hadoop-yarn-project/hadoop-yarn/hadoop-yarn-registry/src/test/java/org/apache/hadoop/registry/secure/TestSecureLogins.java - hadoop - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.hadoop.registry.secure;

 import java.io.File;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
 import java.security.Principal;
 import java.security.PrivilegedExceptionAction;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.kerberos.KerberosPrincipal;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;

 import org.apache.zookeeper.Environment;
 import org.apache.zookeeper.data.ACL;

 import org.apache.commons.io.FileUtils;
 import org.apache.hadoop.security.HadoopKerberosName;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.util.KerberosName;
 import org.apache.hadoop.security.authentication.util.KerberosUtil;
 import org.apache.hadoop.registry.client.impl.zk.RegistrySecurity;
 import org.apache.hadoop.registry.client.impl.zk.ZookeeperConfigOptions;

 import static org.apache.hadoop.security.authentication.util.KerberosName.DEFAULT_MECHANISM;
 import static org.apache.hadoop.security.authentication.util.KerberosName.MECHANISM_HADOOP;
 import static org.apache.hadoop.security.authentication.util.KerberosName.MECHANISM_MIT;
 import static org.apache.hadoop.util.PlatformName.IBM_JAVA;

 import org.junit.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 /**
  * Verify that logins work
  */
 public class TestSecureLogins extends AbstractSecureRegistryTest {
   private static final Logger LOG =
       LoggerFactory.getLogger(TestSecureLogins.class);

   @Test
   public void testHasRealm() throws Throwable {
     assertNotNull(getRealm());
     LOG.info("ZK principal = {}", getPrincipalAndRealm(ZOOKEEPER_LOCALHOST));
   }

   @Test
   public void testJaasFileSetup() throws Throwable {
     // the JVM has seemed inconsistent on setting up here
     assertNotNull("jaasFile", jaasFile);
     String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
     assertEquals(jaasFile.getAbsolutePath(), confFilename);
   }

   @Test
   public void testJaasFileBinding() throws Throwable {
     // the JVM has seemed inconsistent on setting up here
     assertNotNull("jaasFile", jaasFile);
     RegistrySecurity.bindJVMtoJAASFile(jaasFile);
     String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
     assertEquals(jaasFile.getAbsolutePath(), confFilename);
   }

   @Test
   public void testClientLogin() throws Throwable {
     LoginContext client = login(ALICE_LOCALHOST,
                                 ALICE_CLIENT_CONTEXT,
                                 keytab_alice);

     try {
       logLoginDetails(ALICE_LOCALHOST, client);
       String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
       assertNotNull("Unset: "+ Environment.JAAS_CONF_KEY, confFilename);
       String config = FileUtils.readFileToString(new File(confFilename));
       LOG.info("{}=\n{}", confFilename, config);
       RegistrySecurity.setZKSaslClientProperties(ALICE, ALICE_CLIENT_CONTEXT);
     } finally {
       client.logout();
     }
   }

   @Test
   public void testZKServerContextLogin() throws Throwable {
     LoginContext client = login(ZOOKEEPER_LOCALHOST,
                                 ZOOKEEPER_SERVER_CONTEXT,
                                 keytab_zk);
     logLoginDetails(ZOOKEEPER_LOCALHOST, client);

     client.logout();
   }

   @Test
   public void testServerLogin() throws Throwable {
     LoginContext loginContext = createLoginContextZookeeperLocalhost();
     loginContext.login();
     loginContext.logout();
   }

   public LoginContext createLoginContextZookeeperLocalhost() throws
       LoginException {
     String principalAndRealm = getPrincipalAndRealm(ZOOKEEPER_LOCALHOST);
     Set<Principal> principals = new HashSet<Principal>();
     principals.add(new KerberosPrincipal(ZOOKEEPER_LOCALHOST));
     Subject subject = new Subject(false, principals, new HashSet<Object>(),
         new HashSet<Object>());
     return new LoginContext("", subject, null,
         KerberosConfiguration.createServerConfig(ZOOKEEPER_LOCALHOST, keytab_zk));
   }

   @Test
   public void testKerberosAuth() throws Throwable {
     File krb5conf = getKdc().getKrb5conf();
     String krbConfig = FileUtils.readFileToString(krb5conf);
     LOG.info("krb5.conf at {}:\n{}", krb5conf, krbConfig);
     Subject subject = new Subject();
     Class<?> kerb5LoginClass =
         Class.forName(KerberosUtil.getKrb5LoginModuleName());
     Constructor<?> kerb5LoginConstr = kerb5LoginClass.getConstructor();
     Object kerb5LoginObject = kerb5LoginConstr.newInstance();
     final Map<String, String> options = new HashMap<String, String>();
     options.put("debug", "true");
     if (IBM_JAVA) {
       options.put("useKeytab",
           keytab_alice.getAbsolutePath().startsWith("file://")
             ? keytab_alice.getAbsolutePath()
             : "file://" +  keytab_alice.getAbsolutePath());
       options.put("principal", ALICE_LOCALHOST);
       options.put("refreshKrb5Config", "true");
       options.put("credsType", "both");
       String ticketCache = System.getenv("KRB5CCNAME");
       if (ticketCache != null) {
         // IBM JAVA only respect system property and not env variable
         // The first value searched when "useDefaultCcache" is used.
         System.setProperty("KRB5CCNAME", ticketCache);
         options.put("useDefaultCcache", "true");
         options.put("renewTGT", "true");
       }
     } else {
       options.put("keyTab", keytab_alice.getAbsolutePath());
       options.put("principal", ALICE_LOCALHOST);
       options.put("doNotPrompt", "true");
       options.put("isInitiator", "true");
       options.put("refreshKrb5Config", "true");
       options.put("renewTGT", "true");
       options.put("storeKey", "true");
       options.put("useKeyTab", "true");
       options.put("useTicketCache", "true");
     }
     Method methodInitialize =
         kerb5LoginObject.getClass().getMethod("initialize", Subject.class,
           CallbackHandler.class, Map.class, Map.class);
     methodInitialize.invoke(kerb5LoginObject, subject, null,
         new HashMap<String, String>(), options);
     Method methodLogin = kerb5LoginObject.getClass().getMethod("login");
     boolean loginOk = (Boolean) methodLogin.invoke(kerb5LoginObject);
     assertTrue("Failed to login", loginOk);
     Method methodCommit = kerb5LoginObject.getClass().getMethod("commit");
     boolean commitOk = (Boolean) methodCommit.invoke(kerb5LoginObject);
     assertTrue("Failed to Commit", commitOk);
   }

   @Test
   public void testDefaultRealmValid() throws Throwable {
     String defaultRealm = KerberosUtil.getDefaultRealm();
     assertNotEmpty("No default Kerberos Realm",
         defaultRealm);
     LOG.info("Default Realm '{}'", defaultRealm);
   }

   @Test
   public void testKerberosRulesValid() throws Throwable {
     assertTrue("!KerberosName.hasRulesBeenSet()",
         KerberosName.hasRulesBeenSet());
     String rules = KerberosName.getRules();
     assertEquals(kerberosRule, rules);
     LOG.info(rules);
   }

   @Test
   public void testValidKerberosName() throws Throwable {
     KerberosName.setRuleMechanism(MECHANISM_HADOOP);
     new HadoopKerberosName(ZOOKEEPER).getShortName();
     // MECHANISM_MIT allows '/' and '@' in username
     KerberosName.setRuleMechanism(MECHANISM_MIT);
     new HadoopKerberosName(ZOOKEEPER).getShortName();
     new HadoopKerberosName(ZOOKEEPER_LOCALHOST).getShortName();
     new HadoopKerberosName(ZOOKEEPER_REALM).getShortName();
     new HadoopKerberosName(ZOOKEEPER_LOCALHOST_REALM).getShortName();
     KerberosName.setRuleMechanism(DEFAULT_MECHANISM);
   }

   @Test
   public void testUGILogin() throws Throwable {

     UserGroupInformation ugi = loginUGI(ZOOKEEPER, keytab_zk);
     RegistrySecurity.UgiInfo ugiInfo =
         new RegistrySecurity.UgiInfo(ugi);
     LOG.info("logged in as: {}", ugiInfo);
     assertTrue("security is not enabled: " + ugiInfo,
         UserGroupInformation.isSecurityEnabled());
     assertTrue("login is keytab based: " + ugiInfo,
         ugi.isFromKeytab());

     // now we are here, build a SASL ACL
     ACL acl = ugi.doAs(new PrivilegedExceptionAction<ACL>() {
       @Override
       public ACL run() throws Exception {
         return registrySecurity.createSaslACLFromCurrentUser(0);
       }
     });
     assertEquals(ZOOKEEPER_REALM, acl.getId().getId());
     assertEquals(ZookeeperConfigOptions.SCHEME_SASL, acl.getId().getScheme());
     registrySecurity.addSystemACL(acl);

   }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.hadoop.registry.secure;

	import java.io.File;
	import java.lang.reflect.Constructor;
	import java.lang.reflect.Method;
	import java.security.Principal;
	import java.security.PrivilegedExceptionAction;
	import java.util.HashMap;
	import java.util.HashSet;
	import java.util.Map;
	import java.util.Set;
	import javax.security.auth.Subject;
	import javax.security.auth.callback.CallbackHandler;
	import javax.security.auth.kerberos.KerberosPrincipal;
	import javax.security.auth.login.LoginContext;
	import javax.security.auth.login.LoginException;

	import org.apache.zookeeper.Environment;
	import org.apache.zookeeper.data.ACL;

	import org.apache.commons.io.FileUtils;
	import org.apache.hadoop.security.HadoopKerberosName;
	import org.apache.hadoop.security.UserGroupInformation;
	import org.apache.hadoop.security.authentication.util.KerberosName;
	import org.apache.hadoop.security.authentication.util.KerberosUtil;
	import org.apache.hadoop.registry.client.impl.zk.RegistrySecurity;
	import org.apache.hadoop.registry.client.impl.zk.ZookeeperConfigOptions;

	import static org.apache.hadoop.security.authentication.util.KerberosName.DEFAULT_MECHANISM;
	import static org.apache.hadoop.security.authentication.util.KerberosName.MECHANISM_HADOOP;
	import static org.apache.hadoop.security.authentication.util.KerberosName.MECHANISM_MIT;
	import static org.apache.hadoop.util.PlatformName.IBM_JAVA;

	import org.junit.Test;
	import org.slf4j.Logger;
	import org.slf4j.LoggerFactory;

	/**
	* Verify that logins work
	*/
	public class TestSecureLogins extends AbstractSecureRegistryTest {
	private static final Logger LOG =
	LoggerFactory.getLogger(TestSecureLogins.class);

	@Test
	public void testHasRealm() throws Throwable {
	assertNotNull(getRealm());
	LOG.info("ZK principal = {}", getPrincipalAndRealm(ZOOKEEPER_LOCALHOST));
	}

	@Test
	public void testJaasFileSetup() throws Throwable {
	// the JVM has seemed inconsistent on setting up here
	assertNotNull("jaasFile", jaasFile);
	String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
	assertEquals(jaasFile.getAbsolutePath(), confFilename);
	}

	@Test
	public void testJaasFileBinding() throws Throwable {
	// the JVM has seemed inconsistent on setting up here
	assertNotNull("jaasFile", jaasFile);
	RegistrySecurity.bindJVMtoJAASFile(jaasFile);
	String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
	assertEquals(jaasFile.getAbsolutePath(), confFilename);
	}

	@Test
	public void testClientLogin() throws Throwable {
	LoginContext client = login(ALICE_LOCALHOST,
	ALICE_CLIENT_CONTEXT,
	keytab_alice);

	try {
	logLoginDetails(ALICE_LOCALHOST, client);
	String confFilename = System.getProperty(Environment.JAAS_CONF_KEY);
	assertNotNull("Unset: "+ Environment.JAAS_CONF_KEY, confFilename);
	String config = FileUtils.readFileToString(new File(confFilename));
	LOG.info("{}=\n{}", confFilename, config);
	RegistrySecurity.setZKSaslClientProperties(ALICE, ALICE_CLIENT_CONTEXT);
	} finally {
	client.logout();
	}
	}

	@Test
	public void testZKServerContextLogin() throws Throwable {
	LoginContext client = login(ZOOKEEPER_LOCALHOST,
	ZOOKEEPER_SERVER_CONTEXT,
	keytab_zk);
	logLoginDetails(ZOOKEEPER_LOCALHOST, client);

	client.logout();
	}

	@Test
	public void testServerLogin() throws Throwable {
	LoginContext loginContext = createLoginContextZookeeperLocalhost();
	loginContext.login();
	loginContext.logout();
	}

	public LoginContext createLoginContextZookeeperLocalhost() throws
	LoginException {
	String principalAndRealm = getPrincipalAndRealm(ZOOKEEPER_LOCALHOST);
	Set<Principal> principals = new HashSet<Principal>();
	principals.add(new KerberosPrincipal(ZOOKEEPER_LOCALHOST));
	Subject subject = new Subject(false, principals, new HashSet<Object>(),
	new HashSet<Object>());
	return new LoginContext("", subject, null,
	KerberosConfiguration.createServerConfig(ZOOKEEPER_LOCALHOST, keytab_zk));
	}

	@Test
	public void testKerberosAuth() throws Throwable {
	File krb5conf = getKdc().getKrb5conf();
	String krbConfig = FileUtils.readFileToString(krb5conf);
	LOG.info("krb5.conf at {}:\n{}", krb5conf, krbConfig);
	Subject subject = new Subject();
	Class<?> kerb5LoginClass =
	Class.forName(KerberosUtil.getKrb5LoginModuleName());
	Constructor<?> kerb5LoginConstr = kerb5LoginClass.getConstructor();
	Object kerb5LoginObject = kerb5LoginConstr.newInstance();
	final Map<String, String> options = new HashMap<String, String>();
	options.put("debug", "true");
	if (IBM_JAVA) {
	options.put("useKeytab",
	keytab_alice.getAbsolutePath().startsWith("file://")
	? keytab_alice.getAbsolutePath()
	: "file://" + keytab_alice.getAbsolutePath());
	options.put("principal", ALICE_LOCALHOST);
	options.put("refreshKrb5Config", "true");
	options.put("credsType", "both");
	String ticketCache = System.getenv("KRB5CCNAME");
	if (ticketCache != null) {
	// IBM JAVA only respect system property and not env variable
	// The first value searched when "useDefaultCcache" is used.
	System.setProperty("KRB5CCNAME", ticketCache);
	options.put("useDefaultCcache", "true");
	options.put("renewTGT", "true");
	}
	} else {
	options.put("keyTab", keytab_alice.getAbsolutePath());
	options.put("principal", ALICE_LOCALHOST);
	options.put("doNotPrompt", "true");
	options.put("isInitiator", "true");
	options.put("refreshKrb5Config", "true");
	options.put("renewTGT", "true");
	options.put("storeKey", "true");
	options.put("useKeyTab", "true");
	options.put("useTicketCache", "true");
	}
	Method methodInitialize =
	kerb5LoginObject.getClass().getMethod("initialize", Subject.class,
	CallbackHandler.class, Map.class, Map.class);
	methodInitialize.invoke(kerb5LoginObject, subject, null,
	new HashMap<String, String>(), options);
	Method methodLogin = kerb5LoginObject.getClass().getMethod("login");
	boolean loginOk = (Boolean) methodLogin.invoke(kerb5LoginObject);
	assertTrue("Failed to login", loginOk);
	Method methodCommit = kerb5LoginObject.getClass().getMethod("commit");
	boolean commitOk = (Boolean) methodCommit.invoke(kerb5LoginObject);
	assertTrue("Failed to Commit", commitOk);
	}

	@Test
	public void testDefaultRealmValid() throws Throwable {
	String defaultRealm = KerberosUtil.getDefaultRealm();
	assertNotEmpty("No default Kerberos Realm",
	defaultRealm);
	LOG.info("Default Realm '{}'", defaultRealm);
	}

	@Test
	public void testKerberosRulesValid() throws Throwable {
	assertTrue("!KerberosName.hasRulesBeenSet()",
	KerberosName.hasRulesBeenSet());
	String rules = KerberosName.getRules();
	assertEquals(kerberosRule, rules);
	LOG.info(rules);
	}

	@Test
	public void testValidKerberosName() throws Throwable {
	KerberosName.setRuleMechanism(MECHANISM_HADOOP);
	new HadoopKerberosName(ZOOKEEPER).getShortName();
	// MECHANISM_MIT allows '/' and '@' in username
	KerberosName.setRuleMechanism(MECHANISM_MIT);
	new HadoopKerberosName(ZOOKEEPER).getShortName();
	new HadoopKerberosName(ZOOKEEPER_LOCALHOST).getShortName();
	new HadoopKerberosName(ZOOKEEPER_REALM).getShortName();
	new HadoopKerberosName(ZOOKEEPER_LOCALHOST_REALM).getShortName();
	KerberosName.setRuleMechanism(DEFAULT_MECHANISM);
	}

	@Test
	public void testUGILogin() throws Throwable {

	UserGroupInformation ugi = loginUGI(ZOOKEEPER, keytab_zk);
	RegistrySecurity.UgiInfo ugiInfo =
	new RegistrySecurity.UgiInfo(ugi);
	LOG.info("logged in as: {}", ugiInfo);
	assertTrue("security is not enabled: " + ugiInfo,
	UserGroupInformation.isSecurityEnabled());
	assertTrue("login is keytab based: " + ugiInfo,
	ugi.isFromKeytab());

	// now we are here, build a SASL ACL
	ACL acl = ugi.doAs(new PrivilegedExceptionAction<ACL>() {
	@Override
	public ACL run() throws Exception {
	return registrySecurity.createSaslACLFromCurrentUser(0);
	}
	});
	assertEquals(ZOOKEEPER_REALM, acl.getId().getId());
	assertEquals(ZookeeperConfigOptions.SCHEME_SASL, acl.getId().getScheme());
	registrySecurity.addSystemACL(acl);

	}

	}