// Installs the principal-to-short-name mapping rules through KerberosName's static setter.
// NOTE(review): because the setter is static, the rules presumably apply to every
// KerberosName in this JVM rather than to one component. Confirm that nameRules comes from
// trusted configuration, since these rules decide which short name a principal maps to.
KerberosName.setRules(nameRules);
/**
 * Builds a configuration that switches on Kerberos/SPNEGO authentication for the HTTP server
 * under test.
 *
 * <p>Side effect: sets the static {@code KerberosName} rules to {@code "DEFAULT"}, which is
 * visible outside the returned object.
 *
 * @param serverPrincipal SPNEGO principal stored under the HTTP principal key
 * @param serverKeytab keytab file whose absolute path is stored under the HTTP keytab key
 * @return a new configuration carrying the Kerberos and SPNEGO settings
 */
private static Configuration buildSpnegoConfiguration(String serverPrincipal, File serverKeytab) {
  final Configuration spnegoConf = new Configuration();
  // Static setter: replaces whatever rules were installed before this call.
  KerberosName.setRules("DEFAULT");

  spnegoConf.setInt(HttpServer.HTTP_MAX_THREADS, TestHttpServer.MAX_THREADS);

  // Kerberos for HBase itself is the prerequisite for the UI authentication setting below.
  spnegoConf.set("hbase.security.authentication", "kerberos");
  spnegoConf.set(HttpServer.HTTP_UI_AUTHENTICATION, "kerberos");

  // Identity the server presents during SPNEGO negotiation, and where its key material lives.
  spnegoConf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_PRINCIPAL_KEY, serverPrincipal);
  final String keytabPath = serverKeytab.getAbsolutePath();
  spnegoConf.set(HttpServer.HTTP_SPNEGO_AUTHENTICATION_KEYTAB_KEY, keytabPath);

  return spnegoConf;
}
/**
 * Applies the Kerberos, SPNEGO and proxy-user settings for the secured Thrift test setup to
 * {@code conf}.
 *
 * <p>Reads the class-level {@code serverPrincipal}, {@code spnegoServerPrincipal},
 * {@code serverKeytab} and {@code spnegoServerKeytab}, and sets the static
 * {@code KerberosName} rules to {@code "DEFAULT"}.
 *
 * @param conf configuration that is modified in place
 */
private static void addSecurityConfigurations(Configuration conf) {
  KerberosName.setRules("DEFAULT");

  final String thriftKeytabPath = serverKeytab.getAbsolutePath();
  HBaseKerberosUtils.setKeytabFileForTesting(thriftKeytabPath);
  HBaseKerberosUtils.setSecuredConfiguration(conf, serverPrincipal, spnegoServerPrincipal);

  conf.setBoolean(THRIFT_SUPPORT_PROXYUSER_KEY, true);
  conf.setBoolean(Constants.USE_HTTP_CONF_KEY, true);

  // Test-only shortcut: the wildcards let the "hbase" proxy user impersonate members of any
  // group from any host. Outside a test fixture these two values should name specific hosts
  // and groups instead of "*".
  conf.set("hadoop.proxyuser.hbase.hosts", "*");
  conf.set("hadoop.proxyuser.hbase.groups", "*");

  // Thrift service identity and its keytab.
  conf.set(Constants.THRIFT_KERBEROS_PRINCIPAL_KEY, serverPrincipal);
  conf.set(Constants.THRIFT_KEYTAB_FILE_KEY, thriftKeytabPath);

  // SPNEGO identity and keytab for the HTTP transport.
  conf.set(Constants.THRIFT_SPNEGO_PRINCIPAL_KEY, spnegoServerPrincipal);
  conf.set(Constants.THRIFT_SPNEGO_KEYTAB_FILE_KEY, spnegoServerKeytab.getAbsolutePath());
}
/**
 * Initializes Hadoop security: hands {@code CONF} to {@code UserGroupInformation}, then
 * installs the Kerberos name-mapping rules held in {@code kerberosRule}.
 */
public static void initHadoopSecurity() {
  UserGroupInformation.setConfiguration(CONF);
  // NOTE(review): keep this call after setConfiguration. setConfiguration presumably applies
  // the name rules found in CONF, so rules set before it would be overwritten. Confirm
  // against the Hadoop version in use.
  KerberosName.setRules(kerberosRule);
}
/**
 * Initializes Hadoop security: hands {@code CONF} to {@code UserGroupInformation}, then
 * installs the Kerberos name-mapping rules held in {@code kerberosRule}.
 */
public static void initHadoopSecurity() {
  UserGroupInformation.setConfiguration(CONF);
  // NOTE(review): keep this call after setConfiguration. setConfiguration presumably applies
  // the name rules found in CONF, so rules set before it would be overwritten. Confirm
  // against the Hadoop version in use.
  KerberosName.setRules(kerberosRule);
}
/**
 * Points the JVM's Kerberos system properties at the test realm and a local KDC, then installs
 * the principal-to-short-name rules used by the tests in this class.
 *
 * @throws Exception if the fixture cannot be prepared
 */
@Before
public void setUp() throws Exception {
  final String testRealm = KerberosTestUtils.getRealm();
  System.setProperty("java.security.krb5.realm", testRealm);
  System.setProperty("java.security.krb5.kdc", "localhost:88");

  // Rules are evaluated in the order listed. Only the first one filters on the realm; the
  // two-component rules match on name parts alone, which is fine for a fixture but worth
  // noticing before copying them into a real auth_to_local setting.
  final String authToLocalRules =
      // single-component principals in YAHOO.COM: strip the realm
      "RULE:[1:$1@$0](.*@YAHOO\\.COM)s/@.*//\n"
      // johndoe/<anything> is mapped to "guest"
      + "RULE:[2:$1](johndoe)s/^.*$/guest/\n"
      // <name>/admin is mapped to <name>
      + "RULE:[2:$1;$2](^.*;admin$)s/;admin$//\n"
      // <anything>/root is mapped to "root"
      + "RULE:[2:$2](root)\n"
      + "DEFAULT";

  KerberosName.setRules(authToLocalRules);
  // Dump the installed rules so a failing translation can be diagnosed from the test log.
  KerberosName.printRules();
}
/**
 * Points the JVM's Kerberos system properties at the test realm and a local KDC, then installs
 * the principal-to-short-name rules used by the tests in this class.
 *
 * @throws Exception if the fixture cannot be prepared
 */
@Before
public void setUp() throws Exception {
  final String testRealm = KerberosTestUtils.getRealm();
  System.setProperty("java.security.krb5.realm", testRealm);
  System.setProperty("java.security.krb5.kdc", "localhost:88");

  // Rules are evaluated in the order listed. Only the first one filters on the realm; the
  // two-component rules match on name parts alone, which is fine for a fixture but worth
  // noticing before copying them into a real auth_to_local setting.
  final String authToLocalRules =
      // single-component principals in YAHOO.COM: strip the realm
      "RULE:[1:$1@$0](.*@YAHOO\\.COM)s/@.*//\n"
      // johndoe/<anything> is mapped to "guest"
      + "RULE:[2:$1](johndoe)s/^.*$/guest/\n"
      // <name>/admin is mapped to <name>
      + "RULE:[2:$1;$2](^.*;admin$)s/;admin$//\n"
      // <anything>/root is mapped to "root"
      + "RULE:[2:$2](root)\n"
      + "DEFAULT";

  KerberosName.setRules(authToLocalRules);
  // Dump the installed rules so a failing translation can be diagnosed from the test log.
  KerberosName.printRules();
}
/**
 * Points the JVM's Kerberos system properties at the test realm and a local KDC, then installs
 * the principal-to-short-name rules used by the tests in this class.
 *
 * @throws Exception if the fixture cannot be prepared
 */
@Before
public void setUp() throws Exception {
  final String testRealm = KerberosTestUtils.getRealm();
  System.setProperty("java.security.krb5.realm", testRealm);
  System.setProperty("java.security.krb5.kdc", "localhost:88");

  // Rules are evaluated in the order listed. Only the first one filters on the realm; the
  // two-component rules match on name parts alone, which is fine for a fixture but worth
  // noticing before copying them into a real auth_to_local setting.
  final String authToLocalRules =
      // single-component principals in YAHOO.COM: strip the realm
      "RULE:[1:$1@$0](.*@YAHOO\\.COM)s/@.*//\n"
      // johndoe/<anything> is mapped to "guest"
      + "RULE:[2:$1](johndoe)s/^.*$/guest/\n"
      // <name>/admin is mapped to <name>
      + "RULE:[2:$1;$2](^.*;admin$)s/;admin$//\n"
      // <anything>/root is mapped to "root"
      + "RULE:[2:$2](root)\n"
      + "DEFAULT";

  KerberosName.setRules(authToLocalRules);
  // Dump the installed rules so a failing translation can be diagnosed from the test log.
  KerberosName.printRules();
}
/**
 * Checks that {@code callBack.allowConnect} follows the KerberosName rules currently installed:
 * the principal rewritten to "hive" is accepted, while a principal rewritten to "solr" and a
 * principal that matches no rule are both rejected.
 */
@Test
public void testAllowConnectWithRuleSet() {
  // First rule set: user1 is rewritten to the short name "hive".
  KerberosName.setRules("RULE:[1:$1@$0](user1@TEST.REALM.COM)s/.*/hive/");
  final String acceptedPrincipal = "user1@TEST.REALM.COM";
  assertTrue("Authenticate valid user", callBack.allowConnect(acceptedPrincipal));

  // Second rule set replaces the first: only user2 matches, and it is rewritten to "solr".
  // NOTE(review): the rules are static and are not restored afterwards, so later tests see
  // this rule set unless they install their own.
  KerberosName.setRules("RULE:[1:$1@$0](user2@TEST.REALM.COM)s/.*/solr/");

  final String mappedToOtherUser = "user2@TEST.REALM.COM";
  assertFalse("Do not authenticate invalid user", callBack.allowConnect(mappedToOtherUser));

  // user3 is not covered by the installed rule at all.
  final String unmappedPrincipal = "user3@TEST.REALM.COM";
  assertFalse("Do not authenticate invalid user", callBack.allowConnect(unmappedPrincipal));
}
/**
 * Verifies that rules ending in {@code /L} produce a lower-cased short name for one- and
 * two-component principals.
 *
 * @throws Exception if a translation fails
 */
@Test
public void testToLowerCase() throws Exception {
  final String lowerCasingRules =
      "RULE:[1:$1]/L\n"
      + "RULE:[2:$1]/L\n"
      + "RULE:[2:$1;$2](^.*;admin$)s/;admin$///L\n"
      + "RULE:[2:$1;$2](^.*;guest$)s/;guest$//g/L\n"
      + "DEFAULT";
  KerberosName.setRules(lowerCasingRules);
  KerberosName.printRules();

  // Each principal starts with an upper-case "J"; every one must translate to "joe".
  final String[][] expectations = {
      {"Joe@FOO.COM", "joe"},
      {"Joe/root@FOO.COM", "joe"},
      {"Joe/admin@FOO.COM", "joe"},
      {"Joe/guestguest@FOO.COM", "joe"},
  };
  for (String[] expectation : expectations) {
    checkTranslation(expectation[0], expectation[1]);
  }
}
/**
 * Verifies that rules ending in {@code /L} produce a lower-cased short name for one- and
 * two-component principals.
 *
 * @throws Exception if a translation fails
 */
@Test
public void testToLowerCase() throws Exception {
  final String lowerCasingRules =
      "RULE:[1:$1]/L\n"
      + "RULE:[2:$1]/L\n"
      + "RULE:[2:$1;$2](^.*;admin$)s/;admin$///L\n"
      + "RULE:[2:$1;$2](^.*;guest$)s/;guest$//g/L\n"
      + "DEFAULT";
  KerberosName.setRules(lowerCasingRules);
  KerberosName.printRules();

  // Each principal starts with an upper-case "J"; every one must translate to "joe".
  final String[][] expectations = {
      {"Joe@FOO.COM", "joe"},
      {"Joe/root@FOO.COM", "joe"},
      {"Joe/admin@FOO.COM", "joe"},
      {"Joe/guestguest@FOO.COM", "joe"},
  };
  for (String[] expectation : expectations) {
    checkTranslation(expectation[0], expectation[1]);
  }
}
/**
 * Verifies that rules ending in {@code /L} produce a lower-cased short name for one- and
 * two-component principals.
 *
 * @throws Exception if a translation fails
 */
@Test
public void testToLowerCase() throws Exception {
  final String lowerCasingRules =
      "RULE:[1:$1]/L\n"
      + "RULE:[2:$1]/L\n"
      + "RULE:[2:$1;$2](^.*;admin$)s/;admin$///L\n"
      + "RULE:[2:$1;$2](^.*;guest$)s/;guest$//g/L\n"
      + "DEFAULT";
  KerberosName.setRules(lowerCasingRules);
  KerberosName.printRules();

  // Each principal starts with an upper-case "J"; every one must translate to "joe".
  final String[][] expectations = {
      {"Joe@FOO.COM", "joe"},
      {"Joe/root@FOO.COM", "joe"},
      {"Joe/admin@FOO.COM", "joe"},
      {"Joe/guestguest@FOO.COM", "joe"},
  };
  for (String[] expectation : expectations) {
    checkTranslation(expectation[0], expectation[1]);
  }
}
/**
 * Checks {@code callBack.allowConnect} against full Kerberos principals, first without this
 * test installing any rule set and then with the rules set to {@code "DEFAULT"}. The "hive"
 * principal must be accepted and the "impala" principal rejected in both passes.
 */
@Test
public void testAllowConnectOnKerberosPrincipal() {
  final String hivePrincipal = "hive@GCE.CLOUDERA.COM";
  final String impalaPrincipal = "impala@GCE.CLOUDERA.COM";

  // Pass 1: no rule set installed by this test.
  assertTrue("Authenticate valid user", callBack.allowConnect(hivePrincipal));
  assertFalse("Do not authenticate invalid user", callBack.allowConnect(impalaPrincipal));

  // Pass 2: same expectations once the DEFAULT rule is installed explicitly.
  KerberosName.setRules("DEFAULT");
  assertTrue("Authenticate valid user", callBack.allowConnect(hivePrincipal));
  assertFalse("Do not authenticate invalid user", callBack.allowConnect(impalaPrincipal));
}
/**
 * Verifies the precedence between explicitly set KerberosName rules and rules supplied through
 * the configuration: implicit UGI initialization keeps rules that are already set, while
 * {@code UserGroupInformation.setConfiguration} replaces them with the configured value.
 */
@Test (timeout = 30000)
public void testSetConfigWithRules() {
  final String[] rules = { "RULE:[1:TEST1]", "RULE:[1:TEST2]", "RULE:[1:TEST3]" };
  final String explicitRule = rules[0];

  // Start from a clean slate, then set a rule by hand.
  UserGroupInformation.reset();
  assertFalse(KerberosName.hasRulesBeenSet());
  KerberosName.setRules(explicitRule);
  assertTrue(KerberosName.hasRulesBeenSet());
  assertEquals(explicitRule, KerberosName.getRules());

  // Implicit initialization must leave the hand-set rule alone.
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertEquals(explicitRule, KerberosName.getRules());

  // Each setConfiguration call must override the rules with the configured value.
  for (int i = 1; i < rules.length; i++) {
    conf.set(HADOOP_SECURITY_AUTH_TO_LOCAL, rules[i]);
    UserGroupInformation.setConfiguration(conf);
    assertEquals(rules[i], KerberosName.getRules());
  }

  // Implicit initialization must again keep the last configured rule.
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertEquals(rules[2], KerberosName.getRules());
}
/**
 * Verifies that the {@code NAME_RULES} property passed to the authentication handler replaces
 * the rules previously installed through {@code KerberosName.setRules}: afterwards the
 * {@code @BAR} rule applies and the earlier {@code @FOO} rule no longer does.
 *
 * @throws Exception if the handler or a principal lookup fails unexpectedly
 */
@Test(timeout=60000)
public void testNameRules() throws Exception {
  KerberosName principal = new KerberosName(KerberosTestUtils.getServerPrincipal());
  Assert.assertEquals(KerberosTestUtils.getRealm(), principal.getRealm());

  // The handler created in setUp() is replaced below, so release it first.
  handler.destroy();

  // Rules that strip the realm for @FOO; the handler is expected to replace them.
  KerberosName.setRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT");

  handler = getNewAuthenticationHandler();
  final Properties handlerProps = getDefaultProperties();
  handlerProps.setProperty(KerberosAuthenticationHandler.NAME_RULES,
      "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT");
  try {
    handler.init(handlerProps);
  } catch (Exception ignored) {
    // Deliberately ignored: the assertions below only check which name rules are active.
    // NOTE(review): a failed init therefore shows up only as an assertion failure further
    // down, without the original cause.
  }

  // The @BAR rule from the handler properties is active.
  principal = new KerberosName("bar@BAR");
  Assert.assertEquals("bar", principal.getShortName());

  // The earlier @FOO rule is gone, so the realm is no longer stripped.
  principal = new KerberosName("bar@FOO");
  Assert.assertEquals("bar@FOO", principal.getShortName());
}
/**
 * Verifies that the {@code NAME_RULES} property passed to the authentication handler replaces
 * the rules previously installed through {@code KerberosName.setRules}: afterwards the
 * {@code @BAR} rule applies and the earlier {@code @FOO} rule no longer does.
 *
 * @throws Exception if the handler or a principal lookup fails unexpectedly
 */
@Test(timeout=60000)
public void testNameRules() throws Exception {
  KerberosName principal = new KerberosName(KerberosTestUtils.getServerPrincipal());
  Assert.assertEquals(KerberosTestUtils.getRealm(), principal.getRealm());

  // The handler created in setUp() is replaced below, so release it first.
  handler.destroy();

  // Rules that strip the realm for @FOO; the handler is expected to replace them.
  KerberosName.setRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT");

  handler = getNewAuthenticationHandler();
  final Properties handlerProps = getDefaultProperties();
  handlerProps.setProperty(KerberosAuthenticationHandler.NAME_RULES,
      "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT");
  try {
    handler.init(handlerProps);
  } catch (Exception ignored) {
    // Deliberately ignored: the assertions below only check which name rules are active.
    // NOTE(review): a failed init therefore shows up only as an assertion failure further
    // down, without the original cause.
  }

  // The @BAR rule from the handler properties is active.
  principal = new KerberosName("bar@BAR");
  Assert.assertEquals("bar", principal.getShortName());

  // The earlier @FOO rule is gone, so the realm is no longer stripped.
  principal = new KerberosName("bar@FOO");
  Assert.assertEquals("bar@FOO", principal.getShortName());
}
/**
 * Verifies the precedence between explicitly set KerberosName rules and rules supplied through
 * the configuration: implicit UGI initialization keeps rules that are already set, while
 * {@code UserGroupInformation.setConfiguration} replaces them with the configured value.
 */
@Test (timeout = 30000)
public void testSetConfigWithRules() {
  final String[] rules = { "RULE:[1:TEST1]", "RULE:[1:TEST2]", "RULE:[1:TEST3]" };
  final String explicitRule = rules[0];

  // Start from a clean slate, then set a rule by hand.
  UserGroupInformation.reset();
  assertFalse(KerberosName.hasRulesBeenSet());
  KerberosName.setRules(explicitRule);
  assertTrue(KerberosName.hasRulesBeenSet());
  assertEquals(explicitRule, KerberosName.getRules());

  // Implicit initialization must leave the hand-set rule alone.
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertEquals(explicitRule, KerberosName.getRules());

  // Each setConfiguration call must override the rules with the configured value.
  for (int i = 1; i < rules.length; i++) {
    conf.set(HADOOP_SECURITY_AUTH_TO_LOCAL, rules[i]);
    UserGroupInformation.setConfiguration(conf);
    assertEquals(rules[i], KerberosName.getRules());
  }

  // Implicit initialization must again keep the last configured rule.
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertEquals(rules[2], KerberosName.getRules());
}
/**
 * Verifies that the {@code NAME_RULES} property passed to the authentication handler replaces
 * the rules previously installed through {@code KerberosName.setRules}: afterwards the
 * {@code @BAR} rule applies, and resolving a {@code @FOO} principal is expected to throw.
 *
 * @throws Exception if the handler or a principal lookup fails unexpectedly
 */
@Test(timeout=60000)
public void testNameRules() throws Exception {
  KerberosName principal = new KerberosName(KerberosTestUtils.getServerPrincipal());
  Assert.assertEquals(KerberosTestUtils.getRealm(), principal.getRealm());

  // The handler created in setUp() is replaced below, so release it first.
  handler.destroy();

  // Rules that strip the realm for @FOO; the handler is expected to replace them.
  KerberosName.setRules("RULE:[1:$1@$0](.*@FOO)s/@.*//\nDEFAULT");

  handler = getNewAuthenticationHandler();
  final Properties handlerProps = getDefaultProperties();
  handlerProps.setProperty(KerberosAuthenticationHandler.NAME_RULES,
      "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT");
  try {
    handler.init(handlerProps);
  } catch (Exception ignored) {
    // Deliberately ignored: the assertions below only check which name rules are active.
    // NOTE(review): a failed init therefore shows up only as an assertion failure further
    // down, without the original cause.
  }

  // The @BAR rule from the handler properties is active.
  principal = new KerberosName("bar@BAR");
  Assert.assertEquals("bar", principal.getShortName());

  // With the @FOO rule gone, the lookup must fail instead of yielding a short name.
  principal = new KerberosName("bar@FOO");
  try {
    principal.getShortName();
    // Assert.fail() raises an Error, so the catch below does not hide it.
    Assert.fail();
  } catch (Exception expected) {
    // Expected: no installed rule applies to bar@FOO.
  }
}
/**
 * Verifies that implicit UGI initialization installs name rules when none are set, and leaves
 * an explicitly set rule untouched.
 *
 * @throws IOException declared by the original test signature
 */
@Test (timeout = 30000)
public void testEnsureInitWithRules() throws IOException {
  final String explicitRule = "RULE:[1:RULE1]";

  // Case 1: nothing set, so implicit initialization has to supply the rules.
  UserGroupInformation.reset();
  assertFalse(KerberosName.hasRulesBeenSet());
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertTrue(KerberosName.hasRulesBeenSet());

  // Case 2: a rule set by hand must survive implicit initialization unchanged.
  UserGroupInformation.reset();
  KerberosName.setRules(explicitRule);
  assertTrue(KerberosName.hasRulesBeenSet());
  assertEquals(explicitRule, KerberosName.getRules());

  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertEquals(explicitRule, KerberosName.getRules());
}
/**
 * Verifies that implicit UGI initialization installs name rules when none are set, and leaves
 * an explicitly set rule untouched.
 *
 * @throws IOException declared by the original test signature
 */
@Test (timeout = 30000)
public void testEnsureInitWithRules() throws IOException {
  final String explicitRule = "RULE:[1:RULE1]";

  // Case 1: nothing set, so implicit initialization has to supply the rules.
  UserGroupInformation.reset();
  assertFalse(KerberosName.hasRulesBeenSet());
  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertTrue(KerberosName.hasRulesBeenSet());

  // Case 2: a rule set by hand must survive implicit initialization unchanged.
  UserGroupInformation.reset();
  KerberosName.setRules(explicitRule);
  assertTrue(KerberosName.hasRulesBeenSet());
  assertEquals(explicitRule, KerberosName.getRules());

  UserGroupInformation.createUserForTesting("someone", new String[0]);
  assertEquals(explicitRule, KerberosName.getRules());
}