use of org.apache.storm.security.auth.workertoken.WorkerTokenManager in project storm by apache.
the class AuthTest method workerTokenDigestAuthTest.
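/**
 * Exercises worker-token authentication over the digest SASL transport.
 *
 * <p>Sequence checked, as visible in this method:
 * <ol>
 *   <li>A client with no usable credentials is rejected with an {@link IOException} cause.</li>
 *   <li>Tokens issued for "bob" and "alice" let each connect, and the server-side
 *       {@link ReqContext} captured by the mocked {@code activate} reports the matching user.</li>
 *   <li>After simulated time advances 25 hours past bob's token issuance, bob's old
 *       {@link Subject} is rejected with a {@code TTransportException} cause, while alice's
 *       token (13 hours old) is still accepted.</li>
 *   <li>A freshly issued token lets bob connect again.</li>
 * </ol>
 *
 * <p>The negative checks throw {@link AssertionError} explicitly instead of using the
 * {@code assert} keyword, so a rejection for the wrong reason fails the test even when the
 * JVM runs without {@code -ea}.
 *
 * @throws Exception if server setup or any positive connection attempt fails
 */
@Test
public void workerTokenDigestAuthTest() throws Exception {
    LOG.info("\n\n\t\tworkerTokenDigestAuthTest - START\n\n");
    Nimbus.Iface impl = mock(Nimbus.Iface.class);
    // Snapshot of the request context the server saw on the most recent activate() call.
    final AtomicReference<ReqContext> user = new AtomicReference<>();
    doAnswer((invocation) -> {
        // Copy the context at call time; verifyUserIs() inspects this snapshot later.
        user.set(new ReqContext(ReqContext.context()));
        return null;
    }).when(impl).activate(anyString());

    Map<String, Object> extraConfs = new HashMap<>();
    // Let worker tokens work on insecure ZK...
    // NOTE(review): as the key name says, this is a testing-only switch; it is set here
    // because the in-process ZooKeeper below is not secured.
    extraConfs.put("TESTING.ONLY.ENABLE.INSECURE.WORKER.TOKENS", true);

    try (InProcessZookeeper zk = new InProcessZookeeper()) {
        withServer(MISSING_CLIENT, DigestSaslTransportPlugin.class, impl, zk, extraConfs,
            (ThriftServer server, Map<String, Object> conf) -> {
                // Simulated time lets the test move past token expiry without sleeping.
                try (Time.SimulatedTime sim = new Time.SimulatedTime()) {
                    // No retries: a rejected connection must fail immediately.
                    conf.put(Config.STORM_NIMBUS_RETRY_TIMES, 0);

                    // We cannot connect if there is no client section in the jaas conf...
                    try (NimbusClient client = new NimbusClient(conf, "localhost", server.getPort(), NIMBUS_TIMEOUT)) {
                        client.getClient().activate("bad_auth_test_topology");
                        fail("We should not be able to connect without a token...");
                    } catch (Exception e) {
                        // fail() throws an Error, so it is not swallowed by this catch.
                        // Check the cause unconditionally: a bare `assert` is skipped without -ea,
                        // which would let any exception count as a correct rejection.
                        if (!Utils.exceptionCauseIsInstanceOf(IOException.class, e)) {
                            throw new AssertionError("Expected an IOException cause for the unauthenticated connection", e);
                        }
                    }

                    // Now lets create a token and verify that we can connect...
                    IStormClusterState state = ClusterUtils.mkStormClusterState(conf, new ClusterStateContext(DaemonType.NIMBUS, conf));
                    WorkerTokenManager wtMan = new WorkerTokenManager(conf, state);
                    Subject bob = testConnectWithTokenFor(wtMan, conf, server, "bob", "topo-bob");
                    verifyUserIs(user, "bob");

                    Time.advanceTimeSecs(TimeUnit.HOURS.toSeconds(12));

                    // Alice has no digest jaas section at all...
                    Subject alice = testConnectWithTokenFor(wtMan, conf, server, "alice", "topo-alice");
                    verifyUserIs(user, "alice");

                    // Bob's token is now 25 hours old, alice's 13 hours old.
                    // NOTE(review): presumably the token lifetime lies between those two
                    // values - confirm against WorkerTokenManager.
                    Time.advanceTimeSecs(TimeUnit.HOURS.toSeconds(13));

                    try {
                        tryConnectAs(conf, server, bob, "bad_auth_test_topology");
                        fail("We should not be able to connect with bad auth");
                    } catch (Exception e) {
                        // Same unconditional check as above: the stale token must be refused
                        // at the transport layer, not fail for an unrelated reason.
                        if (!Utils.exceptionCauseIsInstanceOf(TTransportException.class, e)) {
                            throw new AssertionError("Expected a TTransportException cause for the stale worker token", e);
                        }
                    }

                    // Alice's token must be unaffected by the rejection of bob's.
                    tryConnectAs(conf, server, alice, "topo-alice");
                    verifyUserIs(user, "alice");

                    // Now see if we can create a new token for bob and try again.
                    bob = testConnectWithTokenFor(wtMan, conf, server, "bob", "topo-bob");
                    verifyUserIs(user, "bob");

                    tryConnectAs(conf, server, alice, "topo-alice");
                    verifyUserIs(user, "alice");
                }
            });
    }

    // Only authenticated calls may have reached the handler; neither rejected attempt
    // (no credentials, stale token) may have been dispatched to activate().
    verify(impl, times(2)).activate("topo-bob");
    verify(impl, times(3)).activate("topo-alice");
    verify(impl, never()).activate("bad_auth_test_topology");
    LOG.info("\n\n\t\tworkerTokenDigestAuthTest - END\n\n");
}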