@Test
public void testRefreshSuperUserGroupsWithFileSystemBasedConfigurationProvider()
throws IOException, YarnException {
configuration.set(
YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
"org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");
// upload default configurations
uploadDefaultConfiguration();
try {
rm = new MockRM(configuration);
rm.init(configuration);
rm.start();
} catch (Exception ex) {
fail("Should not get any exceptions");
}
Configuration coreConf = new Configuration(false);
coreConf.set("hadoop.proxyuser.test.groups", "test_groups");
coreConf.set("hadoop.proxyuser.test.hosts", "test_hosts");
uploadConfiguration(coreConf, "core-site.xml");
rm.adminService.refreshSuperUserGroupsConfiguration(
RefreshSuperUserGroupsConfigurationRequest.newInstance());
Assert.assertTrue(ProxyUsers.getProxyGroups().get("hadoop.proxyuser.test.groups").size() == 1);
Assert.assertTrue(
ProxyUsers.getProxyGroups().get("hadoop.proxyuser.test.groups").contains("test_groups"));
Assert.assertTrue(ProxyUsers.getProxyHosts().get("hadoop.proxyuser.test.hosts").size() == 1);
Assert.assertTrue(
ProxyUsers.getProxyHosts().get("hadoop.proxyuser.test.hosts").contains("test_hosts"));
}
public static void init(Configuration conf, ServiceAuthorizationManager authManager) {
// set service-level authorization security policy
System.setProperty("hadoop.policy.file", "hbase-policy.xml");
if (conf.getBoolean(ServiceAuthorizationManager.SERVICE_AUTHORIZATION_CONFIG, false)) {
authManager.refresh(conf, new HBasePolicyProvider());
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
}
}
/**
* Constructor with existing configuration
*
* @param conf existing configuration
* @param userProvider the login user provider
* @throws IOException
*/
RESTServlet(final Configuration conf, final UserProvider userProvider) throws IOException {
this.realUser = userProvider.getCurrent().getUGI();
this.conf = conf;
int cleanInterval = conf.getInt(CLEANUP_INTERVAL, 10 * 1000);
int maxIdleTime = conf.getInt(MAX_IDLETIME, 10 * 60 * 1000);
connectionCache = new ConnectionCache(conf, userProvider, cleanInterval, maxIdleTime);
if (supportsProxyuser()) {
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
}
}
private String getRemoteAddr(String clientAddr, String proxyAddr, boolean trusted) {
HttpServletRequest req = mock(HttpServletRequest.class);
when(req.getRemoteAddr()).thenReturn("1.2.3.4");
Configuration conf = new Configuration();
if (proxyAddr == null) {
when(req.getRemoteAddr()).thenReturn(clientAddr);
} else {
when(req.getRemoteAddr()).thenReturn(proxyAddr);
when(req.getHeader("X-Forwarded-For")).thenReturn(clientAddr);
if (trusted) {
conf.set(ProxyServers.CONF_HADOOP_PROXYSERVERS, proxyAddr);
}
}
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
return JspHelper.getRemoteAddr(req);
}
private static UserGroupInformation initUGI(
final UserGroupInformation realUgi,
final String doAsUserFromQuery,
final HttpServletRequest request,
final boolean isSecurityEnabled,
final Configuration conf)
throws AuthorizationException {
final UserGroupInformation ugi;
if (doAsUserFromQuery == null) {
// non-proxy case
ugi = realUgi;
} else {
// proxy case
ugi = UserGroupInformation.createProxyUser(doAsUserFromQuery, realUgi);
ugi.setAuthenticationMethod(
isSecurityEnabled ? AuthenticationMethod.PROXY : AuthenticationMethod.SIMPLE);
ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
}
return ugi;
}
@Override
public RefreshSuperUserGroupsConfigurationResponse refreshSuperUserGroupsConfiguration(
RefreshSuperUserGroupsConfigurationRequest request) throws YarnException, IOException {
String argName = "refreshSuperUserGroupsConfiguration";
UserGroupInformation user = checkAcls(argName);
if (!isRMActive()) {
RMAuditLogger.logFailure(
user.getShortUserName(),
argName,
adminAcl.toString(),
"AdminService",
"ResourceManager is not active. Can not refresh super-user-groups.");
throwStandbyException();
}
Configuration conf =
getConfiguration(new Configuration(false), YarnConfiguration.CORE_SITE_CONFIGURATION_FILE);
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
RMAuditLogger.logSuccess(user.getShortUserName(), argName, "AdminService");
return recordFactory.newRecordInstance(RefreshSuperUserGroupsConfigurationResponse.class);
}
@Test
public void testRMInitialsWithFileSystemBasedConfigurationProvider() throws Exception {
configuration.set(
YarnConfiguration.RM_CONFIGURATION_PROVIDER_CLASS,
"org.apache.hadoop.yarn.FileSystemBasedConfigurationProvider");
// upload configurations
final File excludeHostsFile = new File(tmpDir.toString(), "excludeHosts");
if (excludeHostsFile.exists()) {
excludeHostsFile.delete();
}
if (!excludeHostsFile.createNewFile()) {
Assert.fail("Can not create " + "excludeHosts");
}
PrintWriter fileWriter = new PrintWriter(excludeHostsFile);
fileWriter.write("0.0.0.0:123");
fileWriter.close();
uploadToRemoteFileSystem(new Path(excludeHostsFile.getAbsolutePath()));
YarnConfiguration yarnConf = new YarnConfiguration();
yarnConf.set(YarnConfiguration.YARN_ADMIN_ACL, "world:anyone:rwcda");
yarnConf.set(YarnConfiguration.RM_NODES_EXCLUDE_FILE_PATH, this.workingPath + "/excludeHosts");
uploadConfiguration(yarnConf, "yarn-site.xml");
CapacitySchedulerConfiguration csConf = new CapacitySchedulerConfiguration();
csConf.set("yarn.scheduler.capacity.maximum-applications", "5000");
uploadConfiguration(csConf, "capacity-scheduler.xml");
String aclsString = "alice,bob users,wheel";
Configuration newConf = new Configuration();
newConf.set("security.applicationclient.protocol.acl", aclsString);
uploadConfiguration(newConf, "hadoop-policy.xml");
Configuration conf = new Configuration();
conf.setBoolean(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, true);
conf.set("hadoop.proxyuser.test.groups", "test_groups");
conf.set("hadoop.proxyuser.test.hosts", "test_hosts");
conf.setClass(
CommonConfigurationKeys.HADOOP_SECURITY_GROUP_MAPPING,
MockUnixGroupsMapping.class,
GroupMappingServiceProvider.class);
uploadConfiguration(conf, "core-site.xml");
// update the groups
MockUnixGroupsMapping.updateGroups();
ResourceManager resourceManager = null;
try {
try {
resourceManager = new ResourceManager();
resourceManager.init(configuration);
resourceManager.start();
} catch (Exception ex) {
fail("Should not get any exceptions");
}
// validate values for excludeHosts
Set<String> excludeHosts =
resourceManager.getRMContext().getNodesListManager().getHostsReader().getExcludedHosts();
Assert.assertTrue(excludeHosts.size() == 1);
Assert.assertTrue(excludeHosts.contains("0.0.0.0:123"));
// validate values for admin-acls
String aclStringAfter =
resourceManager.adminService.getAccessControlList().getAclString().trim();
Assert.assertEquals(aclStringAfter, "world:anyone:rwcda");
// validate values for queue configuration
CapacityScheduler cs = (CapacityScheduler) resourceManager.getRMContext().getScheduler();
int maxAppsAfter = cs.getConfiguration().getMaximumSystemApplications();
Assert.assertEquals(maxAppsAfter, 5000);
// verify service Acls for AdminService
ServiceAuthorizationManager adminServiceServiceManager =
resourceManager.adminService.getServer().getServiceAuthorizationManager();
verifyServiceACLsRefresh(
adminServiceServiceManager,
org.apache.hadoop.yarn.api.ApplicationClientProtocolPB.class,
aclsString);
// verify service ACLs for ClientRMService
ServiceAuthorizationManager clientRMServiceServiceManager =
resourceManager
.getRMContext()
.getClientRMService()
.getServer()
.getServiceAuthorizationManager();
verifyServiceACLsRefresh(
clientRMServiceServiceManager,
org.apache.hadoop.yarn.api.ApplicationClientProtocolPB.class,
aclsString);
// verify service ACLs for ApplicationMasterService
ServiceAuthorizationManager appMasterService =
resourceManager
.getRMContext()
.getApplicationMasterService()
.getServer()
.getServiceAuthorizationManager();
verifyServiceACLsRefresh(
appMasterService,
org.apache.hadoop.yarn.api.ApplicationClientProtocolPB.class,
aclsString);
// verify service ACLs for ResourceTrackerService
ServiceAuthorizationManager RTService =
resourceManager
.getRMContext()
.getResourceTrackerService()
.getServer()
.getServiceAuthorizationManager();
verifyServiceACLsRefresh(
RTService, org.apache.hadoop.yarn.api.ApplicationClientProtocolPB.class, aclsString);
// verify ProxyUsers and ProxyHosts
Assert.assertTrue(
ProxyUsers.getProxyGroups().get("hadoop.proxyuser.test.groups").size() == 1);
Assert.assertTrue(
ProxyUsers.getProxyGroups().get("hadoop.proxyuser.test.groups").contains("test_groups"));
Assert.assertTrue(ProxyUsers.getProxyHosts().get("hadoop.proxyuser.test.hosts").size() == 1);
Assert.assertTrue(
ProxyUsers.getProxyHosts().get("hadoop.proxyuser.test.hosts").contains("test_hosts"));
// verify UserToGroupsMappings
List<String> groupAfter =
Groups.getUserToGroupsMappingService(configuration)
.getGroups(UserGroupInformation.getCurrentUser().getUserName());
Assert.assertTrue(
groupAfter.contains("test_group_D")
&& groupAfter.contains("test_group_E")
&& groupAfter.contains("test_group_F")
&& groupAfter.size() == 3);
} finally {
if (resourceManager != null) {
resourceManager.stop();
}
}
}
@Test
public void testGetProxyUgi() throws IOException {
conf.set(DFSConfigKeys.FS_DEFAULT_NAME_KEY, "hdfs://localhost:4321/");
ServletContext context = mock(ServletContext.class);
String realUser = "******";
String user = "******";
conf.set(DFSConfigKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
conf.set(DefaultImpersonationProvider.getProxySuperuserGroupConfKey(realUser), "*");
conf.set(DefaultImpersonationProvider.getProxySuperuserIpConfKey(realUser), "*");
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
UserGroupInformation.setConfiguration(conf);
UserGroupInformation ugi;
HttpServletRequest request;
// have to be auth-ed with remote user
request = getMockRequest(null, null, user);
try {
JspHelper.getUGI(context, request, conf);
Assert.fail("bad request allowed");
} catch (IOException ioe) {
Assert.assertEquals(
"Security enabled but user not authenticated by filter", ioe.getMessage());
}
request = getMockRequest(null, realUser, user);
try {
JspHelper.getUGI(context, request, conf);
Assert.fail("bad request allowed");
} catch (IOException ioe) {
Assert.assertEquals(
"Security enabled but user not authenticated by filter", ioe.getMessage());
}
// proxy ugi for user via remote user
request = getMockRequest(realUser, null, user);
ugi = JspHelper.getUGI(context, request, conf);
Assert.assertNotNull(ugi.getRealUser());
Assert.assertEquals(ugi.getRealUser().getShortUserName(), realUser);
Assert.assertEquals(ugi.getShortUserName(), user);
checkUgiFromAuth(ugi);
// proxy ugi for user vi a remote user = real user
request = getMockRequest(realUser, realUser, user);
ugi = JspHelper.getUGI(context, request, conf);
Assert.assertNotNull(ugi.getRealUser());
Assert.assertEquals(ugi.getRealUser().getShortUserName(), realUser);
Assert.assertEquals(ugi.getShortUserName(), user);
checkUgiFromAuth(ugi);
// proxy ugi for user via remote user != real user
request = getMockRequest(realUser, user, user);
try {
JspHelper.getUGI(context, request, conf);
Assert.fail("bad request allowed");
} catch (IOException ioe) {
Assert.assertEquals(
"Usernames not matched: name=" + user + " != expected=" + realUser, ioe.getMessage());
}
// try to get get a proxy user with unauthorized user
try {
request = getMockRequest(user, null, realUser);
JspHelper.getUGI(context, request, conf);
Assert.fail("bad proxy request allowed");
} catch (AuthorizationException ae) {
Assert.assertEquals(
"User: "******" is not allowed to impersonate " + realUser, ae.getMessage());
}
try {
request = getMockRequest(user, user, realUser);
JspHelper.getUGI(context, request, conf);
Assert.fail("bad proxy request allowed");
} catch (AuthorizationException ae) {
Assert.assertEquals(
"User: "******" is not allowed to impersonate " + realUser, ae.getMessage());
}
}
/**
* Get {@link UserGroupInformation} and possibly the delegation token out of the request.
*
* @param context the Servlet context
* @param request the http request
* @param conf configuration
* @param secureAuthMethod the AuthenticationMethod used in secure mode.
* @param tryUgiParameter Should it try the ugi parameter?
* @return a new user from the request
* @throws AccessControlException if the request has no token
*/
public static UserGroupInformation getUGI(
ServletContext context,
HttpServletRequest request,
Configuration conf,
final AuthenticationMethod secureAuthMethod,
final boolean tryUgiParameter)
throws IOException {
final UserGroupInformation ugi;
final String usernameFromQuery = getUsernameFromQuery(request, tryUgiParameter);
final String doAsUserFromQuery = request.getParameter(DoAsParam.NAME);
if (UserGroupInformation.isSecurityEnabled()) {
final String remoteUser = request.getRemoteUser();
String tokenString = request.getParameter(DELEGATION_PARAMETER_NAME);
if (tokenString != null) {
Token<DelegationTokenIdentifier> token = new Token<DelegationTokenIdentifier>();
token.decodeFromUrlString(tokenString);
SecurityUtil.setTokenService(token, NameNode.getAddress(conf));
token.setKind(DelegationTokenIdentifier.HDFS_DELEGATION_KIND);
ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
DataInputStream in = new DataInputStream(buf);
DelegationTokenIdentifier id = new DelegationTokenIdentifier();
id.readFields(in);
if (context != null) {
NameNode nn = (NameNode) context.getAttribute("name.node");
if (nn != null) {
// Verify the token.
nn.getNamesystem()
.getDelegationTokenSecretManager()
.verifyToken(id, token.getPassword());
}
}
ugi = id.getUser();
if (ugi.getRealUser() == null) {
// non-proxy case
checkUsername(ugi.getShortUserName(), usernameFromQuery);
checkUsername(null, doAsUserFromQuery);
} else {
// proxy case
checkUsername(ugi.getRealUser().getShortUserName(), usernameFromQuery);
checkUsername(ugi.getShortUserName(), doAsUserFromQuery);
ProxyUsers.authorize(ugi, request.getRemoteAddr(), conf);
}
ugi.addToken(token);
ugi.setAuthenticationMethod(AuthenticationMethod.TOKEN);
} else {
if (remoteUser == null) {
throw new IOException("Security enabled but user not " + "authenticated by filter");
}
final UserGroupInformation realUgi = UserGroupInformation.createRemoteUser(remoteUser);
checkUsername(realUgi.getShortUserName(), usernameFromQuery);
// This is not necessarily true, could have been auth'ed by user-facing
// filter
realUgi.setAuthenticationMethod(secureAuthMethod);
ugi = initUGI(realUgi, doAsUserFromQuery, request, true, conf);
}
} else { // Security's not on, pull from url
final UserGroupInformation realUgi =
usernameFromQuery == null
? getDefaultWebUser(conf) // not specified in request
: UserGroupInformation.createRemoteUser(usernameFromQuery);
realUgi.setAuthenticationMethod(AuthenticationMethod.SIMPLE);
ugi = initUGI(realUgi, doAsUserFromQuery, request, false, conf);
}
if (LOG.isDebugEnabled()) LOG.debug("getUGI is returning: " + ugi.getShortUserName());
return ugi;
}
@Test
public void testRefreshSuperUserGroupsConfiguration() throws Exception {
final String SUPER_USER = "******";
final String[] GROUP_NAMES1 = new String[] {"gr1", "gr2"};
final String[] GROUP_NAMES2 = new String[] {"gr3", "gr4"};
// keys in conf
String userKeyGroups = ProxyUsers.getProxySuperuserGroupConfKey(SUPER_USER);
String userKeyHosts = ProxyUsers.getProxySuperuserIpConfKey(SUPER_USER);
config.set(userKeyGroups, "gr3,gr4,gr5"); // superuser can proxy for this group
config.set(userKeyHosts, "127.0.0.1");
ProxyUsers.refreshSuperUserGroupsConfiguration(config);
UserGroupInformation ugi1 = mock(UserGroupInformation.class);
UserGroupInformation ugi2 = mock(UserGroupInformation.class);
UserGroupInformation suUgi = mock(UserGroupInformation.class);
when(ugi1.getRealUser()).thenReturn(suUgi);
when(ugi2.getRealUser()).thenReturn(suUgi);
when(suUgi.getShortUserName()).thenReturn(SUPER_USER); // super user
when(suUgi.getUserName()).thenReturn(SUPER_USER + "L"); // super user
when(ugi1.getShortUserName()).thenReturn("user1");
when(ugi2.getShortUserName()).thenReturn("user2");
when(ugi1.getUserName()).thenReturn("userL1");
when(ugi2.getUserName()).thenReturn("userL2");
// set groups for users
when(ugi1.getGroupNames()).thenReturn(GROUP_NAMES1);
when(ugi2.getGroupNames()).thenReturn(GROUP_NAMES2);
// check before
try {
ProxyUsers.authorize(ugi1, "127.0.0.1", config);
fail("first auth for " + ugi1.getShortUserName() + " should've failed ");
} catch (AuthorizationException e) {
// expected
System.err.println("auth for " + ugi1.getUserName() + " failed");
}
try {
ProxyUsers.authorize(ugi2, "127.0.0.1", config);
System.err.println("auth for " + ugi2.getUserName() + " succeeded");
// expected
} catch (AuthorizationException e) {
fail(
"first auth for "
+ ugi2.getShortUserName()
+ " should've succeeded: "
+ e.getLocalizedMessage());
}
// refresh will look at configuration on the server side
// add additional resource with the new value
// so the server side will pick it up
String rsrc = "testGroupMappingRefresh_rsrc.xml";
addNewConfigResource(rsrc, userKeyGroups, "gr2", userKeyHosts, "127.0.0.1");
DFSAdmin admin = new DFSAdmin(config);
String[] args = new String[] {"-refreshSuperUserGroupsConfiguration"};
// NameNode nn = cluster.getNameNode();
// Configuration conf = new Configuration(config);
// conf.set(userKeyGroups, "gr2"); // superuser can proxy for this group
// admin.setConf(conf);
admin.run(args);
try {
ProxyUsers.authorize(ugi2, "127.0.0.1", config);
fail("second auth for " + ugi2.getShortUserName() + " should've failed ");
} catch (AuthorizationException e) {
// expected
System.err.println("auth for " + ugi2.getUserName() + " failed");
}
try {
ProxyUsers.authorize(ugi1, "127.0.0.1", config);
System.err.println("auth for " + ugi1.getUserName() + " succeeded");
// expected
} catch (AuthorizationException e) {
fail(
"second auth for "
+ ugi1.getShortUserName()
+ " should've succeeded: "
+ e.getLocalizedMessage());
}
}
@Override // RefreshAuthorizationPolicyProtocol
public void refreshSuperUserGroupsConfiguration() {
LOG.info("Refreshing SuperUser proxy group mapping list ");
ProxyUsers.refreshSuperUserGroupsConfiguration();
}
@BeforeClass
public static void setupClass() throws Exception {
solrHomeDirectory = createTempDir().toFile();
assumeFalse(
"HDFS tests were disabled by -Dtests.disableHdfs",
Boolean.parseBoolean(System.getProperty("tests.disableHdfs", "false")));
assumeFalse(
"FIXME: This test does not work with Windows because of native library requirements",
Constants.WINDOWS);
AbstractZkTestCase.SOLRHOME = solrHomeDirectory;
FileUtils.copyDirectory(MINIMR_CONF_DIR, solrHomeDirectory);
File dataDir = createTempDir().toFile();
tempDir = dataDir.getAbsolutePath();
new File(tempDir).mkdirs();
FileUtils.copyFile(
new File(RESOURCES_DIR + "/custom-mimetypes.xml"),
new File(tempDir + "/custom-mimetypes.xml"));
AbstractSolrMorphlineTestBase.setupMorphline(
tempDir, "test-morphlines/solrCellDocumentTypes", true);
System.setProperty("hadoop.log.dir", new File(solrHomeDirectory, "logs").getAbsolutePath());
int taskTrackers = 1;
int dataNodes = 2;
// String proxyUser = System.getProperty("user.name");
// String proxyGroup = "g";
// StringBuilder sb = new StringBuilder();
// sb.append("127.0.0.1,localhost");
// for (InetAddress i : InetAddress.getAllByName(InetAddress.getLocalHost().getHostName())) {
// sb.append(",").append(i.getCanonicalHostName());
// }
new File(dataDir, "nm-local-dirs").mkdirs();
System.setProperty("solr.hdfs.blockcache.enabled", "false");
System.setProperty(
"test.build.dir", dataDir + File.separator + "hdfs" + File.separator + "test-build-dir");
System.setProperty(
"test.build.data", dataDir + File.separator + "hdfs" + File.separator + "build");
System.setProperty(
"test.cache.data", dataDir + File.separator + "hdfs" + File.separator + "cache");
// Initialize AFTER test.build.dir is set, JarFinder uses it.
SEARCH_ARCHIVES_JAR = JarFinder.getJar(MapReduceIndexerTool.class);
JobConf conf = new JobConf();
conf.set("dfs.block.access.token.enable", "false");
conf.set("dfs.permissions", "true");
conf.set("hadoop.security.authentication", "simple");
conf.set(YarnConfiguration.NM_LOCAL_DIRS, dataDir.getPath() + File.separator + "nm-local-dirs");
conf.set(YarnConfiguration.DEFAULT_NM_LOG_DIRS, dataDir + File.separator + "nm-logs");
conf.set("testWorkDir", dataDir.getPath() + File.separator + "testWorkDir");
conf.set("mapreduce.jobhistory.minicluster.fixed.ports", "false");
conf.set("mapreduce.jobhistory.admin.address", "0.0.0.0:0");
dfsCluster = new MiniDFSCluster(conf, dataNodes, true, null);
FileSystem fileSystem = dfsCluster.getFileSystem();
fileSystem.mkdirs(new Path("/tmp"));
fileSystem.mkdirs(new Path("/user"));
fileSystem.mkdirs(new Path("/hadoop/mapred/system"));
fileSystem.setPermission(new Path("/tmp"), FsPermission.valueOf("-rwxrwxrwx"));
fileSystem.setPermission(new Path("/user"), FsPermission.valueOf("-rwxrwxrwx"));
fileSystem.setPermission(new Path("/hadoop/mapred/system"), FsPermission.valueOf("-rwx------"));
String nnURI = fileSystem.getUri().toString();
int numDirs = 1;
String[] racks = null;
String[] hosts = null;
mrCluster = new MiniMRCluster(0, 0, taskTrackers, nnURI, numDirs, racks, hosts, null, conf);
ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
}
