| /* |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package org.apache.hadoop.registry.secure; |
| |
| import org.apache.hadoop.conf.Configuration; |
| import org.apache.hadoop.security.UserGroupInformation; |
| import org.apache.hadoop.registry.client.api.RegistryConstants; |
| import org.apache.hadoop.registry.client.impl.zk.RegistrySecurity; |
| import org.apache.zookeeper.ZooDefs; |
| import org.apache.zookeeper.data.ACL; |
| import org.junit.Assert; |
| import org.junit.BeforeClass; |
| import org.junit.Test; |
| import org.slf4j.Logger; |
| import org.slf4j.LoggerFactory; |
| |
| import java.io.IOException; |
| import java.util.List; |
| |
| import static org.apache.hadoop.registry.client.api.RegistryConstants.*; |
| |
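/**
 * Tests for the ACL splitting and ACL building helpers of
 * {@link RegistrySecurity}.
 *
 * <p>The shared {@code registrySecurity} instance is initialised once, with the
 * registry flagged as secure and a fixed realm, outside a Kerberos cluster.
 *
 * <p>NOTE(review): the {@code buildACLs} tests assert only the principal of
 * each returned ACL. The scheme and the permission bits are not checked here.
 */
public class TestRegistrySecurityHelper extends Assert {
  private static final Logger LOG =
      LoggerFactory.getLogger(TestRegistrySecurityHelper.class);

  // Fully qualified principals and their "sasl:"-prefixed ACL entries.
  public static final String YARN_EXAMPLE_COM = "yarn@example.com";
  public static final String SASL_YARN_EXAMPLE_COM =
      "sasl:" + YARN_EXAMPLE_COM;
  public static final String MAPRED_EXAMPLE_COM = "mapred@example.com";
  public static final String SASL_MAPRED_EXAMPLE_COM =
      "sasl:" + MAPRED_EXAMPLE_COM;
  // SASL entry that already carries a realm other than REALM_EXAMPLE_COM.
  public static final String SASL_MAPRED_APACHE = "sasl:mapred@APACHE";
  // Non-SASL entry; the split tests expect it to pass through unchanged.
  public static final String DIGEST_F0AF = "digest:f0afbeeb00baa";
  // SASL entries ending in '@', i.e. with no realm of their own.
  public static final String SASL_YARN_SHORT = "sasl:yarn@";
  public static final String SASL_MAPRED_SHORT = "sasl:mapred@";
  // Default realm handed to splitAclPairs/buildACLs in the realm tests.
  public static final String REALM_EXAMPLE_COM = "example.com";
  private static RegistrySecurity registrySecurity;

  /**
   * Creates and initialises the shared {@link RegistrySecurity} instance.
   *
   * @throws IOException declared by the original test setup
   */
  @BeforeClass
  public static void setupTestRegistrySecurityHelper() throws IOException {
    Configuration conf = new Configuration();
    conf.setBoolean(KEY_REGISTRY_SECURE, true);
    conf.set(KEY_REGISTRY_KERBEROS_REALM, "KERBEROS");
    registrySecurity = new RegistrySecurity("");
    // init the ACLs OUTSIDE A KERBEROS CLUSTER
    registrySecurity.init(conf);
  }

  /** Fully qualified SASL entries are returned unchanged when no realm is given. */
  @Test
  public void testACLSplitRealmed() throws Throwable {
    String aclList = SASL_YARN_EXAMPLE_COM + ", " + SASL_MAPRED_EXAMPLE_COM;
    List<String> pairs = registrySecurity.splitAclPairs(aclList, "");

    // An extra entry would mean an extra principal in the resulting ACL list.
    assertEquals("unexpected entries in " + pairs, 2, pairs.size());
    assertEquals(SASL_YARN_EXAMPLE_COM, pairs.get(0));
    assertEquals(SASL_MAPRED_EXAMPLE_COM, pairs.get(1));
  }

  /** ACLs built from fully qualified SASL entries carry the bare principal as id. */
  @Test
  public void testBuildAclsRealmed() throws Throwable {
    String aclList = SASL_YARN_EXAMPLE_COM + ", " + SASL_MAPRED_EXAMPLE_COM;
    List<ACL> acls =
        registrySecurity.buildACLs(aclList, "", ZooDefs.Perms.ALL);

    assertEquals("unexpected ACLs in " + acls, 2, acls.size());
    assertEquals(YARN_EXAMPLE_COM, acls.get(0).getId().getId());
    assertEquals(MAPRED_EXAMPLE_COM, acls.get(1).getId().getId());
  }

  /** Entries ending in '@' have the supplied default realm appended. */
  @Test
  public void testACLDefaultRealm() throws Throwable {
    String aclList = SASL_YARN_SHORT + ", " + SASL_MAPRED_SHORT;
    List<String> pairs =
        registrySecurity.splitAclPairs(aclList, REALM_EXAMPLE_COM);

    assertEquals("unexpected entries in " + pairs, 2, pairs.size());
    assertEquals(SASL_YARN_EXAMPLE_COM, pairs.get(0));
    assertEquals(SASL_MAPRED_EXAMPLE_COM, pairs.get(1));
  }

  /** ACLs built from realm-less entries use the supplied default realm. */
  @Test
  public void testBuildAclsDefaultRealm() throws Throwable {
    String aclList = SASL_YARN_SHORT + ", " + SASL_MAPRED_SHORT;
    List<ACL> acls = registrySecurity.buildACLs(
        aclList, REALM_EXAMPLE_COM, ZooDefs.Perms.ALL);

    assertEquals("unexpected ACLs in " + acls, 2, acls.size());
    assertEquals(YARN_EXAMPLE_COM, acls.get(0).getId().getId());
    assertEquals(MAPRED_EXAMPLE_COM, acls.get(1).getId().getId());
  }

  /** With an empty realm, realm-less entries are split but left as they are. */
  @Test
  public void testACLSplitNullRealm() throws Throwable {
    String aclList = SASL_YARN_SHORT + ", " + SASL_MAPRED_SHORT;
    List<String> pairs = registrySecurity.splitAclPairs(aclList, "");

    assertEquals("unexpected entries in " + pairs, 2, pairs.size());
    assertEquals(SASL_YARN_SHORT, pairs.get(0));
    assertEquals(SASL_MAPRED_SHORT, pairs.get(1));
  }

  /**
   * Building ACLs from realm-less SASL entries with an empty realm must be
   * rejected with {@link IllegalArgumentException}, so that no ACL is created
   * for a principal whose realm is missing.
   */
  @Test(expected = IllegalArgumentException.class)
  public void testBuildAclsNullRealm() throws Throwable {
    String aclList = SASL_YARN_SHORT + ", " + SASL_MAPRED_SHORT;
    registrySecurity.buildACLs(aclList, "", ZooDefs.Perms.ALL);
    // Reached only if buildACLs accepted the input. The message makes the
    // resulting "unexpected exception" report self-explanatory.
    fail("buildACLs accepted realm-less SASL principals with an empty realm: "
        + aclList);
  }

  /** The default realm is applied to the SASL entry only; the digest entry is untouched. */
  @Test
  public void testACLDefaultRealmOnlySASL() throws Throwable {
    String aclList = SASL_YARN_SHORT + ", " + DIGEST_F0AF;
    List<String> pairs =
        registrySecurity.splitAclPairs(aclList, REALM_EXAMPLE_COM);

    assertEquals("unexpected entries in " + pairs, 2, pairs.size());
    assertEquals(SASL_YARN_EXAMPLE_COM, pairs.get(0));
    assertEquals(DIGEST_F0AF, pairs.get(1));
  }

  /**
   * Mixed input: a realm-less SASL entry, a SASL entry with its own realm, some
   * empty elements and a digest entry. Only the realm-less entry is expected to
   * change, and the empty elements are expected to be dropped.
   */
  @Test
  public void testACLSplitMixed() throws Throwable {
    String aclList =
        SASL_YARN_SHORT + ", " + SASL_MAPRED_APACHE + ", ,," + DIGEST_F0AF;
    List<String> pairs =
        registrySecurity.splitAclPairs(aclList, REALM_EXAMPLE_COM);

    // Exactly three entries: the blank elements must not survive the split.
    assertEquals("unexpected entries in " + pairs, 3, pairs.size());
    assertEquals(SASL_YARN_EXAMPLE_COM, pairs.get(0));
    assertEquals(SASL_MAPRED_APACHE, pairs.get(1));
    assertEquals(DIGEST_F0AF, pairs.get(2));
  }

  /**
   * The default system accounts string must be accepted by {@code buildACLs}.
   * The test passes if no exception is thrown; the result is not inspected.
   */
  @Test
  public void testDefaultAClsValid() throws Throwable {
    registrySecurity.buildACLs(
        RegistryConstants.DEFAULT_REGISTRY_SYSTEM_ACCOUNTS,
        REALM_EXAMPLE_COM,
        ZooDefs.Perms.ALL);
  }

  /**
   * Looks up the JVM default realm and logs it. There are no assertions, so
   * the test passes as long as the lookup does not throw.
   */
  @Test
  public void testDefaultRealm() throws Throwable {
    String realm = RegistrySecurity.getDefaultRealmInJVM();
    LOG.info("Realm {}", realm);
  }

  /**
   * The ACL created for the current user must not equal
   * {@code RegistrySecurity.ALL_READWRITE_ACCESS}.
   */
  @Test
  public void testUGIProperties() throws Throwable {
    UserGroupInformation user = UserGroupInformation.getCurrentUser();
    ACL acl = registrySecurity.createACLForUser(user, ZooDefs.Perms.ALL);
    assertFalse(
        "createACLForUser returned ALL_READWRITE_ACCESS for " + user,
        RegistrySecurity.ALL_READWRITE_ACCESS.equals(acl));
    LOG.info("User {} has ACL {}", user, acl);
  }

  /**
   * Initialises a fresh {@link RegistrySecurity} with the registry flagged as
   * secure. If initialisation throws, the exception text must contain
   * {@code RegistrySecurity.E_NO_KERBEROS}.
   *
   * <p>NOTE(review): if {@code init} succeeds, no assertion runs and the test
   * passes vacuously. Confirm whether a failure is expected here before adding
   * a {@code fail()} after the call.
   */
  @Test
  public void testSecurityImpliesKerberos() throws Throwable {
    Configuration conf = new Configuration();
    // NOTE(review): this key is written as the boolean "true"; presumably it
    // normally holds an authentication method name. Confirm the intended value.
    conf.setBoolean("hadoop.security.authentication", true);
    conf.setBoolean(KEY_REGISTRY_SECURE, true);
    conf.set(KEY_REGISTRY_KERBEROS_REALM, "KERBEROS");
    RegistrySecurity security = new RegistrySecurity("registry security");
    try {
      security.init(conf);
    } catch (Exception e) {
      String diagnostics =
          "did not find "+ RegistrySecurity.E_NO_KERBEROS + " in " + e;
      assertTrue(
          diagnostics,
          e.toString().contains(RegistrySecurity.E_NO_KERBEROS));
    }
  }

}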