[120] | 1 | /** |
---|
| 2 | * Licensed to the Apache Software Foundation (ASF) under one |
---|
| 3 | * or more contributor license agreements. See the NOTICE file |
---|
| 4 | * distributed with this work for additional information |
---|
| 5 | * regarding copyright ownership. The ASF licenses this file |
---|
| 6 | * to you under the Apache License, Version 2.0 (the |
---|
| 7 | * "License"); you may not use this file except in compliance |
---|
| 8 | * with the License. You may obtain a copy of the License at |
---|
| 9 | * |
---|
| 10 | * http://www.apache.org/licenses/LICENSE-2.0 |
---|
| 11 | * |
---|
| 12 | * Unless required by applicable law or agreed to in writing, software |
---|
| 13 | * distributed under the License is distributed on an "AS IS" BASIS, |
---|
| 14 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
---|
| 15 | * See the License for the specific language governing permissions and |
---|
| 16 | * limitations under the License. |
---|
| 17 | */ |
---|
| 18 | package org.apache.hadoop.security.authorize; |
---|
| 19 | |
---|
| 20 | import java.io.File; |
---|
| 21 | import java.io.FileWriter; |
---|
| 22 | import java.io.IOException; |
---|
| 23 | |
---|
| 24 | import org.apache.hadoop.conf.Configuration; |
---|
| 25 | import org.apache.hadoop.fs.FileSystem; |
---|
| 26 | import org.apache.hadoop.fs.FileUtil; |
---|
| 27 | import org.apache.hadoop.fs.Path; |
---|
| 28 | import org.apache.hadoop.hdfs.HDFSPolicyProvider; |
---|
| 29 | import org.apache.hadoop.hdfs.MiniDFSCluster; |
---|
| 30 | import org.apache.hadoop.hdfs.tools.DFSAdmin; |
---|
| 31 | import org.apache.hadoop.ipc.RemoteException; |
---|
| 32 | import org.apache.hadoop.mapred.JobConf; |
---|
| 33 | import org.apache.hadoop.mapred.MiniMRCluster; |
---|
| 34 | import org.apache.hadoop.mapred.TestMiniMRWithDFS; |
---|
| 35 | import org.apache.hadoop.security.UnixUserGroupInformation; |
---|
| 36 | import org.apache.hadoop.util.StringUtils; |
---|
| 37 | |
---|
| 38 | import junit.framework.TestCase; |
---|
| 39 | |
---|
| 40 | public class TestServiceLevelAuthorization extends TestCase { |
---|
| 41 | public void testServiceLevelAuthorization() throws Exception { |
---|
| 42 | MiniDFSCluster dfs = null; |
---|
| 43 | MiniMRCluster mr = null; |
---|
| 44 | FileSystem fileSys = null; |
---|
| 45 | try { |
---|
| 46 | final int slaves = 4; |
---|
| 47 | |
---|
| 48 | // Turn on service-level authorization |
---|
| 49 | Configuration conf = new Configuration(); |
---|
| 50 | conf.setClass(PolicyProvider.POLICY_PROVIDER_CONFIG, |
---|
| 51 | HadoopPolicyProvider.class, PolicyProvider.class); |
---|
| 52 | conf.setBoolean(ServiceAuthorizationManager.SERVICE_AUTHORIZATION_CONFIG, |
---|
| 53 | true); |
---|
| 54 | |
---|
| 55 | // Start the mini clusters |
---|
| 56 | dfs = new MiniDFSCluster(conf, slaves, true, null); |
---|
| 57 | fileSys = dfs.getFileSystem(); |
---|
| 58 | JobConf mrConf = new JobConf(conf); |
---|
| 59 | mr = new MiniMRCluster(slaves, fileSys.getUri().toString(), 1, |
---|
| 60 | null, null, mrConf); |
---|
| 61 | |
---|
| 62 | // Run examples |
---|
| 63 | TestMiniMRWithDFS.runPI(mr, mr.createJobConf(mrConf)); |
---|
| 64 | TestMiniMRWithDFS.runWordCount(mr, mr.createJobConf(mrConf)); |
---|
| 65 | } finally { |
---|
| 66 | if (dfs != null) { dfs.shutdown(); } |
---|
| 67 | if (mr != null) { mr.shutdown(); |
---|
| 68 | } |
---|
| 69 | } |
---|
| 70 | } |
---|
| 71 | |
---|
| 72 | private static final String DUMMY_ACL = "nouser nogroup"; |
---|
| 73 | private static final String UNKNOWN_USER = "dev,null"; |
---|
| 74 | |
---|
| 75 | private void rewriteHadoopPolicyFile(File policyFile) throws IOException { |
---|
| 76 | FileWriter fos = new FileWriter(policyFile); |
---|
| 77 | PolicyProvider policyProvider = new HDFSPolicyProvider(); |
---|
| 78 | fos.write("<configuration>\n"); |
---|
| 79 | for (Service service : policyProvider.getServices()) { |
---|
| 80 | String key = service.getServiceKey(); |
---|
| 81 | String value ="*"; |
---|
| 82 | if (key.equals("security.refresh.policy.protocol.acl")) { |
---|
| 83 | value = DUMMY_ACL; |
---|
| 84 | } |
---|
| 85 | fos.write("<property><name>"+ key + "</name><value>" + value + |
---|
| 86 | "</value></property>\n"); |
---|
| 87 | System.err.println("<property><name>"+ key + "</name><value>" + value + |
---|
| 88 | "</value></property>\n"); |
---|
| 89 | } |
---|
| 90 | fos.write("</configuration>\n"); |
---|
| 91 | fos.close(); |
---|
| 92 | } |
---|
| 93 | |
---|
| 94 | private void refreshPolicy(Configuration conf) throws IOException { |
---|
| 95 | DFSAdmin dfsAdmin = new DFSAdmin(conf); |
---|
| 96 | dfsAdmin.refreshServiceAcl(); |
---|
| 97 | } |
---|
| 98 | |
---|
| 99 | public void testRefresh() throws Exception { |
---|
| 100 | MiniDFSCluster dfs = null; |
---|
| 101 | try { |
---|
| 102 | final int slaves = 4; |
---|
| 103 | |
---|
| 104 | // Turn on service-level authorization |
---|
| 105 | Configuration conf = new Configuration(); |
---|
| 106 | conf.setClass(PolicyProvider.POLICY_PROVIDER_CONFIG, |
---|
| 107 | HDFSPolicyProvider.class, PolicyProvider.class); |
---|
| 108 | conf.setBoolean(ServiceAuthorizationManager.SERVICE_AUTHORIZATION_CONFIG, |
---|
| 109 | true); |
---|
| 110 | |
---|
| 111 | // Start the mini dfs cluster |
---|
| 112 | dfs = new MiniDFSCluster(conf, slaves, true, null); |
---|
| 113 | |
---|
| 114 | // Refresh the service level authorization policy |
---|
| 115 | refreshPolicy(conf); |
---|
| 116 | |
---|
| 117 | // Simulate an 'edit' of hadoop-policy.xml |
---|
| 118 | String confDir = System.getProperty("test.build.extraconf", |
---|
| 119 | "build/test/extraconf"); |
---|
| 120 | File policyFile = new File(confDir, ConfiguredPolicy.HADOOP_POLICY_FILE); |
---|
| 121 | String policyFileCopy = ConfiguredPolicy.HADOOP_POLICY_FILE + ".orig"; |
---|
| 122 | FileUtil.copy(policyFile, FileSystem.getLocal(conf), // first save original |
---|
| 123 | new Path(confDir, policyFileCopy), false, conf); |
---|
| 124 | rewriteHadoopPolicyFile( // rewrite the file |
---|
| 125 | new File(confDir, ConfiguredPolicy.HADOOP_POLICY_FILE)); |
---|
| 126 | |
---|
| 127 | // Refresh the service level authorization policy |
---|
| 128 | refreshPolicy(conf); |
---|
| 129 | |
---|
| 130 | // Refresh the service level authorization policy once again, |
---|
| 131 | // this time it should fail! |
---|
| 132 | try { |
---|
| 133 | // Note: hadoop-policy.xml for tests has |
---|
| 134 | // security.refresh.policy.protocol.acl = ${user.name} |
---|
| 135 | conf.set(UnixUserGroupInformation.UGI_PROPERTY_NAME, UNKNOWN_USER); |
---|
| 136 | refreshPolicy(conf); |
---|
| 137 | fail("Refresh of NameNode's policy file cannot be successful!"); |
---|
| 138 | } catch (RemoteException re) { |
---|
| 139 | System.out.println("Good, refresh worked... refresh failed with: " + |
---|
| 140 | StringUtils.stringifyException(re.unwrapRemoteException())); |
---|
| 141 | } finally { |
---|
| 142 | // Reset to original hadoop-policy.xml |
---|
| 143 | FileUtil.fullyDelete(new File(confDir, |
---|
| 144 | ConfiguredPolicy.HADOOP_POLICY_FILE)); |
---|
| 145 | FileUtil.replaceFile(new File(confDir, policyFileCopy), new File(confDir, ConfiguredPolicy.HADOOP_POLICY_FILE)); |
---|
| 146 | } |
---|
| 147 | } finally { |
---|
| 148 | if (dfs != null) { dfs.shutdown(); } |
---|
| 149 | } |
---|
| 150 | } |
---|
| 151 | |
---|
| 152 | } |
---|