From 43a53f2b655be09f6fa8b20e5ae270daf6527f8b Mon Sep 17 00:00:00 2001 From: Xuan Date: Tue, 28 Oct 2014 11:18:35 -0700 Subject: [PATCH] YARN-2279. Add UTs to cover timeline server authentication. Contributed by Zhijie Shen --- hadoop-yarn-project/CHANGES.txt | 3 + .../TestTimelineAuthenticationFilter.java | 112 +++++++++++++----- 2 files changed, 88 insertions(+), 27 deletions(-) diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt index 42d5551be3d..ad6cba0c359 100644 --- a/hadoop-yarn-project/CHANGES.txt +++ b/hadoop-yarn-project/CHANGES.txt @@ -748,6 +748,9 @@ Release 2.6.0 - UNRELEASED YARN-2591. Fixed AHSWebServices to return FORBIDDEN(403) if the request user doesn't have access to the history data. (Zhijie Shen via jianhe) + YARN-2279. Add UTs to cover timeline server authentication. + (Zhijie Shen via xgong) + Release 2.5.1 - 2014-09-05 INCOMPATIBLE CHANGES diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/security/TestTimelineAuthenticationFilter.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/security/TestTimelineAuthenticationFilter.java index 829924261f6..d41a35cb68a 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/security/TestTimelineAuthenticationFilter.java +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-applicationhistoryservice/src/test/java/org/apache/hadoop/yarn/server/timeline/security/TestTimelineAuthenticationFilter.java 
@@ -22,17 +22,23 @@ import java.io.File; import java.security.PrivilegedExceptionAction; +import java.util.Arrays; +import java.util.Collection; import java.util.concurrent.Callable; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.fs.CommonConfigurationKeysPublic; +import org.apache.hadoop.fs.FileUtil; +import org.apache.hadoop.http.HttpConfig; import org.apache.hadoop.io.Text; import org.apache.hadoop.minikdc.MiniKdc; import org.apache.hadoop.security.UserGroupInformation; import org.apache.hadoop.security.authentication.KerberosTestUtils; import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler; import org.apache.hadoop.security.authorize.AuthorizationException; +import org.apache.hadoop.security.ssl.KeyStoreTestUtil; import org.apache.hadoop.security.token.Token; +import org.apache.hadoop.yarn.api.records.timeline.TimelineDomain; import org.apache.hadoop.yarn.api.records.timeline.TimelineEntity; import org.apache.hadoop.yarn.api.records.timeline.TimelinePutResponse; import org.apache.hadoop.yarn.client.api.TimelineClient; 
@@ -42,30 +48,49 @@ import org.apache.hadoop.yarn.server.timeline.MemoryTimelineStore; import org.apache.hadoop.yarn.server.timeline.TimelineStore; import org.junit.After; -import org.junit.AfterClass; import org.junit.Assert; import org.junit.Before; -import org.junit.BeforeClass; import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +@RunWith(Parameterized.class) public class TestTimelineAuthenticationFilter { private static final String FOO_USER = "foo"; private static final String BAR_USER = "bar"; private static final String HTTP_USER = "HTTP"; - private static final File testRootDir = new File("target", + private static final File testRootDir = new File( + System.getProperty("test.build.dir", "target/test-dir"), TestTimelineAuthenticationFilter.class.getName() + "-root"); private static File httpSpnegoKeytabFile = new File( KerberosTestUtils.getKeytabFile()); private static String httpSpnegoPrincipal = KerberosTestUtils.getServerPrincipal(); - private static MiniKdc testMiniKDC; - private static ApplicationHistoryServer testTimelineServer; - private static Configuration conf; + private static final String BASEDIR = + System.getProperty("test.build.dir", "target/test-dir") + "/" + + TestTimelineAuthenticationFilter.class.getSimpleName(); - @BeforeClass - public static void setupClass() { + @Parameterized.Parameters + public static Collection withSsl() { + return Arrays.asList(new Object[][] { { false }, { true } }); + } + + private MiniKdc testMiniKDC; + private String keystoresDir; + private String sslConfDir; + private ApplicationHistoryServer testTimelineServer; + private Configuration conf; + private TimelineClient client; + private boolean withSsl; + + public TestTimelineAuthenticationFilter(boolean withSsl) { + this.withSsl = withSsl; + } + + @Before + public void setup() { try { testMiniKDC = new MiniKdc(MiniKdc.createConf(), testRootDir); testMiniKDC.start(); 
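Review bot: The `@Parameterized.Parameters` factory and the instance field are both named `withSsl`, and nothing states what the parameter selects. A short comment on the factory, such as `// Each test runs twice: plain HTTP (false) and HTTPS_ONLY (true).`, would make the doubled test run obvious. The field is written only in the constructor, so it can be declared `private final boolean withSsl;`. Moving the MiniKdc start from @BeforeClass into @Before also means a KDC is started for every test method and parameter value in the same `testRootDir`. The rest of setup() lies outside this hunk, so whether that directory is cleaned between runs cannot be seen here.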
@@ -77,7 +102,7 @@ public static void setupClass() { try { testTimelineServer = new ApplicationHistoryServer(); - conf = new YarnConfiguration(); + conf = new Configuration(false); conf.setStrings(TimelineAuthenticationFilterInitializer.PREFIX + "type", "kerberos"); conf.set(TimelineAuthenticationFilterInitializer.PREFIX + @@ -98,31 +123,30 @@ public static void setupClass() { "localhost:10200"); conf.set(YarnConfiguration.TIMELINE_SERVICE_WEBAPP_ADDRESS, "localhost:8188"); + conf.set(YarnConfiguration.TIMELINE_SERVICE_WEBAPP_HTTPS_ADDRESS, + "localhost:8190"); conf.set("hadoop.proxyuser.HTTP.hosts", "*"); conf.set("hadoop.proxyuser.HTTP.users", FOO_USER); + + if (withSsl) { + conf.set(YarnConfiguration.YARN_HTTP_POLICY_KEY, + HttpConfig.Policy.HTTPS_ONLY.name()); + File base = new File(BASEDIR); + FileUtil.fullyDelete(base); + base.mkdirs(); + keystoresDir = new File(BASEDIR).getAbsolutePath(); + sslConfDir = + KeyStoreTestUtil.getClasspathDir(TestTimelineAuthenticationFilter.class); + KeyStoreTestUtil.setupSSLConfig(keystoresDir, sslConfDir, conf, false); + } + UserGroupInformation.setConfiguration(conf); testTimelineServer.init(conf); testTimelineServer.start(); } catch (Exception e) { assertTrue("Couldn't setup TimelineServer", false); } - } - @AfterClass - public static void tearDownClass() { - if (testMiniKDC != null) { - testMiniKDC.stop(); - } - - if (testTimelineServer != null) { - testTimelineServer.stop(); - } - } - - private TimelineClient client; - - @Before - public void setup() throws Exception { client = TimelineClient.createTimelineClient(); client.init(conf); client.start(); 
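Review bot: In the second hunk, the `catch (Exception e)` that closes the server setup discards `e`. With the new `if (withSsl)` branch inside the same try, a keystore or SSL configuration failure is reported only as "Couldn't setup TimelineServer". Keeping the cause visible, for example `assertTrue("Couldn't setup TimelineServer: " + e, false);`, or letting setup() declare `throws Exception`, makes a broken TLS fixture distinguishable from a Kerberos or port problem. In the same branch the result of `base.mkdirs()` is ignored, so a directory that could not be created only surfaces later inside `KeyStoreTestUtil.setupSSLConfig`. setup() begins outside this hunk.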
@@ -130,9 +154,23 @@ public void setup() throws Exception { @After public void tearDown() throws Exception { + if (testMiniKDC != null) { + testMiniKDC.stop(); + } + + if (testTimelineServer != null) { + testTimelineServer.stop(); + } + if (client != null) { client.stop(); } + + if (withSsl) { + KeyStoreTestUtil.cleanupSSLConfig(keystoresDir, sslConfDir); + File base = new File(BASEDIR); + FileUtil.fullyDelete(base); + } } @Test @@ -141,20 +179,40 @@ public void testPutTimelineEntities() throws Exception { @Override public Void call() throws Exception { TimelineEntity entityToStore = new TimelineEntity(); - entityToStore.setEntityType("TestTimelineAuthenticationFilter"); + entityToStore.setEntityType( + TestTimelineAuthenticationFilter.class.getName()); entityToStore.setEntityId("entity1"); entityToStore.setStartTime(0L); TimelinePutResponse putResponse = client.putEntities(entityToStore); Assert.assertEquals(0, putResponse.getErrors().size()); TimelineEntity entityToRead = testTimelineServer.getTimelineStore().getEntity( - "entity1", "TestTimelineAuthenticationFilter", null); + "entity1", TestTimelineAuthenticationFilter.class.getName(), null); Assert.assertNotNull(entityToRead); return null; } }); } + @Test + public void testPutDomains() throws Exception { + KerberosTestUtils.doAs(HTTP_USER + "/localhost", new Callable() { + @Override + public Void call() throws Exception { + TimelineDomain domainToStore = new TimelineDomain(); + domainToStore.setId(TestTimelineAuthenticationFilter.class.getName()); + domainToStore.setReaders("*"); + domainToStore.setWriters("*"); + client.putDomain(domainToStore); + TimelineDomain domainToRead = + testTimelineServer.getTimelineStore().getDomain( + TestTimelineAuthenticationFilter.class.getName()); + Assert.assertNotNull(domainToRead); + return null; + } + }); + } + @Test public void testGetDelegationToken() throws Exception { KerberosTestUtils.doAs(HTTP_USER + "/localhost", new Callable() {
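Review bot: The SSL cleanup at the end of tearDown() is skipped whenever one of the earlier stop() calls throws. That leaves the generated keystores under BASEDIR, and whatever `setupSSLConfig` wrote into `sslConfDir`, behind for later tests. Moving the stop calls into a `try` and the `if (withSsl)` cleanup into `finally` fixes this. The cleanup should also check `keystoresDir != null`, because JUnit still runs @After when setup() fails before that field is assigned. Stopping the client before the server and the KDC would additionally avoid shutting the server down under a live client.

```java
  @After
  public void tearDown() throws Exception {
    try {
      // Stop the client first so it is not left talking to a stopped server.
      if (client != null) {
        client.stop();
      }
      if (testTimelineServer != null) {
        testTimelineServer.stop();
      }
      if (testMiniKDC != null) {
        testMiniKDC.stop();
      }
    } finally {
      // Always remove generated key material, even when a stop() call failed.
      if (withSsl && keystoresDir != null) {
        KeyStoreTestUtil.cleanupSSLConfig(keystoresDir, sslConfDir);
        FileUtil.fullyDelete(new File(BASEDIR));
      }
    }
  }
```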
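Review bot: testPutDomains() asserts only that the stored domain is non-null, so it would still pass if the server accepted the write without attributing it to the Kerberos-authenticated caller. Because the check reads the store directly through `testTimelineServer.getTimelineStore()`, consider also asserting the recorded owner, e.g. `Assert.assertEquals(HTTP_USER, domainToRead.getOwner());`. The expected short name depends on the auth_to_local mapping, so confirm the value before adding it. In the visible hunks neither this test nor testPutTimelineEntities() has a negative case showing that a request without Kerberos credentials is rejected, which is the behaviour an authentication filter test most needs to pin down. testGetDelegationToken() at the end of the hunk continues outside it.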