability.setEnabled(true);
  topology.addProvider(highAvailability);

  // Repeat the deployment with identical inputs.
  for (int round = 1; round <= 10; round++) {
    createAndTestDeployment(config, topology);
  }

  LOG_EXIT();
}
use of org.apache.knox.gateway.config.GatewayConfig in project knox by apache.
the class DeploymentFactoryFuncTest method testServiceAnonAuth.
/**
* Tests the case where the topology has a federation provider configured
* and the service uses anonymous authentication, in which case
* AnonymousAuthFilter should be added to the filter chain.
* @since 1.1.0
* @throws IOException
* @throws SAXException
* @throws ParserConfigurationException
* @throws URISyntaxException
* @throws TransformerException
*/
@Test(timeout = MEDIUM_TIMEOUT)
public void testServiceAnonAuth() throws IOException, SAXException, ParserConfigurationException, URISyntaxException, TransformerException {
  LOG_ENTER();

  // Gateway home under <user.dir>/target, unique per run; X-Forwarded handling off.
  final GatewayTestConfig testConfig = new GatewayTestConfig();
  final GatewayConfig config = testConfig;
  testConfig.setXForwardedEnabled(false);
  final File buildDir = new File(System.getProperty("user.dir"), "target");
  final File gatewayHome = new File(buildDir, "gateway-home-" + UUID.randomUUID());
  gatewayHome.mkdirs();
  testConfig.setGatewayHomeDir(gatewayHome.getAbsolutePath());
  final File deploymentDir = new File(config.getGatewayDeploymentDir());
  deploymentDir.mkdirs();

  // Test-only master secret handed to the gateway services.
  final DefaultGatewayServices gatewayServices = new DefaultGatewayServices();
  final Map<String, String> initOptions = new HashMap<>();
  initOptions.put("persist-master", "false");
  initOptions.put("master", "password");
  try {
    DeploymentFactory.setGatewayServices(gatewayServices);
    gatewayServices.init(config, initOptions);
  } catch (ServiceLifecycleException e) {
    // I18N not required.
    e.printStackTrace();
  }

  // Two topologies with the same name and the same RANGER service.
  final Topology federationTopology = new Topology();
  final Topology authenticationTopology = new Topology();
  federationTopology.setName("test-cluster");
  authenticationTopology.setName("test-cluster");

  final Service ranger = new Service();
  ranger.setRole("RANGER");
  ranger.addUrl("http://localhost:50070/");
  federationTopology.addService(ranger);
  authenticationTopology.addService(ranger);

  /* Federation provider goes on the first topology */
  final Provider ssoCookie = new Provider();
  ssoCookie.setRole("federation");
  ssoCookie.setName("SSOCookieProvider");
  ssoCookie.setEnabled(true);
  final Param ssoProviderUrl = new Param();
  ssoProviderUrl.setName("sso.authentication.provider.url");
  ssoProviderUrl.setValue("https://www.local.com:8443/gateway/knoxsso/api/v1/websso");
  ssoCookie.addParam(ssoProviderUrl);
  federationTopology.addProvider(ssoCookie);

  /* Authentication provider goes on the second topology */
  final Provider shiro = new Provider();
  shiro.setRole("authentication");
  shiro.setName("ShiroProvider");
  shiro.setEnabled(true);
  final Param shiroContext = new Param();
  shiroContext.setName("contextConfigLocation");
  shiroContext.setValue("classpath:app-context-security.xml");
  shiro.addParam(shiroContext);
  authenticationTopology.addProvider(shiro);

  // Identity assertion is registered on the federation topology only.
  final Provider identityAssertion = new Provider();
  identityAssertion.setRole("identity-assertion");
  identityAssertion.setName("Default");
  identityAssertion.setEnabled(true);
  federationTopology.addProvider(identityAssertion);

  // Authorization is registered on both topologies.
  final Provider aclsAuthz = new Provider();
  aclsAuthz.setRole("authorization");
  aclsAuthz.setName("AclsAuthz");
  aclsAuthz.setEnabled(true);
  federationTopology.addProvider(aclsAuthz);
  authenticationTopology.addProvider(aclsAuthz);

  // NOTE(review): both archives are built from federationTopology, so
  // authenticationTopology (the ShiroProvider case) is configured above but never
  // deployed or asserted on. If the second archive was meant to cover it, the
  // expected filter chain for that case needs to be confirmed before changing this.
  final EnterpriseArchive war = DeploymentFactory.createDeployment(config, federationTopology);
  final EnterpriseArchive war2 = DeploymentFactory.createDeployment(config, federationTopology);

  // NOTE(review): both web.xml documents are parsed but nothing is asserted on them.
  final Document web = XmlUtils.readXml(war.get("%2F/WEB-INF/web.xml").getAsset().openStream());
  final Document web2 = XmlUtils.readXml(war2.get("%2F/WEB-INF/web.xml").getAsset().openStream());

  /* AnonymousAuthFilter must be first in the chain for the public Ranger resource,
     followed by rewrite, authorization and dispatch. */
  final Document gateway = XmlUtils.readXml(war.get("%2F/WEB-INF/gateway.xml").getAsset().openStream());
  assertThat(gateway, hasXPath("/gateway/resource[1]/pattern", equalTo("/ranger/service/public/**")));
  assertThat(gateway, hasXPath("/gateway/resource[1]/filter[1]/role", equalTo("authentication")));
  assertThat(gateway, hasXPath("/gateway/resource[1]/filter[1]/class", equalTo("org.apache.knox.gateway.filter.AnonymousAuthFilter")));
  assertThat(gateway, hasXPath("/gateway/resource[1]/filter[2]/role", equalTo("rewrite")));
  assertThat(gateway, hasXPath("/gateway/resource[1]/filter[2]/class", equalTo("org.apache.knox.gateway.filter.rewrite.api.UrlRewriteServletFilter")));
  assertThat(gateway, hasXPath("/gateway/resource[1]/filter[3]/role", equalTo("authorization")));
  assertThat(gateway, hasXPath("/gateway/resource[1]/filter[3]/class", equalTo("org.apache.knox.gateway.filter.AclsAuthorizationFilter")));
  assertThat(gateway, hasXPath("/gateway/resource[1]/filter[4]/role", equalTo("dispatch")));
  assertThat(gateway, hasXPath("/gateway/resource[1]/filter[4]/class", equalTo("org.apache.knox.gateway.dispatch.GatewayDispatchFilter")));

  // NOTE(review): this re-reads gateway.xml from `war`, not `war2`, so the block below
  // repeats the assertions above on the same archive.
  final Document gateway2 = XmlUtils.readXml(war.get("%2F/WEB-INF/gateway.xml").getAsset().openStream());
  assertThat(gateway2, hasXPath("/gateway/resource[1]/pattern", equalTo("/ranger/service/public/**")));
  assertThat(gateway2, hasXPath("/gateway/resource[1]/filter[1]/role", equalTo("authentication")));
  assertThat(gateway2, hasXPath("/gateway/resource[1]/filter[1]/class", equalTo("org.apache.knox.gateway.filter.AnonymousAuthFilter")));
  assertThat(gateway2, hasXPath("/gateway/resource[1]/filter[2]/role", equalTo("rewrite")));
  assertThat(gateway2, hasXPath("/gateway/resource[1]/filter[2]/class", equalTo("org.apache.knox.gateway.filter.rewrite.api.UrlRewriteServletFilter")));
  assertThat(gateway2, hasXPath("/gateway/resource[1]/filter[3]/role", equalTo("authorization")));
  assertThat(gateway2, hasXPath("/gateway/resource[1]/filter[3]/class", equalTo("org.apache.knox.gateway.filter.AclsAuthorizationFilter")));
  assertThat(gateway2, hasXPath("/gateway/resource[1]/filter[4]/role", equalTo("dispatch")));
  assertThat(gateway2, hasXPath("/gateway/resource[1]/filter[4]/class", equalTo("org.apache.knox.gateway.dispatch.GatewayDispatchFilter")));

  LOG_EXIT();
}
use of org.apache.knox.gateway.config.GatewayConfig in project knox by apache.
the class RemoteConfigurationMonitorTest method testZooKeeperConfigMonitorSASLNodesExistWithUnacceptableACL.
/**
 * Pre-creates the Knox config znodes with an ACL list that includes a world:anyone
 * WRITE entry, starts the remote configuration monitor, and checks that afterwards
 * each znode carries only {@code SASL_TESTUSER_ALL}.
 */
@Test
public void testZooKeeperConfigMonitorSASLNodesExistWithUnacceptableACL() throws Exception {
  final String monitorClientName = "zkConfigClient";
  final String credentialAlias = "zkPass";

  // Mocked GatewayConfig: directories plus a Digest-authenticated ZooKeeper registry.
  final GatewayConfig gc = EasyMock.createNiceMock(GatewayConfig.class);
  EasyMock.expect(gc.getGatewayProvidersConfigDir()).andReturn(providersDir.getAbsolutePath()).anyTimes();
  EasyMock.expect(gc.getGatewayDescriptorsDir()).andReturn(descriptorsDir.getAbsolutePath()).anyTimes();
  EasyMock.expect(gc.getRemoteRegistryConfigurationNames()).andReturn(Collections.singletonList(monitorClientName)).anyTimes();
  final String registryConfig = String.join(";",
      GatewayConfig.REMOTE_CONFIG_REGISTRY_TYPE + "=" + ZooKeeperClientService.TYPE,
      GatewayConfig.REMOTE_CONFIG_REGISTRY_ADDRESS + "=" + zkCluster.getConnectString(),
      GatewayConfig.REMOTE_CONFIG_REGISTRY_PRINCIPAL + "=" + ZK_USERNAME,
      GatewayConfig.REMOTE_CONFIG_REGISTRY_AUTH_TYPE + "=Digest",
      GatewayConfig.REMOTE_CONFIG_REGISTRY_CREDENTIAL_ALIAS + "=" + credentialAlias);
  EasyMock.expect(gc.getRemoteRegistryConfiguration(monitorClientName)).andReturn(registryConfig).anyTimes();
  EasyMock.expect(gc.getRemoteConfigurationMonitorClientName()).andReturn(monitorClientName).anyTimes();
  EasyMock.replay(gc);

  // The registry password is resolved through the alias service, not the config string.
  final AliasService aliasService = EasyMock.createNiceMock(AliasService.class);
  EasyMock.expect(aliasService.getPasswordFromAliasForGateway(credentialAlias)).andReturn(ZK_PASSWORD.toCharArray()).anyTimes();
  EasyMock.replay(aliasService);

  final RemoteConfigurationRegistryClientService clientService = (new ZooKeeperClientServiceProvider()).newInstance();
  clientService.setAliasService(aliasService);
  clientService.init(gc, Collections.emptyMap());
  clientService.start();

  RemoteConfigurationMonitorFactory.setClientService(clientService);
  final RemoteConfigurationMonitor monitor = RemoteConfigurationMonitorFactory.get(gc);
  assertNotNull("Failed to load RemoteConfigurationMonitor", monitor);

  final String[] knoxZnodes = {PATH_KNOX, PATH_KNOX_CONFIG, PATH_KNOX_PROVIDERS, PATH_KNOX_DESCRIPTORS};

  // The "unacceptable" starting state: any authenticated user gets ALL, and
  // world:anyone additionally gets WRITE.
  final ACL anyAuthenticatedUserAll = new ACL(ZooDefs.Perms.ALL, new Id("auth", ""));
  final ACL worldAnyoneWrite = new ACL(ZooDefs.Perms.WRITE, ZooDefs.Ids.ANYONE_ID_UNSAFE);
  final List<ACL> permissiveAcls = Arrays.asList(anyAuthenticatedUserAll, worldAnyoneWrite);
  for (String znode : knoxZnodes) {
    client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).withACL(permissiveAcls).forPath(znode);
  }

  // Make sure both ACLs were applied
  final List<ACL> aclsBeforeStart = client.getACL().forPath(PATH_KNOX);
  assertEquals(2, aclsBeforeStart.size());

  // Check that the config nodes really do exist (the monitor will NOT create them if they're present)
  for (String znode : knoxZnodes) {
    assertNotNull(client.checkExists().forPath(znode));
  }

  // NOTE(review): the monitor is started here but this test never calls stop() on it;
  // confirm the class teardown handles that.
  try {
    monitor.start();
  } catch (Exception e) {
    fail("Failed to start monitor: " + e.getMessage());
  }

  // Validate the expected ACLs on the Knox config znodes (make sure the monitor removed the world:anyone ACL)
  final List<ACL> expectedAcls = Collections.singletonList(SASL_TESTUSER_ALL);
  for (String znode : knoxZnodes) {
    validateKnoxConfigNodeACLs(expectedAcls, client.getACL().forPath(znode));
  }
}
use of org.apache.knox.gateway.config.GatewayConfig in project knox by apache.
the class RemoteConfigurationMonitorTest method testZooKeeperConfigMonitorSASLCreateNodes.
/**
 * Starts the remote configuration monitor against a registry where the Knox config
 * znodes do not exist yet, then checks three things: a write outside the Knox nodes
 * via the registry client leaves no entry behind, the monitor-created znodes carry
 * only {@code SASL_TESTUSER_ALL}, and provider-config / descriptor znode changes are
 * mirrored to the local providers and descriptors directories.
 */
@Test
public void testZooKeeperConfigMonitorSASLCreateNodes() throws Exception {
  final String monitorClientName = "zkConfigClient";
  final String credentialAlias = "zkPass";

  // Mocked GatewayConfig: directories plus a Digest-authenticated ZooKeeper registry.
  final GatewayConfig gc = EasyMock.createNiceMock(GatewayConfig.class);
  EasyMock.expect(gc.getGatewayProvidersConfigDir()).andReturn(providersDir.getAbsolutePath()).anyTimes();
  EasyMock.expect(gc.getGatewayDescriptorsDir()).andReturn(descriptorsDir.getAbsolutePath()).anyTimes();
  EasyMock.expect(gc.getRemoteRegistryConfigurationNames()).andReturn(Collections.singletonList(monitorClientName)).anyTimes();
  final String registryConfig = String.join(";",
      GatewayConfig.REMOTE_CONFIG_REGISTRY_TYPE + "=" + ZooKeeperClientService.TYPE,
      GatewayConfig.REMOTE_CONFIG_REGISTRY_ADDRESS + "=" + zkCluster.getConnectString(),
      GatewayConfig.REMOTE_CONFIG_REGISTRY_PRINCIPAL + "=" + ZK_USERNAME,
      GatewayConfig.REMOTE_CONFIG_REGISTRY_AUTH_TYPE + "=Digest",
      GatewayConfig.REMOTE_CONFIG_REGISTRY_CREDENTIAL_ALIAS + "=" + credentialAlias);
  EasyMock.expect(gc.getRemoteRegistryConfiguration(monitorClientName)).andReturn(registryConfig).anyTimes();
  EasyMock.expect(gc.getRemoteConfigurationMonitorClientName()).andReturn(monitorClientName).anyTimes();
  EasyMock.replay(gc);

  // The registry password is resolved through the alias service, not the config string.
  final AliasService aliasService = EasyMock.createNiceMock(AliasService.class);
  EasyMock.expect(aliasService.getPasswordFromAliasForGateway(credentialAlias)).andReturn(ZK_PASSWORD.toCharArray()).anyTimes();
  EasyMock.replay(aliasService);

  final RemoteConfigurationRegistryClientService clientService = (new ZooKeeperClientServiceProvider()).newInstance();
  clientService.setAliasService(aliasService);
  clientService.init(gc, Collections.emptyMap());
  clientService.start();

  RemoteConfigurationMonitorFactory.setClientService(clientService);
  final RemoteConfigurationMonitor monitor = RemoteConfigurationMonitorFactory.get(gc);
  assertNotNull("Failed to load RemoteConfigurationMonitor", monitor);

  // Check that the config nodes really don't yet exist (the monitor will create them if they're not present)
  assertNull(client.checkExists().forPath(PATH_KNOX));
  assertNull(client.checkExists().forPath(PATH_KNOX_CONFIG));
  assertNull(client.checkExists().forPath(PATH_KNOX_PROVIDERS));
  assertNull(client.checkExists().forPath(PATH_KNOX_DESCRIPTORS));

  try {
    monitor.start();
  } catch (Exception e) {
    fail("Failed to start monitor: " + e.getMessage());
  }

  // Test auth violation: a create attempted through the registry client outside the
  // Knox config nodes must leave no entry behind.
  // NOTE(review): "/auth_test/child_node" must already exist for the getChildren call;
  // presumably the test fixture creates it with a restrictive ACL. Confirm in setup.
  clientService.get(monitorClientName).createEntry("/auth_test/child_node/test1");
  assertNull("Creation should have been prevented since write access is not granted to the test client.", client.checkExists().forPath("/auth_test/child_node/test1"));
  assertTrue("Creation should have been prevented since write access is not granted to the test client.", client.getChildren().forPath("/auth_test/child_node").isEmpty());

  // Validate the expected ACLs on the Knox config znodes (make sure the monitor created them correctly)
  final List<ACL> expectedAcls = Collections.singletonList(SASL_TESTUSER_ALL);
  validateKnoxConfigNodeACLs(expectedAcls, client.getACL().forPath(PATH_KNOX));
  validateKnoxConfigNodeACLs(expectedAcls, client.getACL().forPath(PATH_KNOX_CONFIG));
  validateKnoxConfigNodeACLs(expectedAcls, client.getACL().forPath(PATH_KNOX_PROVIDERS));
  validateKnoxConfigNodeACLs(expectedAcls, client.getACL().forPath(PATH_KNOX_DESCRIPTORS));

  // Test the Knox config nodes, for which authentication should be sufficient for access
  // NOTE(review): each step waits a fixed interval for the monitor to react before
  // checking the local file; on a slow host that wait may be too short.
  final long settleMillis = 100L;
  try {
    // --- provider configurations ---
    final String providerOneZnode = getProviderPath("providers-config1.xml");
    final File providerOneFile = new File(providersDir, "providers-config1.xml");
    final String providerTwoZnode = getProviderPath("providers-config2.xml");
    final File providerTwoFile = new File(providersDir, "providers-config2.xml");

    // create #1 -> local file appears with the same content
    client.create().withMode(CreateMode.PERSISTENT).forPath(providerOneZnode, TEST_PROVIDERS_CONFIG_1.getBytes());
    Thread.sleep(settleMillis);
    assertTrue(providerOneFile.exists());
    assertEquals(TEST_PROVIDERS_CONFIG_1, FileUtils.readFileToString(providerOneFile));

    // create #2
    client.create().withMode(CreateMode.PERSISTENT).forPath(getProviderPath("providers-config2.xml"), TEST_PROVIDERS_CONFIG_2.getBytes());
    Thread.sleep(settleMillis);
    assertTrue(providerTwoFile.exists());
    assertEquals(TEST_PROVIDERS_CONFIG_2, FileUtils.readFileToString(providerTwoFile));

    // update #2 -> local file content follows
    client.setData().forPath(providerTwoZnode, TEST_PROVIDERS_CONFIG_1.getBytes());
    Thread.sleep(settleMillis);
    assertTrue(providerTwoFile.exists());
    assertEquals(TEST_PROVIDERS_CONFIG_1, FileUtils.readFileToString(providerTwoFile));

    // delete #2, then #1 -> local files disappear
    client.delete().forPath(providerTwoZnode);
    Thread.sleep(settleMillis);
    assertFalse(providerTwoFile.exists());

    client.delete().forPath(providerOneZnode);
    Thread.sleep(settleMillis);
    assertFalse(providerOneFile.exists());

    // --- descriptors ---
    final String descriptorOneZnode = getDescriptorPath("test1.json");
    final String descriptorTwoZnode = getDescriptorPath("test2.json");
    final String descriptorThreeZnode = getDescriptorPath("test3.json");
    final File descriptorOneFile = new File(descriptorsDir, "test1.json");
    final File descriptorTwoFile = new File(descriptorsDir, "test2.json");
    final File descriptorThreeFile = new File(descriptorsDir, "test3.json");

    client.create().withMode(CreateMode.PERSISTENT).forPath(descriptorOneZnode, TEST_DESCRIPTOR_1.getBytes());
    Thread.sleep(settleMillis);
    assertTrue(descriptorOneFile.exists());
    assertEquals(TEST_DESCRIPTOR_1, FileUtils.readFileToString(descriptorOneFile));

    client.create().withMode(CreateMode.PERSISTENT).forPath(descriptorTwoZnode, TEST_DESCRIPTOR_1.getBytes());
    Thread.sleep(settleMillis);
    assertTrue(descriptorTwoFile.exists());
    assertEquals(TEST_DESCRIPTOR_1, FileUtils.readFileToString(descriptorTwoFile));

    client.setData().forPath(descriptorTwoZnode, TEST_DESCRIPTOR_2.getBytes());
    Thread.sleep(settleMillis);
    assertTrue(descriptorTwoFile.exists());
    assertEquals(TEST_DESCRIPTOR_2, FileUtils.readFileToString(descriptorTwoFile));

    client.create().withMode(CreateMode.PERSISTENT).forPath(descriptorThreeZnode, TEST_DESCRIPTOR_1.getBytes());
    Thread.sleep(settleMillis);
    assertTrue(descriptorThreeFile.exists());
    assertEquals(TEST_DESCRIPTOR_1, FileUtils.readFileToString(descriptorThreeFile));

    client.delete().forPath(descriptorTwoZnode);
    Thread.sleep(settleMillis);
    assertFalse("Expected test2.json to have been deleted.", descriptorTwoFile.exists());

    client.delete().forPath(descriptorThreeZnode);
    Thread.sleep(settleMillis);
    assertFalse(descriptorThreeFile.exists());

    client.delete().forPath(descriptorOneZnode);
    Thread.sleep(settleMillis);
    assertFalse(descriptorOneFile.exists());
  } finally {
    // Stop the monitor whether or not the sync checks passed.
    monitor.stop();
  }
}