
Example 1 with WorkerTokenManager

Use of org.apache.storm.security.auth.workertoken.WorkerTokenManager in the Apache Storm project.

Class AuthTest, method workerTokenDigestAuthTest.

@Test
public void workerTokenDigestAuthTest() throws Exception {
    LOG.info("\n\n\t\tworkerTokenDigestAuthTest - START\n\n");
    Nimbus.Iface impl = mock(Nimbus.Iface.class);
    final AtomicReference<ReqContext> user = new AtomicReference<>();
    doAnswer((invocation) -> {
        user.set(new ReqContext(ReqContext.context()));
        return null;
    }).when(impl).activate(anyString());
    Map<String, Object> extraConfs = new HashMap<>();
    // Test-only switch: let worker tokens work even though the in-process ZK is insecure...
    extraConfs.put("TESTING.ONLY.ENABLE.INSECURE.WORKER.TOKENS", true);
    try (InProcessZookeeper zk = new InProcessZookeeper()) {
        withServer(MISSING_CLIENT, DigestSaslTransportPlugin.class, impl, zk, extraConfs, (ThriftServer server, Map<String, Object> conf) -> {
            try (Time.SimulatedTime sim = new Time.SimulatedTime()) {
                conf.put(Config.STORM_NIMBUS_RETRY_TIMES, 0);
                // We cannot connect if there is no client section in the jaas conf...
                try (NimbusClient client = new NimbusClient(conf, "localhost", server.getPort(), NIMBUS_TIMEOUT)) {
                    client.getClient().activate("bad_auth_test_topology");
                    fail("We should not be able to connect without a token...");
                } catch (Exception e) {
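                    // Use a JUnit assertion (org.junit.Assert.assertTrue): the Java `assert`
                    // keyword is skipped when the JVM runs without -ea.
                    assertTrue(Utils.exceptionCauseIsInstanceOf(IOException.class, e));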
                }
                // Now let's create a token and verify that we can connect...
                IStormClusterState state = ClusterUtils.mkStormClusterState(conf, new ClusterStateContext(DaemonType.NIMBUS, conf));
                WorkerTokenManager wtMan = new WorkerTokenManager(conf, state);
                Subject bob = testConnectWithTokenFor(wtMan, conf, server, "bob", "topo-bob");
                verifyUserIs(user, "bob");
                // Advance simulated time: bob's token is now 12 hours old.
                Time.advanceTimeSecs(TimeUnit.HOURS.toSeconds(12));
                // Alice has no digest jaas section at all...
                Subject alice = testConnectWithTokenFor(wtMan, conf, server, "alice", "topo-alice");
                verifyUserIs(user, "alice");
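                // Advance another 13 hours: bob's token was issued 25 simulated hours ago,
                // alice's 13. The test expects bob's older token to be rejected while
                // alice's is still accepted.
                Time.advanceTimeSecs(TimeUnit.HOURS.toSeconds(13));
                try {
                    tryConnectAs(conf, server, bob, "bad_auth_test_topology");
                    fail("We should not be able to connect with bad auth");
                } catch (Exception e) {
                    // JUnit assertion instead of the `assert` keyword, which needs -ea to run.
                    assertTrue(Utils.exceptionCauseIsInstanceOf(TTransportException.class, e));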
                }
                tryConnectAs(conf, server, alice, "topo-alice");
                verifyUserIs(user, "alice");
                // Now see if we can create a new token for bob and try again.
                bob = testConnectWithTokenFor(wtMan, conf, server, "bob", "topo-bob");
                verifyUserIs(user, "bob");
                tryConnectAs(conf, server, alice, "topo-alice");
                verifyUserIs(user, "alice");
            }
        });
    }
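    // Only the authenticated calls may have reached the Nimbus handler;
    // both rejected connection attempts must never have invoked activate().
    verify(impl, times(2)).activate("topo-bob");
    verify(impl, times(3)).activate("topo-alice");
    verify(impl, never()).activate("bad_auth_test_topology");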
    LOG.info("\n\n\t\tworkerTokenDigestAuthTest - END\n\n");
}
Also used: InProcessZookeeper (org.apache.storm.testing.InProcessZookeeper), HashMap (java.util.HashMap), AtomicReference (java.util.concurrent.atomic.AtomicReference), Time (org.apache.storm.utils.Time), NimbusClient (org.apache.storm.utils.NimbusClient), PrivilegedActionException (java.security.PrivilegedActionException), IOException (java.io.IOException), TTransportException (org.apache.storm.thrift.transport.TTransportException), Subject (javax.security.auth.Subject), WorkerTokenManager (org.apache.storm.security.auth.workertoken.WorkerTokenManager), Nimbus (org.apache.storm.generated.Nimbus), IStormClusterState (org.apache.storm.cluster.IStormClusterState), Map (java.util.Map), ClusterStateContext (org.apache.storm.cluster.ClusterStateContext), Test (org.junit.Test)
