hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMSWithZK.java - hadoop - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.hadoop.crypto.key.kms.server;

 import org.apache.curator.test.TestingServer;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider;
 import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL;
 import org.junit.Assert;
 import org.junit.Test;

 import java.io.File;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.security.PrivilegedExceptionAction;

 public class TestKMSWithZK {

   protected Configuration createBaseKMSConf(File keyStoreDir) throws Exception {
     Configuration conf = new Configuration(false);
     conf.set(KMSConfiguration.KEY_PROVIDER_URI,
         "jceks://file@" + new Path(keyStoreDir.getAbsolutePath(),
             "kms.keystore").toUri());
     conf.set("hadoop.kms.authentication.type", "simple");
     conf.setBoolean(KMSConfiguration.KEY_AUTHORIZATION_ENABLE, false);

     conf.set(KMSACLs.Type.GET_KEYS.getAclConfigKey(), "foo");
     return conf;
   }

   @Test
   public void testMultipleKMSInstancesWithZKSigner() throws Exception {
     final File testDir = TestKMS.getTestDir();
     Configuration conf = createBaseKMSConf(testDir);

     TestingServer zkServer = new TestingServer();
     zkServer.start();

     MiniKMS kms1 = null;
     MiniKMS kms2 = null;

     conf.set(KMSAuthenticationFilter.CONFIG_PREFIX +
         AuthenticationFilter.SIGNER_SECRET_PROVIDER, "zookeeper");
     conf.set(KMSAuthenticationFilter.CONFIG_PREFIX +
             ZKSignerSecretProvider.ZOOKEEPER_CONNECTION_STRING,
         zkServer.getConnectString());
     conf.set(KMSAuthenticationFilter.CONFIG_PREFIX +
             ZKSignerSecretProvider.ZOOKEEPER_PATH, "/secret");
     TestKMS.writeConf(testDir, conf);

     try {
       kms1 = new MiniKMS.Builder()
           .setKmsConfDir(testDir).setLog4jConfFile("log4j.properties").build();
       kms1.start();

       kms2 = new MiniKMS.Builder()
           .setKmsConfDir(testDir).setLog4jConfFile("log4j.properties").build();
       kms2.start();

       final URL url1 = new URL(kms1.getKMSUrl().toExternalForm() +
           KMSRESTConstants.SERVICE_VERSION +  "/" +
           KMSRESTConstants.KEYS_NAMES_RESOURCE);
       final URL url2 = new URL(kms2.getKMSUrl().toExternalForm() +
           KMSRESTConstants.SERVICE_VERSION + "/" +
           KMSRESTConstants.KEYS_NAMES_RESOURCE);

       final DelegationTokenAuthenticatedURL.Token token =
           new DelegationTokenAuthenticatedURL.Token();
       final DelegationTokenAuthenticatedURL aUrl =
           new DelegationTokenAuthenticatedURL();

       UserGroupInformation ugiFoo = UserGroupInformation.createUserForTesting(
           "foo", new String[]{"gfoo"});
       UserGroupInformation ugiBar = UserGroupInformation.createUserForTesting(
           "bar", new String[]{"gBar"});

       ugiFoo.doAs(new PrivilegedExceptionAction<Object>() {
         @Override
         public Object run() throws Exception {
           HttpURLConnection conn = aUrl.openConnection(url1, token);
           Assert.assertEquals(HttpURLConnection.HTTP_OK,
               conn.getResponseCode());
           return null;
         }
       });

       ugiBar.doAs(new PrivilegedExceptionAction<Object>() {
         @Override
         public Object run() throws Exception {
           HttpURLConnection conn = aUrl.openConnection(url2, token);
           Assert.assertEquals(HttpURLConnection.HTTP_OK,
               conn.getResponseCode());
           return null;
         }
       });

       ugiBar.doAs(new PrivilegedExceptionAction<Object>() {
         @Override
         public Object run() throws Exception {
           final DelegationTokenAuthenticatedURL.Token emptyToken =
               new DelegationTokenAuthenticatedURL.Token();
           HttpURLConnection conn = aUrl.openConnection(url2, emptyToken);
           Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
               conn.getResponseCode());
           return null;
         }
       });

     } finally {
       if (kms2 != null) {
         kms2.stop();
       }
       if (kms1 != null) {
         kms1.stop();
       }
       zkServer.stop();
     }

   }

 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.hadoop.crypto.key.kms.server;

	import org.apache.curator.test.TestingServer;
	import org.apache.hadoop.conf.Configuration;
	import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
	import org.apache.hadoop.fs.Path;
	import org.apache.hadoop.security.UserGroupInformation;
	import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
	import org.apache.hadoop.security.authentication.util.ZKSignerSecretProvider;
	import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL;
	import org.junit.Assert;
	import org.junit.Test;

	import java.io.File;
	import java.net.HttpURLConnection;
	import java.net.URL;
	import java.security.PrivilegedExceptionAction;

	public class TestKMSWithZK {

	protected Configuration createBaseKMSConf(File keyStoreDir) throws Exception {
	Configuration conf = new Configuration(false);
	conf.set(KMSConfiguration.KEY_PROVIDER_URI,
	"jceks://file@" + new Path(keyStoreDir.getAbsolutePath(),
	"kms.keystore").toUri());
	conf.set("hadoop.kms.authentication.type", "simple");
	conf.setBoolean(KMSConfiguration.KEY_AUTHORIZATION_ENABLE, false);

	conf.set(KMSACLs.Type.GET_KEYS.getAclConfigKey(), "foo");
	return conf;
	}

	@Test
	public void testMultipleKMSInstancesWithZKSigner() throws Exception {
	final File testDir = TestKMS.getTestDir();
	Configuration conf = createBaseKMSConf(testDir);

	TestingServer zkServer = new TestingServer();
	zkServer.start();

	MiniKMS kms1 = null;
	MiniKMS kms2 = null;

	conf.set(KMSAuthenticationFilter.CONFIG_PREFIX +
	AuthenticationFilter.SIGNER_SECRET_PROVIDER, "zookeeper");
	conf.set(KMSAuthenticationFilter.CONFIG_PREFIX +
	ZKSignerSecretProvider.ZOOKEEPER_CONNECTION_STRING,
	zkServer.getConnectString());
	conf.set(KMSAuthenticationFilter.CONFIG_PREFIX +
	ZKSignerSecretProvider.ZOOKEEPER_PATH, "/secret");
	TestKMS.writeConf(testDir, conf);

	try {
	kms1 = new MiniKMS.Builder()
	.setKmsConfDir(testDir).setLog4jConfFile("log4j.properties").build();
	kms1.start();

	kms2 = new MiniKMS.Builder()
	.setKmsConfDir(testDir).setLog4jConfFile("log4j.properties").build();
	kms2.start();

	final URL url1 = new URL(kms1.getKMSUrl().toExternalForm() +
	KMSRESTConstants.SERVICE_VERSION + "/" +
	KMSRESTConstants.KEYS_NAMES_RESOURCE);
	final URL url2 = new URL(kms2.getKMSUrl().toExternalForm() +
	KMSRESTConstants.SERVICE_VERSION + "/" +
	KMSRESTConstants.KEYS_NAMES_RESOURCE);

	final DelegationTokenAuthenticatedURL.Token token =
	new DelegationTokenAuthenticatedURL.Token();
	final DelegationTokenAuthenticatedURL aUrl =
	new DelegationTokenAuthenticatedURL();

	UserGroupInformation ugiFoo = UserGroupInformation.createUserForTesting(
	"foo", new String[]{"gfoo"});
	UserGroupInformation ugiBar = UserGroupInformation.createUserForTesting(
	"bar", new String[]{"gBar"});

	ugiFoo.doAs(new PrivilegedExceptionAction<Object>() {
	@Override
	public Object run() throws Exception {
	HttpURLConnection conn = aUrl.openConnection(url1, token);
	Assert.assertEquals(HttpURLConnection.HTTP_OK,
	conn.getResponseCode());
	return null;
	}
	});

	ugiBar.doAs(new PrivilegedExceptionAction<Object>() {
	@Override
	public Object run() throws Exception {
	HttpURLConnection conn = aUrl.openConnection(url2, token);
	Assert.assertEquals(HttpURLConnection.HTTP_OK,
	conn.getResponseCode());
	return null;
	}
	});

	ugiBar.doAs(new PrivilegedExceptionAction<Object>() {
	@Override
	public Object run() throws Exception {
	final DelegationTokenAuthenticatedURL.Token emptyToken =
	new DelegationTokenAuthenticatedURL.Token();
	HttpURLConnection conn = aUrl.openConnection(url2, emptyToken);
	Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
	conn.getResponseCode());
	return null;
	}
	});

	} finally {
	if (kms2 != null) {
	kms2.stop();
	}
	if (kms1 != null) {
	kms1.stop();
	}
	zkServer.stop();
	}

	}

	}