HADOOP-15395. DefaultImpersonationProvider fails to parse proxy user config if username has . in it. Contributed by Ajay Kumar.
parent
3c4fbc635e
commit
5f0b924360
|
@ -75,9 +75,9 @@ public class DefaultImpersonationProvider implements ImpersonationProvider {
|
||||||
// $configPrefix.[ANY].hosts
|
// $configPrefix.[ANY].hosts
|
||||||
//
|
//
|
||||||
String prefixRegEx = configPrefix.replace(".", "\\.");
|
String prefixRegEx = configPrefix.replace(".", "\\.");
|
||||||
String usersGroupsRegEx = prefixRegEx + "[^.]*(" +
|
String usersGroupsRegEx = prefixRegEx + "[\\S]*(" +
|
||||||
Pattern.quote(CONF_USERS) + "|" + Pattern.quote(CONF_GROUPS) + ")";
|
Pattern.quote(CONF_USERS) + "|" + Pattern.quote(CONF_GROUPS) + ")";
|
||||||
String hostsRegEx = prefixRegEx + "[^.]*" + Pattern.quote(CONF_HOSTS);
|
String hostsRegEx = prefixRegEx + "[\\S]*" + Pattern.quote(CONF_HOSTS);
|
||||||
|
|
||||||
// get list of users and groups per proxyuser
|
// get list of users and groups per proxyuser
|
||||||
Map<String,String> allMatchKeys =
|
Map<String,String> allMatchKeys =
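Review bot: The widened user-name class `[\\S]*` in `usersGroupsRegEx` and `hostsRegEx` now spans dots, so the suffix is no longer tied to the segment directly after the user name. A key whose user part itself contains `.hosts`, `.users` or `.groups` can therefore satisfy more than one of the two expressions. Whether that leads to a wrong ACL depends on how the pattern is applied and how the user name is later cut out of the key, neither of which is visible in this hunk. Because these entries decide who may impersonate whom, it is worth confirming that the match is anchored at the end of the key, for example `... + Pattern.quote(CONF_HOSTS) + "$"` and the same for the users/groups expression. The brackets around `\\S` are also redundant (`"\\S*("` is equivalent), and the enclosing method starts and ends outside the hunk.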
|
||||||
|
|
|
@ -0,0 +1,100 @@
|
||||||
|
/**
|
||||||
|
* Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
* or more contributor license agreements. See the NOTICE file
|
||||||
|
* distributed with this work for additional information
|
||||||
|
* regarding copyright ownership. The ASF licenses this file
|
||||||
|
* to you under the Apache License, Version 2.0 (the
|
||||||
|
* "License"); you may not use this file except in compliance
|
||||||
|
* with the License. You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
package org.apache.hadoop.security.authorize;
|
||||||
|
|
||||||
|
import static org.mockito.Mockito.when;
|
||||||
|
|
||||||
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
import org.apache.hadoop.security.UserGroupInformation;
|
||||||
|
import org.apache.hadoop.test.LambdaTestUtils;
|
||||||
|
import org.junit.After;
|
||||||
|
import org.junit.Before;
|
||||||
|
import org.junit.Rule;
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.junit.rules.Timeout;
|
||||||
|
import org.mockito.Mockito;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test class for @DefaultImpersonationProvider
|
||||||
|
*/
|
||||||
|
public class TestDefaultImpersonationProvider {
|
||||||
|
|
||||||
|
private String proxyUser;
|
||||||
|
private String user;
|
||||||
|
private DefaultImpersonationProvider provider;
|
||||||
|
private UserGroupInformation userGroupInformation = Mockito
|
||||||
|
.mock(UserGroupInformation.class);
|
||||||
|
private UserGroupInformation realUserUGI = Mockito
|
||||||
|
.mock(UserGroupInformation.class);
|
||||||
|
private Configuration conf;
|
||||||
|
@Rule
|
||||||
|
public Timeout globalTimeout = new Timeout(10000);
|
||||||
|
|
||||||
|
@Before
|
||||||
|
public void setup() {
|
||||||
|
conf = new Configuration();
|
||||||
|
provider = new DefaultImpersonationProvider();
|
||||||
|
|
||||||
|
// Setup 3 proxy users
|
||||||
|
conf.set("hadoop.proxyuser.fakeuser.groups", "*");
|
||||||
|
conf.set("hadoop.proxyuser.fakeuser.hosts", "*");
|
||||||
|
conf.set("hadoop.proxyuser.test.user.groups", "*");
|
||||||
|
conf.set("hadoop.proxyuser.test.user.hosts", "*");
|
||||||
|
conf.set("hadoop.proxyuser.test user2.groups", "*");
|
||||||
|
conf.set("hadoop.proxyuser.test user2.hosts", "*");
|
||||||
|
provider.setConf(conf);
|
||||||
|
provider.init(ProxyUsers.CONF_HADOOP_PROXYUSER);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testAuthorizationSuccess() throws AuthorizationException {
|
||||||
|
proxyUser = "fakeuser";
|
||||||
|
user = "dummyUser";
|
||||||
|
when(realUserUGI.getShortUserName()).thenReturn(proxyUser);
|
||||||
|
when(userGroupInformation.getRealUser()).thenReturn(realUserUGI);
|
||||||
|
provider.authorize(userGroupInformation, "2.2.2.2");
|
||||||
|
|
||||||
|
user = "somerandomuser";
|
||||||
|
proxyUser = "test.user";
|
||||||
|
when(realUserUGI.getShortUserName()).thenReturn(proxyUser);
|
||||||
|
when(userGroupInformation.getRealUser()).thenReturn(realUserUGI);
|
||||||
|
provider.authorize(userGroupInformation, "2.2.2.2");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testAuthorizationFailure() throws Exception {
|
||||||
|
user = "dummyUser";
|
||||||
|
proxyUser = "test user2";
|
||||||
|
when(realUserUGI.getShortUserName()).thenReturn(proxyUser);
|
||||||
|
when(realUserUGI.getUserName()).thenReturn(proxyUser);
|
||||||
|
when(userGroupInformation.getUserName()).thenReturn(user);
|
||||||
|
when(userGroupInformation.getRealUser()).thenReturn(realUserUGI);
|
||||||
|
LambdaTestUtils.intercept(AuthorizationException.class, "User: "
|
||||||
|
+ proxyUser + " is not allowed to impersonate " + user, () ->
|
||||||
|
provider.authorize(userGroupInformation, "2.2.2.2"));
|
||||||
|
}
|
||||||
|
|
||||||
|
@After
|
||||||
|
public void clear() {
|
||||||
|
provider = null;
|
||||||
|
conf = null;
|
||||||
|
userGroupInformation = null;
|
||||||
|
realUserUGI = null;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
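Review bot: Every proxy-user entry in `setup()` is the wildcard `*`, so `testAuthorizationSuccess` only shows that the keys for `test.user` are now found, not that a restriction configured for a dotted user name is enforced. A denial case would close that gap: in a dedicated test, set `conf.set("hadoop.proxyuser.test.user.hosts", "1.1.1.1");` before `provider.init(...)`, then expect `AuthorizationException` from `provider.authorize(userGroupInformation, "2.2.2.2")` through `LambdaTestUtils.intercept`, as `testAuthorizationFailure` already does. A user name that itself ends in `.hosts` or `.groups` would be a useful second case, since the production pattern now accepts dots inside the name. Separately, the `user` field is assigned twice in `testAuthorizationSuccess` but never stubbed onto a mock there, so those assignments can be dropped.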
|