HADOOP-13395. Enhance TestKMSAudit. Contributed by Xiao Chen.
This commit is contained in:
parent
6418edd6fe
commit
070548943a
|
@ -17,6 +17,7 @@
|
||||||
*/
|
*/
|
||||||
package org.apache.hadoop.crypto.key.kms.server;
|
package org.apache.hadoop.crypto.key.kms.server;
|
||||||
|
|
||||||
|
import com.google.common.annotations.VisibleForTesting;
|
||||||
import org.apache.hadoop.security.UserGroupInformation;
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
@ -227,4 +228,9 @@ public class KMSAudit {
|
||||||
public void shutdown() {
|
public void shutdown() {
|
||||||
executor.shutdownNow();
|
executor.shutdownNow();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@VisibleForTesting
|
||||||
|
void evictCacheForTesting() {
|
||||||
|
cache.invalidateAll();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -33,7 +33,9 @@ import org.apache.log4j.PropertyConfigurator;
|
||||||
import org.junit.After;
|
import org.junit.After;
|
||||||
import org.junit.Assert;
|
import org.junit.Assert;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
|
import org.junit.Rule;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
|
import org.junit.rules.Timeout;
|
||||||
import org.mockito.Mockito;
|
import org.mockito.Mockito;
|
||||||
|
|
||||||
public class TestKMSAudit {
|
public class TestKMSAudit {
|
||||||
|
@ -55,6 +57,9 @@ public class TestKMSAudit {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Rule
|
||||||
|
public final Timeout testTimeout = new Timeout(180000);
|
||||||
|
|
||||||
@Before
|
@Before
|
||||||
public void setUp() throws IOException {
|
public void setUp() throws IOException {
|
||||||
originalOut = System.err;
|
originalOut = System.err;
|
||||||
|
@ -67,7 +72,8 @@ public class TestKMSAudit {
|
||||||
PropertyConfigurator.configure(is);
|
PropertyConfigurator.configure(is);
|
||||||
IOUtils.closeStream(is);
|
IOUtils.closeStream(is);
|
||||||
|
|
||||||
this.kmsAudit = new KMSAudit(1000);
|
this.kmsAudit =
|
||||||
|
new KMSAudit(KMSConfiguration.KMS_AUDIT_AGGREGATION_WINDOW_DEFAULT);
|
||||||
}
|
}
|
||||||
|
|
||||||
@After
|
@After
|
||||||
|
@ -97,9 +103,9 @@ public class TestKMSAudit {
|
||||||
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
||||||
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
||||||
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
||||||
Thread.sleep(1500);
|
kmsAudit.evictCacheForTesting();
|
||||||
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
kmsAudit.ok(luser, KMSOp.DECRYPT_EEK, "k1", "testmsg");
|
||||||
Thread.sleep(1500);
|
kmsAudit.evictCacheForTesting();
|
||||||
String out = getAndResetLogOutput();
|
String out = getAndResetLogOutput();
|
||||||
System.out.println(out);
|
System.out.println(out);
|
||||||
Assert.assertTrue(
|
Assert.assertTrue(
|
||||||
|
@ -118,24 +124,55 @@ public class TestKMSAudit {
|
||||||
UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
|
UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
|
||||||
Mockito.when(luser.getShortUserName()).thenReturn("luser");
|
Mockito.when(luser.getShortUserName()).thenReturn("luser");
|
||||||
kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k2");
|
kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k2");
|
||||||
Thread.sleep(1000);
|
kmsAudit.evictCacheForTesting();
|
||||||
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
||||||
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
||||||
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
||||||
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
||||||
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
||||||
kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k3");
|
kmsAudit.unauthorized(luser, KMSOp.GENERATE_EEK, "k3");
|
||||||
|
// wait a bit so the UNAUTHORIZED-triggered cache invalidation happens.
|
||||||
|
Thread.sleep(1000);
|
||||||
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k3", "testmsg");
|
||||||
Thread.sleep(2000);
|
kmsAudit.evictCacheForTesting();
|
||||||
String out = getAndResetLogOutput();
|
String out = getAndResetLogOutput();
|
||||||
System.out.println(out);
|
System.out.println(out);
|
||||||
Assert.assertTrue(
|
|
||||||
out.matches(
|
// The UNAUTHORIZED will trigger cache invalidation, which then triggers
|
||||||
"UNAUTHORIZED\\[op=GENERATE_EEK, key=k2, user=luser\\] "
|
// the aggregated OK (accessCount=5). But the order of the UNAUTHORIZED and
|
||||||
|
// the aggregated OK is arbitrary - no correctness concerns, but flaky here.
|
||||||
|
Assert.assertTrue(out.matches(
|
||||||
|
"UNAUTHORIZED\\[op=GENERATE_EEK, key=k2, user=luser\\] "
|
||||||
+ "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
|
+ "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
|
||||||
+ "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=5, interval=[^m]{1,4}ms\\] testmsg"
|
+ "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=5, interval=[^m]{1,4}ms\\] testmsg"
|
||||||
+ "UNAUTHORIZED\\[op=GENERATE_EEK, key=k3, user=luser\\] "
|
+ "UNAUTHORIZED\\[op=GENERATE_EEK, key=k3, user=luser\\] "
|
||||||
|
+ "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg")
|
||||||
|
|| out.matches(
|
||||||
|
"UNAUTHORIZED\\[op=GENERATE_EEK, key=k2, user=luser\\] "
|
||||||
|
+ "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
|
||||||
|
+ "UNAUTHORIZED\\[op=GENERATE_EEK, key=k3, user=luser\\] "
|
||||||
|
+ "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=5, interval=[^m]{1,4}ms\\] testmsg"
|
||||||
+ "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"));
|
+ "OK\\[op=GENERATE_EEK, key=k3, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testAuditLogFormat() throws Exception {
|
||||||
|
UserGroupInformation luser = Mockito.mock(UserGroupInformation.class);
|
||||||
|
Mockito.when(luser.getShortUserName()).thenReturn("luser");
|
||||||
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "k4", "testmsg");
|
||||||
|
kmsAudit.ok(luser, KMSOp.GENERATE_EEK, "testmsg");
|
||||||
|
kmsAudit.evictCacheForTesting();
|
||||||
|
kmsAudit.unauthorized(luser, KMSOp.DECRYPT_EEK, "k4");
|
||||||
|
kmsAudit.error(luser, "method", "url", "testmsg");
|
||||||
|
kmsAudit.unauthenticated("remotehost", "method", "url", "testmsg");
|
||||||
|
String out = getAndResetLogOutput();
|
||||||
|
System.out.println(out);
|
||||||
|
Assert.assertTrue(out.matches(
|
||||||
|
"OK\\[op=GENERATE_EEK, key=k4, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
|
||||||
|
+ "OK\\[op=GENERATE_EEK, user=luser\\] testmsg"
|
||||||
|
+ "OK\\[op=GENERATE_EEK, key=k4, user=luser, accessCount=1, interval=[^m]{1,4}ms\\] testmsg"
|
||||||
|
+ "UNAUTHORIZED\\[op=DECRYPT_EEK, key=k4, user=luser\\] "
|
||||||
|
+ "ERROR\\[user=luser\\] Method:'method' Exception:'testmsg'"
|
||||||
|
+ "UNAUTHENTICATED RemoteHost:remotehost Method:method URL:url ErrorMsg:'testmsg'"));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue