hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/TestSecureLogins.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.apache.hadoop.registry.secure;



import com.sun.security.auth.module.Krb5LoginModule;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.util.Shell;
import org.apache.hadoop.registry.client.impl.zk.RegistrySecurity;
import org.apache.hadoop.registry.client.impl.zk.ZookeeperConfigOptions;
import org.apache.zookeeper.Environment;
import org.apache.zookeeper.data.ACL;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.io.File;
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Verify that logins work
 */
public class TestSecureLogins extends AbstractSecureRegistryTest {
  private static final Logger LOG =
      LoggerFactory.getLogger(TestSecureLogins.class);

  @Test
  public void testHasRealm() throws Throwable {
    assertNotNull(getRealm());
    LOG.info("ZK principal = {}", getPrincipalAndRealm(ZOOKEEPER_LOCALHOST));
  }

  @Test
  public void testJaasFileSetup() throws Throwable {
    // the JVM has seemed inconsistent on setting up here
    assertNotNull("jaasFile", jaasFile);
    String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
    assertEquals(jaasFile.getAbsolutePath(), confFilename);
  }

  @Test
  public void testJaasFileBinding() throws Throwable {
    // the JVM has seemed inconsistent on setting up here
    assertNotNull("jaasFile", jaasFile);
    RegistrySecurity.bindJVMtoJAASFile(jaasFile);
    String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
    assertEquals(jaasFile.getAbsolutePath(), confFilename);
  }


  @Test
  public void testClientLogin() throws Throwable {
    LoginContext client = login(ALICE_LOCALHOST,
                                ALICE_CLIENT_CONTEXT,
                                keytab_alice);

    try {
      logLoginDetails(ALICE_LOCALHOST, client);
      String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
      assertNotNull("Unset: "+ Environment.JAAS_CONF_KEY, confFilename);
      String config = FileUtils.readFileToString(new File(confFilename));
      LOG.info("{}=\n{}", confFilename, config);
      RegistrySecurity.setZKSaslClientProperties(ALICE, ALICE_CLIENT_CONTEXT);
    } finally {
      client.logout();
    }
  }

  @Test
  public void testZKServerContextLogin() throws Throwable {
    LoginContext client = login(ZOOKEEPER_LOCALHOST,
                                ZOOKEEPER_SERVER_CONTEXT,
                                keytab_zk);
    logLoginDetails(ZOOKEEPER_LOCALHOST, client);

    client.logout();
  }


  @Test
  public void testServerLogin() throws Throwable {
    LoginContext loginContext = createLoginContextZookeeperLocalhost();
    loginContext.login();
    loginContext.logout();
  }

  public LoginContext createLoginContextZookeeperLocalhost() throws
      LoginException {
    String principalAndRealm = getPrincipalAndRealm(ZOOKEEPER_LOCALHOST);
    Set<Principal> principals = new HashSet<Principal>();
    principals.add(new KerberosPrincipal(ZOOKEEPER_LOCALHOST));
    Subject subject = new Subject(false, principals, new HashSet<Object>(),
        new HashSet<Object>());
    return new LoginContext("", subject, null,
        KerberosConfiguration.createServerConfig(ZOOKEEPER_LOCALHOST, keytab_zk));
  }


  @Test
  public void testKerberosAuth() throws Throwable {
    File krb5conf = getKdc().getKrb5conf();
    String krbConfig = FileUtils.readFileToString(krb5conf);
    LOG.info("krb5.conf at {}:\n{}", krb5conf, krbConfig);
    Subject subject = new Subject();

    final Krb5LoginModule krb5LoginModule = new Krb5LoginModule();
    final Map<String, String> options = new HashMap<String, String>();
    options.put("keyTab", keytab_alice.getAbsolutePath());
    options.put("principal", ALICE_LOCALHOST);
    options.put("debug", "true");
    options.put("doNotPrompt", "true");
    options.put("isInitiator", "true");
    options.put("refreshKrb5Config", "true");
    options.put("renewTGT", "true");
    options.put("storeKey", "true");
    options.put("useKeyTab", "true");
    options.put("useTicketCache", "true");

    krb5LoginModule.initialize(subject, null,
        new HashMap<String, String>(),
        options);

    boolean loginOk = krb5LoginModule.login();
    assertTrue("Failed to login", loginOk);
    boolean commitOk = krb5LoginModule.commit();
    assertTrue("Failed to Commit", commitOk);
  }

  @Test
  public void testDefaultRealmValid() throws Throwable {
    String defaultRealm = KerberosUtil.getDefaultRealm();
    assertNotEmpty("No default Kerberos Realm",
        defaultRealm);
    LOG.info("Default Realm '{}'", defaultRealm);
  }

  @Test
  public void testKerberosRulesValid() throws Throwable {
    assertTrue("!KerberosName.hasRulesBeenSet()",
        KerberosName.hasRulesBeenSet());
    String rules = KerberosName.getRules();
    assertEquals(kerberosRule, rules);
    LOG.info(rules);
  }

  @Test
  public void testValidKerberosName() throws Throwable {

    new HadoopKerberosName(ZOOKEEPER).getShortName();
    new HadoopKerberosName(ZOOKEEPER_REALM).getShortName();
    new HadoopKerberosName(ZOOKEEPER_LOCALHOST_REALM).getShortName();
    try {
      new HadoopKerberosName(ZOOKEEPER_LOCALHOST).getShortName();
      Assert.fail("Unexpected success for invalid principal: " +
          ZOOKEEPER_LOCALHOST);
    } catch (IOException e) {
      LOG.info("Expected exception: " + e.getMessage());
    }
  }


  @Test
  public void testUGILogin() throws Throwable {

    UserGroupInformation ugi = loginUGI(ZOOKEEPER, keytab_zk);
    RegistrySecurity.UgiInfo ugiInfo =
        new RegistrySecurity.UgiInfo(ugi);
    LOG.info("logged in as: {}", ugiInfo);
    assertTrue("security is not enabled: " + ugiInfo,
        UserGroupInformation.isSecurityEnabled());
    assertTrue("login is keytab based: " + ugiInfo,
        ugi.isFromKeytab());

    // now we are here, build a SASL ACL
    ACL acl = ugi.doAs(new PrivilegedExceptionAction<ACL>() {
      @Override
      public ACL run() throws Exception {
        return registrySecurity.createSaslACLFromCurrentUser(0);
      }
    });
    assertEquals(ZOOKEEPER_REALM, acl.getId().getId());
    assertEquals(ZookeeperConfigOptions.SCHEME_SASL, acl.getId().getScheme());
    registrySecurity.addSystemACL(acl);

  }

}