public static void init(Configuration conf, ServiceAuthorizationManager authManager) { // set service-level authorization security policy System.setProperty("hadoop.policy.file", "hbase-policy.xml"); if (conf.getBoolean(ServiceAuthorizationManager.SERVICE_AUTHORIZATION_CONFIG, false)) { authManager.refresh(conf, new HBasePolicyProvider()); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); } }
/** * Constructor with existing configuration * * @param conf existing configuration * @param userProvider the login user provider * @throws IOException */ RESTServlet(final Configuration conf, final UserProvider userProvider) throws IOException { this.realUser = userProvider.getCurrent().getUGI(); this.conf = conf; int cleanInterval = conf.getInt(CLEANUP_INTERVAL, 10 * 1000); int maxIdleTime = conf.getInt(MAX_IDLETIME, 10 * 60 * 1000); connectionCache = new ConnectionCache(conf, userProvider, cleanInterval, maxIdleTime); if (supportsProxyuser()) { ProxyUsers.refreshSuperUserGroupsConfiguration(conf); } }
private String getRemoteAddr(String clientAddr, String proxyAddr, boolean trusted) { HttpServletRequest req = mock(HttpServletRequest.class); when(req.getRemoteAddr()).thenReturn("1.2.3.4"); Configuration conf = new Configuration(); if (proxyAddr == null) { when(req.getRemoteAddr()).thenReturn(clientAddr); } else { when(req.getRemoteAddr()).thenReturn(proxyAddr); when(req.getHeader("X-Forwarded-For")).thenReturn(clientAddr); if (trusted) { conf.set(ProxyServers.CONF_HADOOP_PROXYSERVERS, proxyAddr); } } ProxyUsers.refreshSuperUserGroupsConfiguration(conf); return JspHelper.getRemoteAddr(req); }
@Override public RefreshSuperUserGroupsConfigurationResponse refreshSuperUserGroupsConfiguration( RefreshSuperUserGroupsConfigurationRequest request) throws YarnException, IOException { String argName = "refreshSuperUserGroupsConfiguration"; UserGroupInformation user = checkAcls(argName); if (!isRMActive()) { RMAuditLogger.logFailure( user.getShortUserName(), argName, adminAcl.toString(), "AdminService", "ResourceManager is not active. Can not refresh super-user-groups."); throwStandbyException(); } Configuration conf = getConfiguration(new Configuration(false), YarnConfiguration.CORE_SITE_CONFIGURATION_FILE); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); RMAuditLogger.logSuccess(user.getShortUserName(), argName, "AdminService"); return recordFactory.newRecordInstance(RefreshSuperUserGroupsConfigurationResponse.class); }
@Test public void testGetProxyUgi() throws IOException { conf.set(DFSConfigKeys.FS_DEFAULT_NAME_KEY, "hdfs://localhost:4321/"); ServletContext context = mock(ServletContext.class); String realUser = "******"; String user = "******"; conf.set(DFSConfigKeys.HADOOP_SECURITY_AUTHENTICATION, "kerberos"); conf.set(DefaultImpersonationProvider.getProxySuperuserGroupConfKey(realUser), "*"); conf.set(DefaultImpersonationProvider.getProxySuperuserIpConfKey(realUser), "*"); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); UserGroupInformation.setConfiguration(conf); UserGroupInformation ugi; HttpServletRequest request; // have to be auth-ed with remote user request = getMockRequest(null, null, user); try { JspHelper.getUGI(context, request, conf); Assert.fail("bad request allowed"); } catch (IOException ioe) { Assert.assertEquals( "Security enabled but user not authenticated by filter", ioe.getMessage()); } request = getMockRequest(null, realUser, user); try { JspHelper.getUGI(context, request, conf); Assert.fail("bad request allowed"); } catch (IOException ioe) { Assert.assertEquals( "Security enabled but user not authenticated by filter", ioe.getMessage()); } // proxy ugi for user via remote user request = getMockRequest(realUser, null, user); ugi = JspHelper.getUGI(context, request, conf); Assert.assertNotNull(ugi.getRealUser()); Assert.assertEquals(ugi.getRealUser().getShortUserName(), realUser); Assert.assertEquals(ugi.getShortUserName(), user); checkUgiFromAuth(ugi); // proxy ugi for user vi a remote user = real user request = getMockRequest(realUser, realUser, user); ugi = JspHelper.getUGI(context, request, conf); Assert.assertNotNull(ugi.getRealUser()); Assert.assertEquals(ugi.getRealUser().getShortUserName(), realUser); Assert.assertEquals(ugi.getShortUserName(), user); checkUgiFromAuth(ugi); // proxy ugi for user via remote user != real user request = getMockRequest(realUser, user, user); try { JspHelper.getUGI(context, request, conf); Assert.fail("bad request allowed"); } catch (IOException ioe) { Assert.assertEquals( "Usernames not matched: name=" + user + " != expected=" + realUser, ioe.getMessage()); } // try to get get a proxy user with unauthorized user try { request = getMockRequest(user, null, realUser); JspHelper.getUGI(context, request, conf); Assert.fail("bad proxy request allowed"); } catch (AuthorizationException ae) { Assert.assertEquals( "User: "******" is not allowed to impersonate " + realUser, ae.getMessage()); } try { request = getMockRequest(user, user, realUser); JspHelper.getUGI(context, request, conf); Assert.fail("bad proxy request allowed"); } catch (AuthorizationException ae) { Assert.assertEquals( "User: "******" is not allowed to impersonate " + realUser, ae.getMessage()); } }
@Test public void testRefreshSuperUserGroupsConfiguration() throws Exception { final String SUPER_USER = "******"; final String[] GROUP_NAMES1 = new String[] {"gr1", "gr2"}; final String[] GROUP_NAMES2 = new String[] {"gr3", "gr4"}; // keys in conf String userKeyGroups = ProxyUsers.getProxySuperuserGroupConfKey(SUPER_USER); String userKeyHosts = ProxyUsers.getProxySuperuserIpConfKey(SUPER_USER); config.set(userKeyGroups, "gr3,gr4,gr5"); // superuser can proxy for this group config.set(userKeyHosts, "127.0.0.1"); ProxyUsers.refreshSuperUserGroupsConfiguration(config); UserGroupInformation ugi1 = mock(UserGroupInformation.class); UserGroupInformation ugi2 = mock(UserGroupInformation.class); UserGroupInformation suUgi = mock(UserGroupInformation.class); when(ugi1.getRealUser()).thenReturn(suUgi); when(ugi2.getRealUser()).thenReturn(suUgi); when(suUgi.getShortUserName()).thenReturn(SUPER_USER); // super user when(suUgi.getUserName()).thenReturn(SUPER_USER + "L"); // super user when(ugi1.getShortUserName()).thenReturn("user1"); when(ugi2.getShortUserName()).thenReturn("user2"); when(ugi1.getUserName()).thenReturn("userL1"); when(ugi2.getUserName()).thenReturn("userL2"); // set groups for users when(ugi1.getGroupNames()).thenReturn(GROUP_NAMES1); when(ugi2.getGroupNames()).thenReturn(GROUP_NAMES2); // check before try { ProxyUsers.authorize(ugi1, "127.0.0.1", config); fail("first auth for " + ugi1.getShortUserName() + " should've failed "); } catch (AuthorizationException e) { // expected System.err.println("auth for " + ugi1.getUserName() + " failed"); } try { ProxyUsers.authorize(ugi2, "127.0.0.1", config); System.err.println("auth for " + ugi2.getUserName() + " succeeded"); // expected } catch (AuthorizationException e) { fail( "first auth for " + ugi2.getShortUserName() + " should've succeeded: " + e.getLocalizedMessage()); } // refresh will look at configuration on the server side // add additional resource with the new value // so the server side will pick it up String rsrc = "testGroupMappingRefresh_rsrc.xml"; addNewConfigResource(rsrc, userKeyGroups, "gr2", userKeyHosts, "127.0.0.1"); DFSAdmin admin = new DFSAdmin(config); String[] args = new String[] {"-refreshSuperUserGroupsConfiguration"}; // NameNode nn = cluster.getNameNode(); // Configuration conf = new Configuration(config); // conf.set(userKeyGroups, "gr2"); // superuser can proxy for this group // admin.setConf(conf); admin.run(args); try { ProxyUsers.authorize(ugi2, "127.0.0.1", config); fail("second auth for " + ugi2.getShortUserName() + " should've failed "); } catch (AuthorizationException e) { // expected System.err.println("auth for " + ugi2.getUserName() + " failed"); } try { ProxyUsers.authorize(ugi1, "127.0.0.1", config); System.err.println("auth for " + ugi1.getUserName() + " succeeded"); // expected } catch (AuthorizationException e) { fail( "second auth for " + ugi1.getShortUserName() + " should've succeeded: " + e.getLocalizedMessage()); } }
@Override // RefreshAuthorizationPolicyProtocol public void refreshSuperUserGroupsConfiguration() { LOG.info("Refreshing SuperUser proxy group mapping list "); ProxyUsers.refreshSuperUserGroupsConfiguration(); }
@BeforeClass public static void setupClass() throws Exception { solrHomeDirectory = createTempDir().toFile(); assumeFalse( "HDFS tests were disabled by -Dtests.disableHdfs", Boolean.parseBoolean(System.getProperty("tests.disableHdfs", "false"))); assumeFalse( "FIXME: This test does not work with Windows because of native library requirements", Constants.WINDOWS); AbstractZkTestCase.SOLRHOME = solrHomeDirectory; FileUtils.copyDirectory(MINIMR_CONF_DIR, solrHomeDirectory); File dataDir = createTempDir().toFile(); tempDir = dataDir.getAbsolutePath(); new File(tempDir).mkdirs(); FileUtils.copyFile( new File(RESOURCES_DIR + "/custom-mimetypes.xml"), new File(tempDir + "/custom-mimetypes.xml")); AbstractSolrMorphlineTestBase.setupMorphline( tempDir, "test-morphlines/solrCellDocumentTypes", true); System.setProperty("hadoop.log.dir", new File(solrHomeDirectory, "logs").getAbsolutePath()); int taskTrackers = 1; int dataNodes = 2; // String proxyUser = System.getProperty("user.name"); // String proxyGroup = "g"; // StringBuilder sb = new StringBuilder(); // sb.append("127.0.0.1,localhost"); // for (InetAddress i : InetAddress.getAllByName(InetAddress.getLocalHost().getHostName())) { // sb.append(",").append(i.getCanonicalHostName()); // } new File(dataDir, "nm-local-dirs").mkdirs(); System.setProperty("solr.hdfs.blockcache.enabled", "false"); System.setProperty( "test.build.dir", dataDir + File.separator + "hdfs" + File.separator + "test-build-dir"); System.setProperty( "test.build.data", dataDir + File.separator + "hdfs" + File.separator + "build"); System.setProperty( "test.cache.data", dataDir + File.separator + "hdfs" + File.separator + "cache"); // Initialize AFTER test.build.dir is set, JarFinder uses it. SEARCH_ARCHIVES_JAR = JarFinder.getJar(MapReduceIndexerTool.class); JobConf conf = new JobConf(); conf.set("dfs.block.access.token.enable", "false"); conf.set("dfs.permissions", "true"); conf.set("hadoop.security.authentication", "simple"); conf.set(YarnConfiguration.NM_LOCAL_DIRS, dataDir.getPath() + File.separator + "nm-local-dirs"); conf.set(YarnConfiguration.DEFAULT_NM_LOG_DIRS, dataDir + File.separator + "nm-logs"); conf.set("testWorkDir", dataDir.getPath() + File.separator + "testWorkDir"); conf.set("mapreduce.jobhistory.minicluster.fixed.ports", "false"); conf.set("mapreduce.jobhistory.admin.address", "0.0.0.0:0"); dfsCluster = new MiniDFSCluster(conf, dataNodes, true, null); FileSystem fileSystem = dfsCluster.getFileSystem(); fileSystem.mkdirs(new Path("/tmp")); fileSystem.mkdirs(new Path("/user")); fileSystem.mkdirs(new Path("/hadoop/mapred/system")); fileSystem.setPermission(new Path("/tmp"), FsPermission.valueOf("-rwxrwxrwx")); fileSystem.setPermission(new Path("/user"), FsPermission.valueOf("-rwxrwxrwx")); fileSystem.setPermission(new Path("/hadoop/mapred/system"), FsPermission.valueOf("-rwx------")); String nnURI = fileSystem.getUri().toString(); int numDirs = 1; String[] racks = null; String[] hosts = null; mrCluster = new MiniMRCluster(0, 0, taskTrackers, nnURI, numDirs, racks, hosts, null, conf); ProxyUsers.refreshSuperUserGroupsConfiguration(conf); }